What is Ransomware as a Service (RaaS)? How the Criminal Model Works
Ransomware as a Service (RaaS) is a criminal business model that separates ransomware development from ransomware deployment, enabling people with little to no technical skill to conduct sophisticated ransomware attacks. A RaaS developer builds and maintains the malware, the encryption infrastructure, the victim negotiation portal, and the data leak site. Affiliates, paying customers who rent access to this infrastructure, conduct the actual intrusions and deploy the ransomware. Revenue is split, typically 70-80% to the affiliate and 20-30% to the RaaS developer.
This model industrialized ransomware. Before RaaS, ransomware attacks required coding skill and infrastructure knowledge. With RaaS, anyone who can conduct an initial access intrusion can launch enterprise ransomware attacks. The result has been an explosion in attack volume, target breadth, and ransom demands.
How the RaaS Criminal Model Works
RaaS operations function as professional criminal businesses. Developers maintain the core technology: the ransomware binary, the key management infrastructure (per-victim decryption keys are held on operator-controlled servers, so nothing on the victim's own systems allows recovery), the victim negotiation portal (a Tor hidden service where victims communicate with attackers), and the data leak site (where stolen data is published if victims refuse to pay).
Affiliates are recruited through darknet forums. They either pay a subscription fee or receive the ransomware for free in exchange for a percentage of each ransom. To maintain quality and avoid unwanted attention, some RaaS groups screen affiliates: requiring demonstrated intrusion capability, ruling out attacks on healthcare or critical infrastructure (to reduce law enforcement pressure), and prohibiting attacks in certain geographies (typically Russia and neighboring countries, where the developers are based).
When an affiliate successfully deploys the ransomware, the decryption key for that victim is held on the developer's key management server and released only after the ransom is paid. Victims who pay receive a decryptor. Victims who do not pay within a deadline have their stolen data published. This double extortion model (ransomware plus data theft) emerged around 2019 and is now standard practice for sophisticated groups.
The RaaS Attack Chain
RaaS attacks follow a consistent playbook that has been documented across hundreds of incident response cases.
Initial access is obtained via phishing emails targeting credentials or delivering loaders, exploitation of internet-facing vulnerabilities (VPN appliances, remote desktop services, and unpatched web applications are consistently targeted), or purchasing access credentials from initial access brokers who specialize in selling footholds to other criminals.
Post-compromise, the affiliate conducts network reconnaissance, escalates privileges (commonly via Kerberoasting, credential dumping from LSASS, or abuse of misconfigured Active Directory delegation), and obtains domain admin rights. Dwell time in this phase is typically days to weeks before encryption begins.
Data exfiltration precedes encryption. Affiliates stage and exfiltrate valuable data to cloud storage (Mega, AWS S3) before deploying the ransomware, ensuring the double extortion threat is credible.
Deployment of the ransomware encryptor is the final stage. Sophisticated operators push the encryptor through legitimate administrative mechanisms (PsExec, Group Policy, Windows admin shares) to all reachable systems at once, maximizing damage before defenders can respond.
Key RaaS Groups Operating Today
LockBit was the most prolific RaaS operation from 2022 through early 2024, claiming more than 2,000 victims before the law enforcement disruption of its infrastructure in February 2024. The group resumed operations on new infrastructure within days, still distributing LockBit 3.0 (the version in use since 2022).
Cl0p (associated with TA505) distinguished itself through mass exploitation of zero-day vulnerabilities in managed file transfer products: Accellion FTA (2021), GoAnywhere MFT (2023), and MOVEit Transfer (2023). In these campaigns Cl0p deployed no encryptor at all, relying on data theft and extortion alone and hitting hundreds of organizations simultaneously from a single vulnerability.
ALPHV/BlackCat operated a technically advanced Rust-based ransomware with cross-platform (Windows, Linux, VMware ESXi) capability. The FBI seized its infrastructure in December 2023; the group briefly resumed, then shut down in March 2024 after withholding an affiliate's share of the Change Healthcare ransom, with its operators and affiliates moving on to other brands.
Dark Angels and Hunters International are among the active groups as of 2025. The RaaS ecosystem is fluid: groups are disrupted by law enforcement, rebrand, or have their source code leaked and reused by competitors. Tracking specific group attribution matters less than understanding the consistent TTPs the model produces.
Defenses That Actually Reduce RaaS Risk
Given the RaaS attack chain, the most effective defenses address the consistent entry points and dwell-time activities across groups.
For initial access: phishing-resistant MFA (FIDO2/WebAuthn or certificate-based) on all remote access and email accounts removes stolen passwords as an entry vector, including against proxy-based phishing kits that defeat one-time codes. Timely patching of internet-facing systems (VPN appliances, web applications, remote desktop) reduces exploitation exposure. External attack surface monitoring identifies exposed services before attackers do.
For lateral movement and privilege escalation: tiered Active Directory administration (no accounts with both domain admin rights and email access), Kerberoasting detection in your SIEM, and LSASS protection via Credential Guard and LSA protection (RunAsPPL) significantly raise the difficulty of reaching domain admin.
For dwell time detection: EDR behavioral detection for the tools affiliates consistently use (Cobalt Strike, AnyDesk, Rclone for exfiltration, Volume Shadow Copy deletion) surfaces intrusions during the reconnaissance phase rather than at encryption. Network monitoring for anomalous data egress detects exfiltration before ransom demands arrive.
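The three dwell-time indicators named above (the Kerberoasting burst from the privilege escalation stage, shadow copy deletion and Rclone use, and bulk egress to a single external host) are simple enough to express as detection logic. The block below is an added example written for this article, not code from any vendor or SIEM. The event records are constructed samples loosely modelled on Windows Security Event 4769, Sysmon Event 1 and NetFlow summaries; the field layout, host names, account names, IP addresses and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address


def ts(s):
    return datetime.fromisoformat(s)


# Constructed 4769 (Kerberos service ticket request) events:
# (time, requesting account, target SPN, ticket encryption type)
KERB_EVENTS = [
    (ts("2025-03-01T09:00:01"), "jsmith", "MSSQLSvc/db01", "0x12"),
    (ts("2025-03-01T09:00:02"), "contractor7", "MSSQLSvc/db01", "0x17"),
    (ts("2025-03-01T09:00:02"), "contractor7", "HTTP/web01", "0x17"),
    (ts("2025-03-01T09:00:03"), "contractor7", "CIFS/fs01", "0x17"),
    (ts("2025-03-01T09:00:03"), "contractor7", "exchangeMDB/mail01", "0x17"),
    (ts("2025-03-01T09:00:04"), "contractor7", "MSSQLSvc/db02", "0x17"),
    (ts("2025-03-01T11:30:00"), "legacyapp$", "MSSQLSvc/db01", "0x17"),
]

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC; current clients request AES (0x11/0x12)
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 4             # assumed; tune to your environment


def detect_kerberoasting(events):
    """Flag accounts that request RC4 service tickets for many distinct SPNs
    within a short window. One legacy RC4 request is normal; a burst across
    many SPNs is the Kerberoasting pattern (tickets pulled for offline cracking)."""
    by_account = defaultdict(list)
    for t, account, spn, etype in events:
        if etype in RC4_ETYPES:
            by_account[account].append((t, spn))
    flagged = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= BURST_WINDOW}
            if len(spns) >= BURST_THRESHOLD:
                flagged[account] = len(spns)
                break
    return flagged


# Constructed Sysmon Event 1 (process creation) command lines: (host, cmdline)
PROC_EVENTS = [
    ("ws-042", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("fs01", r"vssadmin.exe Delete Shadows /All /Quiet"),
    ("fs01", r"wmic.exe shadowcopy delete"),
    ("fs01", r"rclone.exe copy D:\Finance mega:dump --transfers 32"),
    ("ws-042", r"bcdedit.exe /set {default} recoveryenabled No"),
    ("ws-043", r"C:\Program Files\Backup\vssadmin.exe list shadows"),  # benign
]

COMMANDLINE_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("rclone_exfil", re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]


def classify_process_events(events):
    """Return (host, rule name, cmdline) for every command line matching a rule.
    Matching on the verb ('delete shadows') rather than the binary name keeps
    routine 'vssadmin list shadows' from backup jobs out of the alert queue."""
    hits = []
    for host, cmdline in events:
        for name, pattern in COMMANDLINE_RULES:
            if pattern.search(cmdline):
                hits.append((host, name, cmdline))
                break
    return hits


# Constructed outbound flow summaries: (internal host, destination IP, bytes sent)
FLOWS = [
    ("fs01", "91.215.85.17", 48_000_000_000),   # ~48 GB to one external host
    ("ws-042", "8.8.8.8", 12_000_000),          # small, routine
    ("fs01", "10.0.0.5", 900_000_000_000),      # internal replication, ignored
]
EGRESS_THRESHOLD = 10 * 1024**3                 # 10 GiB, assumed


def detect_bulk_egress(flows, threshold=EGRESS_THRESHOLD):
    """Sum bytes per (host, external destination) and flag pairs over threshold.
    Internal destinations are skipped so backup and replication traffic does not alert."""
    totals = defaultdict(int)
    for host, dst, nbytes in flows:
        if ip_address(dst).is_global:
            totals[(host, dst)] += nbytes
    return {k: v for k, v in totals.items() if v >= threshold}


if __name__ == "__main__":
    print("Kerberoasting bursts:", detect_kerberoasting(KERB_EVENTS))
    for hit in classify_process_events(PROC_EVENTS):
        print("Process alert:", hit)
    print("Bulk egress:", detect_bulk_egress(FLOWS))
```

In a real deployment each detector would read from the SIEM rather than inline lists, and the egress check would be joined against a destination allowlist (known SaaS ranges, backup providers) before alerting. The point is that all three indicators precede encryption by days, which is the window these controls buy.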
For impact limitation: offline or immutable backups, isolated from domain credentials and regularly tested for restoration, are the only reliable recovery option once encryption succeeds. Network segmentation limits the blast radius of a successful deployment.
The bottom line
RaaS succeeded by lowering the technical barrier for ransomware attacks while professionalizing the criminal support infrastructure. The consistent attack chain it produces (initial access via phishing or vulnerability exploitation, domain compromise, data exfiltration, then encryption) means defenders can prioritize specific controls that address each stage rather than trying to prevent every possible attack. Phishing-resistant MFA, timely patching, EDR behavioral detection, and offline backups are the controls with the highest consistent impact against the RaaS model.
Frequently asked questions
Should companies pay ransomware demands?
The FBI and CISA recommend against paying ransoms, as payment funds criminal operations and does not guarantee data recovery or the non-publication of stolen data. Practically, the decision depends on whether viable backups exist, the business impact of downtime, and whether the stolen data creates regulatory or liability exposure. Organizations should make this decision with legal counsel before an incident, not under pressure during one. Paying does not remove extortion risk: some groups re-extort victims months after initial payment.
What is double extortion in ransomware?
Double extortion is the RaaS tactic of combining file encryption with data theft. Attackers steal sensitive data before deploying the encryptor, then threaten to publish it on a public leak site if the ransom is not paid. This creates extortion pressure even for organizations with working backups, since restoring from backup does not prevent the publication of stolen customer data, intellectual property, or regulated information.
Can ransomware be decrypted without paying?
Occasionally. Law enforcement operations have seized RaaS infrastructure and published decryption keys for victims. The No More Ransom project (nomoreransom.org) maintains a repository of free decryptors for specific ransomware families. However, for active, sophisticated RaaS groups, decryption without the attacker-controlled key is not currently feasible. Organizations that restore from backup rather than paying are not 'decrypting' encrypted files; they are replacing them with unencrypted copies from before the attack.
What is the difference between ransomware and RaaS?
Ransomware is the malware category: software that encrypts victim files and demands payment for the decryption key. Ransomware as a Service is the distribution and business model: a criminal marketplace where ransomware developers license their tools to affiliate operators who conduct the actual attacks. Not all ransomware is deployed via RaaS (some groups use their own tools exclusively), but the majority of enterprise ransomware incidents today trace to RaaS affiliate operators.
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
