Trends in Ransomware: What to Know About RaaS

By now we’ve all heard of SaaS (software as a service) and many have heard of IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or the term that contains them all: XaaS (anything as a service). The as-a-Service business model, which usually has customers paying a subscription rate for ongoing access to an online product, has taken off in recent years. The ISG Index has shown over 40% growth in the last three quarters. In most cases, XaaS is a legitimate business model that makes sense for both the vendor and the customer. But then there’s RaaS trend in the cybersecurity world that should trouble businesses, organizations, and governments worldwide.

What is RaaS?

RaaS stands for Ransomware as a Service, and it takes the typical XaaS business model and applies it to the code used to commit ransomware attacks. In many ways, RaaS providers work much like their legal counterparts. They have affiliate programs for which they recruit hackers wanting an easy way to launch attacks. Some offer customer support and sophisticated features like a portal to track customers’ purchases and targets.

How does RaaS work?

The RaaS industry has a few main revenue models:

  • Hackers can pay a monthly subscription to access the provider’s RaaS kit
  • They can join an affiliate program, in which the RaaS provider gets a percent of all the profits a customer gains from ransomware attacks
  • They can pay a one-time license fee for access to the RaaS kit
  • Or they can enter into a profit-sharing agreement with the RaaS provider

The variety of business models and resources available speaks to just how sophisticated the RaaS market is.

And these groups and the hackers working with them are busy. An Intel 471 report from late 2020 identified 25 notable RaaS crews that were active at the time, several of which had been linked to hundreds of attacks. While the RaaS landscape changes fast and the main players aren’t necessarily the same as then, the report offers evidence of how widespread and damaging RaaS can be.

Examples of RaaS in Action

To understand what RaaS looks like, it helps to look at some of the biggest players in the space.


One of the biggest ransomware stories of 2021 was the Colonial Pipeline attack. In May of last year, the company had to shut down 5,500 miles of pipeline for several days, disrupting the east coast’s access to gasoline. Hackers both locked the company out of their computer systems and stole 100 GB of data as part of a double extortion scheme. After worrying at first that the attack may have come from another government, the FBI determined it was instead perpetrated by the RaaS group Darkside.


Netwalker is another popular RaaS platform that’s been linked to a number of ransomware attacks. The group behind Netwalker has focused specifically on large businesses and organizations—many of them in the healthcare space—with the aim of getting a big payday from each attack. The group’s main M.O. is to steal a large organization’s data and threaten to publish it on their website unless a ransom is paid. A McAfee investigation in 2020 found evidence that the group had made an estimated $25 million (at least) from the scheme.


REvil is one of the best-known RaaS operations. The developers behind REvil provide the code to affiliates, who are the ones that perpetuate the ransomware attacks. Affiliates keep the majority of the profits, around 60-70%, while the rest goes to REvil. REvil has been around since at least 2019 and has claimed responsibility for a large number of attacks including over 20 on local Texas governments, one on the Kaseya attack on the 4th of July weekend 2021 that hit a large number of companies at once. Many experts considered that last one to be the largest ransomware attack on record.

REvil most recently made a different kind of news, when Russia announced it had identified and arrested a number of the group’s members.

4 Reasons to Be Concerned About RaaS

Even if some of the hackers responsible for RaaS attacks are facing prosecution, the larger industry is unlikely to go away anytime soon. Every business, organization, and government entity is a possible target for RaaS, and that’s a serious cause for concern.

1. RaaS demonstrates hacker sophistication.

Hackers are dangerous enough when you’re talking about one savvy coder with the skills to infiltrate a system. But when that person becomes part of a larger community that includes its own businesses, infrastructure, and fellow hackers that each brings a mix of skills to the table, their power is compounded.

2. It makes ransomware attacks easier on hackers.

Making matters worse, the availability of RaaS means hackers don’t even have to be skilled. Now that they can purchase a pre-made code created by someone with more skill than them, they don’t have to be exceptionally talented to do damage. They just need the will to commit ransomware attacks, and access to the dark web.

3. RaaS is harder to track.

With RaaS, the same (or a similar) code can be reused in different attacks coming from different perpetrators. And often multiple people are involved in each attack. That makes it harder to identify who’s responsible. Add to that how the rise of cryptocurrencies makes tracking payments more difficult, and finding someone to hold accountable for an RaaS attack is an uphill battle.

4. RaaS is often successful—and every success makes hackers bolder.

Many businesses can’t afford to stay offline for any length of time. And many don’t want to face the potential embarrassment of a data leak. That means, a lot of the time, they give in and pay the ransom. Research from Sophos found that in 2021, the average ransom paid was $170,404, but the highest amount paid by those surveyed was $3.2 million.

Every time a group of hackers makes a big payday, it serves as inspiration for others, creating a costly cycle.

Stay on Guard Against RaaS

The rise of RaaS is scary, but you’re not powerless against it. There are steps TPRM professionals can take to reduce ransomware risks. Keeping all your systems up to date, creating multiple backups of your data, and training your employees in cybersecurity best practices can all make your organization a more difficult target. That could save you from a costly, damaging attack.

Blog Footer Cybersecurity