Article | 6 February 2026
Ransomware-as-a-Service (RaaS): How the Shadow Economy Works
The RaaS Business Model Explained #
Three Roles: Developers, Affiliates, Brokers #
Developers write the ransomware software. They handle encryption, command-and-control communication, and decryption services. This is highly specialised work.
Affiliates (also called operators) are the attackers. They rent the ransomware and carry out the actual operations. Affiliates typically do not pay for the ransomware upfront; instead, a commission model applies.
Initial Access Brokers (IABs) act as intermediaries. They penetrate networks via phishing, exposed RDP services with weak or stolen credentials, or unpatched vulnerabilities, and sell access to the already compromised networks. An affiliate purchases a ready-made entry point and launches the attack from there.
The Commission Model #
An affiliate pays no fixed licence for the ransomware. Instead, developers receive a share of the ransom. In documented schemes, the larger share of each ransom goes to the affiliate who executed the attack, while the platform operator keeps a smaller cut. Payments are made in cryptocurrency to obscure the money trail.
The model rewards scale: the more attacks, the more profit for both sides.
The Service Character #
RaaS operators genuinely provide customer service:
- Decryption tools: Once the ransom is paid, developers provide a decryption tool (often buggy, but functional).
- Leak sites: Many groups operate dark web sites where stolen data is posted for negotiation or sale. This is used as leverage against organisations that refuse to pay.
- Support channels: Forums and chat support where affiliates report issues and developers respond.
- Version upgrades: Well-known groups regularly release new versions of their ransomware with improvements, such as faster network propagation or bypass techniques for new EDR tools.
Well-Known RaaS Groups and Their Characteristics #
LockBit #
For years one of the most prolific families (LockBit 2.0, LockBit 3.0), with a large affiliate network and aggressive double-extortion leak sites. An international law enforcement operation (Operation Cronos, 2024) disrupted its infrastructure, but the affiliate ecosystem did not disappear.
Characteristics: Fast encryption, professional leak site, high public visibility as a deliberate tactic.
BlackCat / ALPHV #
Emerged in 2021. BlackCat used Rust for its malware, making it harder to analyse and more portable across platforms. The group targeted large enterprises and critical infrastructure before its apparent exit in 2024; successor operations and former affiliates remain active.
Characteristics: Professional branding, double extortion, focus on large enterprises and critical infrastructure.
Cl0p (Clop) #
Known for mass exploitation of vulnerabilities in file transfer applications (for example Progress Software’s MOVEit in 2023). Cl0p often skips encryption entirely and extorts victims purely with stolen data.
Characteristics: Exploit-based, supply chain focus, selective in the products it targets but indiscriminate in exploiting every reachable instance of them.
Other Groups #
A wide range of smaller families exists. Some are offshoots of established groups; others are entirely new entrants. When one brand disappears, its affiliates typically move to the next platform.
Why RaaS Makes Attacks Scalable #
Lower Barriers to Entry #
Anyone with money, not just technical skills, can execute a ransomware attack. An Initial Access Broker sells network access; an affiliate then only needs to run the attack. The infrastructure, malware, and decryption are already in place.
Global Reach #
Affiliates are recruited worldwide. The business model operates across borders, which is one reason the EU coordinates its response through NIS2 (Directive (EU) 2022/2555), ENISA, and the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe).
Standardisation #
With each new version, the ransomware improves: faster, harder to detect, better at evading defences. Development teams continuously refine their techniques. This mirrors legitimate software development, applied to illegal purposes.
Profit Motivation #
Commission models mean both sides earn significant money quickly. A single large attack can yield millions. This finances further development and marketing of the platform.
Implications for Your Defence Strategy #
RaaS means you are not fighting a single piece of malware. You are facing an organised, funded ecosystem. Four consequences follow:
- Prevention alone is not enough. The threat is too professionalised and too well-funded.
- Recoverability is central. With automated, tested, air-gapped backups you can recover regardless of who the attacker is.
- Incident response is essential. If you are hit, you need a team that can act quickly, and under NIS2 you must report significant incidents (early warning within 24 hours, incident notification within 72 hours).
- Regular recovery tests. A backup is worthless if you do not know whether it works.
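As an added example (not code from the original article or from any product it mentions), the following Python script implements the recovery test the list above calls for: it records a SHA-256 manifest of the protected data at backup time, restores the backup into a scratch directory, and compares the result file by file. The directory names, sample files and the simulated tampering (XOR pseudo-encryption, a `.locked` rename and a ransom note) are constructed for the demo; a real run would point `build_manifest` at the production tree and keep the manifest on the same offline or immutable medium as the backup.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Record relative path -> SHA-256 for every regular file under root.

    Captured at backup time and stored with the backup (offline or immutable),
    so a later restore is checked against a reference the attacker cannot rewrite.
    """
    manifest: dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return dict(sorted(manifest.items()))


def verify_restore(manifest: dict[str, str], restored: Path) -> dict:
    """Compare a restored tree against the manifest.

    Reports files that are missing, whose content differs (corrupt) or that were
    not in the manifest at all (unexpected: renamed copies, ransom notes).
    """
    result: dict = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(target.read_bytes()).hexdigest() == expected:
            result["ok"].append(rel)
        else:
            result["corrupt"].append(rel)
    for path in restored.rglob("*"):
        if path.is_file():
            rel = path.relative_to(restored).as_posix()
            if rel not in manifest:
                result["unexpected"].append(rel)
    result["passed"] = not (result["missing"] or result["corrupt"] or result["unexpected"])
    return result


def run_recovery_test() -> tuple[dict, dict]:
    """Constructed demo of a recovery test (all paths and files are made up).

    1. Build a small 'production' tree and record its manifest.
    2. Copy it to 'backup', restore the backup to 'restored', verify -> passes.
    3. Damage the restored copy the way ransomware would (overwrite one file with
       pseudo-encrypted bytes, rename another, drop a note), verify -> fails.
    Returns (clean_result, tampered_result).
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        prod, backup, restored = base / "prod", base / "backup", base / "restored"
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n" * 50)
        (prod / "report.docx").write_bytes(bytes(range(256)) * 4)
        (prod / "notes.txt").write_text("quarterly planning\n")

        manifest = build_manifest(prod)      # reference captured at backup time
        shutil.copytree(prod, backup)        # stand-in for the backup job
        shutil.copytree(backup, restored)    # stand-in for the restore job
        clean = verify_restore(manifest, restored)

        # Simulated ransomware damage (XOR with a constant stands in for
        # encryption; it is enough to change every hash).
        victim = restored / "db" / "customers.sql"
        victim.write_bytes(bytes(b ^ 0x5A for b in victim.read_bytes()))
        (restored / "report.docx").rename(restored / "report.docx.locked")
        (restored / "README_RESTORE.txt").write_text("Pay to get your files back.\n")
        tampered = verify_restore(manifest, restored)

    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_recovery_test()
    print("clean restore passed:", clean["passed"])
    print("tampered restore passed:", tampered["passed"], tampered)
```

The manifest only has value because it is captured before an incident and stored where the attacker cannot rewrite it; a restore that merely completes without errors proves nothing if the backup set itself was already encrypted or had files silently replaced.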
Frequently Asked Questions #
Should you pay the ransom? Legally: payments can be prohibited where sanctioned entities are involved. Practically: paying funds the attacker and encourages future attacks, and a working decryptor is not guaranteed. With working backups, payment should not be necessary.
Can security solutions stop ransomware? Modern ransomware is often polymorphic (it changes its signature from build to build) and exploits vulnerabilities before patches are available. EDR tools help, but they are not 100 percent effective. Prevention plus detection plus recovery is the combination that works.
Is my company too small to be targeted by ransomware attacks? No. Many smaller organisations are targeted precisely because they are less well defended. RaaS makes low-effort, high-volume attacks economical, so even mid-sized ransoms are worthwhile for affiliates.
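Because signature matching fails against polymorphic samples, the detection layer in the answer above has to key on behaviour instead. The following Python example (added here; not code from the original article or from any EDR vendor) scores file-system events per process inside a sliding time window: bulk overwrites of document files with high-entropy data, renames to unknown extensions, and the appearance of a ransom note. The event format, process IDs, paths and thresholds are constructed assumptions for the demo; the sample events also include a backup job and an ordinary user session so the rule can be seen not firing on legitimate high-entropy writes.

```python
from __future__ import annotations

import math
import os
import random
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    """Constructed event model: one record per file operation, as an EDR sensor
    or auditd/ETW pipeline would deliver it (assumption, not a real schema)."""
    ts: float            # seconds
    pid: int
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""    # content written (for "write")
    new_path: str = ""   # destination (for "rename")


DOC_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".sql"}
KNOWN_EXTS = DOC_EXTS | {".zip", ".gz", ".bak", ".log", ".tmp"}
NOTE_RE = re.compile(r"readme|restore|decrypt|recover|how_to", re.IGNORECASE)
HIGH_ENTROPY = 7.0   # bits per byte; plain documents sit far below this
WINDOW = 10.0        # seconds of history kept per process


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(ev: FileEvent) -> str | None:
    """Map one event to a behavioural signal, or None if it looks benign."""
    name = os.path.basename(ev.path)
    ext = os.path.splitext(name)[1].lower()
    if ev.op == "write":
        if NOTE_RE.search(name) and shannon_entropy(ev.data) < HIGH_ENTROPY:
            return "ransom_note"
        if ext in DOC_EXTS and shannon_entropy(ev.data) >= HIGH_ENTROPY:
            return "high_entropy_overwrite"
    elif ev.op == "rename":
        new_ext = os.path.splitext(ev.new_path)[1].lower()
        if new_ext and new_ext not in KNOWN_EXTS:
            return "rename_unknown_ext"
    return None


def detect_ransomware(events, window: float = WINDOW, threshold: int = 3) -> list[dict]:
    """Return one alert per process whose recent signals look like encryption.

    Rule: within `window` seconds a process overwrote >= threshold documents with
    high-entropy data AND renamed >= threshold files to unknown extensions, or it
    dropped a ransom note after at least one such action.
    """
    history: dict[int, deque] = defaultdict(deque)
    alerted: set[int] = set()
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        signal = classify(ev)
        if signal is None:
            continue
        q = history[ev.pid]
        q.append((ev.ts, signal))
        while q and ev.ts - q[0][0] > window:   # drop signals outside the window
            q.popleft()
        counts = Counter(s for _, s in q)
        encrypt_like = counts["high_entropy_overwrite"] + counts["rename_unknown_ext"]
        fired = (counts["high_entropy_overwrite"] >= threshold
                 and counts["rename_unknown_ext"] >= threshold) \
            or (counts["ransom_note"] > 0 and encrypt_like >= 1)
        if fired and ev.pid not in alerted:
            alerted.add(ev.pid)
            alerts.append({"pid": ev.pid, "ts": ev.ts, "counts": dict(counts)})
    return alerts


def sample_events() -> list[FileEvent]:
    """Constructed events: one encrypting process, one backup job, one user."""
    rng = random.Random(7)
    events = []
    # pid 1337: overwrites four documents with random bytes, renames each, drops a note
    for i, name in enumerate(["q1.xlsx", "contract.pdf", "photo.jpg", "plan.docx"]):
        path = f"/srv/share/{name}"
        events.append(FileEvent(100.0 + i, 1337, "write", path, rng.randbytes(4096)))
        events.append(FileEvent(100.5 + i, 1337, "rename", path, new_path=path + ".locked"))
    events.append(FileEvent(104.0, 1337, "write", "/srv/share/README_DECRYPT.txt",
                            b"Your files are encrypted. Contact us to decrypt.\n"))
    # pid 2000: nightly backup writes compressed archives (high entropy, legitimate)
    for i in range(5):
        events.append(FileEvent(200.0 + i, 2000, "write", f"/backup/set-{i}.zip", rng.randbytes(4096)))
    # pid 3000: a user saves plain text and renames a draft to its final name
    events.append(FileEvent(300.0, 3000, "write", "/home/anna/notes.txt",
                            b"meeting notes: budget, hiring, roadmap\n" * 20))
    events.append(FileEvent(301.0, 3000, "rename", "/home/anna/draft.docx", new_path="/home/anna/final.docx"))
    return events


if __name__ == "__main__":
    for alert in detect_ransomware(sample_events()):
        print(alert)
```

The backup job writes data that is just as high-entropy as ciphertext, which is why the rule only counts overwrites of existing document types and combines them with rename bursts; in production the same logic would sit on a kernel minifilter or eBPF feed rather than on an in-memory list, and the thresholds would be tuned against a baseline of the site's own file activity.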
Further Resources #
→ What Is Ransomware? Explained for IT Decision-Makers (/en/blog/ransomware-was-ist-ransomware/)
→ How Ransomware Destroys Backups: Technical Analysis (/en/blog/wie-ransomware-backups-zerstoert/)
→ Ransomware Protection: Guide for IT Decision-Makers (/en/blog/ransomware-schutz-leitfaden/)
→ Silent Brick System: Backup Against Ransomware (/en/produkte/silent-brick-system/)
→ Request a Demo (/en/kontakt/demo/)
Glossary #
Ransomware-as-a-Service
Ransomware-as-a-Service (RaaS) is a business model of organized cybercrime in which specialized groups rent out ransomware tools as a service and receive a share of the extorted ransom — responsible for professionalized large-scale attacks on organizations, public bodies and critical infrastructure.
Disaster Recovery
Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within a defined timeframe (RTO) and with no more than a defined amount of data loss (RPO) after a severe failure, such as a ransomware attack, hardware failure or data center outage.
Ransomware
Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.
Air Gap
An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.