Ransomware-as-a-Service (RaaS): What It Is & How It Works

Ransomware — a word that sends shivers down the spine of even the most experienced cybersecurity experts. Simply hearing this word evokes frightening images of business disruptions, customer outrage, tarnished brand reputation, heavy financial losses and even the subsequent attacks that often follow. Ransomware is a growing menace and continues to haunt businesses of all shapes and sizes.

In the last few years, ransomware attacks have hit record highs as threat actors prey on organizations from every industry. With Ransomware-as-a-Service (RaaS) and open-source versions of ransomware available today, ransomware attacks are poised to grow in number and complexity in 2022 and beyond. Researchers from Zscaler ThreatLabz found that ransomware attacks increased by 80% year-over-year. One of the factors in the successful proliferation of ransomware is how easily ransomware operators (or developers) can distribute their malware via Ransomware-as-a-Service. Interestingly, the report by Zscaler ThreatLabz also revealed that the RaaS method was used by eight of the top 11 ransomware families. Read on to learn how RaaS works and how to stop ransomware in its tracks.

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service or RaaS is a perverse take on the Software-as-a-Service (SaaS) business model, where ransomware operators provide ready-to-use ransomware tools to affiliates (or customers) to launch ransomware attacks. This model allows anyone, even those with little or no programming experience, to pay for and use already-developed malware. With a litany of RaaS options having made their way into the marketplace, all that is required from a would-be perpetrator is malicious intent and access to the dark web.

Publicly available tools and code make launching one’s own ransomware campaign(s) easier than ever before. RaaS kits provide those without the skills or time to develop their own ransomware variant an easy route to launch attacks quickly and affordably. The accessibility of RaaS options eliminates the significant technical prerequisite for building out malicious code. RaaS kits have been found for as low as $40 per month and more advanced variants may be sold for several thousand dollars. The simplicity of this malware distribution model enables even novice hackers to execute highly sophisticated cyberattacks.

When did Ransomware-as-a-Service start?

Ransomware has been around since the 1980s. Joseph L. Popp, also known as the inventor of ransomware, wrote the first-known malware — the “AIDS Trojan,” in 1989. The Harvard-taught evolutionary biologist distributed the ransomware through infected floppy disks to attendees of the World Health Organization’s AIDS conference. The Trojan, also known as “PC Cyborg,” hid the files in the victim’s computer hard drive and encrypted the file names. The malware then displayed a message demanding users to pay $189 to regain access.

Reveton, also popularly known as the FBI virus or the Police Trojan, emerged in mid-2012, marking the beginning of Ransomware-as-a-Service. The attackers are believed to have used a referral program to attract illegal sites like porn websites to distribute the malware to their site visitors. Reveton impersonated the FBI and displayed illicit messages, frightening people into paying fines to avoid imprisonment for downloading pornography and pirated content. Since then, ransomware has evolved to become more prominent, complex and dangerous. Today, ransomware is one of the largest perennial cyberthreats that IT professionals and end users alike must be vigilant against.

Ransomware attacks as well as use of RaaS are both illegal. Any activity that is part of a ransomware attack is considered illegal. This includes using Ransomware-as-a-Service, buying malicious software, breaching company networks, stealing and/or encrypting data and extorting ransom from victims.

A legitimate enterprise will never tamper with or encrypt your data without your permission. A legal service will never force you to pay the amount in exchange for a hacked system. Cybercriminals often demand the ransom to be paid in bitcoins because cryptocurrency transactions are much harder to trace.

The Computer Fraud and Abuse Act (CFAA) was established in 1986 and has undergone several changes over the years to address cybercrime. According to the CFAA, it is a crime to access any computer or computer network without authorization. This also includes the use and deployment of ransomware.

How does Ransomware-as-a-Service work?

RaaS kits are advertised to prospective buyers on the dark web in the same way other products and services are marketed on legitimate web portals. These kits may come with technical support, bundled offers, volume discounts, user reviews, community forums and other features identical to those of legitimate SaaS providers. Skillful ransomware operators create software with a high chance of penetration success and a low chance of discovery. Once developed, the ransomware is modified to support a multi end-user infrastructure, ready to be licensed to prospective affiliates.

RaaS kits may be purchased for a one-time fee, monthly subscription fee, affiliate programs (a monthly fee with a percentage split of profits) or a pure percentage split of any ransom collected. One such example is Philadelphia, a kit that rose to prominence several years ago, offered by The Rainmaker Labs. The Rainmaker Labs’ first ransomware exploit was Stampado, which was sold for $39. Having learned from their early experience, Rainmaker Labs later released Philadelphia, a much more sophisticated and notorious ransomware strain, which was offered for $389.

For a ransomware campaign to succeed, the attacker must overcome four key challenges:

  1. Setting up the command-and-control server to communicate with victims
  2. Creating ransomware samples
  3. Sending samples to the victims
  4. Managing the attacks (collecting statistical information, checking payments, etc.)

With the RaaS model, operators (developers) and affiliates (customers) share responsibilities:

RaaS OperatorRaaS Affiliate
  • Recruits potential affiliates on forums
  • Searches for RaaS kits
  • Pays to use the ransomware
  • Agrees on a service fee (one-time, subscription, profit sharing) per kit or per collected ransom
  • Provides affiliates access to a “build your own ransomware package” panel
  • Creates the dedicated command-and-control dashboard for the affiliate to track the package*
  • Targets victims
  • Sets ransom demands
  • Configures post-compromise ransom messages and instructions
  • Sets up victim payment portal
  • Compromises victim’s assets**
  • Amplifies infection using “living off the land” techniques
  • Deploys the ransomware
  • Assists affiliates with victim/ransom negotiations
  • Some operators will provide ongoing tech support
  • Connects with victims using chat portals or other communication channels
  • Manages a dedicated leak site
  • Manages decryption keys

*Affiliates are commonly provided with onboarding documentation with step-by-step guides and support for launching ransomware attacks with the specific software kit. More sophisticated RaaS operators offer RaaS portals that enable affiliates to check the status of infections, revenue generated, number of files encrypted and other details about their victims.

