What Is Ransomware-as-a-Service (RaaS)? How the Model Works
Ransomware-as-a-service turned extortion into a franchise business: operators build the malware, affiliates deploy it, and they split the profits. Here's how the model works and why it's so dangerous.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
Ransomware-as-a-service (RaaS) is a business model in which the developers of ransomware rent or license their malware and supporting infrastructure to other criminals — called affiliates — who carry out the actual attacks, in exchange for a share of the profits. It mirrors the legitimate "software-as-a-service" model, complete with subscriptions, dashboards, customer support, and revenue sharing. RaaS is the engine behind the modern ransomware epidemic: by separating those who build ransomware from those who deploy it, it has industrialized extortion and dramatically lowered the skill needed to launch devastating attacks.
In short: RaaS turned ransomware into a franchise. You no longer need to write malware to be a ransomware attacker — you just rent it, and the developers take a cut of whatever you extort.
How the RaaS model works
RaaS splits a ransomware operation into specialized roles, much like a legitimate business:
- Operators (developers). The core group builds and maintains the ransomware, the encryption, the payment and negotiation portal, and the data-leak site. They run the "platform" and recruit affiliates.
- Affiliates. Partners who rent the ransomware and handle the intrusions — gaining access, moving through the network, and deploying the payload. They don't need to know how to build malware.
- The profit split. When a victim pays, the ransom is divided between the operator and the affiliate, often with affiliates keeping the larger share (commonly 70–80%).
The operators provide everything an affiliate needs: the malware build, infrastructure, a victim-facing payment site, negotiation support, and sometimes even "marketing" via a public leak site that pressures victims.
The wider RaaS ecosystem
RaaS rarely operates alone — it sits at the center of a criminal supply chain with several specialized players:
- Initial access brokers (IABs): specialists who breach organizations and sell that access to affiliates, so attackers can skip the break-in.
- Infostealer operators: infostealers harvest the credentials that fuel initial access.
- Negotiators and launderers: roles dedicated to extracting payment and moving cryptocurrency.
This division of labor is exactly what makes modern ransomware so efficient and resilient — each specialist does one thing well, and the model keeps running even when individual players are arrested.
RaaS revenue models
RaaS operators monetize their "product" in several ways:
- Affiliate / profit-sharing: the most common — affiliates pay a percentage of each successful ransom.
- Monthly subscription: a flat fee for access to the ransomware toolkit.
- One-time license: a single purchase of the malware.
- Pure profit split: no upfront cost, which lowers the barrier for affiliates even further.
Double and triple extortion
RaaS groups have escalated their leverage well beyond simple encryption. Double extortion steals data before encrypting it, then threatens to publish it on a leak site if the victim doesn't pay — so even organizations with good backups face pressure. Triple extortion adds further threats, such as DDoS attacks or directly contacting the victim's customers and partners. These tactics, professionalized and standardized across the RaaS model, are a major reason ransomware has become so damaging.
Why RaaS is so dangerous
- It lowers the barrier to entry. Low-skill criminals can launch sophisticated attacks they could never build themselves.
- It scales. One operator can support many affiliates hitting many victims simultaneously.
- It's resilient. Even when a group is disrupted or rebrands, the model and its people persist and reconstitute under new names.
- It professionalizes crime. Specialization, support, and reputation systems make the whole ecosystem more effective.
How to defend against RaaS attacks
Defending against RaaS is defending against ransomware itself — and against the access methods affiliates use:
- Maintain tested, offline backups so you can recover without paying.
- Enforce phishing-resistant MFA on all remote access to block the credential abuse affiliates and IABs rely on.
- Patch internet-facing systems fast through disciplined vulnerability management — exposed VPNs and services are prime entry points.
- Deploy behavior-based EDR to catch intrusion and pre-encryption activity.
- Segment networks and limit privileges to slow lateral movement before encryption.
- Have a tested incident response plan that covers ransomware specifically.
Why RaaS groups are so resilient
One of the most frustrating realities for defenders and law enforcement is how hard RaaS operations are to permanently kill. When a prominent group is disrupted — its infrastructure seized, members arrested, or its brand "retired" after too much heat — the model itself survives. The reason is its structure: a RaaS operation is not a single organization but a loose, distributed network of operators, affiliates, brokers, and launderers, many of whom work with multiple groups. Take down the brand and the people remain, free to regroup under a new name, join a rival, or spin up a fresh operation with the same playbook. This "gig economy" of cybercrime means takedowns, while valuable, tend to cause temporary disruption and rebranding rather than elimination. Groups also deliberately avoid certain targets and jurisdictions to reduce the risk of a coordinated international response. For defenders, the practical lesson is sobering but clarifying: you can't rely on law enforcement to remove the threat, so resilience has to come from your own preventive controls and preparation. It also reframes the goal — since the ecosystem will persist, success is measured not by whether ransomware exists but by whether your organization is a hard enough target that affiliates move on to easier prey.
Where threat intelligence fits
Threat intelligence tracks active RaaS groups, their affiliates' TTPs, the access methods they favor, and the leak sites where they name victims. Knowing which RaaS operations are targeting your sector — and how their affiliates typically break in — lets you prioritize exactly the defenses that matter most before an attack reaches the encryption stage.
The bottom line
Ransomware-as-a-service is the franchise model that powers modern ransomware: operators build and rent the malware, affiliates carry out attacks, and they split the proceeds — backed by a supply chain of access brokers and infostealer operators. By lowering the skill barrier and professionalizing extortion (including double and triple extortion), RaaS has made ransomware faster, more scalable, and more resilient. Defense means strong backups, phishing-resistant MFA, fast patching, EDR, segmentation, and a tested response plan.
Frequently asked questions
What is ransomware-as-a-service (RaaS)?
Ransomware-as-a-service is a business model where ransomware developers (operators) rent their malware and infrastructure to other criminals (affiliates), who carry out the attacks in exchange for a share of the profits. It works like a criminal version of software-as-a-service.
How does the RaaS model work?
Operators build and maintain the ransomware, payment portal, and leak site, then recruit affiliates who handle the actual intrusions and deployment. When a victim pays, the ransom is split — affiliates often keep the larger share (commonly 70–80%), with the rest going to the operator.
Why is RaaS so dangerous?
RaaS lowers the barrier to entry so low-skill criminals can launch sophisticated attacks, scales across many affiliates and victims at once, is resilient to takedowns and rebrands, and professionalizes the whole ecosystem with specialized roles, support, and reputation systems.
What is double and triple extortion?
Double extortion steals data before encrypting it and threatens to publish it if the victim doesn't pay, pressuring even organizations with good backups. Triple extortion adds further threats like DDoS attacks or contacting the victim's customers and partners.
How do you defend against RaaS attacks?
Defend as you would against ransomware: keep tested offline backups, enforce phishing-resistant MFA on remote access, patch internet-facing systems quickly, deploy behavior-based EDR, segment networks and limit privileges to slow lateral movement, and maintain a tested incident response plan.