---
title: "Ransomware-as-a-Service (RaaS): How the Shadow Economy Works"
date: 2026-02-06T14:35:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/ransomware-as-a-service-so-funktioniert-die-schattenwirtschaft"
section: "Entries: Articles"
---
### The RaaS Business Model Explained

#### Three Roles: Developers, Affiliates, Brokers

**Developers** write the ransomware software. They handle encryption, command-and-control communication, and decryption services. This is highly specialised work.

**Affiliates** (also called operators) are the attackers. They rent the ransomware and carry out the actual operations. Affiliates typically do not pay for the ransomware upfront; instead, a commission model applies.

**Initial Access Brokers (IABs)** act as intermediaries. They penetrate networks via phishing, RDP exploits, or vulnerabilities and sell access to already compromised networks. An affiliate purchases a ready-made entry point and launches the attack from there.

#### The Commission Model

An affiliate pays no fixed licence for the ransomware. Instead, developers receive a share of the ransom. In documented RaaS schemes, the larger share of each ransom goes to the affiliate who executed the attack, while the platform operator keeps a smaller cut. Payments are made in cryptocurrency to obscure the money trail.

The model rewards scale: the more attacks, the more profit for both sides.

#### The Service Character

RaaS operators genuinely provide customer service:

- **Decryption tools:** Once the ransom is paid, developers provide a decryption tool (often buggy, but functional).
- **Leak sites:** Many RaaS groups operate dark web sites where stolen data is posted for negotiation or sale. This is used as leverage against organisations that refuse to pay.
- **Support channels:** Forums and chat support where affiliates report issues and developers respond.
- **Version upgrades:** Well-known groups regularly release new versions of their ransomware with improvements, such as faster network propagation or bypass techniques for new EDR tools.

---

### Well-Known RaaS Groups and Their Characteristics

#### LockBit

For years one of the most prolific RaaS families (LockBit 2.0, LockBit 3.0), with a large affiliate network and aggressive double-extortion leak sites. An international law enforcement operation (Operation Cronos, 2024) disrupted its infrastructure, but the affiliate ecosystem did not disappear.

**Characteristics:** Fast encryption, professional leak site, high public visibility as a deliberate tactic.

#### BlackCat / ALPHV

Emerged in 2021. BlackCat used Rust for its malware, making it harder to analyse and more portable across platforms. The group targeted large enterprises and critical infrastructure before its apparent exit in 2024; successor operations and former affiliates remain active.

**Characteristics:** Professional branding, double extortion, focus on large enterprises and critical infrastructure.

#### Cl0p (Clop)

Known for mass exploitation of vulnerabilities in file transfer applications (for example Progress Software’s MOVEit in 2023). Cl0p often skips encryption entirely and extorts victims purely with stolen data.

**Characteristics:** Exploit-based, supply chain focus, highly selective in target choice.

#### Other Groups

A wide range of smaller RaaS families exists. Some are offshoots of established groups; others are entirely new entrants. When one brand disappears, its affiliates typically move to the next platform.

---

### Why RaaS Makes Attacks Scalable

#### Lower Barriers to Entry

Anyone with money, not just technical skills, can execute a ransomware attack. An Initial Access Broker sells network access; an affiliate then only needs to run the attack. The infrastructure, malware, and decryption are already in place.

#### Global Reach

Affiliates are recruited worldwide. The business model operates across borders, which is one reason the EU coordinates its response through NIS2 (Directive (EU) 2022/2555), ENISA, and the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe).

#### Standardisation

With each new version, the ransomware improves: faster, harder to detect, better at evading defences. Development teams continuously refine their techniques. This mirrors legitimate software development, applied to illegal purposes.

#### Profit Motivation

Commission models mean both sides earn significant money quickly. A single large attack can yield millions. This finances further development and marketing of the RaaS platform.

---

### Implications for Your Defence Strategy

RaaS means you are not fighting a single piece of malware. You are facing an organised, funded ecosystem. This requires:

1. **Prevention alone is not enough.** The threat is too professionalised and too well-funded.
2. **Recoverability is central.** With automated, tested, air-gapped backups you can recover regardless of who the attacker is.
3. **Incident response is essential.** If you are hit, you need a team that can act quickly, and under NIS2 you must report significant incidents (early warning within 24 hours, incident notification within 72 hours).
4. **Regular recovery tests.** A backup is worthless if you do not know whether it works.

---

### Frequently Asked Questions

**Should you pay the ransom?** Legally: payments can be prohibited where sanctioned entities are involved. Practically: paying funds the attacker and encourages future attacks, and a working decryptor is not guaranteed. With working backups, payment should not be necessary.

**Can security solutions stop RaaS malware?** Modern RaaS malware is often polymorphic (changes its signature) and exploits vulnerabilities before patches are available. EDR tools help, but are not 100 percent effective. Prevention plus detection plus recovery is the combination that works.

**Is my company too small to be targeted by RaaS attacks?** No. Many smaller organisations are targeted precisely because they are less well defended. RaaS makes low-effort, high-volume attacks economical, so even mid-sized ransoms are worthwhile for affiliates.

---

### Further Resources

- What Is Ransomware? Explained for IT Decision-Makers (/en/blog/ransomware-was-ist-ransomware/)
- How Ransomware Destroys Backups: Technical Analysis (/en/blog/wie-ransomware-backups-zerstoert/)
- Ransomware Protection: Guide for IT Decision-Makers (/en/blog/ransomware-schutz-leitfaden/)
- Silent Brick System: Air Gap Backup Against Ransomware (/en/produkte/silent-brick-system/)
- Request a Demo (/en/kontakt/demo/)

### Ransomware-as-a-Service

Ransomware-as-a-Service (RaaS) is a business model of organized cybercrime in which specialized groups rent out ransomware tools as a service and receive a share of the extorted ransom — responsible for professionalized large-scale attacks on organizations, public bodies and critical infrastructure.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware-as-a-service)

### Disaster Recovery

Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage.

[Learn more →](https://www.fast-lta.de//en/glossary/disaster-recovery)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)
