Ransomware-as-a-Service (RaaS): Definition & Examples

Enterprise Networking Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Ransomware-as-a-service (RaaS) is a pay-for-use subscription model on the dark web where developers license out malware to other parties to execute targeted ransomware attacks. 

RaaS is advertised on the dark web with varying price points where anybody can simply login and buy ransomware kits off-the-shelf to launch an attack. This is what makes RaaS so dangerous, as even a novice hacker with limited coding experience can pay and use already-developed malicious software to launch targeted attacks. Once the hacker gets entry into the target organization, they use malicious malware to exfiltrate and encrypt data and then use double extortion techniques to blackmail the organization.

Global ransomware damage costs are predicted to cost around $265 billion (USD) by 2031. It’s this lure of massive monetary gains that has led to the emergence of newer and more sophisticated techniques like RaaS.

How ransomware-as-a-service works

The RaaS model involves two parties: developers and affiliates. Developers are responsible for creating and leasing out ready-to-use code to other attackers called affiliates. Affiliates are the ones who launch the ransomware attack. Once the affiliates successfully deliver the payload, they receive a percentage of the ransom money.

Affiliates are trained on technical details and provided with detailed guides on launching ransom attacks. These affiliates are also provided with 24/7 support and access to community forums.  

RaaS kits can be bought:

  • For a fixed monthly fee
  • For a one-time license fee
  • On an affiliate basis, with criminals paying a lower monthly fee while the service provider retains about 25% of the ransoms
  • On a profit sharing or “no ransom no fee” basis

While targeted ransomware gangs use a lot of tactics to gain entry to unsuspecting users’ networks, phishing emails are one of the most common methods of targeting a victim’s network. These emails contain infected attached Word documents, and when an employee clicks on the malicious link, the malware gets downloaded automatically.

Stages of a RaaS attack

A RaaS attack takes place in several stages, beginning with initial access and proceeding to spread throughout the network before exfiltrating and encrypting data, and finally demanding a ransom.

  1. Initial access stage: This is the first step, where users are tricked into clicking on an infected file.
  2. Command and control: Once inside the network, the malware connects to the hacker’s command-and-control center and establishes communication.
  3. Staging: In this stage, the ransomware establishes a foothold, and privilege escalation occurs. It steals credentials and gains access to the most important assets of the network.
  4. Expansion: In expansion mode, the ransomware begins lateral movement and spreads throughout the network. When the attackers have sufficiently infected the network, they can then proceed to extortion.
  5. Data exfiltration: Data exfiltration is a common technique of modern ransomware attacks. Bad actors exfiltrate data and use double or even triple extortion methods to blackmail companies to give in to their demands.
  6. Data encryption: Once data exfiltration is done, attackers use a combination of symmetric and asymmetric encryption to render the data useless.
  7. Ransom note: The attack ends with the delivery of the ransom note requesting the payment terms and a threat to share the exfiltrated data if conditions are not complied with.

Examples of ransomware-as-a-service

Although many forms of RaaS are by nature secretive and constantly evolving, some have gained enough notoriety to be widely known due to their success in executing large-scale attacks. Some examples include DarkSide, LockBit, REvil, and Ryuk.


DarkSide is a cybercriminal group that sells RaaS to other hackers in exchange for profits. DarkSide first emerged in August 2020 and quickly spread to over 15 countries, targeting organizations across a swath of industries. 

This is the same group that was responsible for the Colonial Pipeline ransomware incident, which literally brought the East Coast to a grinding halt.


Launched in 2019, LockBit is one of the most dangerous malware around. While initially this group remained in the shadow of other famous gangs like REvil and Ryuk, it came into the limelight in the second half of 2021. And by the first quarter of 2022, it had already become the most widely used ransomware variant. 

If we go by the gang’s claims, they’ve targeted over 12,125 organizations. LockBit is notorious for using double extortion techniques where they steal the data and then threaten to publish confidential information if the organization doesn’t pay up.  


