What is ransomware as a service (RaaS) and how does it work?

Cybercrime is advancing not by years or months but by days, and ransomware as a service (RaaS) is one of its most dangerous examples. By enabling even non-technical criminals to launch devastating ransomware attacks, RaaS has made ransomware more accessible, scalable, and profitable than ever.
Ransomware as a service has become a booming underground industry, with some RaaS groups generating millions in annual revenue. According to a 2024 survey reported by Statista, 72% of businesses worldwide were affected by ransomware attacks, with many of them linked to the RaaS model.
In this article, we'll break down what ransomware as a service is, how it works, how it's monetized, and which industries are most affected. We'll also explore relevant examples, legal implications, and what you can do to protect your business from these threats.
What is ransomware as a service (RaaS)?
Ransomware as a service (RaaS) is a business model in which ransomware developers lease their malware to affiliates who carry out ransomware attacks. In return, the developers receive a percentage of the ransom payments.
The model allows even threat actors with minimal technical skills to launch ransomware campaigns by relying on pre-built tools and support infrastructure. RaaS kits often include ransomware executables, dashboards for tracking infections and payments, support documentation, and even customer service for affiliates.
What are the three types of ransomware?
RaaS platforms typically distribute one or more of the following ransomware types, each designed to pressure victims into compliance through different tactics:
- Locker ransomware. Locks the victim out of their system, preventing access but not encrypting data.
- Crypto ransomware. Encrypts files and demands a ransom for the decryption key.
- Doxware. Instead of locking or encrypting files, this type of ransomware threatens to publicly release the victim's personal data.
Each type plays a distinct role in the RaaS ecosystem, but all aim to exploit fear, urgency, and system vulnerabilities to benefit financially from victims.
How does the RaaS model work?
The RaaS model works by enabling cybercriminal developers to sell or lease ransomware tools to affiliates, who then distribute them to targets. The profits from successful ransom payments are split between the developer and the affiliate — usually ranging from 60/40 to 80/20.
RaaS operates much like a typical software-as-a-service (SaaS) business. It comes with a backend dashboard, encryption tools, customer support for attackers, and often even marketing materials. Some RaaS groups run dark web portals where affiliates can register, choose ransomware variants, track infections, and manage payments in cryptocurrencies.
Here's how the RaaS system works step-by-step:
Stage | RaaS developer role | Affiliate role |
---|---|---|
Tool creation | Develops ransomware, builds encryption engine and support tools | N/A |
Platform launch | Sets up a RaaS portal (often on the dark web) | Registers and gains access to the platform |
Distribution | Provides ransomware kits, manuals, and support | Launches phishing emails, malicious ads, or exploits vulnerabilities |
Execution | May monitor or support live ransomware attacks, often maintaining and adapting tools to bypass evolving security measures | Executes ransomware campaigns, targets systems |
Payment collection | Provides cryptocurrency wallet integration | Negotiates and collects ransom from victims |
Profit split | Takes a percentage of the ransom collected | Receives a share of the ransom (often larger than the developer's) |
The model is appealing to both parties. Developers can profit without risking exposure, while affiliates don't need technical expertise — they simply need access to targets and distribution methods.
RaaS platforms may offer multiple tiers, just like SaaS subscriptions, including:
- Basic kits (single ransomware variant).
- Premium access (analytics dashboards, anti-detection tools).
- Fully managed services (everything handled by developers).
How does RaaS generate revenue?
Ransomware as a service generates revenue through multiple income streams that mirror legitimate SaaS business models. These flexible monetization tactics allow RaaS operators to appeal to a broad range of cybercriminals (from lone actors to highly organized ransomware-as-a-service groups), all while scaling their platforms efficiently.
Below are the most common revenue models used in RaaS operations.
Subscription fees
Affiliates pay recurring fees (typically weekly or monthly) to access RaaS platforms. These subscriptions grant access to ransomware builders, affiliate dashboards, encryption modules, and support forums. Higher-tier subscriptions often include additional tools such as antivirus evasion, real-time analytics, or 24/7 technical support. The SaaS-style pricing model ensures a steady income for developers while giving affiliates a professionalized attack toolkit.
Profit-sharing (affiliate commissions)
Many RaaS platforms operate on a commission basis where developers provide ransomware tools for free or at low cost, then take a percentage of any ransom paid by victims. The split can vary from 10% to 40%, depending on the sophistication of the platform and the level of support provided. This model lowers the barrier to entry for affiliates while allowing developers to profit passively from each infection.
Pay-per-use pricing
Some RaaS operations offer one-time campaigns or limited-use packages. Affiliates can pay a flat fee to deploy ransomware for a defined period or for a certain number of attacks without committing to an ongoing subscription. This model is attractive to cybercriminals looking to test the waters before investing in long-term access and contributes to the rapid spread of RaaS ransomware by lowering initial costs.
Installation and integration fees
Advanced affiliates may pay extra for tailored deployment methods. These methods can include custom payloads, integration with phishing kits, bundling with infostealer malware, or delivery via pre-compromised access points. Some RaaS systems offer technical support to help affiliates bypass security measures during installation, making the overall attack more effective. These services are often sold as premium upgrades.
Licensing deals
In some cases, RaaS developers sell the ransomware engine outright under a licensing model. Buyers gain full control over the malware, with no need to pay commissions or stay connected to the original platform. This model appeals to more experienced actors looking to build private campaigns, and it aligns closely with the evolution of malware-as-a-service ecosystems, where modular attack kits are traded and customized on the dark web.
Ransom customization services
To increase payment success rates, some RaaS developers offer services to tailor the ransom experience. The offerings can include branded ransom notes, multilingual support, live chat with victims, and dynamic price adjustments based on victim size or location. These add-ons position RaaS as a polished extortion platform aimed at maximizing revenue from every infected system.
With multiple revenue channels and an adaptable pricing structure, the ransomware-as-a-service model has matured into a sustainable cybercrime business. Its blend of low-entry costs for affiliates and high-profit potential for developers is a key reason why RaaS continues to succeed in the broader world of cybersecurity threats.
Is ransomware as a service (RaaS) legal?
Ransomware as a service is illegal under nearly all national laws and international conventions. While its business model may mirror that of legitimate SaaS platforms, its purpose — facilitating cyber extortion — is a criminal offense.
RaaS platforms are designed to enable the deployment of ransomware, a type of malware that encrypts victims' files and demands payment in exchange for decryption keys. This practice violates laws related to computer misuse, unauthorized access, data theft, extortion, and cyber fraud. As a result, both the developers who create RaaS software and the affiliates who use it can face serious legal consequences.
Why RaaS is considered illegal:
- It enables extortion by profiting from threats and coercion, typically demanding cryptocurrency payments from victims under duress.
- It facilitates unauthorized access because RaaS tools are used to break into corporate or personal systems without permission.
- It spreads malware, and distributing or advertising RaaS software qualifies as trafficking in malicious code, which is prosecutable under most national and international laws.
- It supports organized cybercrime, with many RaaS operations linked to cybercriminal gangs and ransomware-as-a-service groups, some of which are sanctioned or connected to state-sponsored entities.
Developers and affiliates involved with ransomware as a service can face severe penalties, including fines, imprisonment, asset seizure, and even extradition, depending on their country's laws and the scale of the ransomware attacks. Additionally, administrators of online forums or marketplaces that facilitate the promotion or sale of RaaS platforms may be prosecuted for aiding and abetting cybercrime. Organizations or individuals who knowingly use or distribute RaaS tools, even indirectly, risk being charged with criminal conspiracy or racketeering offenses.
International law enforcement agencies have coordinated efforts to dismantle multiple RaaS groups by tracing cryptocurrency transactions and infiltrating dark web forums. The distribution and sale of RaaS tools often take place on the dark web, which shares similarities with other cybercrime ecosystems, such as malware-as-a-service platforms. Being connected to RaaS — even indirectly through development, distribution, or use — can result in prosecution.
Notable global examples of RaaS
Several ransomware-as-a-service operations have gained notoriety worldwide due to their scale and impact on businesses and governments. These examples highlight how RaaS groups use technology and partnerships to execute high-profile attacks.
1. REvil (Sodinokibi)
REvil is one of the most infamous RaaS groups, known for targeting large corporations and demanding multimillion-dollar ransoms. Operating as a ransomware-as-a-service platform, REvil recruits affiliates who carry out attacks, with profits split between developers and ransomware operators. They are responsible for high-profile incidents, including attacks on meat-processing giant JBS and tech company Kaseya.
2. DarkSide
DarkSide gained global attention in 2021 after a ransomware attack on Colonial Pipeline, causing fuel shortages across the U.S. Their RaaS model emphasizes a professional service approach with customer support and a "code of conduct," ironically advising against targeting certain sectors like healthcare. DarkSide disappeared after law enforcement pressure but resurfaced under different aliases.
3. LockBit
LockBit is another dominant ransomware operator, known for its fast encryption speeds and aggressive extortion tactics, including leaking stolen data if ransoms aren't paid. Over time, it has evolved significantly, with major iterations like LockBit 2.0 and LockBit 3.0 reflecting ongoing upgrades and a push toward professionalization. Its affiliate program enables multiple cybercriminal groups to deploy ransomware using LockBit's ever-advancing infrastructure.
4. Conti
Conti operates under a RaaS model with a well-organized affiliate network. It has targeted healthcare, government, and critical infrastructure sectors globally. Conti's leak site has been used to publicly shame victims who refuse to pay.
How do RaaS attacks work?
Ransomware-as-a-service attacks work by combining the technical expertise of ransomware developers with the operational efforts of affiliates who deploy the ransomware on targets. This collaboration allows cybercriminals with varying skill levels to launch effective ransomware campaigns.
How does ransomware get on a server?
RaaS affiliates typically gain access to servers or networks through various ransomware attack vectors, including phishing emails, software vulnerabilities, or stolen credentials. Once inside, they deploy the ransomware payload — software that encrypts files and locks users out of critical systems.
Common infection methods include sending malicious email attachments or links, exploiting poorly secured Remote Desktop Protocol (RDP) services, and using malware dropper tools. Once ransomware is active, it begins encrypting data and sometimes exfiltrates sensitive information to use as additional leverage during ransom negotiations.
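For defenders, the RDP and stolen-credential entry points described above leave a recognizable trail in Windows logon events. The following is an added example, not code from NordStellar or the original article: it flags a source address that racks up failed logons and then succeeds over RDP. The event records, thresholds, and function name are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records using Windows Security log fields.
# 4625 = failed logon, 4624 = successful logon; LogonType 10 is
# RemoteInteractive (RDP). With NLA enabled, failed RDP attempts are
# commonly logged as LogonType 3, so both types count as failures here.
# IP addresses are from documentation ranges; user names are made up.
SAMPLE_EVENTS = [
    {"time": f"2024-05-01T02:1{i}:00", "event_id": 4625, "logon_type": 3,
     "src_ip": "203.0.113.50", "user": "administrator"}
    for i in range(6)
] + [
    {"time": "2024-05-01T02:16:30", "event_id": 4624, "logon_type": 10,
     "src_ip": "203.0.113.50", "user": "administrator"},
    {"time": "2024-05-01T09:00:00", "event_id": 4625, "logon_type": 10,
     "src_ip": "198.51.100.7", "user": "j.doe"},
    {"time": "2024-05-01T09:00:40", "event_id": 4624, "logon_type": 10,
     "src_ip": "198.51.100.7", "user": "j.doe"},
]

WINDOW = timedelta(minutes=10)  # assumed tuning value
FAIL_THRESHOLD = 5              # assumed tuning value


def rdp_guess_then_success(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Alert when a source IP accumulates >= threshold failed logons inside
    `window` and then completes a successful RDP logon."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    for ev in ordered:
        ts = datetime.fromisoformat(ev["time"])
        recent = failures[ev["src_ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if ev["event_id"] == 4625 and ev["logon_type"] in (3, 10):
            recent.append(ts)
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10:
            if len(recent) >= threshold:
                alerts.append({"src_ip": ev["src_ip"], "user": ev["user"],
                               "time": ev["time"],
                               "failed_before": len(recent)})
            recent.clear()  # a success resets the counter for this source
    return alerts


if __name__ == "__main__":
    for alert in rdp_guess_then_success(SAMPLE_EVENTS):
        print("ALERT", alert)
```

A single mistyped password followed by a normal login, as in the second source address, stays below the threshold and raises nothing.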
What happens if you don't pay the ransom?
If victims refuse to pay the ransom, threat actors usually escalate their demands by threatening to permanently delete encrypted data or publicly leak stolen information. This double extortion tactic increases pressure on victims to comply. Failure to pay can result in severe operational disruptions, financial losses, and reputational damage. However, paying the ransom does not guarantee that attackers will restore access or refrain from further attacks.
Cybercriminals often target repeat victims who pay once because they know those victims are more likely to pay again. As a result, law enforcement and cybersecurity experts generally advise against paying ransom to discourage criminal behavior.
Cybersecurity risks associated with RaaS attacks
Ransomware-as-a-service attacks pose significant cybersecurity risks to individuals, businesses, and critical infrastructure worldwide. Their increasing sophistication and accessibility have made ransomware one of the most pervasive cyber threats today.
RaaS attacks threaten data integrity by encrypting essential files and systems, rendering them inaccessible until a ransom is paid. Such disruption can halt business operations, cause financial losses, and damage an organization's reputation.
Additionally, many RaaS attacks involve data exfiltration, where threat actors steal sensitive information before encrypting systems. Such data is often used for blackmail or sold on the dark web, compounding the victim's exposure to privacy breaches and regulatory penalties.
The widespread availability of RaaS tools lowers the technical barrier for cybercriminals, leading to an increase in the number and diversity of attacks. As a result, even small businesses with limited cybersecurity defenses are now targets: they often serve as gateways into larger supply chains, so a single ransomware attack can trigger a ripple effect.
Furthermore, RaaS operators often use ransomware attack vectors such as phishing, software vulnerabilities, and compromised credentials, exploiting weaknesses in enterprise cybersecurity strategies. These attacks may also coincide with other forms of malware infections, including infostealer malware, which harvests user credentials and other valuable data.
The complexity of these attacks has made defense more challenging, requiring continuous monitoring and proactive measures. Services like dark web monitoring can help detect if stolen data is being traded or leaked online, enabling a faster response.
Ultimately, the risks of RaaS attacks emphasize the critical importance of layered cybersecurity strategies to protect sensitive information and maintain operational continuity.
Which industries are most threatened by RaaS attacks?
Ransomware-as-a-service attacks primarily target industries that store sensitive data, support critical infrastructure, or rely on uninterrupted operations. These sectors experience the highest frequency and impact of ransomware attacks.
Recent ransomware-as-a-service statistics reveal that the healthcare industry is a major target due to its sensitive patient information and the critical nature of its services. Disruptions caused by ransomware in healthcare can threaten patient safety and lead to severe regulatory penalties.
The financial sector also faces a high volume of RaaS attacks. Banks, insurance companies, and other financial institutions hold valuable client data and financial assets, making them attractive targets for extortion.
Manufacturing and critical infrastructure sectors are frequently affected as well, where ransomware can halt production lines or essential public services, causing broad economic and social consequences.
Government agencies and educational institutions are similarly vulnerable. Despite often limited cybersecurity budgets, these organizations hold large amounts of sensitive data and perform essential functions, making them appealing targets for ransomware-as-a-service groups.
How can you prevent and protect against RaaS attacks?
Preventing ransomware-as-a-service attacks requires a proactive cybersecurity approach, combining technical measures with employee awareness and organizational policies. Businesses and individuals can reduce their risk by implementing the following best practices:
- Regularly update and patch software to close vulnerabilities that threat actors exploit. Doing so includes updating applications, operating systems, and network devices. Many ransomware-as-a-service groups take advantage of unpatched systems to gain initial access.
- Implement strong access controls and multi-factor authentication (MFA). Limiting user privileges and requiring MFA can prevent unauthorized access, even if login credentials are compromised.
- Conduct ongoing employee training and phishing simulations. Since ransomware often enters networks via phishing emails, educating staff about recognizing suspicious messages and links is critical.
- Maintain regular, secure backups of all critical data. Backups should be stored offline or in isolated environments to ensure ransomware cannot encrypt or delete them. In case of an attack, backups allow for faster recovery without paying a ransom.
- Deploy advanced endpoint detection and response (EDR) and network monitoring solutions to detect unusual behavior early. Doing so enhances ransomware resilience by identifying and stopping attacks before they spread widely. Combine these solutions with security best practices such as zero-trust principles, least-privilege access, and established frameworks like the NIST Cybersecurity Framework.
- Establish and routinely test an incident response plan to ensure quick and coordinated action in case of a ransomware infection.
- Use a threat exposure management platform like NordStellar, which offers proactive dark web monitoring and rapid response, helping you detect and reduce the risk of ransomware-as-a-service attacks before they impact your operations.
By combining these preventive strategies, organizations can build defenses against RaaS and reduce their risk of falling victim to ransomware attacks.
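To make "detect unusual behavior early" concrete, here is an added example (not from the original article, and not a description of how any particular EDR product works) of one common heuristic for spotting crypto ransomware: a single process rewriting many low-entropy files into near-random content within a short window. The telemetry format, thresholds, and process and path names are assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.5   # bits/byte; ciphertext sits close to 8 (assumed cutoff)
MIN_JUMP = 2.0       # required rise over the file's previous content
WINDOW_S = 30        # assumed tuning value, seconds
MIN_FILES = 5        # assumed tuning value

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte sample, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest()
              for i in range(size // 32))
    return b"".join(blocks)

def flag_encryption_bursts(events):
    """Return {process: [paths]} for processes that turned >= MIN_FILES
    low-entropy files into high-entropy ones within WINDOW_S seconds."""
    hits = defaultdict(list)  # process -> [(ts, path)]
    for ev in events:
        before = shannon_entropy(ev["before"])
        after = shannon_entropy(ev["after"])
        if after >= HIGH_ENTROPY and after - before >= MIN_JUMP:
            hits[ev["process"]].append((ev["ts"], ev["path"]))
    flagged = {}
    for proc, items in hits.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > WINDOW_S:
                start += 1  # slide the window forward
            if end - start + 1 >= MIN_FILES:
                flagged[proc] = [path for _, path in items[start:end + 1]]
                break
    return flagged

# Constructed file-rewrite telemetry; process and path names are hypothetical.
TEXT = b"Quarterly report: revenue up 4 percent over last year.\n" * 80
SAMPLE_EVENTS = [
    {"ts": i, "process": "unknown.exe", "path": f"C:/share/doc{i}.txt",
     "before": TEXT, "after": fake_ciphertext(f"doc{i}")}
    for i in range(6)
] + [
    # Already-compressed archive rewritten: high entropy but no jump.
    {"ts": 3, "process": "archiver.exe", "path": "C:/share/old.zip",
     "before": fake_ciphertext("zip-a"), "after": fake_ciphertext("zip-b")},
    # Ordinary document save: entropy stays low.
    {"ts": 4, "process": "editor.exe", "path": "C:/share/notes.txt",
     "before": TEXT, "after": TEXT + b"Reviewed by finance.\n"},
]
```

Requiring a jump from the file's previous entropy, rather than high entropy alone, keeps archives and media files that were already compressed from triggering the rule.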
Future of ransomware as a service (RaaS)
The future of ransomware as a service looks concerning because this cybercrime model continues to expand. With RaaS technology becoming more sophisticated, its accessibility will likely grow, enabling a wider range of cybercriminals — including less technically skilled actors — to launch attacks.
Building on this, ransomware-as-a-service groups are expected to innovate with new tactics. These tactics may include combining ransomware with other types of malware or targeting emerging technologies and critical infrastructure more aggressively.
Given such a trajectory, it's important for individuals and organizations to understand the risks posed by RaaS and implement the preventive and protective strategies outlined earlier. Staying informed, maintaining robust cybersecurity hygiene, and using expert services like those offered by NordStellar will be essential in mitigating the impact of future ransomware threats.