Ransomware as a Service

Ransomware as a Service (RaaS) is a type of malware service run by criminals, for criminals. RaaS setups are similar in many ways to traditional Software as a Service (SaaS) models. The big difference is that in this case, the software is a tool used for criminal activity, specifically, coordinating ransomware attacks.

Ransomware is a type of malware that usually encrypts files and folders on the victim’s device and demands a ransom in exchange for the safe return of the encrypted data. We are seeing a surge in ransomware attacks in many regions of the globe, likely in part due to the accessibility of ransomware through RaaS.

Here, we take a closer look at what RaaS is and how it works, including some examples. We also reveal the core steps you can take to protect yourself from ransomware.

See also: Our guide to the best ransomware protection tools.

What is Ransomware as a Service?

Conservative estimates suggest the total sum lost to ransomware between mid-2019 and mid-2020 was upwards of $1 billion. The average ransom payment in 2020 was $170,404. Successful ransomware attacks can be huge earners for cybercriminals. And using RaaS can be an inexpensive and relatively simple venture.

While ransomware can be straightforward for a criminal to execute, developing the malware itself takes technical savvy and skill. Enter RaaS. This is a type of software service available for sale online, usually on the darknet. Developers create the ransomware and sell it on for widespread use.

Creators advertise the software for sale, similar to how other software providers promote a legitimate service on the clear web. Sellers create professional websites, advertise on social media, post video advertisements and whitepapers, and promote user reviews. Some provide 24/7 technical support, user forums, support documentation, and regular updates.

Ransomware may be customizable and buyers are often provided with sleek interfaces in which they can tweak their malware. Some dashboards allow users to view information about targets such as where the malware has been executed, how many files have been encrypted, and how many ransoms have been paid.

Criminals browsing RaaS options can get special deals and select from different subscription models. These are similar to those offered by providers of traditional SaaS providers and may take one of the following forms:

  • One-time license fee: Provides unlimited access to the service with no future payments.
  • Monthly rate: Buyers pay a flat monthly fee.
  • Profit-sharing: The operator gets a cut of the profits from each successful attack, similar to an affiliate program.

Some models might involve a combination of payment types. For example, profit-sharing could be combined with a license fee or monthly rate.

While some RaaS models make it easy for less savvy criminals to earn money from ransomware, many RaaS providers are very picky about the affiliates they work with. Developers create the malware, but their profits often rely on the ability of affiliates to spread it. Some creators implement rigid screening processes to ensure they only work with affiliates who will earn them a healthy return.

Ransomware as a Service statistics

Here are a few statistics to illustrate trends in RaaS:

Ransomware as a Service examples

Many different types of RaaS have been uncovered. Operators are continuously developing new and more advanced software. Below are some examples of notorious ransomware that is spread through an RaaS model.


Egregor is a relatively new RaaS. Operators who developed the ransomware run the payment site, while affiliates hack into corporate networks and deploy the malware. It’s reported that Egregor works on an affiliate system, with developers getting a 20-30 percent cut of the ransom while the remainder goes to affiliates.

It is believed that Egregor, which launched in September 2020, was a replacement for the Maze RaaS that shut down its operations around the same time.

Sophos headline.

Over the past year, several French organizations have been the subject of Egregor attacks, including Ouest France, Ubisoft, and Gefco. Several arrests have recently been made in France in connection with the Egregor ransomware.


The developers of the REvil RaaS are reportedly very picky about who they work with. Affiliate applicants must prove their hacking experience before they will be accepted.

REvil has a long list of victims including Travelex, Brown-Forman, Cyrus One, and SeaChange International. It reportedly made developers $100 million in a one-year period. This ransomware seems to heavily target companies in the legal, insurance, and agricultural sectors.

REvil is taking a slightly different avenue to making money from traditional ransomware schemes. Aside from demanding a ransom in exchange for the safe return of files, it also threatens to leak stolen data, further extorting victims.

The REvil group is responsible for the largest ransom demand reported to date. It requested $50 million from electronics company Acer in March 2021.


Dharma is far from new to the RaaS scene and has been running since 2017. It replaces files with the .dharma extension. Dharma ransom demands tend to be on the lower end compared to other RaaS, averaging around $9,000.

Providers offer a very easy-to-use kit that makes it simple for less experienced hackers to join as affiliates. The ease of entry may be linked to the lower payload.


Cerber is another ransomware that’s offered as RaaS. This malware has a range of distribution channels including phishing emails, malvertisements (malware-infected ads), and malicious websites. It usually works on an affiliate model, with affiliates getting a 40 percent cut of the ransom payment.

Other RaaS operations include Locky, LockBit, Goliath, Shark, Stampado, Encryptor, Jokeroo, Ragnarok, ProLock, CryLock, and Nefilim.

How can you protect against RaaS?

When we discuss how to protect against RaaS, we are essentially talking about how to protect against ransomware. We go into detail on this topic in a our ransomware removal post but below are the main things to bear in mind.

Here’s how to stop ransomware as a service:

  • Learn to spot malicious emails: With email being a common medium for the spread of ransomware, it’s important to familiarize yourself with common signs of malicious emails, ads, and sites. The golden rule is to never click on a link or attachment unless you are sure you can trust the source.
  • Use a strong firewall: A firewall can act as your first line of defense and prevent certain types of malware entering your system
  • Employ a solid antivirus software: An antivirus software will monitor for and block known threats including many types of ransomware.
  • Keep software up to date: Updates usually include security patches that fix vulnerabilities. Delaying updates can leave your system exposed to weaknesses.
  • Maintain up-to-date backups: It’s a good idea to keep multiple backups in separate locations. When determining the frequency of backups, consider how much data you could afford to lose, for example, an hour’s worth, a day’s worth, and so on. It’s also important to test backups to ensure that the data can be retrieved.

What else can I do to protect my privacy and security?

If you’re generally worried about protecting your data and privacy online you might want to consider some of our recommended security tools below.