Ransomware as a Service (RaaS): Explained

10:02:2025

The days when cybercriminals built single-use ransomware and manually pushed it into one organization’s network are gone. Criminals still extort ransoms – and less technical actors still deploy traditional strains – but the center of gravity has shifted to a service economy. Ransomware as a Service (RaaS) packages tooling, infrastructure, and playbooks so that affiliates can run high-impact campaigns at scale.

That scale makes RaaS more than a private-sector nuisance. Attacks on energy, transport, healthcare, and municipal services can disrupt lifelines, erode public trust, and create cascading second-order effects that national-level defenders – including Cyber Protection Teams, sector risk management agencies, and Information Sharing and Analysis Centers – must factor into planning. Use this guide as a playbook to harden critical infrastructure and enterprise networks against an adversary that increasingly behaves like a software vendor.

What Is Ransomware as a Service?

Ransomware as a Service threatens more than businesses—its attacks on energy, healthcare, transport, and public services can disrupt lifelines and trust.

RaaS is a subscription-based cybercrime model in which skilled ransomware actors lease or sell the tools required for an attack to affiliates who execute campaigns. In this guide, we use one set of terms consistently:

  • Operator: The RaaS provider who builds or maintains the toolkit and platform
  • Affiliate: The attacker who buys in and runs the intrusion, deployment, and extortion

The ransomware operator might offer a RaaS kit including anything from malware, hosting, and payment portals to documentation. The setup mirrors legitimate Software as a Service (SaaS) businesses: Operators build and maintain the “product,” while affiliates (the actual ransomware attackers) handle “distribution.”

Key Players in the RaaS Ecosystem

Markets change all the time, and the RaaS provider landscape is no exception. However, due to the level of professionalization, certain elements and roles remain recognizable. 

  • Developer/operator: Creates the ransomware payload, manages keys, runs leak sites and payment portals, and updates features to evade detection.
  • Affiliate/attacker: Pays to use the toolkit, selects targets, gains access, moves laterally, deploys the payload, and extorts victims. 
  • Initial access broker (IAB): Sells footholds into already-compromised networks, giving affiliates a head start. Footholds are usually obtained via stolen credentials, exposed Remote Desktop Protocol (RDP) endpoints, web shells, etc.

Why this matters to your organization:

  • Democratization of cybercrime: Any given ransomware affiliate doesn’t need deep exploit development or crypto-payment expertise anymore. They buy a kit, follow the docs, and execute.
  • Scale and specialization: RaaS ecosystems include specialized roles (access brokers, crypter services, bulletproof hosting). As in legitimate SaaS businesses, this level of sophistication aims to streamline operations. Except in this case, the goal is to increase the tempo of attacks on businesses and critical infrastructure.
  • Sophisticated ransomware attacks: Mature RaaS programs provide how-to guides, ticketing and “support,” and dashboards. Users can track victims, payments, sensitive information, and “campaign” metrics. 

Understanding the Business Model Behind a RaaS Attack

To defend your organization successfully, it’s helpful to understand how the typical ransomware group operates financially. Otherwise, you may make false assumptions about where the ransom is going or with whom you’re interacting. 

Common RaaS Commercial Models

  • Monthly subscription: Affiliates pay a flat fee for platform access and updates.
  • Profit sharing: Operators take a percentage of successful ransom payments. Affiliates typically keep the rest in these scenarios.
  • One-time license: A larger upfront payment buys long-term access or a private build.

Most programs also offer “value-add” services: 

  • Per-OS/architecture encryptor builders
  • Obfuscation/packing
  • Turnkey leak-site hosting
  • “Negotiation playbooks”

The Five Stages of a Typical Ransomware Attack

Ransomware-as-a-Service attacks typically follow five stages—from infiltration to extortion—designed to maximize disruption and pressure victims into payment.

While the details may change, depending on the scenario, every RaaS attack tends to go through five stages.

  • Initial infiltration: Common vectors include spear-phishing, credential theft, exploitation of unpatched internet-facing services (e.g., VPNs, file transfer appliances), abuse of weak RDP exposure, or access purchased from IABs.
  • Network reconnaissance and lateral movement: Affiliates enumerate domains and assets. They harvest credentials, disable security tools, and identify high-value systems, like hypervisors or backups. Before pulling the trigger, they’ll map the blast radius for maximum effect.
  • Payload deployment: The ransomware executes and begins parallelized encryption to outpace response. Operators often supply per-victim keys and options to skip specific processes or services. This is meant to maximize leverage without bricking critical systems prematurely.
  • Extortion: The ransom note appears with payment instructions – usually in cryptocurrency. Modern campaigns use double or triple extortion: they encrypt data, exfiltrate copies, and threaten public leaks or DDoS should payments stall. Negotiation portals and leak sites are fairly common in these scenarios.
  • Resolution: Outcomes include restoration from clean backups, partial recovery with data loss, or payment. Keep in mind, though, that even payment carries legal, regulatory, and business risks. It doesn’t guarantee successful decryption or non-disclosure. Post-incident, organizations can expect attempts at re-extortion if the adversary kept copies of sensitive data.

Notable RaaS Attackers and Ransom Variants

Similar to the legitimate SaaS market, RaaS brands and groups evolve. Names may disappear, split, or re-emerge under new banners. The examples below simply illustrate impact and tactics, not endorsements of current activity.

DarkSide

DarkSide is best known for its role in the Colonial Pipeline incident in May 2021, which led to a precautionary pipeline shutdown, regional fuel shortages, and panic buying across the US Southeast. It highlighted how a single ransomware event can ripple into critical fuel distribution and public services. Reporting at the time indicated the group portrayed itself as profit-focused, but the real-world disruption told a different story. Public impacts included temporary supply chain disruptions and price volatility; blockchain analysis suggested the operator and its affiliates netted tens of millions of dollars during their run, with a portion later recovered by law enforcement.

Why it matters: Critical infrastructure exposure and third-party interdependencies can amplify the blast radius far beyond a single company.

REvil / Sodinokibi

REvil was among the most prolific RaaS groups, famous for high-value targets and public shaming. Coverage included alleged ties or safe harbor in Russia. The group made headlines with a $42M demand against a New York law firm with threats to leak politically sensitive files.

They also targeted entertainment sector legal docs, threatening to leak materials tied to high-profile artists to pressure payment.

Why it matters: Multi-party exposure (law firms, service providers) compounds legal, reputational, and regulatory risk.

LockBit

LockBit has remained one of the most persistent RaaS operations, repeatedly resurfacing even amid law enforcement pressure. Reports have exposed large sets of associated crypto addresses and documented broad target ranges across geographies and industries. LockBit has also threatened major public services and logistics enterprises, including incidents affecting postal and delivery systems.

Why it matters: Operational speed, automation, and affiliate recruitment can keep a RaaS brand active even when portions of its infrastructure are disrupted.

How To Prevent Ransomware Attacks and Bolster Your Cybersecurity

There’s no silver bullet, so promising one would only do your organization a disservice. However, layered defense and disciplined operations can make ransomware substantially harder and faster to contain. Use this checklist to pressure-test your posture.

Employee training is your first line of defense—teaching staff to spot phishing, report suspicious activity, and follow secure practices helps stop ransomware before it spreads.

1. Comprehensive Employee Training

  • Make phishing simulation routine: Train recognition of business email compromise (BEC), multi-factor authentication (MFA) fatigue, and QR phishing (“quishing”).
  • Codify escalation: Staff must know how to report suspicious messages, failed logins, or unexpected prompts. More importantly, they must know what not to do (e.g., enabling macros).
  • Reinforce role-based training: IT and privileged users need deeper drills on endpoint hygiene, secrets handling, and out-of-band recovery steps.


2. Robust Backup and Recovery Strategy

  • Tested, offline/immutable backups: Use storage that compromised domain credentials cannot alter. Keep separate credentials and out-of-band control. 
  • Recovery playbooks by system tier: Define recovery time objectives and recovery point objectives per workload. Rehearse bare-metal restores for active recovery, hypervisors, file servers, and operational technology (OT).
  • Map dependencies: Document application-to-database-to-identity chains so you can restore in the correct order under pressure.


3. Strong Access Control

  • MFA everywhere (especially VPN, RDP, SaaS admin): Prefer phishing-resistant methods (FIDO2/WebAuthn) for privileged roles.
  • Least privilege and just-in-time elevation: Eliminate standing domain admin rights; use privileged access management and strong audit trails.
  • Segment aggressively: Separate user, server, and OT networks. Restrict east-west traffic; use application allow-listing for crown-jewel systems.


4. Timely Patch and Configuration Management

  • Prioritize known-exploited vulnerabilities: Track common vulnerabilities and exposures (CVEs) listed in the Known Exploited Vulnerabilities (KEV) catalog. Patch or mitigate as fast as possible.
  • Harden defaults: Disable legacy protocols, enforce signed drivers, and lock down macros and PowerShell where feasible. 
  • Asset and exposure inventory: Continuously search for unmanaged assets, shadow IT, and exposed services to remove or secure them.


5. Advanced Threat Intelligence and Detection

  • Detection engineering for ransomware tradecraft: Monitor for abnormal Server Message Block activity, mass file renames, shadow copy deletion, and backup tampering.
  • Endpoint detection and response (EDR)/extended detection and response (XDR): Ensure you can remotely isolate endpoints and disable compromised accounts immediately for rapid containment.
  • Email and DNS protections: Modern email security, sandboxing, and DNS filtering block many initial access attempts. Ensure all necessary features are set up correctly and activated.
  • Tabletop and red team: Exercise playbooks with legal, PR, and executive teams. Rehearse decision-making for pay/no-pay, notifications, and regulator engagement. 
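As an added example (not code from the article or from SealingTech), the following Python shows detection logic for two of the behaviors listed above, shadow copy deletion and mass file renames, run over constructed endpoint telemetry. The event field names (ts, host, proc, event, cmdline) and the tool/verb patterns are assumptions for illustration; real EDR/SIEM schemas and rule syntax differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tool + verb pairs tied to shadow-copy deletion and backup-catalog tampering (both fragments must match).
TAMPER_PATTERNS = (("vssadmin", "delete shadows"),
                   ("wmic", "shadowcopy delete"),
                   ("wbadmin", "delete catalog"))
RENAME_THRESHOLD = 50                    # renames by one process within RENAME_WINDOW
RENAME_WINDOW = timedelta(seconds=60)


def detect_tampering(events):
    """Return (host, proc, cmdline) for process_create events matching TAMPER_PATTERNS."""
    hits = []
    for e in events:
        if e["event"] != "process_create":
            continue
        cmd = e["cmdline"].lower()
        if any(all(frag in cmd for frag in pair) for pair in TAMPER_PATTERNS):
            hits.append((e["host"], e["proc"], e["cmdline"]))
    return hits


def detect_mass_rename(events, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """Flag (host, proc) pairs that rename >= threshold files inside any sliding window."""
    by_proc = defaultdict(list)
    for e in events:
        if e["event"] == "file_rename":
            by_proc[(e["host"], e["proc"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for key, times in by_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def sample_events():
    """Constructed telemetry (not real data): benign rename, benign vssadmin query, 80-rename burst, shadow deletion."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    ev = [{"ts": t0.isoformat(), "host": "ws01", "proc": "explorer.exe", "event": "file_rename"},
          {"ts": t0.isoformat(), "host": "ws01", "proc": "cmd.exe", "event": "process_create",
           "cmdline": "vssadmin.exe list shadows"},
          {"ts": (t0 + timedelta(seconds=30)).isoformat(), "host": "fs02", "proc": "cmd.exe",
           "event": "process_create", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}]
    ev += [{"ts": (t0 + timedelta(milliseconds=200 * i)).isoformat(), "host": "fs02",
            "proc": "svchost.exe", "event": "file_rename"} for i in range(80)]
    return ev
```

Only the burst on fs02 and the deletion command are flagged; the single rename and the read-only vssadmin query are not, which is the behavioral (rather than filename-based) distinction the checklist item relies on.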

For organizations protecting essential services, a platform approach to prevention, detection, and response reduces gaps between tools and teams. 

Fortify Your Defenses Against Ransomware Threats with SealingTech

SealingTech designs and delivers mission-ready defensive cyber solutions for enterprise and critical infrastructure operators. From deployable Cyber-Fly-Away Kits to AI-enabled capabilities that elevate junior analysts and accelerate response, our focus is enabling your team to detect, investigate, and contain fast – even in constrained or disconnected environments.

Whether you’re building a proactive ransomware defense program or hardening a specific facility, our team can help you: 

  • Modernize endpoint, network, and identity controls with proven architectures
  • Integrate detection and response workflows to cut mean time to contain
  • Engineer backup and recovery you can trust under adversary pressure
  • Prepare leadership with real-world tabletop and incident-response guidance

Ready to reduce risk and strengthen your organization’s resilience? Contact our expert team or request a quote today to improve your security posture.
