Ransomware-as-a-Service (RaaS)
What is Ransomware-as-a-Service (RaaS)?
Ransomware-as-a-Service (RaaS): A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
Ransomware-as-a-Service mirrors legitimate SaaS: a core group develops the encryptor, leak site, negotiation portal, and affiliate panel, while affiliates handle initial access and intrusion in exchange for a percentage of paid ransoms (commonly 60–80%). The model has industrialised ransomware, lowering the technical bar to entry and enabling double or triple extortion through data theft, DDoS, and harassment of victims. Notable RaaS programs include LockBit, ALPHV/BlackCat, Conti, and REvil. Defences focus on breaking the affiliate kill chain at its early stages: phishing and exposure reduction, MFA, EDR, network segmentation, immutable backups, fast detection of staging tools, and well-rehearsed incident response and recovery plans.
● Examples
- LockBit affiliates encrypting enterprise networks for a share of the ransom.
- ALPHV/BlackCat providing a Rust-based encryptor and leak site to recruited operators.
● Frequently asked questions
What is Ransomware-as-a-Service (RaaS)?
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds. It belongs to the Malware category of cybersecurity.
What does Ransomware-as-a-Service (RaaS) mean?
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
How do you defend against Ransomware-as-a-Service (RaaS)?
Defences for Ransomware-as-a-Service (RaaS) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Ransomware-as-a-Service (RaaS)?
Common alternative names include: RaaS, Affiliate ransomware.