Ransomware as a service is a business model where skilled ransomware developers build, maintain, and lease ransomware tools to other criminals — called affiliates — who carry out the actual ransomware attacks. In short, the raas model works like software as a service, except the product is a weapon. Affiliates pay for access through subscriptions, flat fees, or revenue models that split ransom payments with the raas operators. This setup has turned ransomware from a niche skill into an industrial-scale threat. In this guide, you will learn how the raas model works, who the key players are, how ransomware attacks using this business model unfold, and how your cybersecurity team can defend against it. Understanding ransomware as a service is now essential for every firm that wants to prevent, detect, and respond to ransomware threats in the current threat landscape.
What Ransomware as a Service Means
Ransomware as a service — often called RaaS — is a cybercrime business model that mirrors how legitimate software as a service platforms operate. Instead of selling a product outright, raas operators build and maintain ransomware tools, host the infrastructure (leak sites, payment portals, dashboards), and lease access to affiliates who execute ransomware attacks. Essentially, the raas model removes the need for technical skill from the attacker side. In other words, an affiliate does not need to write code, build command-and-control servers, or manage decryption keys. Instead, they just need to gain access to a target network and deploy the payload.
Gartner and other analysts recognize ransomware as a service as a distinct category because of how it changes the threat landscape. Before the raas model, threat actors needed deep technical ability to run a ransomware campaign. Now, anyone with a few hundred dollars and a dark web connection can launch ransomware attacks at scale. This shift has driven a sharp rise in both the volume and diversity of ransomware threats — with 124 tracked ransomware group operations globally.
How the RaaS Model Works
The raas model splits the work of a ransomware attack between two roles: the operator and the affiliate. Specifically, each role handles different parts of the kill chain. Consequently, understanding this split is key to building the right defenses.
Revenue Models in Ransomware as a Service
Raas operators offer several revenue models to attract affiliates. Importantly, each model balances risk and reward between the operator and the attacker.
- Subscription-based: Affiliates pay a flat monthly fee (as low as $250) for access to the ransomware tools and infrastructure. All ransom payments go to the affiliate.
- Profit-sharing: This is the most common raas model. After a successful attack, the ransom is split — typically 60-80% to the affiliate and 20-40% to the raas operators. This is how most major ransomware group operations are structured.
- One-time license: Affiliates pay a single fee for unlimited use of the ransomware tools. No ongoing share is owed to the ransomware developers.
- Affiliate programs: Some raas operators run formal affiliate programs with tiered access, performance dashboards, and escalating revenue shares based on attack volume.
These revenue models make ransomware as a service profitable for both sides. As a result, raas operators earn steady income with low risk. Affiliates get turnkey ransomware tools without building anything. This is why the raas model has scaled so fast — it follows the same incentive structures that make legitimate software as a service businesses work.
The Ransomware Attack Lifecycle in a RaaS Model
Ransomware attacks that use the raas model follow a predictable lifecycle. Knowing each stage gives defenders the best chance to detect and stop the attack before encryption begins.
The key takeaway for defenders: there is a 4-5 day window between initial access and encryption where behavioral detection — across network, identity, and endpoint layers — can catch affiliate activity before the ransomware fires. Endpoint detection and response edr and XDR tools are critical in this window.
Notable RaaS Groups and Their Tactics
The ransomware as a service landscape is shaped by a handful of major groups. Each ransomware group brings different tactics, targets, and business model structures to the raas model.
LockBit was the most prolific raas operation before law enforcement took it down. It launched over 7,000 ransomware attacks globally across healthcare, finance, and government. Specifically, LockBit’s raas model offered fast encryption and a user-friendly affiliate dashboard. Its takedown scattered affiliates to other ransomware group platforms.
BlackCat (ALPHV) was a Rust-based ransomware group known for cross-platform attacks and triple extortion (encryption + data leak + DDoS threat). Notably, its raas model attracted skilled threat actors with a 80-90% affiliate revenue share — one of the highest in the raas model ecosystem.
Active Groups After LockBit
Qilin emerged as one of the most active ransomware group operations after LockBit’s fall. It targets healthcare and critical systems with ransomware attacks that combine data theft and encryption. Currently, its affiliate programs attract both experienced and new threat actors.
DragonForce gained traction as the raas platform behind several high-profile attacks on retail and supply chain targets. Its business model charges one of the lowest affiliate fees, making ransomware attacks accessible to a wider pool of threat actors.
