What Is Ransomware as a Service (RaaS)?
Ransomware as a service (RaaS) is a business model in which a core group develops ransomware and rents it to affiliates, who carry out the attacks and share the proceeds with the developers.
A criminal affiliate does not need to write a single line of encryption code to take down a hospital, a pipeline, or a city government. They log into a portal, pick a target, deploy a ready-made payload, and collect the larger share of the ransom. The malware, the leak site, the payment infrastructure, and the negotiation playbook were all built and maintained by someone else, who takes a cut for the rental. That arrangement is ransomware as a service, and it is the reason most major ransomware attacks today trace back to a small number of development crews and a large, rotating cast of attackers.
Ransomware as a service (RaaS) is a subscription-style business model in which a core group develops ransomware and rents it to other criminals, called affiliates, who carry out the attacks and share the proceeds. It copies the structure of legitimate software-as-a-service: a vendor maintains the product, customers pay to use it, and the vendor handles updates and support. The product just happens to be extortion. This guide breaks down how the model works, who does what, how the money flows, and what it changes for defenders.
What is ransomware as a service (RaaS)?
Ransomware as a service is a business arrangement between two parties: the operators who build and maintain the ransomware, and the affiliates who pay to use it against victims. The operators never have to break into a network. The affiliates never have to develop malware. Each specializes, and both profit.
This separation is the whole point. Traditional ransomware required one actor or crew to do everything: write working encryption, build delivery, run the payment channel, and break into targets. That demanded rare skills. RaaS splits those skills across a supply chain, so the person deploying the ransomware no longer needs the ability to create it.
The model sits on top of malware that is engineered for resale. Operators package their ransomware the way a vendor packages a product: with a dashboard, documentation, builds for multiple operating systems, and ongoing updates that evade the latest detection. Affiliates are the paying customers. The result is a professionalized criminal economy with branding, customer support, and recruitment.
How the RaaS model works
[Figure: the RaaS model. Operator side: command-and-control dashboard, victim payment portal, public data leak site, decryption key management, affiliate recruitment and support. Affiliate side: move laterally and escalate privileges, steal data before encryption, deploy ransomware across systems, set the ransom and negotiate the payment.]
A RaaS operation runs like a two-sided business. The operators supply the platform. The affiliates supply the intrusions. The split is contractual, and the workflow is repeatable.
What the operators provide
The operators, sometimes called the core group or the developers, build and run everything except the break-in:
- The ransomware payload itself, with builds for Windows, Linux, or both.
- A command-and-control dashboard where affiliates configure attacks, generate payloads, and track infections.
- A victim payment portal that handles ransom collection, usually in cryptocurrency.
- A public leak site used to pressure victims by publishing stolen data.
- Decryption key management, so a victim who pays can actually be unlocked.
- Recruitment, marketing on criminal forums, and affiliate support.
Operators compete for affiliates the way real vendors compete for customers. They advertise reliability, low detection rates, support quality, and a favorable revenue split.
What the affiliates do
The affiliates are the ones who actually attack. They handle the parts that require getting inside a target:
- Gaining initial access, often through phishing, stolen credentials, exposed RDP, or unpatched internet-facing systems.
- Moving through the network and escalating privileges to reach valuable systems.
- Stealing data before encryption to enable double extortion.
- Deploying the ransomware across as many systems as possible.
- Setting the ransom amount and negotiating with the victim.
An affiliate can work with several RaaS operations at once and switch between them. When one brand is disrupted by law enforcement, affiliates migrate to another, which is part of why the ecosystem is so resilient.
The four RaaS revenue models
Operators monetize their platform in a few standard ways. Most operations use one of these, and some blend them.
| Revenue model | How affiliates pay | What the operator earns |
|---|---|---|
| Monthly subscription | A flat recurring fee for access | Predictable rental income regardless of attack success |
| Affiliate program | A profit share, typically 20 to 30 percent to the operator | A cut of every successful ransom |
| One-time license | A single upfront fee, no revenue sharing | Lump-sum payment, affiliate keeps all ransom |
| Pure profit sharing | No upfront cost, a negotiated split per payment | Revenue only when attacks succeed |
The affiliate-program model, where the operator takes a percentage of each ransom, is the most common in large operations because it aligns incentives: the operator earns more when the malware works, so it has reason to keep the product effective.
Entry is cheap relative to the payoff. RaaS kits have been advertised from around $40 per month at the low end up to several thousand dollars, a trivial cost against ransom demands that have reached into the millions. Those economics are what pull low-skill actors into high-impact crime.
Notable RaaS operations
A handful of brands have defined the model. Tracking them matters because their tooling and tactics get reused across affiliates.
- LockBit has been one of the most prolific RaaS operations, active since around 2019 and responsible for a large share of attacks before sustained law enforcement pressure.
- REvil, also known as Sodinokibi and tracked by CrowdStrike as PINCHY SPIDER, ran high-value extortion campaigns and at one point demanded a ransom in the tens of millions of dollars.
- DarkSide, linked to the actor CrowdStrike tracks as CARBON SPIDER, is the operation whose affiliate hit Colonial Pipeline in 2021, targeting both Windows and Linux systems.
- Hive was a major RaaS brand whose infrastructure was infiltrated and taken down by the US Department of Justice in January 2023, after the operation had hit more than 1,500 victims worldwide.
- Dharma has been available since 2016 and is associated with attacks that rely heavily on exposed Remote Desktop Protocol.
The pattern across all of them is the same: a development core, an affiliate base, a leak site, and a payment portal. When one is disrupted, the affiliates and often the developers resurface under a new name.
Why RaaS makes ransomware harder to fight
RaaS changes the threat in ways that matter for defense, beyond just raising the volume of attacks.
It lowers the barrier to entry. Deploying ransomware no longer requires the skill to build it, so the pool of attackers is far larger and far less predictable than when ransomware was the domain of a few capable crews.
It separates the people you can catch from the people who built the weapon. Arresting or sanctioning an affiliate does not stop the operator, and taking down an operator does not stop the affiliates, who simply move to a competitor. The supply chain has redundancy built in.
It standardizes double extortion. Because operators provide the leak site as part of the kit, data theft before encryption is now a default feature, not an advanced tactic. A clean backup no longer ends the incident, because the attacker still holds your stolen data. That turns a ransomware event into a data breach with regulatory and legal consequences stacked on top of the outage.
It professionalizes the whole operation. Negotiation scripts, support desks, and reliable decryption exist because they make victims more likely to pay. The crime is run like a business because, as a business, it works.
How to defend against RaaS attacks
RaaS is delivered by affiliates, so the defense targets how affiliates operate: get in, spread, steal, and detonate. Break that chain early and the rented payload never fires.
- Close the initial-access routes. Enforce multi-factor authentication, restrict or eliminate internet-exposed RDP, and patch internet-facing systems quickly. These are the doors affiliates use most.
- Train against phishing. Affiliates lean on phishing and stolen credentials. User awareness and email filtering cut off a primary entry point.
- Keep isolated, immutable backups. Backups the attacker cannot reach or encrypt are still what separates recovery from payment, at least for the encryption half of the attack.
- Detect the intrusion before encryption. Watch for the affiliate's behavior inside the network: privilege escalation, lateral movement, and unusual data staging or exfiltration. Endpoint detection and a monitored SIEM catch this window before files lock.
- Plan for the data-theft half. Assume data will be stolen, not just encrypted. An incident response plan that accounts for a leak, not only an outage, reflects how RaaS actually operates.
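The detection bullet above describes the pre-encryption window: an affiliate fanning out across hosts, gaining an admin foothold, then pushing data out before the payload fires. The script below is an added example, not code from the original article or from any vendor it mentions. It runs three simple rules over a few constructed, simplified JSON log records (not real telemetry) and raises the severity when one account shows the whole chain in order. Field names, thresholds and the event format are assumptions chosen for the example; a real deployment would map them onto the SIEM's own schema.

```python
"""Correlate affiliate pre-encryption behaviour over constructed log lines.

Added example: the record format, field names and thresholds are assumptions,
not any product's schema. Each line is one simplified JSON event.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). svc_backup shows the chain the
# article describes; alice is ordinary workstation activity used as a control.
SAMPLE_LOGS = """
{"ts": "2024-05-01T02:10:00", "type": "logon", "user": "svc_backup", "src": "10.0.5.20", "host": "FS01", "logon_type": 3}
{"ts": "2024-05-01T02:11:30", "type": "logon", "user": "svc_backup", "src": "10.0.5.20", "host": "FS02", "logon_type": 3}
{"ts": "2024-05-01T02:12:10", "type": "logon", "user": "svc_backup", "src": "10.0.5.20", "host": "DC01", "logon_type": 3}
{"ts": "2024-05-01T02:13:00", "type": "logon", "user": "svc_backup", "src": "10.0.5.20", "host": "SQL01", "logon_type": 3}
{"ts": "2024-05-01T02:20:00", "type": "group_change", "user": "svc_backup", "host": "DC01", "group": "Domain Admins", "action": "added"}
{"ts": "2024-05-01T02:45:00", "type": "net_flow", "user": "svc_backup", "host": "FS01", "dst": "203.0.113.77", "bytes_out": 7516192768}
{"ts": "2024-05-01T09:00:00", "type": "logon", "user": "alice", "src": "10.0.8.14", "host": "WS-ALICE", "logon_type": 2}
{"ts": "2024-05-01T09:05:00", "type": "net_flow", "user": "alice", "host": "WS-ALICE", "dst": "10.0.9.5", "bytes_out": 2048000}
"""

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
NETWORK_LOGON_TYPES = {3, 10}  # Windows logon types: network (SMB/WMI) and RemoteInteractive (RDP)
CHAIN = ("lateral_movement", "privilege_escalation", "exfiltration")


def parse_logs(text):
    """Parse one JSON record per line and return events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_lateral_movement(events, min_hosts=4, window=timedelta(minutes=15)):
    """One account reaching many distinct hosts over the network in a short window."""
    logons = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["logon_type"] in NETWORK_LOGON_TYPES:
            logons[e["user"]].append(e)
    findings = []
    for user, evs in logons.items():
        for i, start in enumerate(evs):
            in_window = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            hosts = {x["host"] for x in in_window}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "lateral_movement", "user": user,
                                 "ts": max(x["ts"] for x in in_window), "hosts": sorted(hosts)})
                break  # one finding per account is enough to open a case
    return findings


def detect_privilege_escalation(events, sensitive_groups=SENSITIVE_GROUPS):
    """An account added to a high-privilege group."""
    return [{"rule": "privilege_escalation", "user": e["user"], "ts": e["ts"], "group": e["group"]}
            for e in events
            if e["type"] == "group_change" and e["action"] == "added" and e["group"] in sensitive_groups]


def detect_exfiltration(events, min_bytes=1 << 30):
    """A large outbound transfer (default 1 GiB) to an address outside the internal ranges."""
    return [{"rule": "exfiltration", "user": e["user"], "ts": e["ts"], "dst": e["dst"], "bytes_out": e["bytes_out"]}
            for e in events
            if e["type"] == "net_flow" and e["bytes_out"] >= min_bytes and not is_internal(e["dst"])]


def correlate(findings):
    """Group findings per account; the full chain in chronological order is critical."""
    per_user = defaultdict(dict)
    for f in findings:
        earliest = per_user[f["user"]].get(f["rule"])
        if earliest is None or f["ts"] < earliest["ts"]:
            per_user[f["user"]][f["rule"]] = f
    alerts = []
    for user, rules in per_user.items():
        ordered = all(r in rules for r in CHAIN) and \
            rules[CHAIN[0]]["ts"] <= rules[CHAIN[1]]["ts"] <= rules[CHAIN[2]]["ts"]
        alerts.append({"user": user, "severity": "critical" if ordered else "medium",
                       "rules": sorted(rules)})
    return alerts


def analyze(text):
    events = parse_logs(text)
    findings = (detect_lateral_movement(events) + detect_privilege_escalation(events)
                + detect_exfiltration(events))
    return correlate(findings)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Each rule on its own is noisy in a real estate (backup accounts do touch many hosts), which is why the correlation step matters: any single finding is medium severity, while the ordered sequence of spread, escalation and outbound transfer from one account is the signature of an affiliate staging an attack and is what should page someone before encryption starts.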
The shift that RaaS forces on defenders is the same one double extortion forced: stop treating ransomware as a backup problem. The real fight is detecting and stopping the affiliate's hands-on intrusion before the payload ever runs.
The bottom line
Ransomware as a service turned extortion into a rentable product. A core group builds and maintains the ransomware, the leak site, and the payment infrastructure, then rents it to affiliates who carry out the attacks and hand over a cut, often 20 to 30 percent, of every ransom. Affiliates pay through monthly subscriptions, one-time licenses, or profit-sharing deals, with kits starting around $40 a month against payouts in the millions. The model is why brands like LockBit, REvil, DarkSide, and Hive could drive so many high-impact attacks: it split the skill of building ransomware from the act of deploying it, widening the attacker pool and making the ecosystem hard to dismantle. For defenders, the takeaway is that the threat is an intrusion, not just a payload. Closing initial-access routes, detecting lateral movement, and keeping isolated backups beat RaaS where it is weakest, before the rented ransomware ever runs.
Frequently Asked Questions
What is ransomware as a service (RaaS)?
Ransomware as a service is a business model in which a core group develops ransomware and rents it to other criminals, called affiliates, who carry out the attacks and share the proceeds with the developers. It mirrors legitimate software-as-a-service: the operator maintains the product and infrastructure, and affiliates pay to use it. This split lets people deploy ransomware without having the skill to build it.
How does the RaaS business model work?
Operators build and maintain the ransomware, a command-and-control dashboard, a victim payment portal, and a public leak site, then recruit affiliates. Affiliates pay for access, break into victim networks, deploy the ransomware, and negotiate the ransom. The two sides split the money according to the operation's revenue model, which keeps each party specialized in what it does best.
How much does ransomware as a service cost?
RaaS kits have been advertised from around $40 per month at the low end up to several thousand dollars, depending on the operation and its features. Many operations instead take a percentage of each ransom, commonly 20 to 30 percent, rather than charging a flat fee. The cost is small compared with ransom demands that routinely reach into the millions, which is what makes the model attractive to low-skill attackers.
What are some examples of RaaS groups?
Well-known RaaS operations include LockBit, REvil (also called Sodinokibi), DarkSide, Hive, and Dharma. DarkSide is the operation whose affiliate attacked Colonial Pipeline in 2021, and Hive was taken down by the US Department of Justice in January 2023 after hitting more than 1,500 victims. When one brand is disrupted, its affiliates and developers often resurface under a new name.
Who are RaaS affiliates?
Affiliates are the criminals who pay to use a RaaS operation's ransomware and carry out the actual attacks. They handle initial access, lateral movement, data theft, ransomware deployment, and ransom negotiation. An affiliate can work with multiple RaaS operations at once and switch between them, which is part of why the ecosystem survives law enforcement takedowns of any single brand.
How do you defend against RaaS attacks?
Because affiliates deliver the attack, defense focuses on how they operate. Enforce multi-factor authentication, restrict exposed RDP, and patch internet-facing systems to close common entry points, train users against phishing, and keep isolated, immutable backups. Most importantly, detect the intrusion before encryption by watching for privilege escalation, lateral movement, and unusual data exfiltration, since stopping the affiliate inside the network is more effective than reacting after the payload fires.