Ransomware-as-a-Service (RaaS)
Definition
Ransomware-as-a-Service (RaaS) is a criminal business model where ransomware developers rent their malware, infrastructure and supporting services to other cybercriminals (affiliates) who execute the actual attacks. RaaS has democratised ransomware: even attackers without technical expertise can now execute devastating attacks, which has led to explosive growth in ransomware attacks.
How does RaaS work?
The RaaS model operates as a criminal franchise. The developer (operator) provides the ransomware software, encryption/decryption platform, C2 infrastructure, victim negotiation portals and sometimes even a helpdesk. The affiliate executes the attack: network penetration, lateral movement, data exfiltration and ransomware deployment. Revenue is split: typically 70-80% for the affiliate and 20-30% for the operator.
Notable RaaS groups
LockBit was the most active RaaS operation until its 2024 takedown, responsible for thousands of attacks. BlackCat (ALPHV) introduced innovations like cross-platform ransomware. Cl0p specialised in exploiting zero-day vulnerabilities in file transfer software.
Double and triple extortion
Modern RaaS operations combine several forms of extortion. Double extortion pairs encryption with data theft and the threat of publication. Triple extortion adds DDoS attacks or direct contact with the victim's clients as additional leverage.
Impact on organisations
RaaS has drastically lowered the barrier to entry for ransomware attacks. NIS2 requires adequate protection and mandatory reporting of ransomware incidents.
Protection
Implement layered protection: EDR/XDR, network segmentation, offline backups, MFA and patch management. Prepare an incident response plan with specific ransomware procedures. Consider an incident response retainer.
How DEFION helps
DEFION provides 24/7 incident response for ransomware attacks via a DFIR retainer. MDR detects ransomware activity before encryption occurs. Tabletop exercises prepare teams for ransomware scenarios.