Ransomware-as-a-Service (RaaS)

What Is Ransomware-as-a-Service?

Ransomware-as-a-Service (RaaS) is a form of criminal enterprise in which apex predator ransomware gangs (AKA ransomware operators) contract out their service—namely deploying ransomware against a target, then extorting payments—to affiliates. Most RaaS operations use a revenue-sharing model where the ransomware operators commission a percentage of the ransom to an affiliate in exchange for initial access to a target network. This model bisects the ransomware attack sequence into two distinct phases: gaining initial access and a second-stage attack that seeks to compromise valuable data. By segmenting the stages of a cyberattack, both the ransomware operator and affiliate leverage each other’s specialized skill sets, increasing the overall chances of success. A second RaaS model exists in which affiliates pay a subscription or flat fee to purchase ransomware payloads from ransomware operators.

The two most common RaaS business models:

1. Profit-Sharing Model

The ransomware operator collects the ransom and shares a percentage with the affiliate. This is the most common model for situations in which affiliates provide initial access.

2. Subscription or Flat-Fee Model

Affiliates pay either a periodic (monthly) subscription or a one-time fee for a DIY copy of the ransomware payload, known as a ransomware kit. The purchaser configures the ransomware kit and deploys it against the chosen target.


RaaS is one of the biggest drivers behind ransomware’s aggressive growth because it allows prospective threat actors who lack advanced hacking abilities to partner with highly skilled advanced persistent threat actors (APT) and suspected nation-state operators. This tag-team approach increases the potency of the attack by allowing all involved parties to focus on only a tiny part of the exploitation process. 

Collectively, ransomware gangs extorted more than $600 million from their victims in 2021; considering the average ransomware payout per incident was more than $800,000, it’s clear how RaaS represents a cash cow opportunity for affiliates, even at a low commission rate.

Ransomware vs. Ransomware-as-a-Service

Ransomware is malware that encrypts a target’s data and displays a warning notice with instructions to submit payment in exchange for decryption tools. RaaS is a model of criminal enterprise in which ransomware developers offer their services to affiliates—either selling exploit payloads for a flat rate or sharing the extortion money with partner affiliates who provide initial access to a target network, allowing the ransomware operator to further the attack.

How Ransomware-as-a-Service Works

In the RaaS model, primary ransomware threat actors known as operators partner with affiliates to deliver ransomware against a target. The affiliate will either pay a flat fee to the operator to launch an offensive cyberattack campaign against a specified target or provide initial access to an already compromised network in exchange for a percentage of any extorted funds. In this way, RaaS operates similarly to legitimate B2B professional networks. 

Affiliates often develop sophisticated social engineering attacks that use phishing or spear-phishing techniques to gain initial access. They may also gain initial access through unpatched vulnerabilities, configuration errors, compromising existing user accounts using stolen credentials or publicized data from previous cyberattacks to test for re-used passwords or even physical access to a target’s premises.

Communication and deal-making happen on Dark Web forums hosted by the ransomware operators. There are at least 25 such portals known to be explicitly offering RaaS.

Who Are Ransomware-as-a-Service Operators?

RaaS gangs are well-organized criminal enterprises with complex and defined corporate structures that have operational hierarchies with various tiers of management and designated positions such as team leaders, developers, infrastructure and system administrators, and even support agents to help affiliates deploy the ransomware and victims pay ransom to regain access to their files.

Prolific RaaS Operators

As a human-centric subscription-based 24x7x365 Managed XDR service, CylanceGUARD® provides the expertise and support businesses need to prevent and protect against ransomware attacks. CylanceGUARD combines the comprehensive expertise embodied by BlackBerry Cybersecurity Services with AI-based Endpoint Protection (EPP) through CylancePROTECT®, continuous authentication and analytics through CylancePERSONA, and on-device threat detection and remediation through CylanceOPTICS®. In short, CylanceGUARD provides business with the people and technology needed to protect the enterprise from the modern threat landscape.