How to Defend Against Ransomware as a Service
Defending against ransomware as a service requires a layered approach. Because the raas model splits the attack between multiple threat actors, defenses must cover every stage of the kill chain — from initial access through encryption and incident response.
Block initial access. Patch VPN and remote access flaws fast. Enforce multi-factor auth on all remote access. Monitor for credential leaks and compromised accounts. Since initial access brokers sell footholds weeks before the ransomware attack begins, early detection at this stage is the highest-value opportunity. Use threat intelligence feeds to watch for your firm’s credentials on dark web markets.
Detect lateral movement. Once threat actors gain access, they move laterally to reach critical systems. Endpoint detection and response edr and network detection tools catch this movement by flagging abnormal login patterns, privilege escalation, and abuse of admin tools. The 4-5 day dwell time before encryption gives defenders a real window — but only if monitoring is active across all segments.
Protect backups. Ransomware attacks target backups first because restoring from backup is the fastest way to avoid paying. Keep offline, air-gapped copies. Test restore procedures regularly. If your backups survive, ransom payments become unnecessary — which is the single best way to cut the raas model’s revenue.
Detection, Response, and Recovery
Deploy layered detection. No single tool stops ransomware attacks alone. Combine endpoint detection and response edr, SIEM for log correlation, data loss prevention for exfiltration alerts, and XDR for cross-stack visibility. Feed threat intelligence indicators from known ransomware group infrastructure into your detection rules.
Build incident response playbooks. Ransomware attacks need a rehearsed response — who isolates systems, who contacts legal, who handles comms, who engages law enforcement. Build these incident response playbooks before the attack, not during it. Connect your playbooks to your SOAR platform so triage steps run fast. Every minute saved in incident response during a ransomware as a service attack reduces the blast radius of the ransomware attack.
Do not pay the ransom. Law enforcement agencies globally advise against ransom payments. Paying funds the raas operators and their affiliate programs, encourages more ransomware attacks, and does not guarantee data recovery. In fact, overall ransom payment rates in ransomware as a service cases have dropped to roughly 20% — meaning most firms are choosing not to pay. Strong backups, incident response plans, and cybersecurity services support make non-payment viable.
Between initial access and encryption, there is a 4-5 day detection window. If your endpoint detection and response edr, SIEM, and network tools are tuned for lateral movement and privilege escalation, you can catch the affiliate before they deploy the payload. This window is the difference between a contained incident response and a full-scale ransomware attack.
The Economics of Ransomware as a Service
Understanding the financial side of ransomware as a service explains why the raas model grows despite law enforcement pressure. The economics work for every player in the chain.
Low barrier to entry. For instance, an affiliate can start launching ransomware attacks for as little as $250 per month. Some raas operators charge nothing upfront and take their cut only from successful ransom payments. As a result, this low entry cost attracts a flood of new threat actors to the raas model — many of whom have no prior technical skill.
High returns. For example, industry data shows that a single successful infection can yield $21,000 or more. For organized ransomware group operations targeting enterprises, ransom demands often reach millions. The average claim per ransomware attack exceeded $5.2 million in the first half of a recent reporting period, with a record single payment of $75 million. Consequently, these numbers explain why ransomware as a service is one of the most profitable criminal business model structures in history.
Risk transfer. Importantly, the raas model shifts most of the legal risk to affiliates. Raas operators build the tools but rarely deploy them. Since affiliates handle the ransomware attacks, they face the greatest chance of arrest. This risk-reward split is a core feature of the business model — it keeps ransomware developers safe while expanding the pool of threat actors willing to take the operational risk.
Reinvestment in tooling. Furthermore, profits flow back into development. Raas operators invest in faster encryption, better evasion of endpoint detection and response edr, improved leak sites, and AI-powered social engineering. As a result, this constant reinvestment keeps ransomware tools ahead of many defenses and raises the cost of incident response for victims.
Ransomware as a Service and Double Extortion
Most modern ransomware attacks use double extortion — stealing data before encrypting it. This tactic, now standard in the raas model, gives threat actors two points of leverage: pay to decrypt, and pay to prevent data publication.
How double extortion works. Before deploying the ransomware payload, affiliates exfiltrate sensitive files — customer records, financial data, intellectual property. After encryption, the ransomware group posts samples on a leak site and threatens to publish everything if the ransom is not paid. Consequently, this puts pressure on victims even if they can restore from backups, because the data leak itself causes regulatory, legal, and reputational harm.
