Cloudwards Video Courses New may earn a small commission from some purchases made through our site. However, any earnings do not affect how we review services. Learn more about our editorial integrity and research process.

what is ransomware as a service

Ransomware as a Service: What Is It and How Does It Work in 2024?

Ransomware has been around since the 1980s, but beginning in 2016, a new business model emerged: hackers recruit affiliates and provide them with the ransomware payload needed to encrypt sensitive data, target critical infrastructure and extract ransomware payments from victims. Learn more about ransomware as a service in this detailed guide.

Aleksander HougenAleksandar KochovskiVildana Bratic

Written by Aleksander Hougen (Co-Chief Editor)

Reviewed by Aleksandar Kochovski (Writer, SEO Editor)

Facts checked by Vildana Bratic (Video Editor, Fact-Checking Editor)

Last Updated: 2024-03-16T16:51:22+00:00

All our content is written fully by humans; we do not publish AI writing. Learn more here.

Ransomware incidents have risen greatly over the last few years, especially as large parts of the world shifted to reliance on remote work and digital infrastructure during the COVID-19 pandemic. In this climate, something called “ransomware as a service” (RaaS) has gained popularity among threat actors. 

RaaS allows just about anyone to deploy ransomware in exchange for a monthly subscription or some other revenue model. 

Key Takeaways:

  • Ransomware as a service is a practice of developers offering ransomware kits to other groups or attackers in exchange for a subscription fee or shared revenue.
  • RaaS operators offer their services at prices ranging from less than $100 to many thousands. However, one successful ransom payment can mean a payout of hundreds of thousands or even millions of dollars, making it a tempting proposition.
  • Most ransomware targets businesses and organizations, but private individuals can also fall victim to RaaS attacks. Frequent backups and an understanding of common threats is crucial to protect yourself and your data.

Although ransomware attacks primarily target businesses, the rise of RaaS providers makes it ever more likely that you will find yourself faced with ransom demands to decrypt your data, even if you’re just a private individual. Luckily, there’s plenty of ransomware protection software out there, and simply performing frequent backups will protect you from the worst damage.

What Is a Ransomware Attack?

A ransomware attack functions by encrypting the data on your device, either individual files and folders or your entire operating system. 

Online Security

Check out our online security courses and grab a limited-time offer.
Enrollment available now!

Enroll Now

Either way, the target is then asked to pay a ransom to unlock their files or devices, with the precise dollar amount usually depending on who is being targeted. Just as the number of attacks themselves has increased, so has the cost of the ransom payments.

After your data or device has been encrypted, the decryption key is what’s really being held for ransom.

Ransomware operators will generally target companies or industries that have a lot of valuable data or require their systems to be functioning at all times. That’s because the target is far more likely to pay if they’ve lost access to critical data or systems that they need to continue operating.

What Is Ransomware as a Service?

Ransomware as a service is a subscription service model where you pay a monthly or yearly fee for access to ransomware tools that are already developed and ready to be deployed. These “RaaS kits” are marketed and sold on underground forums and marketplaces on the dark web, and they range in price from less than $100 to thousands.

malware service raas phishing scams
RaaS operators sometimes facilitate malware deployment, making it easier for other criminals to quickly take advantage of known security vulnerabilities.

Because the kits are easy to use, and sometimes even come with customer support, it allows an attacker to set up and perform many ransomware attacks rapidly with little to no technical skill.

How Does Ransomware as a Service Work?

The first step in any RaaS attack is the attacker locating the kit on the dark web and signing up for the software as a service. 

Generally, there are four different payment models in the RaaS market. The first — and simplest — is a standard flat monthly fee, just like you’d pay for cloud storage or a virtual private network. Some RaaS kits are also available for a one-time license fee, though we imagine these generally don’t come with the same level of ongoing support.

Next is an affiliate model, where the RaaS affiliates still pay a subscription fee, but also promise a share of the profits to the malware developers. This way, a RaaS operator can set themselves up with multiple affiliates and potentially benefit from thousands of attacks happening every day. 

Finally, there’s a pure profit-sharing model, where the RaaS operator works out a profit split with the affiliate in exchange for providing the kit free of charge.

Silk Road
The Silk Road is the most famous dark web marketplace, but there are many others like it.

Regardless of how they pay for it, the attacker now has their hands on a RaaS kit. The exact way in which it works will depend on the ransomware code it uses, but generally it will infect systems and otherwise gain access to data through avenues like phishing emails and malicious links. 

A more powerful tool might automate this delivery process, while cheaper options simply give purchasers the ransomware to deliver themselves.

Regardless, once the attacker has control of an infected system, a ransom note is delivered to the target. This is typically done as part of the software, allowing the demand to appear right on the target’s device. The kit might also include tools for facilitating the payment, which is generally done with an anonymous cryptocurrency.

How Did the RaaS Model Lead to More Ransomware Attacks?

Because ready-made RaaS kits require little technical ability or understanding, it removes the only significant barrier to entry for performing ransomware attacks. Anyone who can afford to pay for and knows how to access the appropriate dark web marketplaces can acquire one and become a RaaS affiliate. 

This means that ransomware attackers no longer have to be ransomware developers themselves, greatly increasing the accessibility of these types of attack techniques.

Final Thoughts: RaaS & Ransomware Attack Protection

With the number of ransomware variants and attacks only increasing, RaaS operators are a known problem that security teams have to combat by implementing a rigorous patch program and fixing known vulnerabilities quickly. Even so, the sheer ease with which the RaaS affiliate model allows a threat actor to carry out attacks makes this an uphill battle.

Luckily, there are steps you can take for ransomware protection, including installing a good antivirus software, making sure to backup your data often (some services even have ransomware protection), and to use a secure VPN.

What did you think of our breakdown of the RaaS model? Do you feel like you have a better understanding of how it works, and more importantly, how to protect yourself or your organization? Have you been the target of a RaaS operation? Let us know in the comments below. Thank you for reading.


  • Yes. RaaS attacks, just like any other cyberattacks, are considered illegal in most (if not all) jurisdictions.

  • You can divide ransomware into locker ransomware (which disables access to some or all of your system), crypto ransomware (which encrypts files or data), doxware (which threatens to release the decrypted data publicly) and RaaS (which encompasses all of the above, but as a subscription service sold to other cybercriminals).

  • Some of the earliest ransomware services include Ransom32, Shark and Stampado.

  • Yes. Though it’s hard to say for sure, Ryuk Ransomware is perhaps the most widely deployed ransomware service out there.

↑ Top