An Emerging Security Threat: Ransomware-as-a-Service

Cybercriminals have turned malicious software into a booming business operation through ransomware-as-a-service.

Ransomware has been around for several decades, causing havoc for individuals and businesses worldwide. In recent years, ransomware has become more common, professionalized, and sophisticated than ever before. Hackers have become more advanced in their attack methods and have begun selling ransomware to other cybercriminals as a service.

In May 2021, ransomware found its way into the infrastructure of the Colonial Pipeline computer system. This attack caused a full shutdown of the pipeline. The impact generated a full disruption of fuel operations and availability for many living in the Eastern United States. It was determined to be part of a ransomware-as-a-service (RaaS) operation.

RaaS is a recent trend where malicious groups offer their malware programs to affiliates for a fee. The RaaS model has been built with the intent to mimic the software-as-a-service (SaaS) model only with more malicious objectives. Continue reading to learn more about how this growing cyberthreat works, examples of RaaS entities, and how you can protect yourself from RaaS.

Differentiating ransomware from ransomware-as-a-service

Cybercriminals use many different types of malicious software to steal information and extort victims. Ransomware is a kind of malware that installs on computers and locks users out until they pay a ransom with a credit card, Bitcoin, or another form of cryptocurrency. The goal of ransomware is to restrict access to a user’s system or data until they pay to regain access.

Notably, not all malware used by hackers is developed into ransomware and not all malicious software is developed into ransomware-as-a-service. Ransomware services allow users to create their own ransomware without having to build it entirely from scratch. Envision it as similar to an SaaS product in that the ransomware program is the product, and the RaaS is the service selling that product to users.

How does RaaS work?

Ransomware as a service (RaaS) is a cloud-based platform that allows users to build and buy ransomware. The most common way an RaaS operates is that a developer will sell access to their ransomware online through sites like Black Market Reloaded, AlphaBay, or dark web forums. The buyer pays the distributors upfront based on their payment or fee structure.

Many RaaS distributors also offer a monthly subscription via a monthly fee or profit sharing for the affiliates. The purchaser then waits for the software to be provided and is given instructions on how to use it.

Most RaaS operators use a unique algorithm to encrypt files and send them back to the user purchasing the ransomware. RaaS also includes an administrative panel where the creators can view statistics about how their ransomware is being used by purchasers. These details are valuable to the RaaS creators because they can use them for future virus developments or target specific organizations to maximize the earnings from ransom payments.

Once users purchase their copy of ransomware, it is transferred via email. From there, users can configure what types of files should be encrypted by the program and set up an email account to which victims can submit their ransom demands.

Most ransomware engineers will include a set of instructions with their software that explains how to configure it. This usually involves editing a text file and adding in some information about where encrypted files are stored as well as the email address that receives the payment demands from victims. Many RaaS models also guide buyers on how to conduct phishing or social engineering attacks to deploy their ransomware on victims.

RaaS revenue models

Buying or leasing access to the ransomware software from the original creator is the standard selling structure of most RaaS distributors. They then distribute ransomware, which allows buyers to use it on their own computers or across their network. Purchasers then have complete control over how many files they want encrypted and how much money they will charge victims for them to get their data back.

RaaS kits range in price from roughly a few hundred dollars to thousands of dollars. The RaaS operators often set the price based on an affiliate or subscription fee, profit sharing, one-time payment, or a flat fee for others to purchase their software. For instance, if a buyer wants to charge victims $2,000 to regain access to their system, they can split that profit with the RaaS distributors or net the profit minus the expenses of the fee.

The payout of the RaaS kit can also be highly lucrative for both the distributor and the purchaser. This is in part because the return on their investment in the product can be high depending on how many victims are targeted and the monetary amount of ransoms collected.

This has led to these malicious groups turning ransomware's profitability into a full business entity. Similar to SaaS businesses, ransomware developers can build successful software once and continue to earn revenue from it through multiple pathways. Notably, many RaaS distributors often also mirror the structure of a legitimate technology company with dedicated websites for customer support, supporting forums, reviews, and more.

Examples of RaaS threats

There has been a distinct increase in ransomware cyberattacks over the past several years. This could be due to the easier accessibility of ransomware for purchase, which is offered to more novice cybercriminals. According to IT security company Sophos, the average ransomware cost for businesses worldwide is close to $1.4 million annually.

As RaaS becomes more common among many cybercriminals, that number will likely continue to increase. Currently, there are several threat actor groups that are among the main ransomware operators that distribute their software to other hackers. Below are the more widely known threat groups that sell RaaS.


The malicious group REvil, also known as Sodinokibi, is a Russian-based ransomware gang that runs an RaaS toolkit operation. The ransomware gang has been active since initial chatter with the hackers began in 2019. They have conducted a multitude of attacks on individuals and businesses, including a high-profile attack in 2021 on CNA Financial.

The core members of this group maintain and provide the ransomware payload. They also host the victim data leak/auction site, facilitate victim communication, provide payment services, and distribute the decryption key to purchasers. The group focuses on leveraging hackers for hire, referred to as affiliates, in order to conduct the breach, steal target data, delete backups, and infect victims’ systems with ransomware for a share of the proceeds.


DarkSide has become a notable threat group over the past few years. Most notably, they orchestrated the attack on the Colonial Pipeline in May 2021. This ransomware gang offers its RaaS to affiliates for a percentage of the profits.

The ransomware built and sold to their affiliates utilizes phishing and remote desktop protocol (RDP) abuse and exploits known vulnerabilities to gain initial access. The group also uses standard, legitimate tools throughout the attack process to remain undetected and obscure the attack.


Ryuk is a family of ransomware that originally appeared in 2018. According to security SaaS company Trend Micro, Ryuk is a malicious software program that is believed to be the product of an RaaS operator named Wizard Spider. The threat group that operates the Ryuk RaaS toolkit is said to specifically target businesses, hospitals, and government institutions with their attacks.

Experts have advised that this ransomware is derived from an older version of the Hermes ransomware, which was developed by the same gang. The main attack methods of this service are phishing emails that facilitate user entry into systems.

Once the user clicks on the phishing email, the ransomware downloads additional malware elements called droppers onto the operating system. From there, the ransomware secures and encrypts files that lock users out of their data unless they pay a ransom to regain access.


LockBit is one of the oldest ransomware groups that has been operational since at least 2019. Their malicious software self-propagates, making it easier for even novice technical people to purchase and deploy it.

The main targets of this ransomware have been the healthcare, professional services, and government sectors. LockBit’s RaaS operators require purchasers to put a deposit down for the use of custom for-hire attacks and profit under an affiliate program. Ransom payments are then divided between the LockBit developer team and the attacking affiliates.

More recently, LockBit released a bug bounty program for 2022, giving developers an opportunity to fix bugs with their ransomware for a flat payout. According to, the first payout of the new bug bounty program was completed on July 6, 2022. This $50,000 bounty from LockBit helped further strengthen the encryption, ensuring victim payout.


Similar to many other RaaS distributors, Maze first began surfacing in 2019. One of their more notable attacks was when they breached the system of the printing company Xerox. This ransomware program was originally facilitated by hackers via malicious email attachments.

As the group has evolved, its ransomware point of origin now commonly attempts to use stolen or guessed RDP credentials to infiltrate a network. Other attack points have begun by compromising a vulnerable virtual private network (VPN) server.
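Stolen or guessed RDP credentials, named above as an entry point for both DarkSide and Maze, leave a recognizable trail in Windows logon events: a burst of failures from one address followed by a success. The following detection sketch is an added example, not part of the original article; the CSV export layout, the sample events, and the thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events exported as CSV (assumed layout).
# 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); 3 = Network, which is how RDP
# failures are logged when Network Level Authentication is enabled.
SAMPLE_EVENTS = """time,event_id,logon_type,source_ip,account
2024-01-10T02:14:01,4625,3,203.0.113.45,administrator
2024-01-10T02:14:09,4625,3,203.0.113.45,admin
2024-01-10T02:14:20,4625,3,203.0.113.45,backup
2024-01-10T02:14:41,4625,3,203.0.113.45,svc_backup
2024-01-10T02:15:02,4625,3,203.0.113.45,svc_backup
2024-01-10T02:15:30,4625,3,203.0.113.45,svc_backup
2024-01-10T02:16:30,4624,10,203.0.113.45,svc_backup
2024-01-10T08:59:50,4625,10,198.51.100.7,jsmith
2024-01-10T09:00:05,4624,10,198.51.100.7,jsmith
2024-01-10T09:05:00,4624,2,-,jsmith
"""

# Type 3 also covers other network logons (e.g. file shares), so run this
# against logs from hosts that expose RDP.
RDP_LOGON_TYPES = {"3", "10"}

def find_guessed_rdp_logons(csv_text, min_failures=5, window=timedelta(minutes=10)):
    """Flag a successful remote logon that follows at least min_failures
    failed logons from the same source IP within the time window."""
    failures = defaultdict(list)   # source_ip -> timestamps of failed logons
    alerts = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        if row["logon_type"] not in RDP_LOGON_TYPES:
            continue               # ignore local/console logons
        ts = datetime.fromisoformat(row["time"])
        ip = row["source_ip"]
        if row["event_id"] == "4625":
            failures[ip].append(ts)
        elif row["event_id"] == "4624":
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"source_ip": ip, "account": row["account"],
                               "failures": len(recent), "success_time": row["time"]})
            failures[ip].clear()   # a success resets the count for this source
    return alerts

if __name__ == "__main__":
    for alert in find_guessed_rdp_logons(SAMPLE_EVENTS):
        print(alert)
```

The single mistyped password from 198.51.100.7 stays below the threshold, while the six failures across several account names from 203.0.113.45 followed by a success are reported.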

How to protect yourself from RaaS attacks

With ransomware and RaaS becoming an increasing threat to individuals and businesses, it may seem challenging to stay protected online. However, it is possible to protect yourself from ransomware threats. Here are some simple ways you can protect yourself from RaaS attacks and ensure you are staying safe online as well:

  • Invest in antivirus or anti-malware software to run regular system checks for malicious software on your system.
  • Avoid clicking on or following links sent via email from unrecognized or unconfirmed sources.
  • Refrain from opening any attachments sent in an email if you do not know the sender.
  • Utilize the spam filter with your email provider and report any phishing emails you receive.
  • Schedule regular system and device backups in the event of a possible compromise.
  • Ensure your software and firmware are up to date with the latest manufacturer release.
  • Protect your passwords by utilizing hard-to-crack password combinations or using a password manager.
  • In the event of a ransomware attack, research and source a malware removal tool.
  • Keep social media accounts private, if possible.
  • Abstain from sharing too much personally identifiable information on websites or social media.



What is malware as a service?

Malware-as-a-service (MaaS) relates to the illegal use of software and hardware for cyberattacks. Owners of MaaS servers offer threat actors a paid botnet service that distributes malware. The clients of this service are often provided with access to a personal account on an online platform. Their account will allow them to manage the attack as well as get technical assistance if needed.


Can ransomware affect software as a service?

Cybercriminals can use software-as-a-service (SaaS) applications to sell or lease out malicious software (malware) to others. RaaS malware is the product that RaaS distributors sell to their affiliates. It can easily infect both on-premise and cloud SaaS applications resulting in the loss of critical data from vital SaaS applications.


Is ransomware-as-a-service illegal?

Any involvement with ransomware-as-a-service is illegal. It is illegal to build, develop, and deploy malicious software with the intent to steal information, cause damage, or disrupt services. This also includes buying RaaS kits on the dark web to cause harm by transmitting unwanted code to victims and extorting ransom from them.

Bottom line

Ransomware-as-a-service is a relatively recent development in the cybercrime world. It's become an easy way for cybercriminals to get into ransomware and use it to make money by selling access to these attacks.

RaaS has made it easier than ever for both high-level and low-level cybercriminals to use ransomware tools for extortion. Since this type of malware is so easy to create and distribute, it also makes it highly lucrative for affiliates and distributors alike.

While ransomware will continue to be a threat to individuals and businesses, you can still take cybersecurity measures to protect your information online. Learn more on how to manage your Windows settings to ensure better computer security.

Author Details
Amanda is a technical content writer based in Illinois, USA. She has a Master of Science in Cybersecurity. After years of working in the tech and cybersec field, she pivoted her career to content marketing and writing within these industries.