**Phishing attacks are the most popular way for ransomware affiliates to breach target networks. RaaS affiliates target their victims with well-crafted phishing emails that contain malicious links or attachments. Once the victim clicks on the link, malware is automatically downloaded/transmitted.

What are the four common Ransomware-as-a-Service models?

Apart from the affiliate program discussed above, RaaS kits are available as a monthly subscription service. Customers can also access RaaS kits by paying a one-time fee, or through a profit-sharing model where the ransom amount is split between the creator and the executor. 

What are some examples of Ransomware-as-a-Service?

Creating or buying your own ransomware has never been easier. The emergence of these “do-it-yourself” ransomware programs hosted on GitHub and hacking forums is expected to further spur the growth of these attacks in 2022 and beyond. Here are some examples of popular Ransomware-as-a-Service variants:


The DarkSide is perhaps the most lethal ransomware variant we have faced recently. First seen in August 2020, the DarkSide Ransomware-as-a-Service quickly spread to more than 15 countries, targeting organizations across a variety of industries, including financial services, legal services, manufacturing, professional services, retail and technology. The DarkSide ransomware group was behind the Colonial Pipeline ransomware incident that occurred in May 2021. The incident forced the company to temporarily shut down the 5,500-mile pipeline for several days, impacting consumers and airlines on the East Coast of the United States. 


LockBit, previously known as ABCD ransomware, is a malicious software designed to block users from accessing their computers. LockBit is a highly advanced ransomware that automatically scans for valuable targets, deploys the malware and encrypts all possible computer systems. The LockBit ransomware gang launched its Ransomware-as-a-Service in 2019. The group promoted their service on the dark web, provided support on Russian-language hacking forums and recruited wannabe cybercriminals to breach and encrypt networks. 


REvil or Sodinokibi is another Ransomware-as-a-Service variant responsible for extorting large amounts of money from organizations globally. Sodinokibi spreads in several ways, including through unpatched VPNs, exploit kits, remote desktop protocols (RDPs) and spam mail. REvil or Ransomware Evil is also known for double extortion. The group would threaten its victims to publish the stolen information in public if ransom is not paid. The REvil gang is believed to have been shut down by Russian authorities at the request of U.S. government agencies. 


The WannaCry ransomware shook the world in 2017 when it targeted Windows-based computers, encrypted files and blocked users from accessing their computers until the ransom payment was made. The North Korean Lazarus Group was behind the WannaCry ransomware attack.


Ryuk is a popular variant used in targeted attacks against healthcare organizations (such as the attack against Universal Health Services in late 2020). Ryuk is commonly spread by other malware (e.g., Trickbot) or through email phishing attacks and exploit kits.

How can Ransomware-as-a-Service be prevented?

As threat actors refine their techniques, businesses like yours must take proactive steps to effectively defend against Ransomware-as-a-Service attacks. Here are some best practices to begin with.

Security awareness training

Phishing emails are the gateways to many types of damaging cyberattacks including ransomware, malware and business email compromise (BEC). To overcome this threat, businesses must empower their employees by training them as well as leverage technology to improve and assess the effectiveness of the training. A comprehensive security awareness training program can help strengthen your weakest link by educating them to spot suspicious emails and about the role they play in improving cybersecurity.

Update systems

Cybercriminals are opportunists. They often look for vulnerabilities that they can exploit to penetrate an organization’s network and wreak havoc. You must ensure your systems and software are patched and up to date to protect your business from any known and unknown vulnerabilities.

Endpoint protection

Every device connected to your corporate network is a potential threat vector. Therefore, endpoint protection is critical. Make sure you have processes in place to monitor and track all devices that have access to your network. This includes laptops, smartphones, tablets and other devices that employees use as a part of the BYOD program. Ensure all devices are updated and have the latest safeguards and patches. Make using stronger passwords a mandatory and encourage (or force) users to change passwords regularly.

Anti-phishing software

Did you know that about 90% of incidents that end in a data breach start with a phishing email? Phishing emails are extremely convincing and harder to detect. Traditional email security solutions like filters or built-in tools in email applications are not adequate for today’s sophisticated phishing threats. Use anti-phishing software like Graphus that uses patented AI technology to defend Microsoft 365 and Google Workspace inboxes from a variety of threats delivered via email, including phishing and spear phishing.

Perform regular backups

Hackers are after your valuable corporate data; therefore, it is vital to have a backup of your data securely stored away in a different location. By having a clean copy of your backups, you can minimize the impact of RaaS attacks. This will also help in quick recovery of your business operations in the event of a disaster.

Protect your data from ransomware with Unitrends

Ransomware is a pervasive threat and is here to stay. To survive and thrive in this threat-laden business environment, you must have a robust business continuity and disaster recovery (BCDR) strategy in place. With Unitrends Unified BCDR, your business can prepare for, respond to and recover from ransomware attacks with minimal or no impact.

Our Unified BCDR platform uses AI-based technology, including integrated dark web monitoring that helps reduce the frequency and severity of ransomware attacks. Eliminate data loss and downtime due to ransomware with Unitrends’ AI-based detection, hardened Linux appliances and immutability safeguards. Additionally, achieve 100% recovery confidence with Recovery Assurance’s automated, application-level recovery testing.

Download our product brief to discover Unitrends’ five pillars of defense against ransomware attacks.


Discover how Unitrends can help protect your organization's sensitive data