
Breaking down ransomware as a service

Ransomware as a service is a business model where ransomware operators and third parties work together to launch ransomware attacks.

What is ransomware as a service?

Ransomware as a service is a business model where ransomware operators and third parties, called “affiliates”, work together to launch ransomware attacks. RaaS was first identified in 2012 with the Reveton ransomware strain, and in the subsequent decade, it has exploded into a sophisticated and ever-evolving cyber crime tactic.

In the RaaS model, ransomware developers (both individuals and organisations called ransomware groups or gangs) write their own software and lease it to other individuals and groups for a price. Those individuals then use that software to conduct various ransomware attacks. This model can also include initial access brokers (IABs), who specialise in gaining access to organisations around the globe. Affiliates often pay or work with IABs for easier access to their victims’ IT environments.

Though the above model is the most common, it can become more specialised, with different cyber criminals playing specific roles before, during and after an attack. Certain operators can focus on writing specific, highly effective malware strains, while other affiliates may be experts at initial access, researching and exploiting certain vulnerabilities or other tactics. Additionally, many operators offer full ransomware kits, which contain access instructions, the malware needed and more to affiliates, offering a streamlined attack process for less technically savvy affiliates. This business model has directly contributed to the growth of ransomware attacks in recent years.


How the RaaS model works

Operators create ransomware malware, also referred to as the ransomware strain, while affiliates purchase the strain from the operators and often lead the attack. The pricing component of the model, as we’ll discuss below, can vary by operator. IABs can also be involved in the model, helping the affiliates conduct the attack by selling access to victim organisations.

How do operators, affiliates and others come together to take down organisations around the globe and walk away with millions? The process is not that different from how legitimate “as a service” organisations operate, which has no doubt contributed to the RaaS boom and subsequent profitability for those involved.

In the RaaS model:

  1. Ransomware operators oversee ransomware strains’ development and distribution to affiliates.
  2. Ransomware affiliates purchase the ransomware strain, as well as other tools developed by the operators, and launch a ransomware attack on one or many organisations.
  3. The two groups split the profits based on the terms of the agreement.

This division of labour has proved to be successful, as it allows both groups to launch more frequent attacks to maximise profits and allows amateur cyber criminals, who may lack technical experience, to enter the ecosystem.

Common RaaS pricing models include:

  • Affiliates pay operators a flat, monthly fee.
  • Affiliates pay operators a percentage of their profits.
  • Affiliates pay a one-time licensing fee for the use of the ransomware strain.
  • Affiliates and operators share all profits and work together before, during and after attacks.

These pricing models are closely tracked, with every cent accounted for, with many ransomware operators using sophisticated portals where subscribers and affiliates can track ransom payments, status of attacks and more.

Another popular component not only of the RaaS model but also of ransomware more broadly is double and triple extortion. Double extortion, where the ransomware affiliates will both encrypt files and exfiltrate them to ensure payment, has become the norm for threat actors since first launching in 2019. Triple extortion, which occurs when the threat actors use exfiltrated data to add another incentive to pay ransom during the attack or attempt to extort funds directly from the individual victims of the data theft, has also increased in recent years. Additional tactics involved in triple extortion can include encrypting more of the organisation’s environment or threatening them with a secondary attack.

Infamous ransomware groups

As ransomware has become more popular and lucrative, many operators have organised themselves into groups, or gangs, to conduct larger, more frequent attacks with significant payout potential. These gangs develop malware in-house, and while they have been known to conduct full attacks in-house, they more often than not utilise the RaaS model by selling their strain to affiliates, increasing the volume of attacks possible in a certain timeframe.

Let’s look at Akira, which rose from the ashes of RaaS group Conti and has had a prolific run, according to the US Office of Information Security. In just one day during the autumn of 2024, the RaaS group leaked the exfiltrated data of 35-plus ransomware victim organisations onto the dark web. Their continued attacks, which involve working with affiliates, using phishing and spear-phishing for initial access, and asking an average initial ransom demand of over $300 000 (USD), show how efficient and lucrative the RaaS model can be.

According to Arctic Wolf’s own research taken from hundreds of global digital forensics and incident response (DFIR) engagements, the ransomware groups that appeared most frequently in cases investigated by the Arctic Wolf Incident Response are:

  1. Akira (15% of attacks)
  2. LockBit (9% of attacks)
  3. BlackSuit (6% of attacks)
  4. Fog (5% of attacks)
  5. Play (4% of attacks)

Akira topping this year’s list, with LockBit – which has targeted critical infrastructure organisations with alarming frequency – taking home silver, shouldn’t be a surprise. Both groups are prolific. Akira lists 215 victims on their leak site, and while there was a law enforcement operation to take down LockBit at the beginning of 2024, the group is still active, even teasing a new ransomware strain for 2025. The numbers above account for all attacks where ransomware variants could be attributed to a specific threat group, including attacks conducted by the cyber criminal gangs themselves as well as attacks conducted by affiliates using a gang’s ransomware variants.

Even though RaaS may operate similarly to legitimate organisations, it still exists in the world of cyber crime, meaning ransomware groups are popping up, disappearing and consistently changing tactics to avoid law enforcement or exposure. Additionally, operators work with multiple affiliates and affiliates may use multiple operator ransomware strains, further blurring the lines. In fact, Arctic Wolf Incident Response observed more than 50 unique threat actor groups operating in victim environments in 2024, highlighting just how expansive, and often difficult to map, this model has become.


Why RaaS is so popular

RaaS has become a major part of the threat landscape.

While not all ransomware attacks can be attributed back to the RaaS model, the continuing increase in ransomware attacks – accounting for 20% of all cyber crime incidents according to the 2024 IBM X-Force Threat Intelligence Index – is mirrored by the rise in ransomware groups, leak sites and headline-making hacks. Arctic Wolf’s own research confirms this, as 45% of organisations surveyed by Arctic Wolf in 2024 admitted to being the victim of a ransomware attack over the last 12 months.

When looking at the financial side of it, it’s easy to see why RaaS is becoming the norm. The average ransom demand in 2024 was $600 000, and ransomware groups listed above started their demands at anywhere from $300 000 (USD) to $5.5 million (USD), according to Arctic Wolf’s internal incident response data. If a RaaS operator sells their strain over and over while recouping at least part of the initial ransom demand, the individual or gang could quickly make away with millions.

The largest ransom ever paid was also recorded in 2024. A publicly traded company paid the Dark Angels ransomware group a whopping $75 million (USD). While the full details are still unconfirmed, it appears that this was a discount on the initial demand, and that the group never even deployed ransomware in the victim’s environment, but instead exfiltrated the data and demanded payment to prevent its publication.

There are a few reasons why cyber criminals have turned to the model to carry out attacks and make a profit:

  1. The division of labour increases the volume of attacks groups can launch.
  2. The ability to purchase complicated malware or full ransomware kits lowers the barrier to entry for inexperienced threat actors.
  3. Organisations, especially those with little tolerance for downtime, continue to pay out ransoms (83% of victims paid according to a recent Arctic Wolf survey).
  4. Most ransomware now involves data exfiltration, which these groups can then sell on the dark web if the organisation does not pay.
  5. The organised crime model allows for adaptability and opportunism, even in the face of law enforcement crackdowns.

How to defend against RaaS attacks

Ransomware is especially insidious because there is no single root cause for the attack. Ransomware itself refers to the malware that is deployed to encrypt and possibly exfiltrate data, not the method used to get it there. While there are common TTPs in ransomware every organisation should be aware of and monitor for, a major way to prevent ransomware attacks is to monitor for precursors.

Common ransomware precursors include:

  • Unusual access to the environment or suspicious user activity consistent with lateral movement or privilege escalation.
  • Data movement, including file permission changes or data leaving the network.
  • Malware detection, particularly of an infostealer or other data exfiltration malware.
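The three precursor classes above map naturally onto simple detection rules. The following is an added example, not Arctic Wolf’s tooling or code from this page: a small Python detector that runs those rules over constructed log events. The event schema (`logon`, `group_change`, `acl_change`, `net_flow`, `av_alert`), the thresholds, the assumed internal address range (`10.0.0.0/8`) and the sample events are all assumptions chosen for illustration.

```python
"""Ransomware-precursor detection over constructed log events.

Added example, not Arctic Wolf's tooling: the event schema, thresholds,
internal address range and sample log data are assumptions for illustration.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed corporate address space; traffic to anything else is "leaving the network".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
EXFIL_MALWARE = {"infostealer", "rat"}

# Constructed sample events: one precursor chain for "svc-backup" plus benign noise.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "logon", "user": "svc-backup", "host": "fs01"},
    {"ts": 130, "type": "logon", "user": "svc-backup", "host": "fs02"},
    {"ts": 160, "type": "logon", "user": "svc-backup", "host": "db01"},
    {"ts": 190, "type": "logon", "user": "svc-backup", "host": "dc01"},
    {"ts": 200, "type": "group_change", "user": "svc-backup", "group": "Domain Admins"},
    {"ts": 210, "type": "acl_change", "user": "svc-backup", "path": "/srv/finance/q1.xlsx"},
    {"ts": 211, "type": "acl_change", "user": "svc-backup", "path": "/srv/finance/q2.xlsx"},
    {"ts": 212, "type": "acl_change", "user": "svc-backup", "path": "/srv/hr/payroll.csv"},
    {"ts": 213, "type": "acl_change", "user": "svc-backup", "path": "/srv/hr/contracts.zip"},
    {"ts": 300, "type": "net_flow", "host": "fs01", "dst_ip": "203.0.113.45", "bytes_out": 4_200_000_000},
    {"ts": 310, "type": "av_alert", "host": "ws17", "family": "infostealer"},
    # Benign: a user on their own workstation, and a large copy to an internal backup host.
    {"ts": 320, "type": "logon", "user": "alice", "host": "ws17"},
    {"ts": 330, "type": "net_flow", "host": "ws17", "dst_ip": "10.0.9.8", "bytes_out": 900_000_000},
]


def _is_external(ip):
    """True when the address lies outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_precursors(events, window=600, host_threshold=3, acl_threshold=3,
                      exfil_bytes=1_000_000_000):
    """Return (category, subject, reason) findings for the precursor classes
    named on the page: unusual access (lateral movement, privilege escalation),
    data movement (permission-change bursts, large external transfers) and
    detection of exfiltration-capable malware. Each (category, subject) pair
    is raised once so a noisy actor does not flood the output."""
    findings = []
    logons = defaultdict(deque)        # user -> recent (ts, host) pairs
    acl_changes = defaultdict(deque)   # user -> recent permission-change timestamps
    already = set()

    def raise_once(category, subject, reason):
        if (category, subject) not in already:
            already.add((category, subject))
            findings.append((category, subject, reason))

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, kind = e["ts"], e["type"]
        if kind == "logon":
            q = logons[e["user"]]
            q.append((ts, e["host"]))
            while q and q[0][0] < ts - window:   # drop entries outside the sliding window
                q.popleft()
            hosts = {h for _, h in q}
            if len(hosts) >= host_threshold:
                raise_once("lateral_movement", e["user"],
                           f"{len(hosts)} distinct hosts within {window}s")
        elif kind == "group_change" and e["group"] in PRIVILEGED_GROUPS:
            raise_once("privilege_escalation", e["user"], f"added to {e['group']}")
        elif kind == "acl_change":
            q = acl_changes[e["user"]]
            q.append(ts)
            while q and q[0] < ts - window:
                q.popleft()
            if len(q) >= acl_threshold:
                raise_once("data_movement", e["user"],
                           f"{len(q)} permission changes within {window}s")
        elif kind == "net_flow":
            if e["bytes_out"] >= exfil_bytes and _is_external(e["dst_ip"]):
                raise_once("exfiltration", e["host"],
                           f"{e['bytes_out']} bytes to external {e['dst_ip']}")
        elif kind == "av_alert" and e["family"] in EXFIL_MALWARE:
            raise_once("malware", e["host"], f"{e['family']} detected")
    return findings


if __name__ == "__main__":
    for category, subject, reason in detect_precursors(SAMPLE_EVENTS):
        print(f"[{category}] {subject}: {reason}")
```

Run against the sample events, the detector raises one finding per precursor stage for `svc-backup` and `fs01` and nothing for the benign `alice` logon or the internal transfer. In a real environment the thresholds, the privileged-group list and the internal ranges come from your own baseline, and the point of the sliding window is that none of these events is alarming in isolation; it is the clustering in time that makes them precursors worth investigating before encryption begins.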

However, the best way to defend against a ransomware attack is to be prepared and take steps that prevent it from occurring or mitigate the potential impact. Proactive steps an organisation can take include:

  1. Conduct basic file backups. This small act can make a major difference if a ransomware attack occurs, as it defends against double extortion. According to Arctic Wolf, in 68% of ransomware incidents, reliable backups aided in the recovery process – in many cases removing the need for a payout by providing an alternate path to sufficient recovery.
  2. Secure the cloud. Not only can the cloud offer initial access to threat actors, but as data storage and operational applications expand to the cloud, it’s likely threat actors will find their way there. Understanding your responsibility in cloud security, as well as staying on top of misconfigurations, can go a long way in hardening this part of the attack surface.
  3. Enforce identity and access controls. Identity is an emerging battleground: not only are credentials a growing root cause of initial access, but Arctic Wolf also found that unsecured remote desktop protocol (RDP) and compromised VPN credentials are the leading root causes of ransomware and intrusions. By implementing identity monitoring, multifactor authentication (MFA) and comprehensive security awareness training, organisations can further harden this attack surface.
  4. Conduct risk-based vulnerability management. It’s often known, unpatched vulnerabilities that allow threat actors to gain access to a network or system, and with the number of critical vulnerabilities continuing to increase year over year, continuous vulnerability management is no longer optional for organisations.
  5. Invest in 24x7 monitoring, detection and response solutions such as managed detection and response (MDR). There are two key components to preventing and stopping a ransomware attack – visibility into your environment and the ability to swiftly detect anomalies. The Arctic Wolf 2024 Security Operations Report highlights just how valuable these solutions can be, noting that “despite the constant threat, we found that indicators of ransomware activities were detected in fewer than 2% of our MDR customer base”.

However, in today’s evolving threat landscape, it’s not enough to focus on a single method of defence. Taking an operations approach to cyber security, where multiple points of risk are addressed simultaneously and continuously, is the only way to reduce your cyber risk and improve your security posture. Security is a journey, and organisations should be continually working to enhance their security operations, harden their attack surface and increase their proactive measures.


