When you look to complete a task online, whether it be sharing documents between a team or simply sending a message to another user, you likely don’t build the hosting program from the ground up. Instead, you opt to use an existing program known as software as a service.
Many criminal operations look to take this same path, and other cybercriminals have capitalized on this demand. Ransomware as a service is a subscription-based model where ransomware tools are leased out to attackers. In 2021, REvil RaaS was used in roughly 37% of all ransomware attacks(1), and cybercriminals continue to use such models more and more frequently.
RaaS programs allow cybercriminals with limited technical abilities to pull off large-scale ransomware attacks. The REvil family was used in a $42 million extortion attempt against Donald Trump and a $50 million dollar threat targeting Apple(1). However, organizations such as DFC can help clients defend against these attacks, regardless of their profile.
How Ransomware as a Service Works: The Business Model of Cybercrime
Ransomware as a Service operates similarly to the business model of legitimate SaaS developer. A group, known as an RaaS operator, will develop and distribute their tools as kits and sell them to other hackers. These hackers then employ the kits to commit blackmail and cyber extortion, with the profits being split among the parties involved.
The RaaS Ecosystem
Once the operator develops their program, they will look to third-party groups known as initial access brokers who can help locate initial security vulnerabilities. They can use this information to specialize their software.
The operator will sell their service to hackers known as affiliates who perform the actual attack. This benefits both parties, as the operator doesn’t have to carry out the ransom and the affiliate doesn’t have to develop the software. They then split the payload, with the operator typically taking 30-40%(2).
How RaaS Is Sold
Operators will typically find their affiliates online by posting a listing for their malicious software services. Common platforms that host these RaaS sales are dark web marketplaces and private cybercrime forums.
Packages may be sold at an upfront cost, with a subscription plan, or an agreed sharing split for each attack. They can contain features such as 24/7 support from the supplier, regular updates, and even a dashboard to track infection attempts.
Who Are the Targets of RaaS Attacks?
As we discussed in the opening, Ransomware as a service can attack targets as prolific as Apple and even the active president. However, this does not exempt small businesses from being extorted. It is important for providers of any size to be aware of the threat of RaaS.
Small and Medium-Sized Businesses (SMBs)
Small to medium-sized businesses are targeted in a majority of RaaS schemes. Roughly 85% of ransomware attacks target small businesses(3). This is largely due to their weaker security systems that allow easier access to confidential data. Extortive demands for higher ransom pay rates are often made to exploit the lack of cybersecurity familiarity.
Critical Infrastructure and Government Agencies
Ransomware as a Service attacks focus on these organizations due to the value of the information they are responsible for and the massive ramifications of this data being breached. From its inception in 2021, RaaS distributed by the Medusa Ransomware family are responsible for attacks on over 300 critical infrastructure organizations(4).
State and local government may be more susceptible to these threats thanks to outdated IT security systems and limited cybersecurity budgets. The disruption of essential services may encourage governments to give in to ransom demands.
The Real-World Impact of a RaaS Attack
The impact of a ransomware as a service attack can expand far past the price that blackmailers are demanding to resume access to your files. Breach of data can result in cybercrimes such as blackmail, extortion, and sextortion being waged against clients. Companies may suffer IP theft, loss of business, legal issues, and an overall hit to their reputation.
Data Loss and Business Interruption
The obvious impact of a business’s data being held ransom is their inability to access said data. This can paralyze operations, potentially resulting in resounding revenue losses and an avalanching impact on entire industries. It can also compromise IPs and other industry secrets that can severely damage an enterprise.
This interruption isn’t the only impact on business. Confidential Client data can be breached in ransomware attacks, enabling cybercriminals to commit blackmail and craft convincing sextortion scams. When these threats arise due to security vulnerabilities of a company, it can negatively impact their brand in the eyes of consumers and result in loss of business.
