What is ransomware-as-a-service (RaaS)?

| By:
Bryson Medlock

It’s every MSP’s nightmare: a message from a cybercriminal that they encrypted and locked a customer’s data. Until the organization pays a significant fee (often in the form of cryptocurrency), the cybercriminal will hold access to the data hostage indefinitely, or they will publish or sell the data on the dark web for other criminals to access and exploit.

Known as ransomware, this cybercrime is becoming more common due to the proliferation of ransomware-as-a-service (RaaS). Criminal groups have adopted the efficiencies and scalability of the software-as-a-service (SaaS) model to make this kind of cyberattack easier and faster than ever—and for the purveyors of ransomware-as-a-service, even more lucrative. 

RaaS can incur significant costs to victims due to downtime, unhappy customers, lost or destroyed data, and compromised infrastructure and systems that are expensive to replace or fix. There is also the damage stemming from the bad publicity of a data breach and the release of sensitive information.

Beyond the damage to the victim, ransomware-as-a-service can disrupt critical services like utilities, transportation, finance and banking, manufacturing, and even healthcare that customers depend on. Individuals may suffer from their private data being sold online, leading to identity theft and other scams. 

The consequences of RaaS attacks can be far-reaching across hundreds of additional businesses and impact thousands of people. For MSPs, understanding what ransomware-as-a-service is and how it works is essential.

Ransomware-as-a-service definition

When ransomware is offered as a service, it makes the technology easily available to buy, install, and use. Cybercriminals no longer need deep technical expertise to design and implement their own program—they can simply purchase or subscribe to a ready-made solution at a fairly low cost, and they’re in business. 

RaaS providers may use social media and other platforms to promote their services on the dark web, often using sophisticated marketing tactics to identify and target potential customers. They may even use ads, bundles, and special offers to attract and entice them. 

How does ransomware-as-a-service work? Just like SaaS solutions, RaaS typically offers a user-friendly dashboard or control panel with various features and functionalities. Ransomware typically involves malware that encrypts files, but some versions may include other capabilities, such as data theft or blockers that prevent users from accessing systems or programs. 

Besides data encryption, ransomware-as-a-service has expanded to include data exfiltration and theft, distributed denial-of-service (DDoS) attacks, the ability to lock cloud-based backups, and variants that can infiltrate smartphones and internet of things (IoT) devices such as thermostats.

Ransomware-as-a-service platforms can be remarkably robust and similar to offerings from legitimate companies. Their features can include:

  • Instructions, guides, and 24/7 technical support
  • Customization options, such as messaging or a type of operating system (OS)
  • Applications for monitoring and managing attacks
  • Payment processing
  • Forums where users can share tips and tricks
  • A knowledge base
  • Regular software updates

Beyond these capabilities, RaaS gives cybercriminals the ability to carry out attacks on many targets simultaneously through automated processes. The greater the number of victims, the greater the profits.

What is the RaaS model and how does it work?

In the basic ransomware-as-a-service model, cybercriminals (often large criminal enterprises) create a ransomware platform and sell it on the dark web. The RaaS provider takes on the costs of designing, maintaining, and marketing the technology, then profits from the sales of the technology and sometimes from the resulting ransoms.

Ransomware-as-a-service works with a few different payment variations:

  • A flat one-time fee for access to the ransomware program
  • Monthly or annual fees for a subscription to the service
  • An affiliate program in which customers pay a commission to the provider
  • A straight percentage split of the ransom profits between the RaaS provider and the customer

RaaS services can run from less than $100 a month to thousands of dollars, depending on the sophistication, features, and capabilities of the platform. Since ransom demands can go up to millions of dollars, the returns on the investment for buyers can be significant even when the cost of the service is relatively high. 

Anatomy of a RaaS attack

Just like “traditional” ransomware attacks, ransomware-as-a-service attacks exploit vulnerabilities in networks and systems. One of the classic ransomware-as-a-service examples involves sending a phishing email with a link or a file to be downloaded. Cybercriminals may also use other methods of social engineering to gain access to security credentials or leverage technical weaknesses in the system or third-party software. With a RaaS solution, they can attack dozens or hundreds of different victims at once.

In the case of a phishing scam, when the victim clicks a link or downloads an infected file, the resulting malware encrypts or locks data on some or all their files, rendering them inaccessible, and identifies additional targets on the network. It may also disable security software and attack or destroy backups.

The victim then receives a message that they must pay a ransom for the decryption key, usually in cryptocurrency or via some other hard-to-trace method. The cybercriminals may threaten to leak, sell, or delete the files if the ransom is not paid. 

If the victim decides to pay, they are directed to a portal for payment that is run by the RaaS provider. Once the ransomware-as-a-service provider receives the payment, it is divided among the provider and the subscriber or affiliate according to the terms of their agreement.

Theoretically, the victim should receive the decryption key or see files unlocked upon payment, but in some cases, the attackers may simply disappear or make additional demands. Decryption keys don’t always work correctly on encrypted files, however. Even after paying the ransom, victims only get about 60% of their data back on average.  

The impact of RaaS on MSPs

According to IBM, the average cost of a data breach in the United States in 2022 was $9.44M, including downtime and lost business. But even less expensive breaches can be devastating, especially for smaller businesses.

Ransomware-as-a-service presents a significant challenge for MSPs. The availability of such solutions increases the likelihood and frequency of ransomware attacks: in the same report, IBM noted that RaaS accounts for 11% of all cybersecurity attacks—a percentage that is likely to grow. 

In addition, smaller businesses may be more at risk. Attackers sometimes assume that ransomware incidents involving such organizations attract less attention than attempts on larger, well-known enterprises—making it easier for cybercriminals to evade law enforcement and more likely that companies will pay ransoms. Read our 2023 Cyber Threat Report for more details on the landscape. 

The sheer number of attacks that ransomware-as-a-service enables presents a significant burden for MSPs, who may have trouble deploying sufficient resources to monitor and defend multiple systems from attacks. In addition, the proliferation of so many types of ransomware makes it challenging to effectively protect networks and systems.

As a result, your organization will be under even more pressure to implement risk assessment tools, train employees to recognize phishing and other scam attempts, protect and back up critical data, and have strategies in place to address, mitigate, and recover from ransomware attacks quickly.

The main RaaS threats

RaaS providers come on the scene, evolve, and change all the time, so as an MSP, you need to stay abreast of the major groups and tactics. These are a few of the main ransomware-as-a-service examples and criminal groups:

  • LockBit/LuckyDay/Lockbit 2.0: Formerly known as ABCD, this criminal group frequently enhances and upgrades its malware and has an exceptionally robust affiliate program. Since their first appearance in 2019, the group has used tactics like collaborating with other criminal groups, working with company insiders, and using network access brokers. Recent attacks disabled the Royal Mail’s ability to handle international shipping and disrupted a public transit system in Washington State. Lockbit was responsible for 42% of all ransomware incidents directly targeting MSPs in 2022.
  • Clop: This variant of CryptoMix, first observed in February 2019, was responsible for 11% of all ransomware incidents directly targeting MSPs in 2022. