What is Ransomware-as-a-Service (RaaS)?

Ransomware has become one of the most effective cyberattack methods in recent years. In this type of malware attack, cybercriminals take files hostage via encryption and withhold the decryption key until the victim pays a ransom. While there are many ways to protect yourself against ransomware attacks, Ransomware-as-a-Service (RaaS) has made these attacks more sophisticated than ever. Even the least tech-savvy criminals can carry out attacks successfully, which is why it’s important to understand what RaaS is, how it works, and how to protect yourself from it.

What is Ransomware-as-a-Service?

RaaS is a business model in which ransomware developers—or ransomware operators—rent out malicious software to other cybercriminals known as ransomware affiliates. In this way, RaaS is similar to Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS).

Rather than buying software or setting up infrastructure, bad actors can buy in with a one-time fee or use a pay-per-use model. RaaS has grown in popularity among cyber attackers in recent years because of its ease of use.

This business model creates a unique opportunity for cybercriminals to make money without doing any grunt work to build malware tools. Not only does purchasing a RaaS kit mean less work, but it also gives bad actors access to sophisticated tools without having extensive programming experience or technical skills. This has resulted in a massive increase in attacks explicitly designed to extort money from RaaS victims.

Ransomware vs. Ransomware-as-a-service

Ransomware is a malware payload that encrypts an individual’s or organization’s data, often with solid encryption, then demands payment in return for providing a decryption key. When an individual has their data encrypted by ransomware, they are usually required to pay a ransom fee using Bitcoin or another digital currency to decrypt and regain access to their files.

Ransomware attacks have only multiplied by being made available as a service on underground forums, where cybercriminals can buy both malware code and turnkey attack-as-service operations.

The fundamental differences between both types of operations are minor; in either case, a criminal operator holds the victim’s data hostage while demanding money from them. With traditional ransomware attacks, there is no intermediary between victims and attackers; however, with RaaS, an attack operator provides the platform while the affiliate executes the attack.

How does RaaS work?

Technically speaking, RaaS doesn’t work the same way that traditional ransomware does. RaaS typically involves three parties:

  • The RaaS operator, who provides ransomware using the software-as-a-service model
  • The affiliates, who use and spread the malware
  • The victims, who get locked out of their data until they pay a specific amount of money to receive the decryption key

The affiliates can purchase and deploy ready-made, sophisticated RaaS software against unsuspecting individuals or organizations around the world at little cost and without needing programming skills. This software can be leased or purchased from malware developers looking to make a profit or looking to commission the tools as part of a service.

RaaSberry is one example of a RaaS program. Using RaaSberry, customers (affiliates) pay $60 per month for full use of the ransomware features, including a 250KB “unique EXE” (with both the encryptor and decryptor), free support, multi-OS compatibility, and other features such as task manager disabler, mutex, and delayed start.

RaaS revenue models

As with any crime business model, there are multiple methods of monetizing RaaS. The four RaaS revenue models include:

  • Monthly subscription: This model relies entirely on recurring revenue via monthly subscriptions; affiliates pay a certain amount of money each month to use the service and receive updates on new features and improvements. 
  • Affiliate program: Many RaaS providers utilize commission-based affiliate programs to generate profit while creating more sophisticated tools. 
  • One-time license fee: The same way consumers are used to purchasing software, some RaaS products are sold outright as a single payment upfront without any additional costs unless affiliates choose to upgrade later on. 
  • Profit-sharing: Profits are shared between operators and affiliates depending on the arrangement they agree upon during setup.

Latest TechRepublic RaaS news: Ransomware-as-a-service business model takes a hit in the aftermath of the Colonial Pipeline attack

Who uses RaaS?

In its most common form, RaaS can be used by anyone with malicious intentions. RaaS software enables even non-technical people to create and manage ransomware attacks without technical knowledge or skills. Cybercriminals who don’t have the resources to develop their own ransomware kits also use RaaS kits to launch attacks. 

