
What is ransomware as a service (RaaS)? How it works, examples, and protection

When ransomware strikes, it’s no longer just lone hackers deploying malware. Many attacks are driven by a service model called ransomware as a service (RaaS). Developers build and maintain the ransomware codebase, while ransomware affiliates install it, carry out attacks, and share the profits under a revenue split or subscription model. Emerging around 2012 with the Reveton ransomware strain, RaaS made cyberattacks easier and more profitable. In this article, we discuss exactly how RaaS works, the threats it poses, and how to stay safe.

Nov 4, 2025

11 min read


What is ransomware as a service (RaaS)?

Ransomware as a service is a cybercrime business model where the creators of ransomware provide access, infrastructure, updates, and support to others who conduct cyberattacks. These attackers are typically called “affiliates,” and they often shop for the service on the dark web. Since data breaches and cybersecurity threats can be complex to pull off, cybercriminals simply rent the toolset rather than building or maintaining it themselves.

Under this model, less technical actors can launch ransomware attacks because they don’t need to write code or manage complex infrastructure. Because the operator handles updates, hosting, and sometimes victim communications, RaaS mirrors legitimate software as a service (SaaS) in structure, except it’s done for crime.

RaaS is illegal in every jurisdiction where ransomware activity is outlawed. While some RaaS operators hide behind claims of “ethical hacking” or rent out their code on dark web forums, facilitating, selling, or using ransomware tools to extort money is a criminal offense under laws like the Computer Fraud and Abuse Act (CFAA) in the US and the Computer Misuse Act in the UK.

How does ransomware as a service work?

Ransomware as a service works much like a subscription-based business, except it sells to cybercriminals. The RaaS operator develops and maintains the ransomware code, then rents or sells it to “affiliates” who deploy the attacks. These operators often host their services on the dark web, offering ready-made ransomware kits, customer support, payment portals, and even data leak sites for publishing stolen information.

With these ransomware kits, anyone with basic computer skills can buy or subscribe to an attack kit and target victims. Affiliates use these tools to infiltrate systems, encrypt files, and demand payment in cryptocurrency. Meanwhile, RaaS operators handle the logistics, managing encryption keys, ransom notes, and payment processing on their end.

This partnership model between the operators and affiliates makes RaaS incredibly scalable. Instead of running every attack themselves, operators multiply their reach by empowering dozens or hundreds of affiliates, creating a global cybercrime network that behaves like a legitimate SaaS business, just through malicious activities.

4 types of RaaS business revenue models

RaaS operators use different revenue models to attract affiliates. The four main ones are:

  1. The subscription model. Affiliates pay a monthly fee to access ransomware tools, support, and updates. This model offers predictable income for operators and is often seen on professionalized RaaS marketplaces.
  2. The affiliate model. Affiliates don’t pay upfront but share a percentage (often 20% to 30%) of the ransom proceeds with the operator after a successful attack.
  3. The one-time license. A single payment grants permanent access to the ransomware kit. It’s popular among more skilled attackers who prefer independence over revenue sharing.
  4. The hybrid model. This model combines subscription fees with revenue sharing. Affiliates pay a smaller upfront fee plus a commission on successful attacks.

The affiliate model dominates the RaaS landscape because it balances risk and reward. Operators gain steady profits without directly launching the attack, and affiliates can start without major investment. All of these models thrive on the same foundation, which is scaling cyber extortion like a commercial product.

Examples of ransomware as a service (RaaS)

RaaS is a model in which many well-known threat groups offer affiliate access. Some have shut down, some have rebranded, and others persist under new names. Let’s take a look at some of the most popular RaaS groups that have done significant damage over the years.

  • Maze (with users migrating to Egregor). Maze was once one of the most notorious RaaS operations, pioneering the double extortion tactic (encrypt and leak). Maze officially announced a shutdown in late 2020, and several observers believe parts of its infrastructure and affiliates migrated to Egregor, which shares many operational traits. Today, Egregor is considered one of Maze’s successors, focusing on high ransom demands and public data leak sites.
  • Ryuk. Ryuk was active in high-value, targeted attacks, often tied to other malware like TrickBot. Its visibility declined after law enforcement pressure and internal disruption, but newer strains and offshoots hint at possible rebrands or successor groups maintaining its capabilities.
  • Pysa (also known as Mespinoza). Pysa is another RaaS gang that has leveraged data theft and extortion techniques beyond mere encryption. It targets large institutions and demands high ransoms backed by cyber threats to publish sensitive data if payment isn’t made.
  • REvil (also known as Sodinokibi). REvil has been among the most aggressive RaaS operations, involved in large corporate attacks and vendor chain incidents. Although major law enforcement actions have disrupted parts of its network, REvil’s methodology and variants persist in ransomware discussions and rebrands.
  • DarkSide. DarkSide is a newer gang known for its high-profile attack on the US Colonial Pipeline in 2021, which highlighted how ransomware can reach critical national infrastructure. DarkSide operates through a RaaS model, distributing the burden of attack among affiliates in exchange for a profit share.
  • Dharma. While Dharma has been known since 2016, it started operating as a RaaS provider only in 2020. Dharma attacks have been linked to Iranian cybercriminal groups and are usually financially motivated. The service is not centrally controlled, and its variants come from many sources.
  • LockBit. LockBit first emerged as a virus that encrypted user files. However, it later became a RaaS operation. It has a distinct ability to automatically self-propagate to target networks, which makes it attractive to cybercriminals.

Threats posed by RaaS attacks

RaaS targets anyone with valuable or vulnerable digital assets, from small businesses to governments. Beyond losing data or money, victims can suffer privacy loss, identity exposure, and long-term damage to trust and security infrastructure, which can take years to rebuild.

Privacy violations

When attackers exfiltrate personal or sensitive data before or during encryption, digital privacy is shattered. Individuals and organizations handling confidential information are most vulnerable. Victims may face blackmail, unauthorized use of personal information, or exposure of their private communication and media. 

Data breaches and data loss

RaaS attackers frequently leak stolen data even if victims pay the ransom, creating a full-fledged data breach. For organizations handling critical records, that means compliance fines, regulatory scrutiny, and long-term recovery costs, which can be crippling.

Financial loss

Beyond the ransom amount itself, victims grapple with recovery costs, which often include forensic work, downtime, legal fees, and fines. According to the Sophos State of Ransomware 2025 report, the average ransom demand is a little over $1 million.

Extended downtime

Attacks can cripple infrastructure, shutting operations for days or weeks. Organizations that rely on real-time access to data, such as hospitals and emergency services, are especially vulnerable. In the health sector alone, the HIPAA Journal reported that 2024 saw 181 ransomware attacks impacting 25.6 million records, halting patient care in some cases.

Reputational damage

Customers and partners may lose trust if a breach becomes public, which can erode brand value and future revenue. Leaked internal communications or client data intensify the damage, even after systems are restored.

Identity theft

Stolen personal identifiers (Social Security numbers or account credentials) allow criminals to open new accounts, commit tax fraud, or impersonate victims. Individuals with strong credit histories or high online activity are prime targets.

Long-term security challenges

After an attack, systemic weaknesses often remain undetected. Attackers may plant backdoors, steal encryption keys, or gain persistent footholds, leaving assets at risk and highlighting challenges in big data security. Organizations handling large volumes of data are particularly vulnerable to these long-term threats.

How to prevent ransomware as a service (RaaS) attacks

RaaS may be getting more sophisticated, but prevention still starts with basic cyber hygiene and strong digital discipline. Below are important steps that can help build ransomware resilience and prevent attacks.

Be cautious and vigilant 

Many RaaS attacks begin with a single click. Phishing emails, fake download links, and other social engineering tactics trick users into installing malware disguised as legitimate files. Always verify senders before opening attachments or clicking links, especially when messages use urgency or emotional pressure.

Avoid downloading software or media from unverified sites, and monitor any new or unexpected connection requests. Cybercriminals often rely on panic or curiosity to cloud their victims’ judgment. Practicing this kind of digital mindfulness is your first line of defense.

For organizations, implementing data loss prevention systems helps identify and stop suspicious file transfers. Learn how to avoid phishing attacks and train staff to double-check before taking action on unfamiliar requests.

Deploy cybersecurity solutions 

A proactive cybersecurity suite is essential for preventing ransomware infections. Tools that scan, block, and remove malicious activities can catch threats before they spread.

For individuals, Threat Protection Pro™ by NordVPN automatically blocks trackers, harmful downloads, and infected websites, even when your VPN isn’t active. For companies, endpoint protection and firewalls should be paired with network monitoring and behavioral analysis tools to detect early signs of compromise.

Keep software and systems updated

Enable automatic updates for your OS, browsers, and productivity tools to keep attackers from targeting the gaps. Don’t forget firmware and security software because even your antivirus and intrusion detection systems need to stay current to remain effective. For organizations, automated patch management tools can help track and enforce updates across hundreds of endpoints.

Regularly back up data

Keeping multiple backups (both offline and in secure cloud storage) ensures you can restore your data without paying a ransom. Follow the 3-2-1 rule, meaning you maintain three copies of your data, on two different media types, with one stored off-site. In some cases, “ransomware resilience as a service” solutions can automate backups, verify integrity, and speed up recovery after an incident.
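The 3-2-1 rule and the integrity check described above can be audited mechanically. The following is an added example, not code from the original article: the inventory format, the copy names, and the choice to count the production copy as one of the three are assumptions, and the sample data is constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str      # "disk", "tape", "cloud", ...
    offsite: bool   # stored away from the primary site
    offline: bool   # not reachable from the production network
    sha256: str     # digest recorded at the most recent restore test

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_321(copies, reference_sha256):
    """Return a list of findings; an empty list means the inventory passes."""
    findings, intact = [], []
    for c in copies:
        # A copy that no longer matches the known-good digest (for example,
        # an encrypted version synced over it) must not count toward the rule.
        if c.sha256 == reference_sha256:
            intact.append(c)
        else:
            findings.append(f"INTEGRITY: {c.name} does not match the reference digest")
    if len(intact) < 3:
        findings.append(f"COPIES: {len(intact)} intact, need 3")
    media = {c.media for c in intact}
    if len(media) < 2:
        findings.append(f"MEDIA: {len(media)} media type(s), need 2")
    if not any(c.offsite for c in intact):
        findings.append("OFFSITE: no intact off-site copy")
    if not any(c.offline for c in intact):
        findings.append("OFFLINE: no intact offline copy")
    return findings

# Constructed sample inventories (hypothetical names and contents).
REFERENCE = digest(b"constructed sample dataset")
HEALTHY = [
    BackupCopy("primary", "disk", False, False, REFERENCE),
    BackupCopy("tape-vault", "tape", True, True, REFERENCE),
    BackupCopy("cloud-bucket", "cloud", True, False, REFERENCE),
]
# Same site after the tape rotation lapsed and the cloud copy was overwritten.
DEGRADED = [
    HEALTHY[0],
    BackupCopy("cloud-bucket", "cloud", True, False, digest(b"overwritten")),
]

if __name__ == "__main__":
    for label, inventory in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, check_321(inventory, REFERENCE) or "OK")
```

The degraded inventory shows why copies are counted only after the digest check: a backup that synced an overwritten file still exists on paper but cannot be restored from.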

Invest in cybersecurity training and knowledge

Human error can often cause cybersecurity breaches, so encourage employees (and family members) to stay informed about evolving threats like phishing, ransomware incidents, and other cybersecurity threats. Build a culture where questioning suspicious activity is encouraged, not penalized. The more informed your network, whether human or digital, the harder it is for RaaS attackers to succeed.

Challenges in cybersecurity posed by RaaS attacks

RaaS complicates the defender’s job across multiple fronts. These are some of the biggest hurdles:

  • Attribution difficulties. RaaS operators and affiliates often use proxies, anonymization networks, and shared infrastructure to hide their identities and execute attacks. Tracking who executed the attack can be difficult.
  • Evolving and specialized criminals. The RaaS model enables experts to rent infrastructure to non-experts. RaaS tools are professionally developed, updated, and hardened, making detection harder and response time shorter.
  • Resilience and adaptability. Ransomware operators constantly rotate payloads, adjust encryption routines, or spin up new variants. Even if one strain is blocked, affiliates can switch to another immediately.
  • Pressure tactics. Beyond encrypting data, RaaS groups use double extortion, threatening to leak sensitive information like personally identifiable information (PII) or trade secrets if ransom isn’t paid, which adds psychological pressure and urgency.

These challenges demand cybersecurity strategies beyond patching and blocking. When you choose a cybersecurity defense system, make sure it maintains active threat intelligence, flexible controls, and readiness for evolving RaaS systems.

The future of ransomware as a service (RaaS)

RaaS has grown from niche malware experiments into a global cyber extortion economy. What was once limited to lone threat actors has evolved into a subscription model with dashboards, customer support, and affiliate networks. Notorious groups like LockBit, REvil, and DarkSide have demonstrated the scale and sophistication possible through RaaS.

Because of how quickly it’s evolved, we’ll likely see affiliates compete for targets, ransomware supply chains that subcontract parts of the operation (like negotiation or leak sites), and AI-driven payloads that adapt to defenses. 

NordVPN experts

Our NordVPN experts know the ins and outs of cybersecurity solutions and strive to make the internet safer for everyone. With a finger on the pulse of online threats, they share their expertise and practical tips on how to avoid them. Whether you're a tech newbie or a seasoned user, you'll find valuable insights in their blog posts. Cybersecurity should be accessible to everyone — and we're making that happen, one blog post at a time.