Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware developers rent out their malware as a service to "affiliates" who carry out attacks and share the ransom proceeds. RaaS has made ransomware attacks massively scalable—no programming knowledge required.
Ransomware-as-a-Service (RaaS) has democratized cybercrime. Instead of spending months developing malware, criminals today buy or rent a complete "ransomware business kit"—including a C2 panel, negotiation chat interface, payment processing, and technical support. The result: significantly more attackers and significantly more attacks.
The RaaS Ecosystem
The Players
Ransomware Developers (Core Team):
- Write and maintain the ransomware software
- Operate backend infrastructure (C2, leak site, payment processing)
- Recruit and manage affiliates
- Take 20–30% of the ransom
Affiliates (Attackers):
- Carry out the actual attacks
- Buy initial access from brokers or obtain it themselves (phishing, exploiting exposed services)
- Receive 70–80% of the ransom
- No technical coding expertise required—everything is provided as a service
Initial Access Brokers (IABs):
- Sell compromised access to corporate networks
- Typical products: VPN credentials, compromised RDP accounts
- Prices: $200–$5,000 depending on company size and depth of access
Negotiators:
- Specialized criminals who negotiate ransom demands
- Understand psychology, know which companies will pay
- Often have their own infrastructure (encrypted chats)
The Lean Startup of Cybercrime
- Affiliate sees IAB offer: "Access to German pharmaceutical company, 500 employees, annual revenue €80M, domain admin, VPN access – $1,200"
- Affiliate purchases access
- Affiliate generates the payload in the RaaS panel (e.g., a LockBit build) and deploys it
- Lateral movement, data exfiltration, then ransomware deployment
- Victim: All servers encrypted + "Your data has been exfiltrated—pay €800,000 or we’ll publish everything"
- Negotiation via RaaS chat interface
- Payment in Monero/Bitcoin
- Split: 70% affiliate, 30% RaaS developer
Known RaaS Groups
| Group | Status | Notable Features |
|---|---|---|
| LockBit 3.0 | Infrastructure seized in Operation Cronos (NCA-led, with the FBI and Europol, February 2024); has since resumed operating at reduced scale | Largest RaaS group; ran a bug bounty program for its own malware! |
| ALPHV/BlackCat | Leak site seized by the FBI (December 2023); exit-scammed its affiliates in March 2024 | Rust-based, highly advanced |
| Cl0p | Active | MOVEit mass attack (2023, 2,500+ victims) |
| RansomHub | Active (new in 2024) | Many former ALPHV affiliates |
| Play Ransomware | Active | Often targets managed service providers |
| Akira | Active | Focus on Linux + VMware ESXi |
| 8Base | Active | Focus on small and medium-sized businesses, many German victims |
Double Extortion: The Escalation
Classic ransomware: Encrypt, demand ransom, decrypt.
Double Extortion (since ~2020): Encrypt AND exfiltrate data.
Phase 1: Exfiltration (stealthy, over weeks)
- Files, emails, database dumps to attacker’s server
Phase 2: Encryption (high-profile, all systems simultaneously)
Ransom threat:
> “If you don’t pay, we’ll publish your data on our leak site on the dark web. Customers, partners, competitors, and journalists will see everything.”
Pressure: Even with a perfect backup, the company is vulnerable to extortion!
Triple Extortion: Additionally, DDoS attacks on the company’s website and direct contact with customers.
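The exfiltration phase described above is the one defenders can still catch before encryption starts, because the data has to leave the network. The following is an added example (not code from the original page) of the two simplest detections that catch it: a host whose outbound volume to a single external destination spikes far above its own baseline, and a host that slowly drips a large cumulative volume to an external address it never talked to before. The flow summary format, the RFC 1918 definition of "internal", the thresholds and the sample records are all assumptions constructed for the example; the external addresses use documentation ranges.

```python
"""Flag outbound traffic patterns consistent with pre-encryption data exfiltration.

Two rules run over daily per-host flow summaries:
  daily_spike      - a host sends far more to external addresses than its own
                     baseline, and most of it goes to a single destination
  new_destination  - a host sends a large cumulative volume to an external
                     address it had never talked to before (slow drip)
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: the organisation's internal space is RFC 1918; everything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow summaries, one "<date> <src> <dst> <bytes_out>" per line.
# Documentation ranges (198.51.100.0/24, 203.0.113.0/24) stand in for external hosts.
# 10.0.1.15: normal baseline, then ~3.2 GB to a never-seen host on 05-06 (spike)
# 10.0.1.20: steady control host, never flagged
# 10.0.1.40: 150 MB/day to a new external host from 05-02 onward (slow drip)
SAMPLE_FLOWS = """\
2024-05-01 10.0.1.15 203.0.113.10 52000000
2024-05-01 10.0.1.15 10.0.2.5 900000000
2024-05-02 10.0.1.15 203.0.113.10 48000000
2024-05-03 10.0.1.15 203.0.113.20 61000000
2024-05-04 10.0.1.15 203.0.113.10 55000000
2024-05-05 10.0.1.15 203.0.113.20 50000000
2024-05-06 10.0.1.15 203.0.113.10 49000000
2024-05-06 10.0.1.15 198.51.100.9 3200000000
2024-05-01 10.0.1.20 203.0.113.10 70000000
2024-05-02 10.0.1.20 203.0.113.10 72000000
2024-05-03 10.0.1.20 203.0.113.10 69000000
2024-05-04 10.0.1.20 203.0.113.10 71000000
2024-05-05 10.0.1.20 203.0.113.10 70000000
2024-05-06 10.0.1.20 203.0.113.10 68000000
2024-05-01 10.0.1.40 203.0.113.10 50000000
2024-05-02 10.0.1.40 203.0.113.10 51000000
2024-05-02 10.0.1.40 198.51.100.23 150000000
2024-05-03 10.0.1.40 203.0.113.10 49000000
2024-05-03 10.0.1.40 198.51.100.23 150000000
2024-05-04 10.0.1.40 203.0.113.10 52000000
2024-05-04 10.0.1.40 198.51.100.23 150000000
2024-05-05 10.0.1.40 203.0.113.10 50000000
2024-05-05 10.0.1.40 198.51.100.23 150000000
2024-05-06 10.0.1.40 203.0.113.10 51000000
2024-05-06 10.0.1.40 198.51.100.23 150000000
"""


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse the whitespace-separated summary format into (date, src, dst, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        date, src, dst, nbytes = line.split()
        rows.append((date, src, dst, int(nbytes)))
    return rows


def outbound_by_host(rows):
    """host -> {date -> {external dst -> bytes}} for internal-to-external flows only."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for date, src, dst, nbytes in rows:
        if is_internal(src) and not is_internal(dst):
            table[src][date][dst] += nbytes
    return table


def find_exfil_candidates(rows, ratio=5.0, min_bytes=500_000_000,
                          concentration=0.8, min_baseline_days=3):
    alerts = []
    for host, days in outbound_by_host(rows).items():
        dates = sorted(days)
        # Rule 1: daily volume spike, concentrated on one destination
        for i, date in enumerate(dates):
            if i < min_baseline_days:
                continue  # not enough history to form a baseline yet
            total = sum(days[date].values())
            baseline = median(sum(days[d].values()) for d in dates[:i])
            top_dst, top_bytes = max(days[date].items(), key=lambda kv: kv[1])
            if (total >= min_bytes and total >= ratio * baseline
                    and top_bytes / total >= concentration):
                alerts.append({"rule": "daily_spike", "host": host, "date": date,
                               "dst": top_dst, "bytes": top_bytes, "baseline": baseline})
        # Rule 2: large cumulative volume to a destination first seen after the host's first day
        first_seen, cumulative = {}, defaultdict(int)
        for date in dates:
            for dst, nbytes in days[date].items():
                first_seen.setdefault(dst, date)
                cumulative[dst] += nbytes
        for dst, total in cumulative.items():
            if first_seen[dst] != dates[0] and total >= min_bytes:
                alerts.append({"rule": "new_destination", "host": host,
                               "date": first_seen[dst], "dst": dst, "bytes": total})
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(a)
```

Run on real flow exports, the second rule is the one that matters against a patient attacker who stays under the daily spike threshold for weeks; the price is that legitimate new bulk destinations (a new backup target, a new SaaS tenant) must be allow-listed, and the first rule should use a baseline window longer than the three days the sample allows.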
Why “never pay” is the right approach
- Payment funds further attacks—directly targeting other victims
- No guarantee of a decryption key: surveys repeatedly find that a sizeable share of those who pay (figures of 20–30% are cited) never receive a working key, and criminal decryptors are often slow and leave some files unrecoverable
- No guarantee against publication – Data could still be leaked
- Compliance risk – OFAC sanctions for payments to certain groups (U.S. law)
- Victims who pay are attacked again, because the one thing attackers now know for certain is "they pay"; IABs and affiliates trade this information, so a paying victim is flagged across the whole ecosystem
Protection against RaaS
Most ransomware attacks begin with one of these vectors:
- Phishing (47% according to IBM)
- Unpatched public services (VPN, RDP, Exchange, Fortinet, Citrix)
- Weak credentials (credential stuffing, brute force)
- Insider/compromised vendor
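Of the vectors above, weak credentials on exposed remote access are the one a defender can detect in its own logs before the affiliate gets in. The following is an added example (not code from the original page) of a windowed detector for the three patterns that matter: brute force against one account, password spraying across many accounts, and the success-after-failures event that means an account actually fell. The JSON-lines event format, the thresholds and the sample events are assumptions constructed for the example; field values mirror Windows Security event IDs 4625/4624 and logon type 10 (RDP), and the attacker addresses use a documentation range.

```python
"""Detect credential brute force and password spraying against remote access,
and flag a successful logon that follows a burst of failures from the same source.

Input: authentication events in a simplified SIEM-style JSON-lines form whose
fields mirror Windows Security events (4625 = failed logon, 4624 = successful
logon, logon_type 10 = RemoteInteractive, i.e. RDP).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_events(text: str):
    """One JSON object per line -> list of event dicts (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def constructed_events():
    """Constructed sample, not real telemetry. 198.51.100.0/24 is a documentation range."""
    base = datetime(2024, 5, 6, 2, 0, 0)
    events = []

    def add(offset_s, event_id, user, src_ip):
        events.append({"ts": (base + timedelta(seconds=offset_s)).isoformat(),
                       "event_id": event_id, "user": user,
                       "src_ip": src_ip, "logon_type": 10})

    # A: 12 failures against one account from one external IP, then a success
    for i in range(12):
        add(i * 15, 4625, "administrator", "198.51.100.77")
    add(200, 4624, "administrator", "198.51.100.77")
    # B: password spray, one failure each against eight different accounts
    for i, user in enumerate(["a.berg", "b.klein", "c.wolf", "d.braun",
                              "e.koch", "f.lang", "g.roth", "h.vogt"]):
        add(600 + i * 45, 4625, user, "198.51.100.88")
    # C: benign, an internal user mistypes a password twice and then logs in
    add(900, 4625, "m.mueller", "10.0.1.50")
    add(915, 4625, "m.mueller", "10.0.1.50")
    add(930, 4624, "m.mueller", "10.0.1.50")
    return events


def detect_auth_abuse(events, window_minutes=10, brute_threshold=10,
                      spray_threshold=5, success_after=5):
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, user) failures in window
    seen, alerts = set(), []

    def alert(rule, src_ip, user):
        key = (rule, src_ip, user)
        if key not in seen:       # report each (rule, source, account) once
            seen.add(key)
            alerts.append({"rule": rule, "src_ip": src_ip, "user": user})

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        src_ip, user = ev["src_ip"], ev["user"]
        failures = recent[src_ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()    # slide the window forward
        if ev["event_id"] == 4625:
            failures.append((ts, user))
            if sum(1 for _, u in failures if u == user) >= brute_threshold:
                alert("brute_force", src_ip, user)
            if len({u for _, u in failures}) >= spray_threshold:
                alert("password_spray", src_ip, None)
        elif ev["event_id"] == 4624 and len(failures) >= success_after:
            # a success right after a failure burst is the "they got in" signal
            alert("success_after_failures", src_ip, user)
    return alerts


if __name__ == "__main__":
    for a in detect_auth_abuse(constructed_events()):
        print(a)
```

The spray rule is deliberately keyed on distinct accounts rather than failure count, because one attempt per account per hour from a rotating source pool is exactly what account-lockout policies fail to catch; against that, lengthen the window and key on the source network rather than the single IP. Events must be collected from every domain controller and the VPN/RDP gateway, not just one host, or the per-source counts are split and never reach the thresholds.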
Priority protective measures
Immediately:
- MFA for all remote access (VPN, RDP, M365)
- Critical patches within 48 hours (Fortinet, Citrix, Exchange CVEs!)
- RDP never directly reachable from the internet (only behind a VPN with MFA or a remote desktop gateway)
Short term:
- Immutable or offline backups, so that an attacker holding domain admin cannot delete or encrypt them, with restores tested regularly (an untested backup is not a backup)
- EDR on all endpoints with tamper protection enabled (often blocks ransomware deployment; attackers routinely try to disable the agent first)
- Network segmentation (limits spread)
Medium-term:
- Security awareness training (phishing detection)
- PAM and tiered administration for admin accounts (limits privilege escalation and lateral movement; no domain-admin logons on workstations)
- Penetration testing with ransomware simulation