Triple extortion is emerging. Additionally, some ransomware group operations add a third layer: DDoS attacks against the victim’s public-facing systems during the negotiation. This piles operational disruption on top of data theft and encryption, making incident response even harder and increasing pressure to pay.
Payment rates are dropping. Despite these tactics, ransom payments are still declining. Overall payment rates fell to roughly 20% in late 2025, and data-only extortion payments dropped to about 25%. This suggests that better backups, rehearsed incident response plans, and clearer guidance from threat actors working on the defense side against paying are working. However, threat actors are adapting — raas operators are shifting back to encryption-heavy ransomware attacks to regain leverage.
Defending against double extortion requires two separate controls. First, data loss prevention and network monitoring must detect exfiltration before encryption — because threat actors in the raas model always steal data first. Second, offline backups and tested recovery plans must make encryption recoverable without paying. Both are needed because the raas model attacks on two fronts.
Building Organizational Resilience Against RaaS
Stopping ransomware attacks is the goal, but resilience — the ability to survive an attack with minimal damage — is the realistic standard. Here is how to build it.
Test your backups under pressure. Backups are only useful if they work when you need them. Specifically, run recovery drills that simulate a full ransomware attack: all systems encrypted, primary backups targeted. Time the recovery. If it takes days, refine the process. If backups are incomplete, fix the gaps. Strong backups are the single strongest counter to the raas model because they remove the need for ransom payments entirely.
Rehearsals, Segmentation, and Managed Services
Rehearse incident response. Run tabletop exercises that walk leadership, IT, legal, and comms through a ransomware scenario. Practice the hard decisions: do you pay or not? Who calls law enforcement? What do you tell customers? Rehearsed incident response is faster and calmer than improvised incident response — and speed matters when threat actors are inside your network.
Segment your network. If an affiliate gains access to one segment, do not let them reach every system. Network segmentation limits lateral movement and contains the blast radius of ransomware attacks. Pair segmentation with identity controls so that even valid credentials do not grant blanket access across the environment.
Engage managed services. Many firms lack the in-house staff to monitor for raas attacks around the clock. Cybersecurity services providers offer managed detection and response (MDR) that covers endpoint detection and response edr, threat intelligence, and incident response on behalf of clients. For mid-size firms, managed services are often the fastest path to resilience against ransomware as a service.
The Evolving Threat Landscape of Ransomware as a Service
The ransomware as a service threat landscape is evolving fast. Several trends are shaping what ransomware threats will look like in the near future.
Ecosystem fragmentation. When law enforcement takes down a major ransomware group, its affiliates scatter to other raas operators. After LockBit’s takedown, affiliates moved to Qilin, DragonForce, and others. This fragmentation makes the threat landscape harder to track but does not reduce the overall volume of ransomware attacks.
Data-only extortion is losing effectiveness. Some ransomware group operations stopped encrypting data and only stole it, threatening to leak unless paid. However, victim payment rates for data-only extortion dropped to about 25%. This trend may push the ransomware as a service model back toward encryption-heavy ransomware attacks — meaning defenders should prepare for both vectors.
AI-powered attacks. Some raas operators now provide AI tools that auto-generate social engineering lures and scan networks for weak points. For threat actors, this makes ransomware attacks faster to launch and harder to detect. The integration of AI into the raas model is one of the biggest ransomware threats on the horizon for the threat landscape.
Nation-state involvement. Threat actors from Russia, Iran, China, and North Korea have used ransomware attacks as deniable instruments of disruption. This blurs the line between crime and state-sponsored warfare and raises the stakes of every incident response. The threat landscape is no longer purely criminal.
RaaS and the Broader Cybersecurity Stack
Ransomware as a service does not exist in isolation. Defending against ransomware attacks requires integration across your entire security stack.
RaaS + EDR/XDR. Endpoint detection and response edr catches lateral movement and payload execution. XDR extends this across endpoints, network, and cloud. Together, they cover the stages where raas affiliates are most active — and most detectable.
RaaS + SIEM. SIEM correlates logs from every layer and flags the patterns that signal ransomware attacks: bulk file renames, disabled backups, unusual after-hours logins. Feed threat intelligence on known raas operators and their threat actors into SIEM rules for faster detection and incident response.
RaaS + Endpoint Security. Hardened endpoints with application whitelisting, USB controls, and local admin restrictions limit what a raas affiliate can do even after they gain access. Cloud security extends these controls to cloud workloads.
