Skip to Content

Ransomware as a Service Explained

Ransomware has become a phenomena that just about everyone is familiar with, even if you aren’t in the technology field.  Many ransomware attacks have made it to mainstream news sites and broadcasts, but there are many things to unpack when we talk about threats.

Today, I want to talk about Ransomware as a Service also known as RaaS.

What is Ransomware as a Service (RaaS)

Today, we’re used to consuming many things as a service, even if we don’t realize it.  SaaS apps are increasingly popular in the workplace, and for general users as well.  Microsoft 365 is probably one of the best known examples around, even for those not in the technology industry.  Almost everyone has heard of something like OneDrive or Dropbox, even the average consumer.

What makes these services so popular is how simple they are to consume.

Ransomware groups follow this same model, and offer their ransomware via an affiliate program, as a service.  This means the barrier for a ransomware attack is very low – all someone needs to do is be able to get into your network.  The threat actors can gain the additional knowledge they need, as well as the ransomware software itself from a ransomware group.

The playbooks ransomware groups provide are honestly better than onboarding documentation I have seen from most organizations.  The threat of ransomware to critical infrastructure like VMware vSphere is huge – especially when bad actors are handed a step by step guide.

This is what makes this model so dangerous.  Let’s take a closer look at how it works.

How does the RaaS Model Work

The RaaS business model is actually a bit sophisticated.  Ransomware groups offer their software and know how to affiliates.  Affiliates then are paid after a successful ransom payment.

The ransomware gang does all the heavy lifting like:

  • Providing the ransomware software and instructions on deployment
  • Providing additional information on how to wreak havoc in the network and what to target
  • Handles ransom negotiations and communication with victims

When you think about it, this is quite similar to what SaaS and IaaS providers also do.

There are some variants on how the revenue model works for affiliates.  Some offer affiliates a percentage of the ransom paid, while others are based on more of a flat rate.

Whatever affiliate model is followed, the outcome is the same.  It is easy for threat actors to get their hands on ransomware.

Examples of RaaS

You may not realize it, but if you have seen some of these ransomware incidents in the news, you have seen an example of RaaS.

There are many examples of RaaS, as this is a beneficial business model for both the ransomware gangs, as well as the bad actors who serve as affiliates.

RYUK Ransomware

RYUK is one of the most popular Ransomware groups out there.  It is known for targeting large companies and Windows systems.

REvil Ransomware

REvil is another large, well known ransomware group.  It has allegedly disbanded, but come on, I don’t believe that for a second.  We’ve seen a lot of ransomware groups “go dark” and similar groups emerge later.


WannaCry was one of the earlier ransomware attacks, and was wide spread and far reaching.

Preventing RaaS Attacks

Here is my unpopular opinion.  You cannot prevent a RaaS attack because the barrier for entry is so very low.  According to Sophos’ State of Ransomware 2022 report, 66% of surveyed organizations had experienced a ransomware attack in the last year.

The odds are not good, especially since according to the same report, 88% of respondents said they had a sufficient cybersecurity budget.  That means that even with security solutions in place, malware and ransomware is still getting in.

Does that mean we should give up on a security strategy?  Absolutely not, but we also need to be realistic and not just plan to prevent ransomware, but to actually recover from it.

There is no one true best defense against ransomware – the best thing you can do is to prepare to be able to recover.

But What About Cyber Insurance?

Many organizations are also seeking cyber insurance policies to help them when it comes to ransomware attacks.  While every policy is different, there are a number of things many do not realize when beginning to evaluate the situation.

  • Not all data is recovered even if your insurance policy pays the ransom
  • Most organizations are benched again after paying ransom
  • Your deductible will increase after you use the cyber insurance

At the end of the day, a cyber insurance policy is not a substitute for a ransomware recovery strategy.  My one pro tip is to make sure that an incident response firm is included in the policy for when ransomware does eventually strike.

RaaS is Bad

Ransomware as a service is bad for us all.  It makes it almost too easy for someone to deploy ransomware once they have gotten into your environment.  There isn’t a 100% foolproof way to prevent ransomware or to defend from it, but we do need to follow good security practices and always be ready to recover.