
July 18, 2025 | Matt Pacheco

A Complete Guide to Ransomware as a Service (RaaS)

Enterprise ransomware is being democratized. While these large-scale threats have been a primary vector for many years, the rise of Ransomware as a Service (RaaS) has rapidly amplified their scale and scope. Today, RaaS lowers technical barriers, making it easier for bad actors to launch damaging attacks.

While reports show companies are recovering faster and more cost-effectively from each incident, the end of 2024 saw a 50% surge in ransomware attacks. If your organization hasn’t been targeted yet, it may only be a matter of time. RaaS introduces a new twist that makes ransomware more accessible and widespread than before. Here’s how RaaS increases your business risk and why securing your business is a critical priority.

What is Ransomware as a Service (RaaS)?

Ransomware as a Service (RaaS) is a business model in which cybercriminals develop a set of malware services that can be purchased on the dark web. To use the RaaS kit, a would-be criminal pays a subscription fee or a percentage of the ransom received to use the ransomware, as well as other amenities such as distribution services, software updates, and tech support. 

How is RaaS Different from a Traditional Ransomware Attack?

While RaaS and traditional ransomware attacks can yield the same result for threat actors, the difference is who is doing the attacking. Traditional ransomware attacks require skilled cyber attackers. RaaS, on the other hand, can be operated by anyone who has the money to pay for the service.

How Ransomware as a Service Works

Ransomware as a Service functions a lot like legitimate Software as a Service (SaaS) models. A customer pays for a license or a service, and the vendor helps by carrying out key tasks—often providing a dashboard for monitoring. In this case, it’s ransomware experts providing access to sophisticated ransomware tools and attack campaigns. Once someone pays a ransom, the distributor may collect it and take their share before passing the rest onto the customer.

There are two key parts to RaaS: the operators and affiliates, and the pricing and revenue models used to operate the system. 

RaaS Operators and RaaS Affiliates

RaaS operators are the figures behind the curtain who develop, update, and maintain ransomware that can be packaged and used by everyday customers. They may create the algorithms, decryption keys, and ransom notes, as well as any infrastructure necessary to collect payments or communicate with infected systems. Similar to SaaS providers, RaaS operators can offer support to people looking to use the services. 

RaaS affiliates are the people who actually utilize the ransomware after it’s been purchased. They’re customers who deploy the software on a victim’s networks through methods like phishing campaigns, using stolen credentials, or finding and exploiting software vulnerabilities. Affiliates don’t tend to have the technical knowledge that operators do, but they will be carrying out the full ransomware campaign and are often the people who communicate with the victims to negotiate and collect the ransom. 

Evolving Pricing and Revenue Models

Like many software companies, ransomware providers are moving beyond the one-time service fee model, which previously allowed affiliates to pay for an unlimited-access license or the underlying code. There are two pricing models most commonly used by RaaS providers:

  • Profit-sharing: One of the most popular models is the profit-sharing model, where affiliates pay minimal upfront fees, but agree to share a percentage of the proceeds of a ransom with the operator. This cut can range from 10-40%—sometimes more, though the affiliate generally keeps the majority of the earnings. The operator is more incentivized to maintain and update the software because their support will result in greater payouts.
  • Subscription service: Affiliates pay a recurring fee, generally monthly or annually, to access RaaS programs, which can range anywhere from $40 per month to thousands of dollars. This will depend on the features the RaaS operators offer and how sophisticated the software is.

RaaS pricing strategies are proving to be as sophisticated and lucrative as those of legitimate businesses, as our cloud solutions expert explains in TierPoint’s recent ransomware webinar:

“As an interesting example, DarkSide ransomware operators take a 25% cut of the ransom for amounts below $500,000 but only take a 10% cut for ransoms above $5 million”

Mike Grondahl, Cloud Solutions Architect at TierPoint

Revenue models are continuing to evolve. Affiliate programs, which incentivize affiliates to deploy attacks for a sizable commission, are driving the rapid spread of ransomware. For example, the rising RaaS group Lynx lets affiliates generate exploit code and earn 80% of ransom proceeds if successful—plus access to a leak site with the stolen data of victims who do not pay.

Why Ransomware as a Service Is So Concerning Today

Even with increased awareness and enforcement efforts, which have disrupted major players like LockBit, new RaaS groups keep popping up. Some have been prevalent for years, and others are on the rise. Prominent examples of active RaaS organizations include: 

  • Akira
  • Anubis
  • Black Basta
  • Cicada3301
  • CL0P
  • DragonForce (which reportedly took over RansomHub)
  • Medusa
  • Qilin

Experts warn that seemingly shuttered RaaS groups like BlackCat/ALPHV could also reemerge under a different name after a period of dormancy.

These groups are using increasingly sophisticated techniques to infiltrate organizations faster and with greater ease. Qilin, an increasingly dominant player in the RaaS market, equips affiliates with ransomware capable of cross-platform attacks, customizable encryption modes, automated negotiation tools, and even legal support to intimidate victims. RaaS providers are also enabling:

  • AI-driven phishing: Helps criminals optimize their messages and tactics in real time.
  • Living-off-the-land (LOTL) attacks: Allows attackers to use legitimate tools already present in an organization’s system to evade detection and mount an attack.
  • Polymorphism: Enables ransomware variants to change their appearance and code to make it harder for antivirus software to identify them. 

Extortion models have also become more complex. Double extortion involves an extra threat beyond a ransom, such as threatening to leak the information if the ransom isn’t paid. Triple extortion includes another layer of pressure, such as a DDoS attack or the harassment of additional parties.

How RaaS Increases Your Business Risk

The rise of Ransomware as a Service is a significant risk to your revenue, compliance, and shareholder trust. With access to malicious software growing, organizations should brace for more frequent exploitation attempts and increasingly severe consequences from successful attacks.

Between 2023 and 2024, the average ransom demand more than doubled to $2.73 million, with cybercriminals demanding tens of millions of dollars in high-profile incidents. However, the ransom payment represents only a fraction of the financial loss. Victims may also face:

  • Operational disruption: Businesses often experience weeks of downtime due to ransomware. Strategic initiatives may be halted for longer as disaster recovery efforts take precedence.
  • Regulatory fines: Companies can face sizable fines for failing to comply with GDPR, HIPAA, and other data protection regulations. Legal expenses may also stack up in the process.
  • Reputational damage: Data breaches create a loss of trust that can result in long-term brand devaluation, customer churn, and employee resignations from the executive-level down. For publicly traded companies, stock values decline an average of 7.5% post-attack, with some failing to ever recover.

Mitigating these intensifying RaaS risks is no easy task. In a ransomware attack, anyone in the physical or software supply chain can be a point of vulnerability. Threats can also come from initial access brokers, who gain access to corporate networks to sell to RaaS affiliates. These brokers often work within underground marketplaces on the dark web to provide credentials to eager affiliates. 

Here’s how Josh Davies, a seasoned cybersecurity professional, spells out the danger of RaaS on our Cloud Currents podcast—and why it’s everyone’s problem:

“If one organization gets compromised and they monetize it, they get more sophisticated and they come for you the next day… Talking about security all the time, no matter who you are—exec down to someone who barely touches a computer, apart from to look at their emails—is really important, because this is a global collective issue.”

Josh Davies, Principal Market Analyst at Fortra

With increasingly sophisticated threats looming, it’s important to actively defend against ransomware and protect your business from the growing number of RaaS attacks.

How to Prevent and Protect Your Business from RaaS Attacks

While avoiding ransomware attacks is often easier said than done, there are steps you can take to secure your business and prevent some RaaS attacks entirely. Here are 10 strategies you can implement today.

1. Assess Your RaaS Readiness

First, it’s important to establish your defense by assessing your RaaS readiness. Ask a few key questions, including:

  • Are we prepared to detect ransomware early in the kill chain? How quickly can your current system find and address ransomware? The sooner it is identified, the easier it will be to remediate. If you don’t have visibility on your systems, your level of preparedness will likely be low. 
  • What are our recovery time and recovery point objectives (RTO/RPO) if we’re hit today? If you experienced a ransomware attack today, how long would it take for you to restore core business operations? How much data would you lose? Do these numbers align with how much time and data you can afford to lose (your RTO and RPO)? If not, you should address what steps you need to take to satisfy these objectives. 
  • Are backups immutable and segmented? The backups your organization has should be stable and separate from the rest of your network, unable to be altered or encrypted by ransomware. If this is not the case, your team must work to protect your backups. 
  • Do we have a response plan in place? Your legal teams, PR representatives, and any third-party communications agencies should be ready with a response plan if your organization gets hit with ransomware. Even mounting a great defense isn’t 100% foolproof. You want to be able to quickly and clearly address what happened, how it happened, and how you plan on addressing the issue before any erosion of trust occurs. 
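
One way to turn the RTO/RPO and backup questions above into a repeatable check, as an added example that is not TierPoint's tooling: the inventory, field names, and targets below are constructed assumptions. It measures data loss from the newest backup that is both immutable and segmented, since a fresher copy reachable from production may be encrypted along with it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    system: str
    completed: datetime   # when the backup job finished
    immutable: bool       # cannot be altered or deleted during retention
    segmented: bool       # stored apart from the production network
    restore_minutes: int  # duration measured in the last restore test

def assess(backups, now, rpo, rto):
    """Return {system: [findings]}, counting only backups that are both
    immutable and segmented, i.e. copies ransomware could not encrypt."""
    findings = {}
    for system in sorted({b.system for b in backups}):
        issues = []
        safe = [b for b in backups
                if b.system == system and b.immutable and b.segmented]
        if not safe:
            issues.append("no immutable, segmented backup")
        else:
            latest = max(safe, key=lambda b: b.completed)
            loss_hours = (now - latest.completed).total_seconds() / 3600
            if now - latest.completed > rpo:
                issues.append(f"RPO missed: {loss_hours:.1f} h of data at risk")
            if timedelta(minutes=latest.restore_minutes) > rto:
                issues.append(f"RTO missed: restore takes {latest.restore_minutes} min")
        findings[system] = issues
    return findings

# Constructed inventory and targets (assumptions, not real data).
NOW = datetime(2025, 7, 18, 12, 0)
RPO, RTO = timedelta(hours=4), timedelta(hours=8)
BACKUPS = [
    Backup("erp", datetime(2025, 7, 18, 10, 0), True, True, 120),
    # Fresh copy, but reachable from production: ignored for RPO purposes.
    Backup("fileserver", datetime(2025, 7, 18, 11, 30), False, False, 90),
    Backup("fileserver", datetime(2025, 7, 17, 2, 0), True, True, 600),
    Backup("crm", datetime(2025, 7, 18, 9, 0), True, False, 60),
]

if __name__ == "__main__":
    for system, issues in assess(BACKUPS, NOW, RPO, RTO).items():
        print(system, "OK" if not issues else "; ".join(issues))
```

The restore duration should come from an actual restore test, not a vendor estimate, or the RTO finding is only as good as the guess behind it.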

2. Keep Your Systems Up-to-Date

As software companies find security vulnerabilities in their applications, they issue patches to fix them. Hence, it’s essential to stay on top of patching so a cyber attacker doesn’t take advantage of the vulnerability. If your applications are approaching end of life (EOL) or end of support (EOS), it’s time to upgrade.

3. Use Modern Prevention Approaches

It’s important to protect more than just your perimeter. Modern prevention approaches include:

  • Zero-trust architecture: Operates on the idea that no user, application, or device should ever be trusted, and that authentication should always be required. This least-privilege approach can reduce how far attackers can move in a network. 
  • Identity and access management (IAM): Often involves multifactor authentication, strict access controls, the principle of least privilege, and regular reviews to confirm that user privileges are where they should be. 
  • Endpoint detection and response (EDR): Monitors multiple endpoints for suspicious activity. Extended detection and response (XDR) provides further monitoring across security layers, including clouds, networks, and servers. EDR and XDR can help organizations prepare a more coordinated, planned response to incoming threats. 

4. Leverage Advanced Tools

Modern cybersecurity tools can support businesses in detecting and responding to RaaS threats faster than before. EDR/XDR solutions can be bolstered with behavioral analysis, threat intelligence, and machine learning algorithms to pinpoint anomalies faster. AI/ML tools are great at identifying patterns and calling out unusual behavior that humans can miss. 

SIEM and SOAR may also be acronyms you see when looking at tools to address ransomware threats. Security Information and Event Management (SIEM) solutions analyze aggregated log data in a centralized view to address trends and find threats in real time. Security Orchestration, Automation, and Response (SOAR) platforms automate repetitive tasks and can orchestrate responses to ransomware incidents, cutting down on the time needed to address infiltrations. 

5. Perform Regular RaaS Drills and Penetration Testing

Organizations can prepare with regular RaaS drills and penetration testing. The drills should simulate RaaS attacks and confirm whether your security team is ready to respond to the incident. Presenting hypothetical scenarios can help your incident response team see where weaknesses in their processes may be. 

Penetration testing uses simulated attacks on a network to find the vulnerabilities RaaS affiliates may exploit, so they can be patched before malicious actors get to them. 

6. Maintain Data Resiliency

A good cloud disaster recovery solution, also known as Disaster Recovery as a Service (DRaaS), can ensure you recover most, or all, of your data and minimize downtime. It provides continuous backups that are separate from the production data, so they won’t get encrypted along with the production system during an attack. A disaster recovery plan and solution with continuous data backup will save you hundreds of thousands of dollars in ransom and cleanup costs, as well as days or weeks of downtime.

7. Require Regular Cybersecurity Training

Because they serve as a key line of defense, your internal end-users should be trained on basic cybersecurity practices. Your organization can run phishing tests to ensure employees know how to spot suspicious emails, and you can implement regular training to keep team members up-to-date on emerging threats.

8. Involve Law Enforcement

Businesses and individuals used to feel more stigma around being the victims of ransomware attacks, but reporting has gone up, while payment rates have gone significantly down. Law enforcement support has contributed to significant crackdowns in recent years, with some major arrests happening at the end of 2024.

If you find yourself the victim of a ransomware attack, report it to one of the following authorities to help maintain this momentum long-term:

However, keep in mind that security leaders should not rely solely on law enforcement outcomes to mitigate risk. While international law enforcement has disrupted a few major RaaS groups, response consistency and impact remain limited due to jurisdictional challenges.

9. Work with a Managed Security Services Provider

Many managed service providers also provide IT security services that will detect and deter potential ransomware threats. They focus on preventative measures, which can include ransomware-specific protections such as:

  • Email security (anti-spam and anti-phishing)
  • Web content filtering
  • Firewall management
  • Anti-malware protection
  • Data encryption

Managed security service providers (MSSPs) also leverage automated tools for intrusion detection, security monitoring, and vulnerability scanning, helping businesses swiftly respond to immediate threats.

10. Leverage a Managed Detection and Response (MDR) Service

With sophisticated ransomware attacks looming, companies need more than a strong response and recovery strategy. Managed Detection and Response (MDR) services are emerging as a core pillar of modern cyber defense, especially for ransomware.

MDR providers blend AI capabilities with human expertise for proactive threat hunting, analysis, and ransomware remediation. Companies gain 24/7 monitoring from automated tools while also receiving the human expertise required to anticipate threats, actively investigate their root causes, contain and remove the threat, and quickly restore and secure operations.

Are You Prepared to Combat Ransomware as a Service?

The latest ransomware trends, like the growing popularity of RaaS, present a problem for businesses of all sizes, but your company can overcome these growing threats with a strong IT security strategy to protect your business.
Read our guide below to get more comprehensive tips on defending your business against ransomware, or contact us to learn more about how TierPoint can help you create the proper response.
