Cybersecurity Glossary

Ransomware-as-a-Service


What is Ransomware-as-a-Service?

Ransomware-as-a-Service (RaaS) is a cybercrime business model in which ransomware developers license their malware to affiliates who carry out attacks on organizations. This model has lowered the barrier to entry for cybercriminals, enabling even those with limited technical expertise to launch sophisticated ransomware campaigns, leading to an explosion of ransomware attacks in recent years. 

In the typical RaaS model, developers create and maintain the ransomware infrastructure—including encryption tools, payment portals, and victim communication systems—while affiliates handle target selection, initial access, and attack execution. When a ransom is paid, the proceeds are split between the developer and the affiliate according to pre-negotiated terms. 

This profit-sharing arrangement has fueled the rapid proliferation of ransomware attacks by creating a scalable, collaborative ecosystem for cybercrime. 

Common RaaS Business Models

The RaaS ecosystem operates through several revenue-sharing arrangements. 

  1. Affiliate programs: Affiliates execute attacks and share a percentage of successful ransom payments with developers. 
  2. Subscription-based access: Some operators charge affiliates a monthly flat fee for access to ransomware tools, allowing affiliates to keep all ransom payments. 
  3. One-time licensing: Users pay a single fee for unlimited access without profit-sharing requirements. 

The RaaS industry can also be highly selective, with some providers choosing only to engage with cybercriminals who have a “good” reputation and proven track record of attack success.   

As with traditional ransomware, payment is made through cryptocurrency, which is difficult to trace and easy to launder back into traditional currency.   

The Role of Initial Access Brokers

Initial access brokers (IABs) are cyber threat actors who specialize in gaining unauthorized access to computer networks and systems and then selling that access to other threat actors such as ransomware groups. 

RaaS groups also partner with initial access brokers who sell stolen network credentials, allowing ransomware affiliates to bypass the time-consuming reconnaissance phase and deploy their attacks immediately. 

How Does Ransomware-as-a-Service Work? 

1. Developers Create the Ransomware Infrastructure

Threat actors build the malware, encryption algorithms, payment portals, data leak sites, and negotiation platforms. 

2. Affiliates Join the Program

Cybercriminals register to use the ransomware, often through dark web forums or invitation-only channels. Some programs vet affiliates based on technical skills or past success. 

3. Initial Access Is Obtained

Affiliates either compromise networks themselves or purchase access from initial access brokers who sell stolen credentials and network entry points. 

4. The Attack Is Deployed

Affiliates infiltrate the target organization, move laterally through the network, exfiltrate sensitive data, and deploy the ransomware to encrypt systems. 

5. Ransom Demands Are Issued

Victims receive ransom notes with payment instructions, typically demanding cryptocurrency. Developers provide the communication infrastructure and sometimes handle negotiations. 

6. Profits Are Divided

If the ransom is paid, the cryptocurrency is split between the ransomware developer and the affiliate according to their pre-negotiated agreement. 

The Evolution to Double and Triple Extortion

Traditional ransomware attacks focused solely on encryption, but as organizations improved their backup strategies, RaaS operators adapted. Double extortion became the standard: attackers now exfiltrate sensitive data before encrypting systems, then threaten to publish stolen information on leak sites if payment isn’t made. This tactic works even against organizations with strong backups, as exposed data triggers regulatory penalties, lawsuits, and reputational damage. Triple extortion adds a third layer—typically DDoS attacks against the victim’s infrastructure or direct threats to compromised customers and partners. 

The Shift Away from Encryption

Some RaaS operators now skip encryption entirely. Encrypting files is time-consuming, increases detection risk, and requires maintaining decryption capabilities. Instead, these threat actors conduct extortion-only attacks focused purely on data theft and exposure threats. 

According to the Arctic Wolf 2025 Threat Report, 96% of ransomware cases involved data exfiltration. This streamlined approach allows faster operations and eliminates the risk that victims will simply restore from backups without paying. For defenders, this shift is challenging because traditional ransomware detection methods that monitor for mass encryption activity may miss these data theft-focused campaigns. 


Major RaaS Groups

The ransomware landscape is dominated by several sophisticated criminal organizations operating under the RaaS model. Based on Arctic Wolf Incident Response engagements, these groups represent the most active and impactful threats to organizations in 2024: 

Akira 

First observed: 2023 

Claimed victims in 2024: 215 

Primary tactics: Exploits VPNs lacking multi-factor authentication (MFA) for initial access; practices multi-extortion and operates a dark web leak site where victim data is published if ransom demands aren’t met 

LockBit 3.0

First observed: 2019 (originally named “ABCD,” rebranded to LockBit in 2020) 

Claimed victims in 2024: 775 

Primary tactics: Uses varying initial access methods including brute-force attacks on Remote Desktop Protocol (RDP) and phishing; known for targeting critical infrastructure with extremely high ransom demands 

Play 

First observed: June 2022 

Claimed victims in 2024: 386 

Primary tactics: Exploits Remote Monitoring and Management (RMM) tools like ConnectWise ScreenConnect and SimpleHelp, as well as RDP vulnerabilities  

Fog 

First observed: May 2024 

Claimed victims in 2024: 24 

Primary tactics: Compromises VPN credentials and exploits system vulnerabilities; primarily targets the education sector using double extortion schemes 

Notable activity: Linked to both Akira and Conti ransomware groups; known for active ransom negotiation with a median starting demand of $610,000 (USD) 

Black Suit

First observed: May 2023 

Claimed victims in 2024: 116 

Primary tactics: Uses phishing for initial access; conducts data exfiltration and extortion prior to encryption 

How To Defend Against Ransomware-as-a-Service

Preventing RaaS attacks requires a multi-layered defense strategy that addresses the most common attack vectors. Organizations should focus on these critical safeguards: 

1. Maintain Reliable Backups

Regular, tested backups stored offline or in immutable storage dramatically reduce ransomware impact. In 68% of cases investigated by Arctic Wolf, organizations with solid backup systems successfully recovered without paying ransoms, eliminating the encryption threat entirely. 

2. Strengthen Cloud Security

As operations and data migrate to cloud environments, misconfigurations become attractive targets. Understanding your shared responsibility model and regularly auditing cloud settings prevents unauthorized access through this expanding attack surface. 

3. Implement Robust Identity and Access Controls

Compromised credentials and unsecured remote access remain leading entry points for RaaS attacks. Deploy multi-factor authentication (MFA) across all access points, monitor for suspicious login patterns, enforce least privilege principles, and conduct regular security awareness training to reduce human-driven vulnerabilities. 

4. Prioritize Vulnerability Management

Unpatched systems provide easy pathways for attackers. Establish a risk-based patching program that addresses critical vulnerabilities quickly, rather than treating all patches equally. Given the surge in exploitable vulnerabilities, continuous assessment is essential. 

5. Deploy 24×7 Security Monitoring

Early detection stops ransomware before encryption occurs. Managed detection and response (MDR) solutions provide continuous visibility and expert analysis to identify ransomware precursors—such as unusual lateral movement, privilege escalation attempts, suspicious data transfers, and infostealer malware—before damage occurs. 


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.