Ransomware-as-a-Service: How It Works and How to Defend Against It
Ransomware-as-a-Service transformed ransomware from a technical criminal skill into a scalable business model. The ransomware developer builds the malware and negotiation infrastructure, then licenses it to affiliates who handle the actual intrusions. Initial access brokers sell network footholds to affiliates. Cryptocurrency mixers launder payments. Data leak sites coerce victims. Each role in the ecosystem is specialized, which is why the model is so resilient to law enforcement disruption of any single group.
The RaaS Business Model
RaaS operates like a software franchise. The core developer group (often called the operator or core team) builds and maintains the ransomware payload, the victim negotiation portal, and the data leak infrastructure. Affiliates pay a percentage of ransom proceeds (typically 20 to 30 percent) to the operator in exchange for access to the malware and support services. The affiliate handles the entire intrusion: gaining initial access, moving laterally, exfiltrating data for double extortion, and deploying the encryptor. Some RaaS operations provide affiliates with playbooks, technical support, and even negotiation assistance. LockBit, BlackCat/ALPHV, and Cl0p operated this model at industrial scale before law enforcement disruption.
Initial Access Brokers
Initial access brokers (IABs) are the supply chain of the ransomware ecosystem. They specialize in compromising organizations and selling the access (typically valid VPN credentials, Remote Desktop Protocol access, or persistent webshell access) on criminal forums rather than monetizing the access themselves. A single IAB may sell hundreds of network accesses per month. RaaS affiliates purchase accesses that match their targeting criteria (industry, revenue size, country) and begin lateral movement from the purchased foothold. IAB activity is an early warning indicator: monitoring dark web forums and threat intelligence feeds for your organization's assets being sold as access listings can provide days or weeks of warning before ransomware deployment.
Double and Triple Extortion
Modern RaaS operations combine multiple pressure mechanisms. Double extortion exfiltrates data before the encryptor runs, then threatens to publish the stolen data on a leak site if the ransom is not paid. This coerces organizations with good backups who might otherwise restore without paying. Triple extortion adds a third pressure: contacting the victim organization's customers, partners, or regulators directly and threatening to notify them of the breach unless payment is made. Some groups also conduct DDoS attacks against the victim's public infrastructure to amplify pressure. Cl0p's MOVEit campaign in 2023 was a triple extortion operation at massive scale, targeting over 2,700 organizations through a single vulnerability in a file transfer product.
The Attack Chain
Most RaaS intrusions follow a recognizable pattern across affiliates, because affiliates use shared tooling and follow operator-provided playbooks:
Initial access
Phishing emails, exploitation of internet-facing vulnerabilities (VPN appliances, file transfer software, Exchange servers), or purchased IAB access. Common targets: Fortinet SSL VPN, Citrix NetScaler, MOVEit Transfer, Confluence, Exchange.
Persistence and discovery
Deploy Cobalt Strike, Sliver, or Brute Ratel C2 beacons. Run BloodHound/SharpHound for Active Directory enumeration. Identify backup infrastructure, security tools (EDR), and domain controllers.
Lateral movement and privilege escalation
Pass-the-Hash, Kerberoasting, DCSync attacks against domain controllers. Target domain admin and backup admin accounts specifically.
Data exfiltration
Stage and exfiltrate sensitive data to attacker-controlled cloud storage (Mega.nz, Amazon S3, rclone to SFTP). Focus: customer PII, financial records, legal documents, and IP.
Defense evasion
Disable or uninstall EDR using legitimate admin tools. Delete volume shadow copies (VSS) to prevent snapshot-based recovery. Disable Windows Defender.
Encryption
Deploy ransomware payload to all enumerated systems simultaneously using Group Policy, PsExec, or WMIC. Encrypt domain controllers last to maximize encryption reach.
Defenses That Disrupt the Attack Chain
Effective ransomware defense targets multiple points in the chain rather than relying on any single control:
Patch internet-facing systems aggressively
VPN appliances, file transfer software, and remote access tools are the most common initial access vectors. CISA KEV catalog memberships for these product categories should trigger emergency patching within 24 hours.
Protect and isolate backups
Ransomware affiliates specifically target backup infrastructure. Air-gapped or immutable backups that cannot be deleted by compromised domain admin credentials are the most important resilience control.
Detect C2 beaconing
Cobalt Strike and Sliver C2 traffic has detectable patterns. DNS-based C2 detection, JA3 fingerprinting of TLS connections, and beacon timing analysis all surface active C2 in your environment.
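Beacon timing analysis is the one of these three techniques that needs nothing but connection logs. The following is an added example, not code from the original article: it groups outbound connections by (source, destination, port) flow and flags flows whose inter-connection intervals are almost constant, which is how a sleep-with-jitter implant looks next to a human browsing session. The log format, the sample records, and the thresholds (five events, coefficient of variation below 0.15) are assumptions chosen for the illustration and should be tuned against your own proxy or NetFlow data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log (not captured traffic): timestamp src dst dport.
# 10.0.0.5 checks in roughly once a minute with small jitter; 10.0.0.7 is irregular.
SAMPLE_LOG = """\
2025-03-01T10:00:00 10.0.0.5 203.0.113.10 443
2025-03-01T10:01:02 10.0.0.5 203.0.113.10 443
2025-03-01T10:02:01 10.0.0.5 203.0.113.10 443
2025-03-01T10:02:59 10.0.0.5 203.0.113.10 443
2025-03-01T10:04:00 10.0.0.5 203.0.113.10 443
2025-03-01T10:05:01 10.0.0.5 203.0.113.10 443
2025-03-01T10:00:00 10.0.0.7 198.51.100.20 443
2025-03-01T10:00:05 10.0.0.7 198.51.100.20 443
2025-03-01T10:03:40 10.0.0.7 198.51.100.20 443
2025-03-01T10:03:41 10.0.0.7 198.51.100.20 443
2025-03-01T10:09:00 10.0.0.7 198.51.100.20 443
2025-03-01T10:12:30 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport) flow, sorted by time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    for times in flows.values():
        times.sort()
    return flows


def intervals(times):
    """Seconds between consecutive connections of one flow."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_score(times):
    """Coefficient of variation of the intervals: near 0 means clock-like spacing."""
    gaps = intervals(times)
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(text, min_events=5, max_cv=0.15):
    """Flag flows with at least min_events connections spaced too regularly."""
    hits = []
    for flow, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        cv = beacon_score(times)
        if cv is not None and cv < max_cv:
            hits.append({
                "flow": flow,
                "events": len(times),
                "mean_interval_s": round(mean(intervals(times)), 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample data only the 10.0.0.5 flow is reported (six connections, mean spacing about 60 s, coefficient of variation about 0.02). In production, run this per flow over a rolling window of several hours, exclude known software-update and monitoring destinations, and treat a low score as a pivot point for JA3 and DNS review rather than as a verdict on its own.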
Alert on BloodHound execution
SharpHound (the BloodHound data collector) generates distinctive Active Directory queries that are detectable via Windows Event ID 4662 and LDAP query monitoring. This detection provides early warning of lateral movement reconnaissance.
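The practical signal in those 4662 events is volume: a collector touches far more distinct directory objects in a few minutes than any person or ordinary service does. The following added example (not the article's code) applies that heuristic to constructed 4662-style records. The record layout, the account names, and the alert threshold (50 distinct objects in a five-minute window) are assumptions; a real deployment would read the events from your SIEM and exclude the accounts of sanctioned scanners.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4662-style records (not real logs): (timestamp, account, object_name).
# CORP\jdoe touches two objects over half an hour; CORP\svc_sql touches 60 in one minute.
SAMPLE_4662 = [
    ("2025-03-01T09:00:00", "CORP\\jdoe", "CN=Printer01,OU=Printers,DC=corp,DC=local"),
    ("2025-03-01T09:30:00", "CORP\\jdoe", "CN=FileShare,OU=Servers,DC=corp,DC=local"),
] + [
    (f"2025-03-01T11:00:{i:02d}", "CORP\\svc_sql", f"CN=User{i:03d},OU=Staff,DC=corp,DC=local")
    for i in range(60)
]


def find_enumeration_bursts(records, window=timedelta(minutes=5), min_distinct=50,
                            allow_accounts=()):
    """Report accounts that access >= min_distinct different objects inside one window.

    Uses a straightforward per-event window scan (quadratic in events per account),
    which is fine for a batch job over a day's worth of events.
    """
    by_account = defaultdict(list)
    for ts, account, obj in records:
        if account in allow_accounts:
            continue
        by_account[account].append((datetime.fromisoformat(ts), obj))

    alerts = []
    for account, events in by_account.items():
        events.sort()
        best, best_start = 0, None
        for i, (start, _) in enumerate(events):
            seen = set()
            for t, obj in events[i:]:
                if t - start > window:
                    break
                seen.add(obj)
            if len(seen) > best:
                best, best_start = len(seen), start
        if best >= min_distinct:
            alerts.append({
                "account": account,
                "distinct_objects": best,
                "window_start": best_start.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration_bursts(SAMPLE_4662):
        print(alert)
```

The output names the account and the minute in which the burst began, which is exactly what an analyst needs to pull the process-creation events from the originating host and confirm whether a collector binary was involved. Tune the threshold against a baseline of your own directory: helpdesk tooling and backup agents can legitimately read many objects, and those accounts belong in `allow_accounts`.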
Protect VSS and backup services
Alert on any attempt to delete Volume Shadow Copies (vssadmin delete shadows, wmic shadowcopy delete) or stop backup services. This is almost exclusively a ransomware indicator.
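Because the shadow-copy commands above are spelled the same way on every host, this alert can be a small set of patterns over process-creation telemetry. The following is an added example, not code from the original article: it classifies Sysmon-style process events, matching the two deletion commands named above plus an attempt to stop a backup service, while letting benign `list` and `query` invocations through. The event field names, the sample events, and the `BACKUP_SERVICE_HINTS` list are assumptions; replace the hints with the real service names of your backup product.

```python
import re

# Each rule: (name, regex over the whitespace-normalized, lower-cased command line).
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
]

# Hypothetical placeholder: substrings identifying this organization's backup services.
BACKUP_SERVICE_HINTS = ("backup",)
SERVICE_STOP = re.compile(r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop)\s+\"?([^\s\"]+)")

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "vssadmin list shadows"},
    {"Computer": "FS02", "User": "CORP\\svc_deploy",
     "CommandLine": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"Computer": "FS02", "User": "CORP\\svc_deploy",
     "CommandLine": "wmic shadowcopy delete"},
    {"Computer": "FS02", "User": "CORP\\svc_deploy",
     "CommandLine": "net stop CorpBackupAgent"},
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "sc query vss"},
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "net stop Spooler"},
]


def normalize(cmd):
    """Collapse whitespace and lower-case so spacing or casing tricks do not dodge the rules."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def classify(event):
    """Return the matching rule name, or None if the command line is not of concern."""
    cmd = normalize(event.get("CommandLine", ""))
    for name, pattern in SHADOW_COPY_RULES:
        if pattern.search(cmd):
            return name
    m = SERVICE_STOP.search(cmd)
    if m and any(hint in m.group(1) for hint in BACKUP_SERVICE_HINTS):
        return "backup_service_stop"
    return None


def scan_events(events):
    """Produce one alert record per matching event."""
    alerts = []
    for event in events:
        rule = classify(event)
        if rule:
            alerts.append({"host": event["Computer"], "user": event["User"],
                           "rule": rule, "cmd": event["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Three of the six sample events fire, all from the same host and account, which is the grouping worth alerting on: one shadow-copy deletion may be an administrator cleaning up disk space, but deletion followed by a backup service stop on a file server is the pre-encryption sequence described in the attack chain above.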
Monitor dark web for your organization
Threat intelligence services that monitor ransomware leak sites and criminal forums provide early warning when your data is listed for sale or when your network access is being auctioned.
The To-Pay-or-Not-to-Pay Decision
The ransomware payment decision is a business decision made under extreme time pressure. Key considerations: paying does not guarantee data recovery (Coveware data shows 5 to 10 percent of paid ransoms result in non-functional decryptors), paying does not guarantee data deletion (threat actors may sell exfiltrated data regardless), ransomware payments may be prohibited if the group is OFAC-sanctioned (LockBit, Conti successors), and paying funds future attacks. Involve legal counsel and your cyber insurer before any payment decision. The FBI and CISA recommend against paying but do not prohibit it. If you are considering payment, engage a specialized ransomware negotiation firm before initiating contact with the threat actor.
The bottom line
RaaS is a business, and it can be disrupted by attacking its economics at multiple points. Patch internet-facing systems to eliminate IAB inventory, isolate backups to eliminate the leverage that makes ransomware effective, and detect C2 and lateral movement early to interrupt affiliate playbooks before encryption. No single control is sufficient; the defense has to be as layered as the attack chain.
Frequently asked questions
What is the most common initial access vector for ransomware attacks?
In 2025, the three dominant initial access vectors for ransomware are: (1) exploitation of internet-facing vulnerabilities in VPN appliances, file transfer software, and remote access tools (Fortinet, Citrix, MOVEit, Cleo), (2) phishing emails with malicious attachments or links that deliver a C2 loader, and (3) valid credentials purchased from initial access brokers who compromised accounts through phishing or credential stuffing. VPN and remote access exploitation has surpassed phishing as the leading vector for enterprise ransomware in several 2024-2025 threat reports.
How do I know if my organization's access is being sold on criminal forums?
Threat intelligence services including Recorded Future, Intel 471, Flare, and Kela monitor criminal forums and dark web markets for IAB listings and data breach advertisements. They alert when your organization's name, domain, or IP ranges appear in these listings. Some services also monitor paste sites and leaked credential databases. Proactive dark web monitoring is a meaningful early warning capability for organizations that can afford the subscription cost.
Does cyber insurance cover ransomware payments?
Many cyber insurance policies cover ransom payments, but coverage has become significantly more restrictive since 2021. Common conditions: the insurer must be notified before any payment, the insurer may direct you to a preferred negotiation firm, payments to OFAC-sanctioned entities are excluded, and policies increasingly require evidence of specific security controls (MFA, backups, EDR) for ransomware coverage to apply. Review your policy terms before an incident, not during one.
How do ransomware groups launder cryptocurrency payments?
Ransomware groups use layered cryptocurrency mixing to launder ransom payments: they split payments across multiple wallets, use decentralized exchanges (DEX) to swap between cryptocurrencies, run funds through mixers or tumblers that obscure transaction trails, and ultimately cash out through cryptocurrency exchanges in jurisdictions with weak KYC requirements or through peer-to-peer exchanges. Blockchain analytics firms (Chainalysis, TRM Labs) track these flows and have contributed to multiple law enforcement seizures of ransomware proceeds.
What should I do in the first hour of a suspected ransomware attack?
First hour priorities: (1) Do not reboot infected systems, as some ransomware variants encrypt on reboot or destroy forensic evidence. (2) Isolate affected systems from the network by disconnecting network cables or disabling network adapters at the switch level. (3) Identify the blast radius: which systems are affected, which are not, is the domain controller compromised. (4) Notify your incident response retainer or engage an IR firm immediately. (5) Notify your cyber insurer. (6) Preserve evidence: take memory snapshots if your EDR supports it. (7) Begin assessing backup integrity from an isolated system.
Which ransomware groups are currently active?
The ransomware landscape changes rapidly as groups are disrupted and rebrand. As of mid-2026, active major RaaS operations include RansomHub (emerged after the LockBit disruption), Akira, Black Basta, and various Cl0p affiliates. LockBit was significantly disrupted by Operation Cronos in 2024, but remnants continue to operate. ALPHV/BlackCat performed an exit scam in 2024. Track currently active groups and affiliate activity through CISA's #StopRansomware advisories, Ransomwatch, and commercial threat intelligence feeds.
Sources & references
- Mandiant M-Trends 2025
- CrowdStrike 2025 Global Threat Report
- Coveware Ransomware Quarterly Report Q4 2025
- FBI IC3 Internet Crime Report 2025
- CISA #StopRansomware Advisories
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.