REvil, or Sodinokibi, is a RaaS variant formed in 2019 that is responsible for numerous high-profile ransomware cases. Examples include the JBS USA case, where the food processing company had to pay $11 million ransom money in bitcoins, and the Kaseya attack that compromised over 1,000 companies. 

Apart from the usual method of encrypting data and demanding money, REvil also uses double extortion techniques of threatening its victims to leak the stolen information in public if the ransom amount is not paid.


Ryuk is a human-operated targeted ransomware that attacks high-value institutions like media outlets and government agencies that have the capability to pay large sums of ransom money. 

Originating in 2018, Ryuk uses open-source tools and manual hacking methods to gain entry into systems. Once the data is encrypted, the Ryuk group demands a ransom in bitcoins. 

To date, the gang has earned over $150 million in ransom, making it one of the most notorious in the trade. While it is not clear who owns Ryuk, it’s commonly attributed to Wizard Spider, a cybercrime group based in Russia.  

How to protect yourself from RaaS attacks

Thankfully, there are ways to protect your organization from ransomware attacks. Here are some best practices you can implement to stave off criminal attacks.

Security awareness training

You need to train your staff to spot ransomware attacks. For that, you must conduct comprehensive security awareness training that includes identifying social engineering techniques and phishing emails, as well as taking part in penetration tests and security skill tests to be regularly updated based on the latest RaaS threats.

Network segmentation

Once malware enters your computer, it can quickly infect the entire network through lateral movement. Thus, it’s wise to segment your network into smaller sub-networks so that even if it gets infected, you can isolate infections to as few machines as possible.

Follow a zero-trust approach to security

Zero trust security is an approach that works on the principle of not trusting any device or person unless authenticated. Steps include verifying users, implementing multifactor authentication (MFA), and allowing least privilege access to limit the blast radius of criminals trying to gain unauthorized access.

Update regularly

Hackers are always looking to exploit vulnerabilities in systems and networks. Ensure that your operating systems and software are updated and patched regularly to prevent hackers from exploiting vulnerabilities. Also, encourage your employees to use strong passwords and make it a habit to change them regularly.

Perform regular backups

It can be difficult to decrypt data that has been encrypted by ransomware; therefore, you must back up your data at regular intervals to multiple locations. Thus, even if your systems get hacked, at least you have a clean copy of your data residing elsewhere.

Endpoint protection

Endpoints serve as an easy point for hackers to break into your corporate network. Thus, securing endpoint devices is critical to remove any weak links. Put measures in place to track all endpoint devices and run endpoint protection software so that your security operations teams can spot a ransomware attack.

Frequently Asked Questions (FAQ)

By way of summarizing some of the points of this article, here are a few quick questions you or your employees might have about how RaaS compares to other ransomware or malware models.

What is a ransomware-as-a-service model?

The ransomware-as-a-service (RaaS) model is a subscription-based system designed to provide amateur hackers access to ready-made ransomware code to easily launch ransomware attacks with minimal programming. They can do so by buying RaaS kits from the dark web.

How popular Is ransomware-as-a-service?

Cybercriminals are increasingly using RaaS to extort ransom money from thousands of organizations of every size. In fact, the number of RaaS and other extortion groups grew by 63.2% during the first quarter of 2022 when compared to the previous year.

Bottom line: Protecting against RaaS attacks

Ransomware operators are adept at bypassing the security defenses of even the largest organizations. In such a scenario, it pays to be extra cautious. While there is no way to completely prevent ransomware, organizations can adopt a hypervigilant approach and shore up their security defenses so as to respond well to cybersecurity incidents. 

Learn more in our ransomware series:

Already been targeted? Here are the best recovery solutions to get your data back as quickly as possible.

Susnigdha Tripathy
Susnigdha Tripathy
Susnigdha Tripathy is a full-time writer and editor based in Singapore, and a regular contributor to Enterprise Networking Planet. She has over 10 years of experience writing, editing, and delivering exceptional content for a variety of international technology brands such as Virtasant, a cloud technology company, and Krista Software, a provider of intelligent automation solutions. She has also appeared in ServerWatch and other industry publications.

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Latest Articles

Follow Us On Social Media

Explore More