The Business of Ransomware-as-a-Service (RaaS)
The Evolution of Extortion
Ransomware has evolved from lone-wolf operators to massive, highly organized criminal enterprises. The Ransomware-as-a-Service (RaaS) model allows malware developers to lease their ransomware payloads to “affiliates” who handle the actual network breaches.
Affiliates typically take 70-80% of the ransom payment, while the core developers take the rest.
The RaaS Ecosystem
| Role | Responsibility |
|---|---|
| Operators/Developers | Build the encryptor, manage the leak site, handle negotiations. |
| Affiliates | Buy access, deploy the ransomware, exfiltrate data. |
| Initial Access Brokers (IABs) | Compromise networks and sell the access to Affiliates. |
Double Extortion
Modern ransomware operations don’t just encrypt data; they steal it first. If the victim refuses to pay for the decryption key, the attackers threaten to publish the stolen data on their Tor leak site.
Important: Paying the ransom does NOT guarantee you will get your data back, nor does it guarantee the attackers will delete their stolen copies.
For an overview of notorious variants, check out the Ransomware Wikipedia page.
