A criminal business model where ransomware developers create and maintain ransomware tools, then lease them to affiliates who carry out attacks in exchange for a percentage of ransom payments.
Ransomware-as-a-Service (RaaS) mirrors legitimate software-as-a-service business models. Ransomware developers (operators) build and maintain the ransomware code, encryption infrastructure, payment portals, negotiation chatbots, and leak sites. They then recruit affiliates through dark web forums, providing access to a management portal where affiliates can generate custom ransomware payloads, track infections, manage communications with victims, and process payments. Operators typically take 20-40% of ransom payments, with affiliates keeping the remainder.
This model has dramatically lowered the barrier to entry for ransomware attacks. Affiliates do not need to develop their own malware — they only need the ability to gain initial access to victim networks, which can itself be purchased from Initial Access Brokers (IABs) on dark web marketplaces. The result is a highly professionalized, scalable criminal ecosystem where each participant specializes in one part of the attack chain.
Prominent RaaS operations include LockBit (one of the most prolific, responsible for thousands of attacks before law enforcement disruption), BlackCat/ALPHV (notable for cross-platform encryption capabilities), Cl0p (known for mass exploitation of file transfer vulnerabilities), and Play (increasingly active across multiple industries). These operations function as criminal enterprises with dedicated development teams, customer support for victims, and sophisticated infrastructure. Law enforcement has made progress disrupting some operations, but new groups consistently emerge to fill the void.