Ransomware-as-a-service (RaaS) is a type of cyberattack that allows cybercriminals to rent out ransomware to other criminals—and it’s a rapidly growing business.
Ransomware-as-a-service (RaaS) is a pay-for-use subscription model on the dark web where developers license out malware to other parties to execute targeted ransomware attacks.
RaaS is advertised on the dark web at varying price points, where anybody can simply log in and buy ransomware kits off the shelf to launch an attack. This is what makes RaaS so dangerous: even a novice hacker with limited coding experience can pay for and use already-developed malicious software to launch targeted attacks. Once the hacker gains entry into the target organization, they use the malware to exfiltrate and encrypt data and then use double extortion techniques to blackmail the organization.
Global ransomware damage costs are predicted to reach around $265 billion (USD) by 2031. It’s this lure of massive monetary gains that has led to the emergence of newer and more sophisticated techniques like RaaS.
The RaaS model involves two parties: developers and affiliates. Developers are responsible for creating and leasing out ready-to-use code to other attackers called affiliates. Affiliates are the ones who launch the ransomware attack. Once the affiliates successfully deliver the payload, they receive a percentage of the ransom money.
Affiliates are trained on technical details and provided with detailed guides on launching ransom attacks. These affiliates are also provided with 24/7 support and access to community forums.
RaaS kits can be bought:
While targeted ransomware gangs use many tactics to gain entry to unsuspecting users’ networks, phishing emails are one of the most common methods of targeting a victim’s network. These emails contain infected Word attachments, and when an employee clicks on the malicious link, the malware gets downloaded automatically.
A RaaS attack takes place in several stages, beginning with initial access and proceeding to spread throughout the network before exfiltrating and encrypting data, and finally demanding a ransom.
Although many forms of RaaS are by nature secretive and constantly evolving, some have gained enough notoriety to be widely known due to their success in executing large-scale attacks. Some examples include DarkSide, LockBit, REvil, and Ryuk.
DarkSide is a cybercriminal group that sells RaaS to other hackers in exchange for profits. DarkSide first emerged in August 2020 and quickly spread to over 15 countries, targeting organizations across a swath of industries.
This is the same group that was responsible for the Colonial Pipeline ransomware incident, which literally brought the East Coast to a grinding halt.
Launched in 2019, LockBit is one of the most dangerous ransomware strains around. While the group initially remained in the shadow of other famous gangs like REvil and Ryuk, it came into the limelight in the second half of 2021. By the first quarter of 2022, it had already become the most widely used ransomware variant.
If we go by the gang’s claims, they’ve targeted over 12,125 organizations. LockBit is notorious for using double extortion techniques where they steal the data and then threaten to publish confidential information if the organization doesn’t pay up.
REvil, or Sodinokibi, is a RaaS variant formed in 2019 that is responsible for numerous high-profile ransomware cases. Examples include the JBS USA case, where the food processing company had to pay an $11 million ransom in bitcoin, and the Kaseya attack that compromised over 1,000 companies.
Apart from the usual method of encrypting data and demanding money, REvil also uses double extortion, threatening to leak its victims’ stolen information publicly if the ransom is not paid.
Ryuk is a human-operated targeted ransomware that attacks high-value institutions like media outlets and government agencies that have the capability to pay large sums of ransom money.
Originating in 2018, Ryuk uses open-source tools and manual hacking methods to gain entry into systems. Once the data is encrypted, the Ryuk group demands a ransom in bitcoins.
To date, the gang has earned over $150 million in ransom, making it one of the most notorious in the trade. While it is not clear who owns Ryuk, it’s commonly attributed to Wizard Spider, a cybercrime group based in Russia.
Thankfully, there are ways to protect your organization from ransomware attacks. Here are some best practices you can implement to stave off criminal attacks.
You need to train your staff to spot ransomware attacks. For that, you must conduct comprehensive security awareness training that covers identifying social engineering techniques and phishing emails and includes penetration tests and security skill tests. The training should be regularly updated based on the latest RaaS threats.
Once malware enters your computer, it can quickly infect the entire network through lateral movement. Thus, it’s wise to segment your network into smaller sub-networks so that even if it gets infected, you can isolate infections to as few machines as possible.
Zero trust security is an approach that works on the principle of not trusting any device or person unless authenticated. Steps include verifying users, implementing multifactor authentication (MFA), and allowing least privilege access to limit the blast radius of criminals trying to gain unauthorized access.
Hackers are always looking to exploit vulnerabilities in systems and networks. Ensure that your operating systems and software are updated and patched regularly to prevent hackers from exploiting vulnerabilities. Also, encourage your employees to use strong passwords and make it a habit to change them regularly.
It can be difficult to decrypt data that has been encrypted by ransomware; therefore, you must back up your data at regular intervals to multiple locations. Thus, even if your systems get hacked, at least you have a clean copy of your data residing elsewhere.
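A backup only helps if the copy is still clean when you need it. The following added example (not part of the original article) records a SHA-256 manifest at backup time and checks each backup location against it; the directory names, file names and sample data are constructed for illustration, and the manifest is assumed to be stored separately from the copies it describes.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(source: Path) -> dict:
    """Map each file's relative path to its SHA-256 at backup time."""
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}

def verify_copy(location: Path, manifest: dict) -> dict:
    """Report files that are missing, modified or unexpected in one backup copy."""
    report = {"missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        candidate = location / rel
        if not candidate.is_file():
            report["missing"].append(rel)
        elif sha256_file(candidate) != expected:
            report["modified"].append(rel)
    for p in sorted(location.rglob("*")):
        rel = p.relative_to(location).as_posix()
        if p.is_file() and rel not in manifest:
            report["unexpected"].append(rel)
    return report

def demo() -> dict:
    """Constructed sample: two backup copies, one altered after the backup ran."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        manifest = build_manifest(source)  # assumed to be kept apart from the copies
        copies = {name: Path(tmp) / name for name in ("onsite", "offsite")}
        for dest in copies.values():
            shutil.copytree(source, dest)
        # Simulate the onsite copy changing after the backup was taken.
        (copies["onsite"] / "finance" / "ledger.csv").write_bytes(b"\x00\xff\x13\x37")
        (copies["onsite"] / "NOTE.txt").write_text("constructed placeholder\n")
        return {name: verify_copy(path, manifest) for name, path in copies.items()}

if __name__ == "__main__":
    print(demo())
```

A location whose report has three empty lists still matches what was backed up; any other result means that copy should not be trusted for a restore until it is investigated.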
Endpoints serve as an easy point for hackers to break into your corporate network. Thus, securing endpoint devices is critical to remove any weak links. Put measures in place to track all endpoint devices and run endpoint protection software so that your security operations teams can spot a ransomware attack.
By way of summarizing some of the points of this article, here are a few quick questions you or your employees might have about how RaaS compares to other ransomware or malware models.
The ransomware-as-a-service (RaaS) model is a subscription-based system designed to provide amateur hackers access to ready-made ransomware code to easily launch ransomware attacks with minimal programming. They can do so by buying RaaS kits from the dark web.
Cybercriminals are increasingly using RaaS to extort ransom money from thousands of organizations of every size. In fact, the number of RaaS and other extortion groups grew by 63.2% during the first quarter of 2022 when compared to the previous year.
Ransomware operators are adept at bypassing the security defenses of even the largest organizations. In such a scenario, it pays to be extra cautious. While there is no way to completely prevent ransomware, organizations can adopt a hypervigilant approach and shore up their security defenses so as to respond well to cybersecurity incidents.
Susnigdha Tripathy is a full-time writer and editor based in Singapore, and a regular contributor to Enterprise Networking Planet. She has over 10 years of experience writing, editing, and delivering exceptional content for a variety of international technology brands such as Virtasant, a cloud technology company, and Krista Software, a provider of intelligent automation solutions. She has also appeared in ServerWatch and other industry publications.