RaaS + Ransomware Response. A dedicated ransomware defense plan ties together detection, incident response, backup recovery, legal notification, and communication. Pair it with malware analysis to understand the specific payload and with phishing defense to block the initial access vector.
Ransomware as a service has industrialized ransomware attacks. The raas model separates development from deployment, lets low-skilled threat actors launch sophisticated ransomware attacks, and funds itself through revenue models that mirror legitimate business. Defending against ransomware threats from this model requires layered detection (EDR, SIEM, XDR), proactive threat intelligence, tested incident response plans, and resilient backups that make ransom payments unnecessary.
Preparing Your Incident Response for RaaS Attacks
Incident response against ransomware as a service attacks is different from generic incident response. The raas model means threat actors follow well-documented playbooks, target specific sectors, and time ransomware attacks for maximum disruption. Your incident response plan must account for these patterns.
Pre-position your team. First, assign roles before the ransomware attack happens. Which leader runs incident response? What team isolates systems? Who handles legal, comms, and law enforcement? In ransomware attacks powered by the raas model, threat actors move fast — 69% of ransomware attacks are timed for nights and weekends when incident response teams are thin. Consequently, pre-assigned roles cut the confusion that slows response.
Automate early containment. Connect your incident response playbooks to your SOAR platform. When endpoint detection and response edr flags ransomware behavior — bulk file renames, shadow copy deletion, lateral credential dumping — automated actions should isolate the affected system and alert the incident response lead. In ransomware as a service attacks, the gap between detection and containment is where damage happens. Automation closes that gap.
Preserve evidence for attribution. Threat actors who use the raas model leave forensic traces: command-and-control IP addresses, specific ransomware tools, and tactics that map to known ransomware group profiles. Therefore, preserving these during incident response helps threat intelligence teams attribute the attack, share indicators with peers, and support law enforcement investigations. Good incident response feeds back into better detection, helping incident response teams catch the next raas model attack faster. Threat actors leave patterns that repeat across ransomware attacks.
Communication and Stakeholder Management
Communicate clearly. Ransomware attacks trigger regulatory disclosure requirements, customer notification obligations, and media attention. Accordingly, draft communication templates before the attack. Include talking points for customers, regulators, employees, and media. Obviously, rehearsed incident response communications are calmer and more accurate than ones written under pressure during live ransomware attacks.
Why Ransomware as a Service Will Keep Growing
The ransomware as a service raas model is not going away. Several structural factors in the threat landscape guarantee continued growth of ransomware attacks from raas operators and their affiliate programs.
The talent pool keeps expanding. Every time a ransomware group is taken down, its affiliates — now trained and experienced threat actors — migrate to other raas operators. The raas model creates a permanent workforce of skilled attackers who jump from one ransomware as a service platform to another. Law enforcement can disrupt individual ransomware group operations, but the affiliate labor pool survives.
The revenue models work. As long as some firms pay ransoms, the raas model is profitable. Even at a 20% payment rate, the sheer volume of ransomware attacks generates hundreds of millions in revenue. Consequently, raas operators reinvest that revenue into better ransomware tools, which attract more affiliates, which launch more ransomware attacks — a self-reinforcing cycle.
Why the RaaS Revenue Cycle Continues
Defense gaps persist. Unfortunately, many firms still lack tested incident response plans, offline backups, and endpoint detection and response edr coverage across all systems. Threat actors who use the raas model specifically target firms with weak defenses because they are more likely to pay. Until the baseline security posture improves broadly across industries, ransomware as a service will keep finding victims.
AI is accelerating attacks. Furthermore, raas operators now integrate AI into their ransomware tools for automated phishing, network scanning, and payload generation. For threat actors, this makes ransomware attacks faster to launch and harder to detect. As AI lowers the effort further, the raas model will attract even more threat actors to the ransomware as a service ecosystem.
Ransomware as a Service: A Checklist for Defenders
Use this checklist to assess your readiness against ransomware as a service. Each item maps to a stage of the raas model attack lifecycle.
- MFA on all remote access: Stops threat actors who buy stolen credentials from initial access brokers. This single control blocks the most common entry point for raas-driven ransomware attacks.
- Patch VPN and edge devices within 48 hours: Threat actors scan for exposed flaws constantly. Fast patching closes the doors that raas affiliates use to gain access to your network.
- Endpoint detection and response edr on every device: EDR catches lateral movement and ransomware behavior. Without it, ransomware attacks from the raas model reach encryption before anyone notices.