Cybercriminals typically use RaaS to go after financially viable targets. This means businesses and individuals who possess significant amounts of sensitive data have been targeted en masse in recent years.

The rise of RaaS

The use of RaaS has been on an upward swing for several years now. Reports of cyberattacks delivered via RaaS have increased every year, showing that cybercriminals are more interested in using ransomware as their primary attack vector than they have ever been before.

With thousands of people working across dozens of networks worldwide at any given time, ransomware has become one of the most profitable forms of cybercrime. According to the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), suspicious ransomware-related transactions reached roughly $590 million between January and June in 2021. The FinCEN report also stated that the top 10 hacking groups had trafficked around $5.2 billion worth of Bitcoin over the past three years.

Examples of RaaS attacks

REvil and DarkSide are two RaaS operators behind some of the biggest RaaS attacks in recent history. These attacks have shaped public discourse and global legislation around ransomware and cybersecurity more broadly. They have also illuminated potential weaknesses that businesses must address to avoid becoming the next ransomware victim.


On July 2, 2021, several managed service providers (MSPs) and their clients were victims of a ransomware attack by the REvil group, resulting in severe outages for over 1,000 businesses. The REvil ransomware group claimed responsibility for the attack, claiming to have encrypted over one million devices during the event.

They first demanded a $70 million ransom payment to provide a universal decryptor to unlock all impacted computers. Kaseya said that on July 5, 2021, the attack affected between 800 and 1,500 downstream businesses.

REvil was also responsible for a RaaS attack that targeted JBS Foods, a Brazilian meat processing company, on May 30, 2021. As a result of the attack, the company’s facilities in the United States, Canada, and Australia were rendered inoperative. JBS paid an $11 million worth of Bitcoin ransom to the hacking group. 


The Colonial Pipeline ransomware attack on May 7, 2021, led to a voluntary shutdown of the main pipeline supplying 45 percent of fuel to the East Coast of the United States. The Federal Bureau of Investigation found DarkSide to be the perpetrator. The attack on key infrastructure in the United States was considered the worst ever with DarkSide successfully extorting Colonial Pipeline for 75 bitcoin, valued at almost $5 million.

Later the same month, DarkSide then launched another attack on the North American unit of Brenntag, a chemical distribution company. DarkSide first demanded a 133.65 bitcoin ransom, about $7.5 million. After several days of negotiations, Brenntag and DarkSide reached an agreement, with Brenntag paying out $4.4 million in Bitcoin in exchange for the decryptor.

How can you prevent Ransomware-as-a-Service attacks?

The first step in preventing your organization from being affected by RaaS attacks is ensuring your security measures are up to date. Cybercriminals often exploit vulnerabilities, such as outdated operating systems or default configurations, so maintaining regular patches and antivirus software can effectively deter.

To create an extra layer of protection, you may also want to consider investing in real-time monitoring tools that will alert you if they detect suspicious activity on your servers. This proactive strategy can help your IT staff spot suspicious activities and take necessary action before damage occurs. As with most business matters, prevention and risk management go hand-in-hand when combating RaaS attacks.

As a last resort, consider cyber liability insurance. Cyber risk insurance protects you from losses caused by a large-scale cyberattack or other data breach. It can also cover theft of customer records, unauthorized use of your computing resources, denial-of-service attack liability, and legal costs for handling data breaches. And some policies even help out in cases where an employee’s negligence leads to a security problem.

Read next: How to Prevent Ransomware Attacks

Aminu Abdullahi
Aminu Abdullahi
Aminu Abdullahi is an award-winning public speaker and a passionate writer. He writes to edutain (Educate + Entertain) his reader about Business, Technology, Growth, and everything in between. He is the coauthor of the e-book, The Ultimate Creativity Playbook. Aminu loves to inspire greatness in the people around him through his actions and inactions.

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Latest Articles