What is Ransomware-as-a-Service (RaaS)?

Share This

Ransomware-as-a-Service (RaaS) is a subscription-based model that allows individuals to launch ransomware attacks without requiring extensive technical skills. This service makes the tools for conducting cyber extortion widely available, lowering the barrier to entry that was previously limited to skilled hackers.

“RaaS represents a formidable and evolving cyber threat, made increasingly dangerous by its user-friendly model.The simplicity and accessibility of RaaS platforms mean that a broader spectrum of cybercriminals can now launch sophisticated attacks without having to build or write code, or even manage infrastructure.”Tab Bradshaw, Chief Operating Officer, Redpoint Cybersecurity

Given the increased accessibility of ransomware tools, it makes sense that there has been a 78% increase in the frequency of ransomware attacks since 2020. What’s important to remember is that just because ransomware is easier to enact for people without technical skills, that in no way lessens the severity of a successful attack.

That’s exactly why it’s critical for you to understand RaaS. So, this article will discuss how it works in further detail and, more importantly, what you can do to reduce your chances of falling victim to a RaaS attack.


How Does a Ransomware-as-a-Service Business Work?

The RaaS business model operates much like regular subscription services. Cybercriminals create and maintain ransomware, which they then lease or sell to clients. The client then uses the leased or purchased tool to launch a cyber attack. The RaaS provider will also typically receive a portion of the ransom payments.

Notable examples include:

HIVE Hive became prominent in April 2022 after targeting numerous organizations, including financial firms and healthcare firms. The U.S. Department of Justice disrupted Hive’s operations in January 2023 and revealed its extensive global impact.
DarkSide Known for the Colonial Pipeline incident, DarkSide has expanded from targeting Windows machines to Linux environments, specifically unencrypted VMware ESXi hypervisors and vCenter credentials.
REvil (Sodinokibi) Linked with the criminal group PINCHY SPIDER, REvil is known for high-profile cases like the JBS USA and Kaseya attacks. REvil uses double extortion techniques that involve threatening to leak stolen information if the ransom isn’t paid.
Dharma Associated with an Iranian threat actor group, Dharma has been active since 2016, primarily initiating remote desktop protocol (RDP) attacks and demanding ransom in Bitcoin.
Maze Maze ransomware attackers breached victim information and threatened to share it. The group behind Maze is speculated to have discontinued it in favor of a different name, Egregor, as of November 2020.
LockBit After emerging in 2019, LockBit became the most widely used ransomware variant by early 2022. It is notorious for using double extortion techniques.
DoppelPaymer First appearing in June 2019, DoppelPaymer is linked to earlier versions of BitPaymer ransomware and uses a TOR-based payment portal.
Ryuk Targets high-value institutions and is estimated to have earned over $150 million in ransom since 2018. It is attributed to the Wizard Spider cybercrime group based in Russia.


When Did The RaaS Model Start?

Although ransomware has been around since the 1980s, the RaaS business model began with the emergence of Reveton, also known as the FBI virus or Police Trojan, in mid-2012. Reveton impersonated the FBI by displaying alarming messages that accused people of downloading illicit content and demanding fines to avoid legal consequences.

This marked a significant shift in ransomware threats. RaaS services have grown significantly due to its profitability and the lower technical barrier for attackers. The rise of cryptocurrencies like Bitcoin has further fueled this trend because it offers anonymity in transactions.

Furthermore, the increasing digitization of business operations and the dependency on online data have made organizations more vulnerable to ransomware attacks. Cybercriminals capitalize on this dependency, knowing that businesses are more likely to pay the ransom to regain access to their critical data.


Is RaaS Illegal?

It should go without saying that causing a ransomware infection is absolutely an illegal activity. This extends to providing RaaS. There are no “legal loopholes” that a RaaS provider can manipulate to make it “technically legal.” Offering RaaS is considered illegal in almost all countries in the world.

The bigger issue with prosecuting RaaS providers comes from the fact that almost all are global in nature. As such, prosecution requires full, organized cooperation between international law enforcement agencies. Cryptocurrency and the dark web also make it more difficult to trace those behind the RaaS.


Strategies for Ransomware Prevention

Email Server Configuration to Reject Executable Files

Configuring email servers to automatically reject emails containing executable files can significantly reduce the risk of ransomware. Many ransomware attacks start with phishing emails that include malicious attachments. By blocking these executables at the server level, you can prevent them from ever reaching end users.

Advanced Endpoint Detection & Response (EDR) 

EDR solutions go beyond traditional antivirus software. They continuously monitor and respond to cyber threats at the endpoint level. Implementing advanced EDR solutions can help detect and isolate ransomware threats before they spread across the network.

Regular Penetration Testing

Conducting regular penetration tests helps identify vulnerabilities in your system that could be exploited by ransomware. These tests simulate an attack on your system, revealing weak points that need reinforcement.

Gain More Cyber Insights

Isolating Critical Assets

Segregating sensitive data and critical systems from the rest of the network can limit the damage of a ransomware attack. This way, even if ransomware infects part of your network, it won’t necessarily spread to critical areas.

Data Canaries

Data canaries are decoy files placed throughout a network. If a ransomware attack starts encrypting files, the data canaries are affected first, triggering an alert. This early warning system allows for quicker response times.


Sinkholing is a technique used to redirect malicious traffic away from its intended target. By using sinkholes, organizations can capture and analyze ransomware traffic to better understand and defend against the specific threats targeting them.

Hardware Security Modules (HSMs)

HSMs provide an additional layer of security for encrypting and decrypting data. They are physical devices that manage digital keys for strong authentication and are less susceptible to tampering and extraction.

Get Professional Ransomware Protection

RaaS is evolving faster than most business owners can keep up. This is simply the result of the rapid pace of technological advancements. Having a professional team with advanced threat intelligence can help you ensure that you don’t get left behind.

Redpoint Cybersecurity offers enterprise-grade, military cyber intelligence. We have extensive experience protecting large enterprises and federal government assets from nation-state threat actors. This experience shows that we are well-equipped to help you combat RaaS threats. Reach out to us today.

Join Our Newsletter & Learn

Get our latest content delivered to your inbox.