Ransomware-as-a-Service (RaaS)
Cybercrime business model where ransomware operators rent their malware, infrastructure, and leak sites to affiliates in exchange for a cut of each ransom.
Ransomware-as-a-Service (RaaS) is the cybercrime business model that drives most modern ransomware incidents. A core operator team builds and maintains the ransomware itself — the encryption code, the negotiation portal, the data-leak site, the cryptocurrency plumbing — and rents it to affiliates who carry out the intrusions. The affiliate keeps a majority of each successful ransom (often cited as 70-80%); the core operator takes the rest and retains intelligence on every victim.
LockBit, ALPHV/BlackCat, Conti (now dissolved and forked), Cl0p, and a long tail of smaller programs have all operated this way. Europol’s IOCTA report and ENISA Threat Landscape both treat RaaS as the structural reason ransomware volume has not dropped despite years of high-profile takedowns: when one operator goes down, affiliates migrate to the next platform within weeks.
Defining properties:
- Specialization of labor. Initial-access brokers sell footholds; affiliates handle intrusion and lateral movement; the core team handles the malware and the brand. Each role can be filled by a different group.
- Lower attacker skill bar. An affiliate doesn’t need to write a single line of crypto code. They need to be good at phishing, identity attacks, and lateral movement — skills now widely available.
- Branded leak sites. Most RaaS operators run a public extortion site listing victims who haven’t paid, which functions as both pressure tool and marketing for the next affiliates.
- Code-of-conduct theater. Several programs advertise rules (“no hospitals, no critical infrastructure”) that affiliates routinely ignore.
- Affiliates inherit the meta. Whatever the current best initial-access technique is — MFA fatigue, OAuth phishing, Citrix/VPN exploits — affiliates adopt fast.
The defensive implication is that RaaS makes ransomware a human-access problem more than a malware problem. The encryption code is fungible; the intrusion path is not. Closing the intrusion paths — strong phishing reflexes, FIDO2 / passkeys, OAuth-grant hygiene, identity governance — is the only durable lever, because it works regardless of which RaaS brand the affiliate happens to be renting from this quarter.
Related terms
- Ransomware: Malware that encrypts data and/or exfiltrates it, then demands payment for decryption or non-publication — almost always entering through a human-mediated step.
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.
- MFA fatigue: A social-engineering attack that bombards a user with MFA push prompts until they tap Approve out of annoyance or confusion.
- Supply chain attack: An intrusion that compromises a trusted upstream vendor — software, SaaS, MSP — to reach every downstream organization that uses it.