What is ransomware as a service (RaaS)?
What is RaaS?

Ransomware as a service (RaaS) is a cybercrime business model in which a ransomware group or gang sells its ransomware code or malware to other hackers, who then use it to carry out their own ransomware attacks.

According to IBM’s X-Force Threat Intelligence Index, ransomware was the second most common type of cyber attack in 2022. Many experts believe the rise of RaaS has played a role in keeping ransomware so prevalent. A 2022 report from Zscaler (link resides outside ibm.com) found that 8 of the 11 most active ransomware variants were RaaS variants.

It's easy to understand why the RaaS model is so popular with cybercriminals. RaaS lowers the bar for entry into cybercrime, allowing even threat actors with limited technical skills to carry out cyberattacks. Furthermore, RaaS is mutually beneficial: Hackers can profit from extortion without developing their own malware, and ransomware developers can increase their profits without manually attacking networks.


How the RaaS model works

RaaS works the same way legitimate software-as-a-service (SaaS) business models do. Ransomware developers, also called RaaS operators, take on the work of developing and maintaining ransomware tools and infrastructure. They package their tools and services into RaaS kits that they sell to other hackers, called RaaS affiliates. 

Most operators use one of the following revenue models to sell their kits:

  • Monthly subscription: RaaS affiliates pay a recurring fee—sometimes as little as USD 40 per month—for access to ransomware tools.

  • One-time fee: Affiliates pay a one-time fee to purchase ransomware code outright.

  • Affiliate models: Affiliates pay a monthly fee and share a small percentage of any ransom payments they receive with the operators.

  • Profit sharing: The operators charge nothing up front but take a significant cut of every ransom the affiliate receives, often 30-40%. 

RaaS kits are advertised on dark web forums, and some ransomware operators actively recruit new affiliates. The REvil group, for example, spent USD 1 million as part of a major recruitment drive in October 2020 (link resides outside ibm.com).

Once they’ve purchased a kit, affiliates get more than just malware and decryption keys — they often receive a level of service and support on par with lawful SaaS vendors. Some of the most sophisticated RaaS operators may offer such amenities as ongoing technical support, access to private forums where hackers can exchange tips and information, payment processing portals (since most ransom payments are requested in untraceable cryptocurrencies like Bitcoin), and even tools and support for writing custom ransom notes or negotiating ransom demands.

Cybersecurity challenges of RaaS attacks

While the profit potential is a major factor in the proliferation of RaaS, affiliate programs also provide hackers and ransomware developers with additional benefits — and they present additional challenges to cybersecurity professionals. 

Fuzzy attribution of ransomware incidents. Under the RaaS model, the people carrying out cyberattacks may not be the same people who developed the malware in use. Furthermore, different hacking groups may be using the same ransomware. Cybersecurity professionals may not be able to definitively attribute attacks to specific groups, making it harder to profile and catch RaaS operators and affiliates. 

Specialization of cybercriminals. Much like the legitimate economy, the cybercrime economy has led to a division of labor. Threat actors can now specialize and refine their crafts. Developers can focus on making more and more powerful malware, and affiliates can focus on developing more effective attack methods. A third class of cybercriminals, called “access brokers,” specializes in infiltrating networks and selling access points to attackers. Specialization allows hackers to move faster and carry out more attacks. According to the X-Force Threat Intelligence Index, the average time to execute a ransomware attack dropped from 60+ days in 2019 to 3.85 days in 2022. 

More resilient ransomware threats. RaaS allows operators and affiliates to share the risk, making each more resilient. Catching affiliates doesn’t shut down operators, and affiliates can switch to another ransomware kit if an operator is caught. Hackers have also been known to reorganize and rebrand their activities to evade the authorities. For example, after the U.S. Office of Foreign Assets Control (OFAC) sanctioned the Evil Corp ransomware gang, victims stopped paying ransoms to avoid penalties from OFAC. In response, Evil Corp changed the name of its ransomware multiple times (link resides outside ibm.com) to keep the payments coming. 

Notable RaaS variants

It can be difficult to pin down which gangs are responsible for which ransomware or which operators are officially active at a given time. That said, cybersecurity professionals have identified a few major RaaS operators over the years, including:

  • Tox: First identified in 2015, Tox is considered by many to be the first RaaS.
  • LockBit: LockBit is one of the most pervasive RaaS variants today, accounting for 17% of ransomware incidents observed in 2022, more than any other strain. LockBit often spreads through phishing emails. Notably, the gang behind LockBit has tried to recruit affiliates who work for their target victims, making infiltration easier. 
  • DarkSide: DarkSide’s ransomware variant was used in the 2021 attack on the U.S. Colonial Pipeline, considered the worst cyberattack on critical U.S. infrastructure to date. DarkSide shut down in 2021, but its developers released a successor RaaS kit called BlackMatter.
  • REvil/Sodinokibi: REvil, also known as Sodin or Sodinokibi, produced the ransomware behind the 2021 attacks against JBS USA and Kaseya Limited. At its height, REvil was one of the most widespread ransomware variants, accounting for 37% of ransomware attacks in 2021. The Russian Federal Security Service shut down REvil and charged several key members in early 2022, but the gang’s RaaS infrastructure resurfaced in April 2022 (link resides outside ibm.com).
  • Ryuk: Before shutting down in 2021, Ryuk was one of the largest RaaS operations. The developers behind Ryuk went on to release Conti, another major RaaS variant, which was used in an attack against the Costa Rican government in 2022 (link resides outside ibm.com).
  • Hive: Hive rose to prominence in 2022 after an attack on Microsoft Exchange Server. Hive affiliates were a significant threat to financial firms and healthcare organizations until the FBI took down the operator in 2023 (link resides outside ibm.com).

Protecting against RaaS

While RaaS has changed the threat landscape, many of the standard practices for ransomware protection can still be effective for combatting RaaS attacks. Many RaaS affiliates are less technically adept than the ransomware attackers of yesterday. Placing enough obstacles between hackers and network assets may deter some RaaS attacks entirely. Additional cybersecurity tactics might include: 
