Ransomware has evolved from a lone-wolf activity into a fully industrialised criminal ecosystem. At the centre of that evolution sits Ransomware-as-a-Service (RaaS) — a business model that mirrors legitimate software-as-a-service platforms, complete with dashboards, customer support, and affiliate programmes. For small and medium-sized businesses, the implications are stark: attacks that once required deep technical skill can now be launched by virtually anyone willing to pay a subscription fee or share a percentage of the ransom.
TL;DR — Key Takeaways
- ✓ Ransomware-as-a-Service (RaaS) is a criminal franchise: developers license the malware and infrastructure, affiliates run the intrusions, and the two split the ransom.
- ✓ The model removes the technical barrier to launching an attack, which is why small businesses with weaker defences are now routine targets rather than exceptions.
- ✓ The defences that work are unchanged: tested and immutable backups, email and endpoint hardening, least privilege with MFA, fast patching of internet-facing systems, staff training, and a rehearsed incident response plan.
Visual Overview
flowchart LR
A["RaaS Platform"] --> B["Affiliate Purchases Kit"]
B --> C["Customises Payload"]
C --> D["Delivers via Phishing"]
D --> E["Encrypts Victim Data"]
E --> F["Ransom Demanded"]
F --> G["Profit Split"]
In this article we break down how RaaS operations work, why they have dramatically lowered the barrier to entry for cyber criminals, and — most importantly — what practical steps your organisation can take to defend against them.
What Is Ransomware-as-a-Service?
RaaS is a criminal business model in which ransomware developers create, maintain, and license their malware to affiliates — other criminals who carry out the actual attacks. Think of it as a franchise: the developer provides the product, the infrastructure, and even negotiation support, while the affiliate supplies the victims and executes the intrusion.
The arrangement typically works on one of several revenue models:
- Revenue share: The affiliate keeps 60–80 per cent of every ransom payment, with the remainder going to the RaaS operator. This is the most common arrangement.
- Monthly subscription: Affiliates pay a flat fee for access to the ransomware toolkit and infrastructure.
- One-time licence fee: A single upfront payment grants perpetual access to the malware package.
- Negotiated split: No fixed percentage. The operator and affiliate agree terms per intrusion and divide the proceeds after each successful attack.
Prominent RaaS operations such as LockBit, BlackCat (ALPHV) and Hive ran large affiliate programmes and, together with closed crews such as Royal that used the same playbook in-house, have caused billions of pounds in damages worldwide. Law enforcement has since disrupted several of them (Hive's infrastructure was seized in January 2023 and LockBit's in February 2024), yet their success has spawned dozens of imitators, creating a thriving underground marketplace.
The RaaS Ecosystem: Key Roles
Developers
The core team writes and updates the ransomware code, builds command-and-control (C2) infrastructure, develops payment portals, and creates decryption tools. Some groups even maintain bug bounty programmes, paying other criminals to report vulnerabilities in their own malware. Developers rarely interact with victims directly, insulating themselves from law enforcement.
Affiliates
Affiliates are the frontline operators. They purchase or earn access to the RaaS platform, then carry out the attack chain: initial access through phishing, exploitation of vulnerabilities, lateral movement, data exfiltration, and finally ransomware deployment. Some affiliates work with multiple RaaS platforms simultaneously, choosing whichever offers the best terms for a given target.
Initial Access Brokers
A separate class of criminal specialises in breaching organisations and then selling that access to affiliates. These brokers typically exploit known, unpatched vulnerabilities in internet-facing appliances (VPN gateways, firewalls, file-transfer servers), credentials harvested by infostealer malware or credential-stuffing attacks, and remote desktop protocol (RDP) or VPN services exposed to the internet with weak or reused passwords; genuine zero-day exploitation is the exception rather than the rule. Access to a small business network might sell for as little as a few hundred pounds, while larger enterprises command thousands.
Negotiators and Money Launderers
Many RaaS groups employ dedicated negotiation teams who communicate with victims through dark web chat portals. They set ransom amounts, offer "discounts" for rapid payment, and provide decryption support. Downstream, money launderers convert cryptocurrency ransoms into usable funds through mixing services, decentralised exchanges, and shell companies.
Double and Triple Extortion: Raising the Stakes
Traditional ransomware simply encrypted files and demanded payment for the decryption key. Modern RaaS operations have evolved well beyond that single-lever approach.
Double Extortion
Double extortion adds a data theft component. Before encrypting systems, affiliates exfiltrate sensitive data (client records, financial documents, intellectual property) and threaten to publish it on dedicated leak sites if the ransom is not paid. This tactic undermines the "just restore from backups" defence: even if you recover your systems, the attacker still holds a copy of your confidential data, and you have a reportable breach whether or not you pay.
Triple Extortion
Some groups take it further by contacting the victim's customers, partners, or regulators directly, pressuring them to compel payment. Others launch distributed denial-of-service (DDoS) attacks against the victim's infrastructure as additional leverage. This multi-pronged approach makes the decision to refuse payment far more complex.
According to industry research, over 70 per cent of ransomware attacks in 2025 involved some form of data exfiltration alongside encryption — a clear sign that double extortion has become the norm rather than the exception.
Why RaaS Has Lowered the Barrier to Entry
Before RaaS, launching a ransomware campaign required genuine technical expertise: writing functional malware, building resilient infrastructure, managing cryptocurrency wallets, and evading detection. Today, an affiliate with minimal coding knowledge can launch sophisticated attacks because the RaaS platform handles the hard parts.
Several factors have accelerated this democratisation of cyber crime:
- Turnkey platforms: Modern RaaS portals offer point-and-click dashboards for configuring payloads, tracking infections, and managing negotiations.
- Documentation and training: Some RaaS operators provide detailed guides, video tutorials, and even mentorship for new affiliates.
- Low upfront costs: Revenue-share models mean affiliates can start with zero financial investment.
- Anonymity tools: The combination of Tor, cryptocurrency, and encrypted messaging makes it difficult for law enforcement to identify participants.
- AI-assisted attacks: Emerging tools help affiliates craft more convincing, well-written phishing emails and automate parts of the attack chain.
The result is a dramatic increase in the volume and variety of ransomware attacks. Organisations that once considered themselves too small to be targeted are now squarely in the crosshairs, because low-skill affiliates often pursue easier targets with weaker defences.
Defence Strategies for Small Businesses
The good news is that the same fundamentals that protect against traditional ransomware remain effective against RaaS-delivered attacks. The key is implementing them consistently and comprehensively.
1. Implement Robust Backup and Recovery
Backups remain your single most important defence against ransomware. Follow the 3-2-1 backup rule: maintain at least three copies of your data, on two different types of media, with one copy stored off-site or in an air-gapped environment. Critically, test your restoration process regularly — a backup you cannot restore is no backup at all.
- Automate backup schedules so they occur without human intervention.
- Ensure at least one backup copy is immutable or offline, so that it cannot be modified or deleted for the retention period even by an administrator account; affiliates routinely locate and destroy reachable backups before deploying the encryptor.
- Document your recovery time objectives (RTOs) and recovery point objectives (RPOs).
- Conduct quarterly restoration drills to verify that backups work as expected.
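The restoration drill the list above calls for, as an added example that is not code from the original article: it writes a tar backup with a SHA-256 manifest, restores it into a scratch directory and compares every file's hash, then repeats the drill against a manifest with one corrupted digest to show what a failed drill reports. The directory layout, file contents and names in `run_demo()` are constructed for the demo; point `create_backup` at a real directory to use it.

```python
"""Added example, not code from the original article: a backup restore drill.
The paths and file contents in run_demo() are constructed sample data."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of source plus an <archive>.sha256 manifest; return the manifest."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    with open(f"{archive}.sha256", "w") as f:
        f.writelines(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Refuse archive entries that would land outside dest (tar path traversal)."""
    base = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != base and base not in target.parents:
            raise ValueError(f"refusing entry outside destination: {member.name}")
    tar.extractall(dest)


def restore_drill(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and return the problems found (empty list = drill passed)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            safe_extract(tar, dest)
        restored = build_manifest(dest)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        problems += [f"unexpected file after restore: {rel}" for rel in restored if rel not in expected]
    return sorted(problems)


def run_demo() -> dict:
    """Back up a constructed directory, run a clean drill, then a drill with one corrupted digest."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "finance"
        (src / "2024").mkdir(parents=True)
        (src / "clients.csv").write_text("id,name\n1,Example Ltd\n")        # constructed sample data
        (src / "2024" / "invoices.txt").write_text("INV-001 1200.00 GBP\n")  # constructed sample data
        archive = Path(work) / "finance.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_drill(archive, manifest)
        # Simulate silent corruption: the stored digest for one file no longer matches what restores.
        corrupted = dict(manifest, **{"clients.csv": "0" * 64})
        tampered = restore_drill(archive, corrupted)
    return {"files": sorted(manifest), "clean_drill": clean, "tampered_drill": tampered}


if __name__ == "__main__":
    print(run_demo())
```

The manifest is the piece most teams skip: without recorded hashes a restore that "completes" can still hand back silently corrupted files, and keeping the manifest with the immutable copy lets the quarterly drill verify content rather than just the exit code of the restore job.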
2. Harden Email and Endpoint Defences
Since phishing remains the most common initial access vector for RaaS affiliates, strong email security is essential. Publish SPF, DKIM and DMARC records for every domain you send from, and move the DMARC policy from p=none (monitoring only) to quarantine or reject once the aggregate reports show all legitimate senders are authenticated; until then, mail spoofing your own domain is still delivered. Consider an AI-powered email security gateway that can detect sophisticated social engineering attempts which carry no malicious attachment or link.
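An offline assessor for the SPF and DMARC records just described, added here as an example rather than code from the original article. It parses the two TXT records, reports the weaknesses an attacker would exploit (a permissive `+all`, a monitor-only `p=none`, a partial `pct=`, more than ten DNS lookups) and answers the practical question of whether a forged From: address at the domain would reach inboxes. The records in `RECORDS` are constructed strings for fictitious domains; a real check would fetch them from DNS, which this example avoids so it runs without network access.

```python
"""Added example, not code from the original article: grade SPF and DMARC records.
RECORDS holds constructed TXT records for made-up domains, not real DNS data."""
import re

# Mechanisms (plus the redirect modifier) that cost a DNS lookup; RFC 7208 caps these at 10.
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term: str) -> str:
    """'include:_spf.example.net' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def parse_spf(record: str) -> dict:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "final": None, "lookups": 0}
    final = None
    for t in terms[1:]:
        if _term_name(t) == "all":
            final = t.lower() if t[0] in "+-~?" else "+" + t.lower()  # a bare 'all' means '+all'
    lookups = sum(1 for t in terms[1:] if _term_name(t) in _LOOKUP_TERMS)
    return {"valid": True, "final": final, "lookups": lookups}


def assess_spf(record: str) -> list[str]:
    spf = parse_spf(record)
    if not spf["valid"]:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    findings = []
    final = spf["final"]
    if final is None:
        findings.append("no 'all' mechanism: unlisted senders are never rejected")
    elif final == "+all":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif final == "?all":
        findings.append("'?all' is neutral: spoofed mail neither passes nor fails SPF")
    elif final == "~all":
        findings.append("'~all' only softfails spoofed mail; move to '-all' once DMARC reports confirm all senders are listed")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} DNS lookups exceeds the limit of 10; receivers return permerror and may ignore the record")
    return findings


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: SPF/DKIM failures carry no policy, so spoofed mail is delivered"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine routes spoofed mail to junk; p=reject blocks it outright")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: without aggregate reports you cannot see who is spoofing you")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def spoofable(spf_record: str, dmarc_record: str) -> bool:
    """True if a forged From: at this domain reaches inboxes unchallenged.
    Only '+all' defeats an enforcing DMARC policy: neutral or missing SPF is not a DMARC pass."""
    spf = parse_spf(spf_record)
    tags = parse_dmarc(dmarc_record)
    enforcing = tags.get("p", "").lower() in ("quarantine", "reject") and tags.get("pct", "100") == "100"
    spf_open = spf["valid"] and spf["final"] == "+all"
    return (not enforcing) or spf_open


RECORDS = {  # constructed sample records for fictitious domains
    "weak.example": ("v=spf1 include:_spf.example.net ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "hardened.example": ("v=spf1 mx include:_spf.example.net -all",
                         "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"),
}


def assess_domain(domain: str) -> dict:
    spf, dmarc = RECORDS[domain]
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc), "spoofable": spoofable(spf, dmarc)}


if __name__ == "__main__":
    for d in RECORDS:
        print(d, assess_domain(d))
```

Note the asymmetry in `spoofable`: a weak SPF record alone is survivable when DMARC is enforcing, because neutral or absent SPF is not a pass, but `p=none` leaves the domain open no matter how strict the SPF record is.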
On the endpoint side, move beyond traditional antivirus to endpoint detection and response (EDR) solutions that can identify behavioural indicators of ransomware, such as rapid high-volume file encryption, mass file renames, deletion of volume shadow copies or suspicious process injection, and automatically isolate affected machines.
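To make the "rapid file encryption" indicator concrete, here is an added example of the behavioural logic, not code from the original article or from any EDR product. It runs over a constructed stream of endpoint file events and flags a process that writes many high-entropy files across several directories inside a short window, counting extension-changing renames as supporting context. A compression tool writing an archive produces the same entropy but not the rate or the spread, which is why the detector requires all three signals before alerting. The process names, paths, thresholds and the `sample_events()` data are made up for the demo.

```python
"""Added example, not code from the original article or any vendor: a behavioural
ransomware detector over constructed endpoint file events."""
import hashlib
import math
from collections import Counter, defaultdict, deque

HIGH_ENTROPY = 7.5      # bits per byte; ciphertext and compressed data sit close to 8.0
WINDOW_SECONDS = 10.0   # sliding window per process
WRITE_THRESHOLD = 20    # high-entropy writes inside the window before alerting (tuned per estate)
MIN_DIRECTORIES = 2     # an encryptor walks the tree; a legitimate tool usually writes in one place


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect(events, window=WINDOW_SECONDS, threshold=WRITE_THRESHOLD):
    """events: iterable of (ts, pid, process, op, path, data); op is 'write' (data = bytes
    written) or 'rename' (path = (old, new)). Returns one alert dict per offending pid."""
    recent = defaultdict(deque)    # pid -> deque of (ts, path) for high-entropy writes
    renames = defaultdict(deque)   # pid -> deque of ts for renames that changed the extension
    alerts, alerted = [], set()
    for ts, pid, proc, op, path, data in sorted(events, key=lambda e: e[0]):
        if op == "rename":
            old, new = path
            if old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]:
                renames[pid].append(ts)
            continue
        if op != "write" or shannon_entropy(data) < HIGH_ENTROPY:
            continue
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window:          # drop writes that fell out of the window
            q.popleft()
        r = renames[pid]
        while r and ts - r[0] > window:
            r.popleft()
        dirs = {p.rsplit("/", 1)[0] for _, p in q}
        if len(q) >= threshold and len(dirs) >= MIN_DIRECTORIES and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "process": proc, "window_start": q[0][0], "alert_ts": ts,
                           "high_entropy_writes": len(q), "directories": len(dirs),
                           "extension_changes": len(r)})
    return alerts


def _ciphertext_like(seed: str, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:n])


def sample_events():
    """Constructed endpoint events: (ts seconds, pid, process, op, path, data). All names are made up."""
    memo = b"Board minutes: approve Q3 budget. Action: finance to circulate.\n" * 60
    ev = [
        (0.0, 1201, "winword.exe", "write", "/home/alice/minutes.docx", memo),
        (2.0, 1201, "winword.exe", "write", "/home/alice/agenda.docx", memo[:2000]),
        # A compression tool also emits high-entropy output, but only two files in one directory.
        (5.0, 1400, "7z.exe", "write", "/home/alice/archive-a.7z", _ciphertext_like("a")),
        (5.5, 1400, "7z.exe", "write", "/home/alice/archive-b.7z", _ciphertext_like("b")),
    ]
    dirs = ["/home/finance", "/home/hr", "/srv/share"]
    for i in range(30):   # an encryptor sweeping three directories at four files a second
        d = dirs[i % 3]
        t = 100.0 + 0.25 * i
        ev.append((t, 4242, "updsvc.exe", "write", f"{d}/doc{i}.docx", _ciphertext_like(f"enc{i}")))
        ev.append((t + 0.125, 4242, "updsvc.exe", "rename",
                   (f"{d}/doc{i}.docx", f"{d}/doc{i}.docx.locked"), None))
    return ev


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

In practice the thresholds are tuned per estate and the alert feeds an automatic host isolation action; the point of the example is that no single signal is trustworthy on its own, and that the detector only needs file-operation telemetry, which every EDR agent already collects.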
3. Enforce Strong Access Controls
Limit the blast radius of a potential compromise by implementing the principle of least privilege. Ensure every user account has only the permissions necessary for its role. Deploy multi-factor authentication across all systems, particularly remote access tools, email accounts, and administrative consoles.
- Disable RDP access from the public internet or protect it behind a VPN with MFA.
- Segment your network so that a compromise in one area cannot easily spread to others.
- Review and remove dormant accounts through a rigorous offboarding process.
4. Patch Relentlessly
RaaS affiliates and initial access brokers actively scan for unpatched systems, often within days of a vulnerability being published. A disciplined patch management programme that addresses critical vulnerabilities within 48 hours significantly reduces your attack surface. Prioritise internet-facing systems, VPN appliances, and anything listed in CISA's Known Exploited Vulnerabilities (KEV) catalogue, which records flaws attackers are confirmed to be using.
5. Train Your People
Technology alone cannot stop ransomware. Your employees are both the first line of defence and the most frequently exploited vulnerability. Regular security awareness training combined with phishing simulations helps staff recognise and report suspicious emails before they lead to a compromise. Focus on practical scenarios that mirror real RaaS affiliate tactics, including business email compromise and callback phishing.
6. Prepare Your Incident Response Plan
When — not if — a ransomware incident occurs, a well-rehearsed incident response plan can mean the difference between a contained disruption and a catastrophic business failure. Your plan should clearly define roles, communication channels, escalation procedures, and decision criteria for whether to engage with attackers.
Key elements to include:
- Immediate containment: Isolate affected systems from the network (disconnect the cable or Wi-Fi, or isolate via EDR) to prevent lateral spread, but do not power them off: memory contents, and the evidence they hold, are lost on shutdown.
- Evidence preservation: Avoid wiping or rebuilding systems before forensic examination. Capture memory images from running hosts first, then preserve log files, the ransom note and a sample encrypted file, which identify the strain and may enable a public decryptor where one exists.
- Stakeholder notification: Know your breach notification obligations under GDPR, sector-specific regulations, and any contractual commitments.
- Recovery execution: Follow your documented restoration procedures, prioritising business-critical systems.
- Post-incident review: Conduct a thorough lessons-learned exercise to strengthen defences against future attacks.
The Ransom Dilemma: To Pay or Not to Pay
The UK's National Cyber Security Centre (NCSC) and law enforcement agencies such as the FBI strongly advise against paying ransoms. Payment funds criminal operations, offers no guarantee that the decryptor works or that stolen data is actually deleted, and marks your organisation as a willing payer, increasing the likelihood of repeat attacks.
However, the reality is nuanced. Some organisations face existential threats if they cannot recover data, particularly in healthcare or critical infrastructure. If your organisation lacks viable backups and faces operational collapse, the decision becomes agonising. The best way to avoid this dilemma is to invest in prevention and recovery capabilities before an attack occurs.
The Role of Cyber Insurance
A comprehensive cyber insurance policy can help cover the costs of incident response, business interruption, legal fees, and notification requirements. However, insurers are increasingly scrutinising applicants' security posture: MFA on remote access and email, tested offline backups and EDR are now common preconditions of cover. Work through a cyber insurance application checklist before applying to confirm your organisation meets those baseline requirements, and read the policy exclusions (for example, for losses attributed to nation-state activity) that might leave you exposed.
Looking Ahead: The Future of RaaS
The RaaS model continues to evolve. Emerging trends include:
- AI-enhanced reconnaissance: Affiliates using artificial intelligence to identify high-value targets and tailor attack strategies.
- Supply chain targeting: Compromising managed service providers or software vendors to reach hundreds of downstream victims through a single intrusion, as REvil affiliates did through Kaseya VSA in 2021.
- Decentralised operations: Following law enforcement takedowns of major groups, the ecosystem is fragmenting into smaller, more resilient cells.
- Regulatory pressure: Governments worldwide are considering mandatory reporting requirements and potential bans on ransom payments.
Key Takeaways
Ransomware-as-a-Service has transformed cyber extortion from a niche technical crime into an industrialised threat that targets organisations of every size. The criminal franchise model means that even unsophisticated attackers can deploy devastating ransomware with minimal effort. For small businesses, the message is clear: proactive defence, robust backups, employee training, and a tested incident response plan are no longer optional — they are essential to survival.
Start by assessing your current defences against the strategies outlined above. Identify gaps, prioritise remediation, and invest in the people, processes, and technology that will keep your organisation resilient when — not if — RaaS affiliates come knocking.