Uncovering the Growing Threat of Ransomware As A Service (RaaS)


What Is RaaS?

Ransomware as a Service (RaaS) is a type of cybercrime service in which ransomware developers offer their malicious software to others for a fee. Ransomware is malware that encrypts a victim’s files and demands a ransom payment in exchange for the decryption key. RaaS makes it easy for cybercriminals with little technical expertise to launch ransomware attacks, since they can simply purchase and use the software without needing to create it themselves. This is bad news for the world: an attacker no longer needs the skills of a hacker to target an organization, only motive and money.

The developers of RaaS typically take a percentage of the ransom payments collected by their clients as a commission. This business model has made ransomware attacks more widespread and profitable, allowing criminals to scale up their operations without requiring advanced technical skills. RaaS has become a significant threat to individuals, businesses, and organizations around the world.


How RaaS Works

Ransomware as a Service (RaaS) involves a partnership between two types of cybercriminals: the ransomware developer and the affiliate. The developer creates the ransomware software and sets up the infrastructure needed to manage and collect the ransom payments. They then offer access to the software to affiliates who want to use it to carry out attacks. Affiliates can either purchase the ransomware outright or rent it for a period of time, paying a percentage of their earnings to the developer.

Once an affiliate has obtained access to the ransomware, they typically distribute it via spam emails, malicious websites, or other methods designed to trick victims into downloading and executing the malware. Once the malware infects a victim’s device, it encrypts files and displays a ransom note that demands payment in exchange for the decryption key. The victim is often given a deadline to pay the ransom, and failure to meet this deadline can result in an increase in the ransom amount or the permanent loss of their data. Once the victim pays the ransom, the affiliate and the developer split the payment, with the developer taking a percentage as their commission. This model has made it easier for cybercriminals to carry out ransomware attacks on a large scale and has made it more difficult for law enforcement to track down the perpetrators. 



Known Groups Using RaaS


LockBit 2.0

LockBit 2.0 is a Ransomware as a Service (RaaS) that was introduced in June 2021 as an upgrade to its predecessor, LockBit (also known as ABCD Ransomware), which was first spotted in September 2019. LockBit 2.0 gained popularity through recruitment campaigns in underground forums that attracted affiliates and made it one of the most active ransomware operations by the third quarter of 2021. The operators of LockBit 2.0 claimed their encryption software was the fastest among all active ransomware strains, and this contributed to the malware’s efficacy and ability to disrupt the ransomware landscape.


Analysis of data from ransomware groups’ dark web leak sites indicates that the LockBit 2.0 RaaS leak site has the highest number of published victims, with over 850 in total. LockBit 2.0 has targeted many companies worldwide, with professional services, construction, wholesale and retail, and manufacturing being the most highly targeted industries.


Black Basta

Initially detected in April 2022, Black Basta is a ransomware group that operates as a Ransomware as a Service (RaaS) and has since established itself as a significant threat. The group employs double-extortion tactics and has expanded its attack capabilities by incorporating tools such as the Qakbot trojan and the PrintNightmare exploit. These developments demonstrate that Black Basta is constantly evolving and adapting its tactics to maximize its success in ransomware attacks.



Conti

Conti, a notorious ransomware group, has become one of the most active in the ransomware space. Its activities have been marked by aggressive tactics and large-scale attacks against a wide range of public and private organizations. Conti operates using a Ransomware-as-a-Service (RaaS) attack model, paying affiliates for successfully deploying the malware into an organization’s system and opening the door for the primary threat actors to further exploit and coerce the victim during the second stage of the attack. The group has been observed using various tactics to infiltrate a victim’s network. Once in, they spread through the network and disable security tools to protect their malware. Recent internal divisions in the group have led to questions about its future. Understanding Conti helps organizations understand ransomware threats as a whole.



REvil

The REvil Ransomware, also known as Sodinokibi, is a sophisticated file-encrypting malware operated as RaaS. It has been active since April 2019 and is spreading through various methods such as phishing, spam emails, RDP servers, and scan and exploit kits. The ransomware is hitting organizations and demanding cryptocurrency ransom to return the decryption key for infected files. SISA has released a security advisory providing details on attack patterns, Indicators of Compromise (IoCs), and security measures to prevent intrusion by REvil.



DarkSide

The DarkSide ransomware variant was first seen in August 2020 and quickly spread to multiple countries and industries. The group behind the ransomware was partially responsible for the Colonial Pipeline ransomware incident in May 2021. In November 2021, the US government offered a reward to help identify the individuals responsible. Finally, in early 2022, Russian authorities arrested six people linked to the REvil and DarkSide ransomware groups, including the alleged leader of REvil, who were responsible for the cyberattack.



Protecting Against Ransomware and RaaS

Ransomware as a Service (RaaS) attacks can be a severe threat to organizations, and it is crucial to take preventive measures to protect against such attacks. First, it is essential to keep all software up-to-date, as attackers often exploit known vulnerabilities in outdated software. Second, training employees on cybersecurity best practices, including identifying phishing emails, can help prevent ransomware attacks. Third, implementing multi-factor authentication and limiting access privileges can help prevent unauthorized access to critical data.

Regular backups of all data, both locally and offsite, are also crucial, as they can help restore systems in case of an attack. Finally, investing in comprehensive cybersecurity solutions such as anti-malware, firewalls, and intrusion detection systems can help detect and prevent ransomware attacks.
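
The behavior described under How RaaS Works (files encrypted in bulk, then a ransom note displayed) is what behavioral detection tools look for. The following Python example is added here and is not from the original article or from AgileBlue; the thresholds, the event tuple format, the function names and the sample events are assumptions constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

ENTROPY_MIN = 7.5  # bits/byte; assumed cut-off, ciphertext sits close to 8.0
BURST_MIN = 3      # assumed: high-entropy writes by one process within WINDOW
NOTE_DIRS_MIN = 2  # assumed: same file name dropped into this many directories
WINDOW = 60        # seconds

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_processes(events):
    """events: (timestamp, pid, path, bytes_written) tuples. Returns {pid: verdict}."""
    writes = defaultdict(list)                     # pid -> recent high-entropy write times
    drops = defaultdict(lambda: defaultdict(set))  # pid -> file name -> directories
    flagged = {}
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        directory, name = os.path.split(path)
        drops[pid][name].add(directory)
        writes[pid] = [t for t in writes[pid] if ts - t <= WINDOW]
        if shannon_entropy(data) >= ENTROPY_MIN:
            writes[pid].append(ts)
        note = any(len(dirs) >= NOTE_DIRS_MIN for dirs in drops[pid].values())
        # Backup and compression jobs also write high-entropy data, so a burst
        # alone is "review"; a burst plus a repeated note-like file is "alert".
        if len(writes[pid]) >= BURST_MIN and flagged.get(pid) != "alert":
            flagged[pid] = "alert" if note else "review"
    return flagged

def fake_ciphertext(seed: int) -> bytes:
    """Constructed stand-in for ciphertext: 4 KiB of SHA-256 output."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(128))

SAMPLE_EVENTS = [  # constructed file-write telemetry, not real logs
    (0, 410, "/home/a/docs/notes.txt", b"meeting notes, draft 3\n" * 100),
    (5, 977, "/home/a/docs/report.docx", fake_ciphertext(1)),
    (6, 977, "/home/a/docs/README_RESTORE.txt", b"constructed note text"),
    (9, 977, "/home/a/pics/cat.jpg", fake_ciphertext(2)),
    (9, 977, "/home/a/pics/README_RESTORE.txt", b"constructed note text"),
    (12, 977, "/home/a/src/main.c", fake_ciphertext(3)),
    (30, 522, "/backup/a.tar.gz", fake_ciphertext(4)),
    (200, 522, "/backup/b.tar.gz", fake_ciphertext(5)),
]
print(suspicious_processes(SAMPLE_EVENTS))
```

In the sample, only process 977 is reported: the two backup writes by process 522 are high-entropy but too far apart to count as a burst.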


Written by Peter Burg

Peter Burg is Director of Business Development at AgileBlue, partnering with organizations who are looking for ways to make IT and cybersecurity work. Peter currently resides in Minnesota and is a big baseball fan.

February 27, 2023
