What is Ransomware-as-a-Service (RaaS Model Explained)

A ransomware attack is one of the better known and most feared online security threats and each year it gets worse.

So what is behind this growth of ransomware attacks?

Many things, but one in particular - ransomware-as-a-service (RaaS).

What is a Ransomware Attack?

To understand the ransomware-as-a-service, we need to understand the ransomware attack itself and know what it is.

Ransomware is a type of malicious software (aka "malware") that encrypts and locks the victim's device and allows the threat actor to demand a ransom (hence the name "ransomware") to give back access to the user.

Typically, ransomware is distributed via phishing emails.

Once it's there, the ransomware spreads throughout the system and executes a malicious binary that then encrypts, for example a database or important files and documents so that the user can't access them.

The reason why the user can't gain access to their own sensitive data is that ransomware uses a pair of keys to encrypt and decrypt the data on the. victim's system and the attacker will only release the decryption key if the victim pays them a ransom (typically in 24-48 hours).

Problem is, even if victims pay the ransom, criminals often don't release the stranglehold on their data and instead have more ransom demands.

Why are Ransomware Attacks Spreading?

Ransomware Attacks

According to Cognyte's Ransomware Attack Statistics 2021 - Growth & Analysis report, nearly 1,100 organizations were victims of a ransomware attack in the first half of 2021, which is about the same as for the entire 2020.

What is behind this spread of ransomware attacks?

  1. Ransomware developers are now able to encrypt complete disks and not just a single file
  2. The spread of cross-platform ransomware like Ransom32 that uses Node.js with a JavaScript payload
  3. Finally, ransomware-as-a-service kits, which allow ransomware developers to create new ransomware on demand

Let's focus on the RaaS model in particular.

What is Ransomware-as-a-Service?

Ransomware-as-a-Service or RaaS is similar to the software-as-a-service model (except that it's used to spread malware) in that it is an affiliate model that allows criminals to use already developed ransomware tools in order to create their own ransomware and execute attacks.

For each successful ransomware attack (one that results in a ransomware payment), the criminal (in this case seen as "affiliates") earns a percentage.

Typically, these percentages can be very high, ranging from 1/3 or 33% on average and even going as high as 80%, so you can see why the RaaS model is so popular.

Combine that with the fact that "affiliates" don't have to be particularly skilled and experienced to use RaaS tools, which means anyone with rudimentary skills can execute ransomware attacks and you have a recipe for spreading this cyber threat.

Understanding the RaaS Model and How it Works?

So how does the RaaS model work?

It all starts with skilled ransomware operators. After all, someone needs to create a strong ransomware. This ransomware needs to have two things to be successful:

  1. A high penetration rate
  2. Low discovery chance

If it has these two and also the developer has a "good" reputation, then they attract ransomware affiliates who, like w said earlier, earn a percentage based on their successful ransomware payments.

So how do RaaS operators hire affiliates?

Of course, you won't find ads for ransomware on Google. Instead, RaaS affiliates are recruited on the dark web through forums.

One such recruitment ad might look like this:

Free 2 more slots

We will consider specialists only in networks with our own material.

Criteria for future partners:

1) At the moment we do not consider spam, only grids are of interest.

2) Those who do not have their own material do not need to beg from me in the course of the RDP, first show what we are capable of, and we also do not train anyone from scratch,

3) We are not interested if you have only one grid per 1000 PCs, only those who have a constant source of material extraction are interested.

4) We do not accept English-speaking users in the software.

5) Write only if you are ready to start work in the near future, it is unacceptable to take access and then not process any material. Two weeks without activity - your account will be deleted.

6) We do not accept material for processing.

7) If you have not been answered, then we are not interested in cooperation with you.

So, as you can see, there are actually some criteria for affiliates to be accepted, though this depends on the developer and what they're looking for.

The above ransomware gang (Circus Spider), for example, has pretty strict requirements, but some others might just be interested in spreading their malware fast and have lower requirements.

Okay, so what happens once the affiliate is accepted?

They are then given a custom exploit code, which is submitted to the website that hosts the RaaS for the affiliate. Once the code is submitted, the hosting site gets updated and the affiliate can start their ransomware activity on unsuspecting victims.

How to Prevent and Protect Against Different Ransomware Variants?

With every hacker Joe and Jane that now have access to sophisticated ransomware tools, how can you protect against RaaS attacks?

There are a couple of things you can do to prevent a ransomware threat before it reaches your data and system in the first place, including:

  1. Do not download from unknown and unsafe sources. Instead, only use official sources. For instance, if you need to download Windows 11, do not go to a site called something like "freewindows.xxx", but instead go to Microsoft and download it from there.
  2. Do not click or open email attachments that you don't know who they're from. If you receive an email from someone you've never heard of, let alone communicated with, why would you open any attachment from them they send you? Don't be fooled by whatever trickery they use, either their scare tactic or their promises, all they want is to infect your system with malware hidden in the link or attachment.
  3. Do not click on unsafe links. Everything said for suspicious email attachments also goes for unsolicited links. Do not click on them!
  4. Do not disclose your personal information. A ransomware campaign begins with the cybercriminal collecting personal information from would-be victims through phishing emails. Don't be a would-be victim and don't give them your personal data.
  5. Keep your software and operating system up-to-date. Hackers will try to use any vulnerability in your system to launch attacks against it. Do not give them that opportunity by keeping your software outdated. Always update your OS and software and use strong anti-virus and anti-malware programs
  6. If on a public network, use a VPN. If you need to use a public WiFi network, say in an airport, avoid using it to log in to your email or bank account. However, if you need to, make sure to use a VPN service to make sure your data and traffic are protected.
  7. Keep a data backup. The idea of ransomware is to prevent access to an important file to the user unless they make the ransom payment. But if you already have a copy or two of that file then the attacker's threat doesn't really work, now does it?

What if you still end up a victim of ransomware, even after taking all of these precautions?

In that case, you might consider hiring a ransomware negotiator. In this article, we explain what is ransomware negotiation and how it works.


Ransomware attacks are on the rise and they have doubled in frequency between 2020 and 2021, with as much as 37% of organizations in the world saying they were victims of ransomware, according to the IDC's 2021 Ransomware Study: Where You Are Matters!

A big reason for this lies in the ransomware-as-a-service or RaaS model so knowing what it is and how it works will help you protect your sensitive data from this threat.