What is the business model of Ransomware-as-a-Service?

by Anastasios Arampatzis 


Palo Alto defines ransomware as “a criminal business model that uses malicious software to hold valuable files, data or information for ransom. Victims of a ransomware attack may have their operations severely degraded or shut down entirely.”  

Ransomware attacks are increasing as the digital evolution of businesses continues. Its ability to generate serious revenue for attackers makes ransomware popular among cybercriminals and a “must-have” in their toolboxes. Today it is considered the largest threat organizations are facing and a financial burden for all businesses, as highlighted in the 2022 Cyber Claims Report.

Unfortunately, the outlook is troubling. Cybercriminals now offer ransomware attacks as a service, known as Ransomware-as-a-Service (RaaS) or human-operated ransomware, since the attacks are driven at every stage by human intelligence and end in intentional business disruption and extortion. These criminals offer their services to others, establishing actual ransomware agreements in exchange for an agreed fee.

There is no need to be an expert cybercriminal or a dark web guru; literally anyone can subscribe to a RaaS and unleash a ransomware attack on an organization or even an individual. It is no wonder that security professionals admit that “today no penetration effort is needed to perform a cyber-attack, just enter the correct log-in credentials you have purchased”.



RaaS is a subscription-based service, an arrangement between two parties: the operator and the affiliate. It is very popular because it allows any unskilled would-be cybercriminal to perform ransomware attacks with a high probability of success.

The operator develops all the necessary tools for the attack, builds the payment portals used to communicate with victims, and sells access to the ransomware payload to the affiliate. The affiliate performs the intrusion, executes the attack, and collects the agreed ransoms, which are then split among the parties. RaaS developers may also sell their payload for profit and run their business with other ransomware payloads, making it even more difficult for law enforcement agencies to track them.

Furthermore, security researchers discovered a third party involved in the RaaS business model: the “service provider”. The “service provider” assists the affiliate, mostly in the pre-attack phases of victim selection, exploit provision, and negotiations.

The distribution of the RaaS roles makes the business model resilient and insensitive to law enforcement successes. A recent joint advisory on ransomware highlighted that RaaS is a well-established and professionalized business model, which complicates attribution: its components (developers/operators, affiliates, and freelancers) create a complex network that shares victims’ information and diversifies the threat to their targets.

Figure 1. How RaaS model enables ransomware attacks (www.microsoft.com) 

In many cases, RaaS programs may also provide, as an extra service, a suite of extortion support offerings, including leak site hosting and integration into ransom notes, payment pressure, and cryptocurrency transaction services.

Microsoft mentions that the RaaS business model is similar to the traditional economy: “In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves”.


What is Access as a Service or Initial Access Brokers? 

The Initial Access Broker (IAB) is one of the most significant links in the RaaS chain. The role of an IAB is vital to the success of a ransomware attack, since it provides initial access to the network and saves the valuable time that would otherwise be needed for target reconnaissance and for planning and carrying out the intrusion.

Of course, IABs’ services are not given for free. There is a complete marketplace behind these illegal acts. Research performed by KELA reveals how IABs operate and how they are involved in the RaaS business model. As shown in the following flow chart, courtesy of KELA, when the two parties agree on the access price and the payment is finalized, the operation to compromise the victim’s network starts. Upon successful intrusion, the ransomware is deployed and the negotiations with the victim begin. The ransomware route ends either when the ransoms are cleared or when the nonpaying victim’s sensitive data are exposed. The route takes about a month to conclude.

Figure 2. IAB operation in the RaaS business model (www.ke-la.com) 

IABs get the credentials they sell from many sources, such as the public domain, other brokers they purchase from, and the exploitation of vulnerabilities. The credentials for sale pass a validation check, usually performed with scripts that test whether they are valid; this validation is one of the main services IABs provide.

Best practices against RaaS 

There is no single solution that will protect your business against RaaS. Every cybersecurity agency recommends baseline practices that an organization should take into account and implement according to its needs. This defense baseline consists of the following cybersecurity practices:

  • Update operating systems and software 
  • Encrypt data-at-rest
  • Deploy multi-factor authentication for all applications, systems, and users
  • Secure and monitor RDPs 
  • Train the users
  • Perform phishing exercises
  • Require strong and unique passwords 
  • Back up cloud storage to multiple locations
  • Perform proper machine identity management
  • Segment networks
  • Track and monitor network activity for abnormal behavior
  • Implement a Zero Trust strategy and strict access controls to eliminate implicit trust

To cut a long story short, be proactive; prepare for a ransomware attack before it happens. Identify your exposed systems and take all the necessary measures to reduce your attack surface. Be aware and act fast when an incident occurs to minimize the impact.

ADACOM is your partner to defend against RaaS 

As RaaS groups grow in number and ransomware attacks grow in negative impact, organizations need a robust data security solution. Having all the necessary knowledge and tools, ADACOM provides consulting and customized solutions to help you strengthen your defenses and protect your business effectively against ransomware attacks. Contact ADACOM for any questions you may have.