- Offline, tested backups: Backups that survive a ransomware attack remove the need for ransom payments. Test recovery under pressure, not just in drills. This is the strongest counter to the raas model.
Response Readiness and Threat Intelligence
- Incident response plan rehearsed quarterly: Ransomware as a service attacks move fast. Rehearsed incident response is the only way to match that speed. Include legal, comms, and leadership in every drill.
- Threat intelligence feeds active: Feed indicators from known raas operators and ransomware group infrastructure into your detection rules. Threat actors reuse infrastructure — threat intelligence catches them.
- Network segmentation enforced: Segmentation limits what raas affiliates can reach after gaining access. It contains the blast radius of ransomware attacks and gives incident response teams more time.
- Security awareness training current: Phishing is how most threat actors gain access in the raas model. Regular training on social engineering, credential safety, and reporting cuts the success rate of ransomware attacks at the first stage.
Finally, score each item: green (in place and tested), yellow (partial), or red (missing). Fix the red items first. Every control you add against ransomware as a service also strengthens your defense against other ransomware threats and threat actors across the threat landscape.
Conclusion
Ransomware as a service has turned ransomware from a solo crime into an industrial operation. The raas model gives ransomware developers steady income, gives affiliates turnkey ransomware tools, gives initial access brokers a market, and gives threat actors worldwide access to the same ransomware attack capabilities. The result is more ransomware attacks, hitting more targets, with greater speed and precision than ever before. For the threat landscape, this means ransomware threats are no longer limited to skilled threat actors — any threat actors willing to pay can launch a ransomware attack.
The Defense Playbook
However, the defenses are clear. Block initial access with patching and MFA. Detect lateral movement with endpoint detection and response edr and network monitoring. Protect backups so ransom payments are never needed. Build and rehearse incident response plans. Feed threat intelligence into every detection layer. And treat ransomware as a service as a standing business risk — because the raas model is not going away, and neither are the threat actors who profit from launching ransomware attacks through it.
Stopping the RaaS Revenue Engine
Ransomware as a service has turned ransomware attacks into a scalable business. Threat actors no longer need to build anything — the raas model gives them turnkey ransomware tools, and affiliate programs give them support. Every successful ransomware attack funds the next round of development by raas operators, attracting more threat actors to the ecosystem. For incident response teams and defenders, the answer is layered: block the initial access that threat actors need to start ransomware attacks, detect the lateral movement that threat actors in the raas model require, protect backups so ransom payments stop flowing, and rehearse incident response so your team moves faster than the threat actors. Ransomware as a service will keep evolving.
Threat actors will keep adapting. But firms with strong incident response, tested backups, and layered detection across their stack will survive every ransomware attack that comes their way — because they built their defenses against the raas model, not against yesterday’s threats. Each incident response drill your team runs makes you faster. Meanwhile, every threat intelligence feed you add makes your detection smarter. And every backup you test makes ransom payments pointless. This is the only way to break the cycle that makes ransomware as a service profitable for threat actors and raas operators alike.
Building Defenses That Last
The threat actors who run ransomware attacks through the raas model are getting faster, more organized, and more creative. Incident response teams that prepare now — with tested playbooks, strong backups, and layered detection — will handle ransomware attacks with speed and confidence. Those that wait will face threat actors with every advantage. Ransomware as a service is a business, and the only way to shut down a business is to make it unprofitable. Strong incident response, fast threat detection, and a refusal to pay ransoms are how defenders cut off the revenue that keeps the raas model alive. Every firm that builds these defenses makes the entire ecosystem less viable for the threat actors who depend on ransomware attacks for income.
Ransomware as a service has changed the game. The raas model makes ransomware attacks available to any threat actors willing to pay. Incident response teams must adapt. The old playbooks built for single-actor ransomware attacks do not work when the raas model sends different threat actors through the same infrastructure. Build your incident response for the raas model — assume the attack will be fast, assume data will be stolen, and assume the threat actors will time their ransomware attacks for maximum disruption. This is the new normal for incident response against ransomware as a service.
Common Questions About Ransomware as a Service
References
- Vectra AI — How Ransomware as a Service Helps Attackers Scale
- Trend Micro — What is Ransomware as a Service (RaaS)?
- Halcyon — Ransomware Evolution Report
Join 1 million+ technology professionals. Weekly digest of new terms, threat intelligence, and architecture decisions.