---
title: Ransomware-as-a-Service
date: 2026-06-01T17:19:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/glossary/ransomware-as-a-service"
section: Glossar
---
Ransomware has evolved from simple extortion trojans (CryptoLocker 2013, WannaCry 2017) into a highly professionalized industry. RaaS is the underlying business model: a core group develops and maintains the ransomware and the infrastructure for ransom negotiations and payment. So-called affiliates — partners who carry out the actual attack — rent these tools and typically receive 70 – 80% of the extorted ransom; 20 – 30% remains with the developers.

Well-known RaaS groups: LockBit, BlackCat/ALPHV, Cl0p, REvil. These groups conduct big-game-hunting campaigns: they target not individuals but large organizations (high-revenue companies, critical infrastructure, public administrations) and demand correspondingly high ransoms.

The typical RaaS attack follows a methodical sequence: initial access via phishing or compromised VPN credentials (day 0); reconnaissance and lateral movement over weeks to months, with privilege escalation and mapping of the backup infrastructure (days 1 – 21); destruction of all backup copies (before encryption); and finally encryption of the production environment and extortion.

According to IBM X‑Force Intelligence, the average dwell time of an attacker in the network is 204 days; attacks are often discovered only when maximum damage has already been done. This underscores the importance of physically separated backups that cannot be compromised even after months of attacker presence in the network.

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

## Frequently asked questions

#### How do I protect against RaaS attacks?

RaaS attacks are designed to destroy an organization's entire recovery capability before the actual extortion begins. The most effective counterstrategy is a physically isolated backup that cannot be compromised even after months of attacker presence in the network, because it is not physically addressable while in its air-gapped offline state. Additional measures: regular recovery tests, separate backup administrator accounts (no access via the production Active Directory) and network segmentation.

#### Do organizations attacked by RaaS groups actually pay the ransom?

46% of affected organizations pay (Sophos 2024), but only 4% receive all their data back. The BSI advises against ransom payments as a matter of principle: they fund further attacks and offer no guarantee of complete recovery. The only reliable alternative is independent recovery from a backup the attacker could not reach.
