Ransomware as a Service

Ransomware as a Service (RaaS) is a type of malware service run by criminals, for criminals. RaaS setups are similar in many ways to the traditional Software as a Service (SaaS) business model. The big difference is that in this case, the software is a tool used for criminal activity, specifically, coordinating ransomware attacks.

In this article we take a closer look at what RaaS is and how it works, including some examples. We also reveal the core steps you can take to protect yourself from ransomware.

See also: Our guide to the best ransomware protection tools.

What is Ransomware as a Service?

Ransomware is a type of malware that typically encrypts files and folders on the victim’s device and demands a ransom in exchange for the safe return of the encrypted data.

We are seeing a surge in ransomware attacks in many regions of the globe. In 2023, ransomware affected 66% of organizations – an increase of 15% compared with 2020. This change is likely in part due to the accessibility of ransomware through RaaS.

The average ransom payment of $1,542,333 in 2023 was almost double that of $812,380 in 2022. The additional recovery costs also increased, from an average of $1.4 million in 2022, to $1.82 million in 2023.

Despite less than half of organizations paying the ransom – most rely on backups – successful ransomware attacks can still be huge earners for cybercriminals. And using RaaS can be an inexpensive and relatively simple venture for threat actors.

While ransomware can be straightforward for a criminal to execute, developing the malware itself takes technical savvy and skill. Enter RaaS. This is a type of software service available for sale online, usually on the darknet. Ransomware developers create the ransomware and sell it on for widespread use.

Creators advertise the software for sale, similar to how other software providers promote a legitimate service on the clear web. Sellers create professional websites, advertise on social media, post video advertisements and whitepapers, and promote user reviews. Some provide 24/7 technical support, user forums, support documentation, and regular updates.

Ransomware may be customizable and buyers are often provided with sleek interfaces in which they can tweak their malware. Some dashboards allow users to view information about targets such as where the malware has been executed, how many files have been encrypted, and how many ransoms have been paid.

Criminals browsing RaaS options can get special deals and select from different subscription models. These are similar to those offered by providers of traditional SaaS providers and may take one of the following forms:

  • One-time license fee: Provides unlimited access to the service with no future payments.
  • Monthly rate: Buyers pay a flat monthly fee.
  • Profit-sharing: The operator gets a cut of the profits from each successful attack, similar to an affiliate program.

Some models might involve a combination of payment types. For example, profit-sharing could be combined with a license fee or monthly rate.

While some RaaS models make it easy for less savvy criminals to earn money from ransomware, many RaaS providers are very picky about the affiliates they work with. Developers create the malware, but their profits often rely on the ability of affiliates to spread it. Some creators implement rigid screening processes to ensure they only work with affiliates who will earn them a healthy return.

Ransomware as a Service statistics

Here are a few statistics to illustrate trends in RaaS:

Ransomware as a Service examples

Many different types of RaaS have been uncovered. Operators are continuously developing new and more advanced software. Below are some examples of notorious ransomware that is spread through an RaaS model.


Researchers uncovered evidence in 2023 that the Play ransomware was being sold as a service to affiliates. A report from security firm adlumin described how the company had noticed numerous similarities between Play attacks, suggesting the Russian-linked ransomware was being leveraged according to provided instructions. Attacks typically target small and mid-sized organisations, with attackers stealing data before encrypting it.


The Egregor RaaS first launched in 2020. Operators who developed the ransomware run the payment site, while affiliates hack into corporate networks and deploy the malware. Egregor works on an affiliate system, with developers getting a 20-30 percent cut of the ransom while the remainder goes to affiliates.

It is believed that Egregor was a replacement for the Maze RaaS that shut down its operations around the same time.

Sophos headline.

Over the past year, several French organizations have been the subject of Egregor attacks, including Ouest France, Ubisoft, and Gefco. Several arrests have recently been made in France in connection with the Egregor ransomware gang and its affiliates.


The developers of the REvil RaaS are reportedly very picky about who they work with. Affiliate applicants must prove their hacking experience before they will be accepted.

REvil has a long list of victims including Travelex, Brown-Forman, Cyrus One, and SeaChange International. It reportedly made developers $100 million in a one-year period. This ransomware seems to heavily target companies in the legal, insurance, and agricultural sectors.

REvil is taking a slightly different avenue to making money from traditional ransomware schemes. Aside from demanding a ransom in exchange for the safe return of files, it also threatens to leak stolen data, further extorting victims.

The REvil group is responsible for the largest ransom demand reported to date. It requested $50 million from electronics company Acer in March 2021.


Dharma is far from new to the RaaS scene and has been running since 2017. It replaces files with the .dharma extension. Dharma ransom demands tend to be on the lower end compared to other RaaS, averaging around $9,000.

Providers offer a very easy-to-use kit that makes it simple for less experienced hackers to join as affiliates. The ease of entry may be linked to the lower payload.


Cerber is another ransomware that’s offered as RaaS. This malware has a range of distribution channels including phishing emails, malvertisements (malware-infected ads), and malicious websites. It usually works on an affiliate model, with affiliates getting a 40 percent cut of the ransom payment.

Other RaaS operations include Locky, LockBit, Goliath, Shark, Stampado, Encryptor, Jokeroo, Ragnarok, ProLock, CryLock, and Nefilim.

How can you protect against RaaS?

When we discuss how to protect against RaaS, we are essentially talking about how to protect against ransomware. We go into detail on this topic in a our ransomware removal post but below are the main things to bear in mind.

Here’s how to stop ransomware as a service:

  • Learn to spot malicious emails: With email being a common medium for the spread of ransomware, it’s important to familiarize yourself with common signs of malicious emails, ads, and sites. The golden rule is to never click on a link or attachment unless you are sure you can trust the source.
  • Use a strong firewall: A firewall can act as your first line of defense and prevent certain types of malware entering your system
  • Employ a solid antivirus software: An antivirus software will monitor for and block known threats including many types of ransomware.
  • Keep software up to date: Updates usually include security patches that fix vulnerabilities. Delaying updates can leave your system exposed to weaknesses.
  • Maintain up-to-date backups: It’s a good idea to keep multiple backups in separate locations. When determining the frequency of backups, consider how much data you could afford to lose, for example, an hour’s worth, a day’s worth, and so on. It’s also important to test backups to ensure that the data can be retrieved.

What else can I do to protect my privacy and security?

If you’re generally worried about protecting your data and privacy online you might want to consider some of our recommended security tools below.