The Business of Ransomware-as-a-Service (RaaS)

Ransomware Is No Longer Just Malware

To understand this, we first need to define the core concepts:

  • Ransomware is a type of malicious software (malware) that encrypts a victim’s files and demands a payment (ransom) to restore access.
  • As-a-Service (AaaS) is a business model in which software, platform, or infrastructure capabilities are provided on demand, typically as a subscription or franchise.
  • Ransomware-as-a-Service (RaaS) is what that model becomes when applied to cybercrime: ransomware developers lease their malware and portal infrastructure to third-party attackers (affiliates) in exchange for a percentage of each ransom.

There was a time when ransomware was the work of individual hackers who coded their own encryptors, deployed them manually, and collected Bitcoin through sketchy forums. That era is largely gone. What replaced it is far more sophisticated, far more organized, and in some ways more disturbing - because it mirrors legitimate business models almost perfectly.

Ransomware-as-a-Service has turned ransomware from a technical endeavor into an operational one. You no longer need to know how to code malware. You just need network access and the willingness to run someone else’s tool. The developers handle the infrastructure. You handle the breach.

This post breaks down how RaaS actually works, who the players are, what the attack chain looks like, and how defenders should think about it.


The RaaS Ecosystem: Who Does What

Think of RaaS like a dark web franchise model. There are several distinct roles:

The Developers / Operators

These are the people who actually build and maintain the ransomware. They write the encryptor, manage the negotiation portal, operate the leak site on Tor, and handle the backend infrastructure. They rarely touch victims directly. Their job is to build a reliable product and manage the business.

Examples: LockBit, ALPHV/BlackCat, RansomHub, Cl0p.

The Affiliates

These are the actual attackers - the people who compromise networks and deploy the ransomware. They sign up with a RaaS group (often going through an application process), receive access to the encryptor and support infrastructure, and then go find victims themselves.

Affiliates typically keep 70-80% of every ransom paid. The developers take the rest. This incentive structure means affiliates are highly motivated.

Initial Access Brokers (IABs)

These are a critical part of the supply chain that many people overlook. IABs specialize in one thing: compromising corporate networks and selling that access. They don’t run ransomware. They just sell the door in.

An affiliate might purchase access to a Fortune 500 company’s network for $5,000-$50,000, deploy LockBit, and demand $5 million in ransom. The economics work out very well for everyone except the victim.

The Negotiators

Some sophisticated victims hire professional ransomware negotiators. Some RaaS groups employ their own negotiators. The negotiation process is often remarkably professional - timed responses, “customer service” support, discounts for quick payment.


The Attack Chain

A typical RaaS attack follows a predictable pattern:

Stage 1: Initial Access

Common entry points include:

  • Phishing emails with malicious attachments or links
  • Exploiting internet-facing vulnerabilities (VPNs, RDP, Exchange servers)
  • Purchased access from an IAB
  • Valid stolen credentials from previous data breaches

Stage 2: Establish Persistence

Once inside, the attacker sets up persistence so they survive reboots and initial detection. Common methods include scheduled tasks, registry run keys, and backdoors dropped in startup folders.

Stage 3: Reconnaissance and Lateral Movement

This is often the longest phase. The attacker spends time understanding the network:

  • Who are the domain admins?
  • Where are the backups stored?
  • What data is most valuable?
  • What security tools are running?

Tools used: BloodHound for AD mapping, Nmap for network discovery, Mimikatz for credential dumping.

# Mimikatz - dump credentials from memory
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords

# Lateral movement with PsExec
PsExec.exe \\TARGET -u admin -p password cmd.exe

Stage 4: Data Exfiltration

Before encrypting anything, attackers exfiltrate data. This is what makes modern ransomware “double extortion.” They steal your data, then they encrypt it. Now you have two problems: you can’t access your systems, AND your sensitive data is in the attacker’s hands.

Common exfiltration tools: Rclone (syncing to attacker-controlled cloud storage), MEGAsync, custom upload scripts.

Stage 5: Detonation

The ransomware gets deployed. Usually during off-hours - nights and weekends - to maximize encryption coverage before anyone notices. The attacker deletes or corrupts backups first, then launches the encryptor across the network.

Modern ransomware can encrypt thousands of files per second. By the time a SOC analyst sees the alerts, significant damage is already done.
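The stages above each leave telemetry a defender can key on: Run-key writes and scheduled tasks (Stage 2), LSASS handle opens and the PsExec service (Stage 3), sync tools like Rclone or MEGAsync starting up (Stage 4), and a single process renaming files far faster than any human workflow (Stage 5). The script below is an added example, not code from the original post: it runs simple stage-tagged rules over a constructed batch of endpoint events and builds a per-host progression so an analyst can see how far down the chain an intrusion has got. The event schema (dicts with ts/type/host fields, loosely modelled on Sysmon-style telemetry), the process names, the thresholds and every sample event are assumptions.

```python
"""Stage-aware ransomware detection over endpoint telemetry.

Added example, not code from the original post. The event schema and all
sample events below are constructed; the sync-tool names come from the post.
"""
from collections import defaultdict, deque

EXFIL_TOOLS = {"rclone.exe", "megasync.exe"}   # sync tools named in the post
RUN_KEY_MARKER = "\\currentversion\\run\\"      # registry Run-key persistence
ENCRYPT_WINDOW = 10.0    # sliding window (seconds) for rename bursts
ENCRYPT_THRESHOLD = 50   # renames per window; well above normal user activity


def build_sample_events():
    """Constructed telemetry covering Stages 2-5 on two hosts, plus benign noise."""
    events = [
        {"ts": 100.0, "type": "registry_set", "host": "ws01", "proc": "powershell.exe",
         "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
         "value": "C:\\Users\\Public\\u.exe"},
        {"ts": 120.0, "type": "scheduled_task", "host": "ws01", "proc": "schtasks.exe",
         "name": "\\Microsoft\\Windows\\Maintenance\\SysCheck"},
        {"ts": 160.0, "type": "process_access", "host": "ws01", "proc": "m.exe",
         "target": "lsass.exe"},
        {"ts": 200.0, "type": "service_install", "host": "srv02", "proc": "services.exe",
         "name": "PSEXESVC"},
        {"ts": 300.0, "type": "process_create", "host": "srv02", "proc": "rclone.exe",
         "cmdline": "rclone.exe copy D:\\Finance remote:dump --transfers 16"},
    ]
    # Benign: a user renames a handful of files; stays under the threshold.
    events += [{"ts": 350.0 + i, "type": "file_rename", "host": "ws01",
                "proc": "explorer.exe", "path": f"C:\\Users\\a\\doc{i}.docx"} for i in range(5)]
    # Malicious: one process renames 60 files in three seconds (Stage 5).
    events += [{"ts": 400.0 + i * 0.05, "type": "file_rename", "host": "srv02",
                "proc": "enc.exe", "path": f"D:\\Finance\\q{i}.xlsx.locked"} for i in range(60)]
    return events


def finding(stage, ev, detail):
    return {"stage": stage, "ts": ev["ts"], "host": ev["host"], "detail": detail}


def analyze(events):
    """Run the stage rules over events in time order and return findings."""
    findings = []
    renames = defaultdict(deque)   # (host, proc) -> timestamps inside the window
    alerted = set()                # (host, proc) already reported for Stage 5
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = ev["type"]
        if t == "registry_set" and RUN_KEY_MARKER in ev["key"].lower():
            findings.append(finding(2, ev, f"Run-key persistence: {ev['key']} -> {ev['value']}"))
        elif t == "scheduled_task":
            findings.append(finding(2, ev, f"Scheduled task created: {ev['name']}"))
        elif t == "process_access" and ev["target"].lower() == "lsass.exe":
            findings.append(finding(3, ev, f"{ev['proc']} opened a handle to LSASS (credential dumping)"))
        elif t == "service_install" and ev["name"].upper() == "PSEXESVC":
            findings.append(finding(3, ev, "PsExec service installed (lateral movement)"))
        elif t == "process_create" and ev["proc"].lower() in EXFIL_TOOLS:
            findings.append(finding(4, ev, f"Sync tool launched: {ev['cmdline']}"))
        elif t == "file_rename":
            key = (ev["host"], ev["proc"])
            window = renames[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > ENCRYPT_WINDOW:
                window.popleft()
            if len(window) >= ENCRYPT_THRESHOLD and key not in alerted:
                alerted.add(key)
                findings.append(finding(5, ev, f"{ev['proc']} renamed {len(window)} files "
                                               f"in {ENCRYPT_WINDOW:.0f}s (mass encryption)"))
    return findings


def kill_chain(findings):
    """Per-host list of stages in the order they were first observed."""
    chain = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["ts"]):
        if f["stage"] not in chain[f["host"]]:
            chain[f["host"]].append(f["stage"])
    return dict(chain)


if __name__ == "__main__":
    found = analyze(build_sample_events())
    for f in found:
        print(f"t={f['ts']:7.2f} stage {f['stage']} {f['host']}: {f['detail']}")
    print("per-host stage progression:", kill_chain(found))
```

The rename-burst rule is the one worth tuning: it fires per process, not per host, so a backup agent or indexer that legitimately touches many files needs an allow-list, and the window and threshold should be set from your own baseline rather than the constructed values here.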

Stage 6: Negotiation

A ransom note appears. It typically includes a Tor link to the negotiation portal. The victim has a countdown timer. If they don’t pay, the exfiltrated data goes on the public leak site.


Double and Triple Extortion

The evolution of extortion tactics has been rapid:

Single Extortion (original): Encrypt files, demand payment for decryption key.

Double Extortion (post-2019): Encrypt files AND steal data. Pay for decryption AND for data to not be published.

Triple Extortion: Everything above, PLUS threaten to DDoS the victim’s website, AND contact the victim’s customers, partners, and regulators directly to apply additional pressure.


Notable RaaS Groups

Group | Active Period | Notable For
LockBit | 2019-2024 | Most prolific group by victim count; developed LockBit 3.0 with a bug bounty program
ALPHV/BlackCat | 2021-2024 | Written in Rust, cross-platform; targeted healthcare and critical infrastructure
Cl0p | 2019-present | Exploited zero-days in GoAnywhere MFT and MOVEit Transfer; mass exploitation
RansomHub | 2024-present | Emerged after the LockBit/ALPHV takedowns; recruited their former affiliates
Conti | 2020-2022 | Highly structured criminal organization; internal playbooks leaked in 2022

Why Paying the Ransom Is Complicated

This is a nuanced conversation. The Cyber Security Authority (CSA) Ghana, national CERT teams like CERT-GH, and most international cybersecurity firms recommend not paying. Here’s why:

  1. No guarantee you get your data back. Some groups take the money and disappear. Some provide broken decryptors.
  2. No guarantee your data won’t be published anyway. You’re trusting criminals to keep their word.
  3. You fund the next attack. Every ransom paid finances the next campaign.
  4. Potential legal risk. If the ransomware group is on international or national sanctions lists, paying them could expose your organization to legal liability and violate local financial regulations.

However, the reality is that some organizations with no usable backups face a genuine choice between paying and shutting down permanently. It is not always a simple decision.


Defending Against Ransomware

Before an attack (prevention):

  • Multi-factor authentication on everything, especially VPN and email
  • Patch internet-facing systems rapidly, especially VPNs and mail servers
  • Segment your network so ransomware can’t spread freely
  • Maintain offline, air-gapped backups and test them regularly
  • Least privilege: users should only have access to what they need

During an attack (containment):

  • Isolate affected systems immediately - disconnect from the network, don’t shut down (memory forensics may be possible)
  • Preserve logs before attackers delete them
  • Determine patient zero: how did they get in?
  • Engage your incident response team or an external IR firm

After an attack (recovery):

  • Do not restore from backup until you’ve confirmed the attacker’s persistence mechanisms are gone. Restoring into a compromised environment means you get hit again.
  • Remediate the initial access vector before coming back online
  • Report to Cyber Security Authority (CSA) Ghana, CERT-GH, and relevant regulatory bodies as required
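"Test them regularly" in the prevention list and "do not restore from backup until you've confirmed..." in the recovery list both come down to the same check: prove the backup copy is the one you made, and that it was not itself touched, before you restore from it. The script below is an added example, not code from the original post. It takes a SHA-256 manifest when the backup is created, then verifies the copy against it and flags files that look encrypted (a ransomware-style extension, or near-random content). The extension list, the entropy limit and the sample files are assumptions.

```python
"""Backup manifest verification before restore.

Added example, not code from the original post. The suspect-extension list,
entropy limit and sample files are constructed assumptions.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}  # constructed; real names vary by group
ENTROPY_LIMIT = 7.5   # bits per byte; plaintext and office data sit well below this
SAMPLE_BYTES = 65536  # only the first 64 KiB of each file is scored for entropy


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: random bytes score close to 8.0, English text around 4.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root):
    """Relative path -> SHA-256, recorded when the backup is taken."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_backup(root, manifest):
    """Compare a backup copy to its manifest; ok only if nothing is off."""
    root = Path(root)
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {
        "missing": sorted(set(manifest) - set(present)),      # originals gone
        "unexpected": sorted(set(present) - set(manifest)),   # files that were never backed up
        "modified": [],                                       # hash no longer matches
        "suspect": [],                                        # looks encrypted
    }
    for rel, path in sorted(present.items()):
        if rel in manifest and sha256_file(path) != manifest[rel]:
            report["modified"].append(rel)
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if path.suffix.lower() in SUSPECT_EXTENSIONS or shannon_entropy(head) > ENTROPY_LIMIT:
            report["suspect"].append(rel)
    report["ok"] = not any(report[k] for k in ("missing", "unexpected", "modified", "suspect"))
    return report


def demo():
    """Constructed scenario: a clean backup, then the same copy after being encrypted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger.csv").write_text("date,amount\n2024-01-01,100\n" * 50)
        (root / "notes.txt").write_text("quarterly review notes\n" * 40)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulate the backup copy itself being overwritten with ciphertext and renamed.
        (root / "ledger.csv").write_bytes(os.urandom(4096))
        (root / "ledger.csv").rename(root / "ledger.csv.locked")
        hit = verify_backup(root, manifest)
        return clean, hit


if __name__ == "__main__":
    clean, hit = demo()
    print("clean copy ok:", clean["ok"])
    print("after encryption:", {k: v for k, v in hit.items() if k != "ok"})
```

Keep the manifest with the offline copy, not on the file server it describes, or an attacker who reaches the backups can rewrite both. The entropy rule will also flag legitimately compressed or already-encrypted archives, so treat "suspect" as a prompt to look, and the hash mismatch as the hard failure.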

Threat Intelligence Resources

For staying current on ransomware groups and campaigns:

  • Ransomwatch - tracks leak sites and posts new victims as they appear
  • CSA Ghana & CERT-GH Advisories - publishes localized alerts, reports, and advisories on active threats
  • ID Ransomware - identifies which ransomware encrypted your files based on the note
  • VirusTotal - submit samples for analysis
  • The DFIR Report - detailed technical breakdowns of real ransomware intrusions

Ransomware is not going away. The groups adapt, rebrand after law enforcement action, and continue operating. Understanding the business model behind it is the first step to defending against it effectively.

This post is licensed under CC BY 4.0 by the author.