Legal and Financial Fallout
Past the cost of business interruption and reputation damage, businesses could face litigation and further legal reprimanding for failure to secure confidential data. Regulations such as HIPAA, GDPR, and (formerly) the CSRB hold businesses and government bodies responsible for violations pertaining to safeguarding this information.
The cost of recovering from a ransomware attack reaches far past the price that the perpetrator is asking. A global survey from Sophos found that the cost of ransomware remediating reached over 10 times the average extortion request and is continuing to rise exponentially(5). Because of this, it’s in a business’s best interest to invest in proactive protection practices.
How to Protect Your Business from RaaS Attacks
Businesses need to be proactive in their efforts against IP theft, data breaches, and client confidentiality violations. Some ways that companies can stay ahead of the threat of ransomware as a service before it is waged against them include:
- Proactive Cyber Hygiene: It’s essential for companies to safeguard the data they are entrusted with. Having both on and offline storage backups can help a business resume operation quickly. Additionally, performing routine security practices such as password updates, malware scans, and penetration testing can strengthen your resistance.
- Employee Training and Phishing Awareness: Even the most robust security system is only as strong as each member of its network. One employee’s mistake could compromise an entire industry, so regularly educating your staff on social engineering trends is key in preventing infiltration attempts.
- Incident Response Planning: Despite your best efforts, the threat of a Ransomware attack is never zero and no entity is entirely out of the woods, regardless of its size. This is why a data breach response plan is necessary for all businesses. Consider the assistance of cyber investigation services such as DFC who can help you identify vulnerabilities and craft a response plan.
What to Do If You’ve Been Hit by a RaaS Attack
If your case has evolved past the point of prevention, it is important to react quickly. This can be difficult if you don’t know the proper course of action, so proceed with the following if you’ve fallen victim to ransomware as a service:
- Don’t Pay the Ransom: The Sophos survey found that only 8% of businesses recover their data after paying the ransom(5). The blackmailers that have frozen access to your data are criminals, so you shouldn’t trust that they will stick to their word if you pay them. Your money is better spent on services that will help recover and protect your data.
- Contact a Digital Forensics Expert Immediately: The same survey found that over half of businesses feel that their IT team is incapable of handling ransomware attacks(5). This is why cyber investigation services such as DFC are beneficial. These experts can perform malware analysis to identify the root cause of a RaaS attack, isolate the threat, recover data, and protect IPs and other sensitive information moving forward.
- Report the Incident: You should report all cybercriminal activity to law enforcement agencies who are capable of legally pursuing the perpetrators. You should begin with your local cybercrime division and work up to the FBI’s IC3 if necessary.
Staying Ahead of RaaS in a Rapidly Changing Cyber Landscape
Ransomware as a service has contributed heavily to the 81% increase in reported ransomware attacks compared to just a year ago(6). Bad actors are now capable of carrying out these threats with minimal effort and know-how thanks to the wide distribution of ransomware kits.
Cybercrime is an ever-evolving landscape that requires business to remain steadfast in their defense against attacks. This is why it’s never been more necessary to consult cybersecurity services such as DFC who can help you navigate these intricate issues.
Whether you’ve fallen victim to an RaaS attack or want to ramp up your efforts against them, DFC is here and ready to get started right away. Contact us today for a free consultation and let us help you get the situation under control.
Sources:
- The Latest Ransomware Statistics (updated April 2025) | AAG IT Support
- What Is Ransomware-as-a-Service (RaaS)? | IBM
- The Rise of RaaS: How a niche cyberattack revolutionized a cyber-crime business model
- https://www.cisa.gov/news-events/alerts/2025/03/12/cisa-and-partners-release-cybersecurity-advisory-medusa-ransomware
- Ransomware Recovery Cost Reaches Nearly $2 Million, More Than Doubling in a Year, Sophos Survey Shows | Sophos
- Ransomware Attacks Hit All-Time High as Payoffs Dwindle – Infosecurity Magazine
DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAWFIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.
