ransomwareRansomware as a Service (RaaS), is a business partnership between ransomware operators, affiliates, and ransomware developers. Affiliates pay to launch ransomware attacks developed by the operators. Ransomware can be seen as a service, which is a variation on the software-as-a-service (SaaS), business model.

Affiliates without the time or skill to create their own ransomware variant can use RaaS kits to get up and running quickly and easily. These kits are easily found on the dark web.

RaaS kits may offer 24/7 support, bundled offerings, user reviews, forums, and other features that are identical to those offered by legitimate SaaS vendors. RaaS kits cost $40 per month and several thousand dollars, which is a small amount considering the ransom demand of $6 million in 2021. To become wealthy, a threat actor does not need to win every attack.

There are four types of RaaS revenue models.

  • A monthly subscription at a flat rate
  • Affiliate programs are similar to a monthly subscription model, but with a percentage of the profits (typically between 20-30%) going towards the ransomware developer
  • Pure profit sharing
  • A one-time license fee, with no profit sharing

RaaS operators with the most advanced technology offer portals that allow their subscribers to see information such as infection status, total payments and encrypted files. A RaaS affiliate simply needs to log in, pay with Bitcoin and enter the details of the malware they want to create. Then click the submit button. Subscribers might have access to support and communities, documentation, feature upgrades, and other benefits similar to those offered to subscribers of legitimate SaaS products.

RaaS is a competitive market. RaaS portals are not the only thing that exists. RaaS operators also run marketing campaigns and have websites that look exactly like your company's. They also have white papers and videos. RaaS is a business. In 2020, total ransomware revenue was $20 billion. This is an increase of $11.5 billion from the previous year.

Locky, Goliath, and Shark are some of the most well-known RaaS kit examples. However, there are many other RaaS operators and they disappear, reorganize, and then re-emerge regularly with better, newer ransomware variants.

RaaS Examples


DarkSide is a RaaS company associated with CrowdStrike's CARBON SPIDER eCrime group. DarkSide used to focus on Windows computers but have expanded their operations to Linux. They are now targeting enterprises with unpatched VMware ESXi virtual machines or stealing vCenter credentials. The FBI announced that the DarkSide ransomware was involved in the Colonial Pipeline attack on May 10. Later, it was revealed that Colonial Pipeline had about 100GB of data stolen from the network and that they paid nearly $5 million USD to DarkSide affiliates.


REvil, also known by Sodinokibi was the ransomware responsible for one of the highest ransom demands ever recorded: $10 million. It is provided by the criminal group PINCHY SPIDER which typically takes 40% of the profits and sells RaaS through affiliate models.

TWISTED SPIDER's first leaks were similar to PINCHY SPIDER's. PINCHY SPIDER warns data victims, usually via a blog posting on their DLS containing samples data as evidence, and then releases the bulk of data after a certain time. REvil will also include a link in the ransom note to the blog post. This link will display the leak to the victim before it is made public. The link will display a countdown clock that will start when you visit it. Once the timer expires, the leak will be made public.


A money motivated Iranian threat group has been responsible for Dharma ransomware attack. The RaaS is available online since 2016, and is mostly associated with remote desktop protocol attacks (RDP). Companies in a variety of industries are often targeted by attackers who demand between 1 and 5 bitcoins.


LockBit has been in development since September 2019. It is now available as a RaaS and advertised to Russian-speaking users and to people who speak English but have a guarantor who speaks Russian. A LockBit affiliate threatened to leak data via a Russian-language criminal forum in May 2020.

The affiliate must provide proof beyond the threat. For example, a screenshot of a document found in the victim data. After the deadline expires, the affiliate will post a mega[. To download stolen victim data, click the ]nz button. This affiliate threatened to publish data on at least nine victims.

Preventing RaaS Attacks

Ransomware attacks can be costly and difficult to recover from. It's better to avoid them altogether. Because RaaS is ransomware that can be used by anyone with malicious intent, the steps to prevent it are the same as those to prevent any other ransomware attacks.

  • Endpoint protection should be reliable and current. It can use advanced algorithms and work in the background 24 hours a day.
  • Regular backups are essential. A ransomware attack can cost a whole week's worth of work products if a backup is not done every weekend.
  • Create multiple backups and keep them separate on different devices at different locations.
  • To ensure that backups can be recovered, it is important to regularly test them.
  • To protect against known and unknown vulnerabilities, you should maintain a strict patch program.
  • To prevent the environment from exploding, segment the network.
  • Install advanced anti-phishing protection.
  • Invest in user training to create a culture that is secure.

Call Integrated Technology Systems now if you need help protecting your network against ransomware.

Like our Facebook page for more great info about managed IT services.

Integrated Technology Systems
6 East 45th Street, Suite 400
New York, NY 10017