ELI5: What is Ransomware-as-a-Service?

Bad guys rent out ready-made ransomware tools to other criminals, like a franchise. You don’t need to be a computer expert to launch an attack anymore — just pay for the kit and split the profits.

Definition

Ransomware-as-a-Service (RaaS) is a criminal business model in which ransomware developers lease their malware, infrastructure, tools, and support to other criminals (affiliates), who conduct the actual attacks. Affiliates typically keep 70-80% of ransom payments, with the remainder going to the RaaS operators. This model has dramatically lowered the technical barrier to entry for ransomware attacks and has significantly increased the overall volume of attacks.

Key Details

  • Division of labor: Developers create and maintain the malware; affiliates conduct the attacks and negotiations; operators provide infrastructure (payment portals, C2, customer support).
  • Affiliate programs: Often advertised on dark web forums; require vetting; provide dashboards, documentation, and technical support.
  • Major RaaS operations: LockBit, ALPHV/BlackCat, Cl0p, Royal, BlackBasta.
  • Revenue sharing: Affiliates typically receive 70-80% of ransom; operators take 20-30% for providing the infrastructure.
  • Law enforcement takedowns: Target RaaS infrastructure, disrupting many affiliates simultaneously (e.g., the LockBit takedown, 2024).

Connections