Home » RaaS


Ransomware as a service (RaaS) is a software developed by cybercriminals that allows people to launch ransomware attacks without having any particular coding skills. RaaS is very popular among cybercriminals because they do not have any special knowledge or experience in programming. They just need to buy the software and launch a ransomware attack on their victim’s computer system.

The RaaS software is sold on underground forums and marketplaces, where cybercriminals can download it for a fee. Once they purchase the software, they can either use it themselves or sell it on to other people. In this glossary, we will provide a comprehensive and in-depth analysis of RaaS, including its history, evolution, business model, and impact on businesses and individuals. We will also offer practical guidance on how to protect against RaaS attacks and mitigate their effects.

Ransomware as a Service Business Model

RaaS works by providing cybercriminals with access to ransomware that they can use to infect and encrypt the files of their victims. The cybercriminals then demand a ransom payment in exchange for the decryption key. RaaS providers typically take a percentage of the ransom payment as their fee.

The economics of RaaS are attractive to cybercriminals because it allows them to outsource the technical aspects of the attack, such as the development and distribution of the ransomware, while still being able to profit from the attack. RaaS providers also offer technical support and customer service to their clients, making it easier for them to carry out successful attacks.

How does ransomware as a service work?

Ransomware as a service (RaaS) is a type of cyberattack in which malicious actors use a third-party platform to launch ransomware attacks. This type of attack is particularly dangerous because it allows attackers to launch ransomware attacks without having any technical knowledge. RaaS typically works by allowing attackers to rent out ransomware kits and even access to a command and control server. The attacker can then use these resources to launch ransomware attacks against unsuspecting victims. Additionally, RaaS can also provide attackers with access to a payment portal, allowing them to collect the ransom payments from victims. As such, RaaS is a powerful tool for malicious actors to launch ransomware attacks and extort victims.

In Q1 2023, Sekoia.io observed tens of RaaS recruitment publications on cybercrime forums such as RAMP, Exploit, XSS and Breached. Ransomware operators leverage these forums mostly to recruit affiliates to distribute their custom ransomware, but also to recruit partners with specific skills, such as domain privilege escalation, likely to fill a skill gap within the group or for a short-term mission. They usually provide affiliates with an advanced post-compromise kit in exchange for a ransom payment commission.

To learn more about the most prominent RaaS programs launched on the RAMP and XSS cybercrime forums between January and June 2023, check out this article from our TDR team.

Some examples of Ransomware as a service

The most well-known RaaS operators are LockBit, BlackCat, BlackByte, Black Basta, RagnarLocker, Cuba and Hive. These ransomware variants have been used to target organizations in numerous countries around the world. They typically encrypt the victim’s data and demand a ransom payment in exchange for the decryption key. It is important to note that paying the ransom does not guarantee that the data will be recovered, so it is important to take the necessary steps to prevent ransomware attacks in the first place.

Watch the replay of the Webinar on Sigma Correlation

Impact of Ransomware as a Service on Businesses

RaaS attacks can have a significant impact on businesses. The cost of a RaaS attack can be substantial, with some victims paying hundreds of thousands or even millions of dollars in ransom payments. RaaS attacks can also cause significant disruption to business operations and result in the loss of critical data.

RaaS attacks are not limited to any specific industry or sector, but some industries are more vulnerable than others. For example, healthcare organizations and financial institutions are often targeted due to the sensitive nature of the data they handle.

The psychological impact of a RaaS attack can also be significant. The attack can cause long-term damage to their reputation and trust in their organization.


Protecting Against Ransomware as a Service Attacks


Preventing RaaS attacks requires a multi-layered approach that includes both technical and non-technical measures. Best practices for preventing RaaS attacks include:

  • – Regularly backing up critical data
  • – Implementing advanced endpoint detection and response solutions
  • – Using Cyber Threat Intelligence and XDR product to detect and respond to advanced cyber threats
  • – Implementing attack surface reduction rules and addressing translation network address translation (NAT) risks
  • – Educating employees on how to recognize and avoid phishing and business email compromise attacks

If you are a victim of a RaaS attack, it is important to contact law enforcement and a managed detection and response provider immediately. Mitigating the effects of a RaaS attack may involve restoring data from backups, negotiating with the attackers, or rebuilding systems from scratch.


Ransomware as a Service is a growing cybersecurity threat that is unlikely to go away anytime soon. The economics of RaaS make it an attractive option for cybercriminals, and the impact of RaaS attacks can be significant. It is important for businesses to stay vigilant and take proactive measures to protect against RaaS attacks. By implementing best practices for cybersecurity and responding quickly to attacks, organizations can reduce their risk of falling victim to RaaS.

If you would also like to discover how we enable users of our XDR platform to anticipate the presence of IT threats before impact, you can watch this interactive demo:

Explore Sekoia.io SOC platform through an interactive demo

Others Terms

Others Terms

RDDoS(Ransom Distributed Denial of Service)

Ransom Distributed Denial of Service (RDDoS) are a form of cyber malicious campaign aiming at performing distributed denial of service until a ransom fee is paid.

DDoSia project(Distributed Denial of Service attack toolkit)

DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro Russia hacktivist nationalist group NoName057(16) against countries critical of the Russian invasion of Ukraine.

Échangez avec l’équipe

Vous souhaitez en savoir plus sur nos solutions de protection ?
Vous voulez découvrir nos produits de XDR et de CTI ?
Vous avez un projet de cybersécurité dans votre organisation ?
Prenez rendez-vous et rencontrons-nous !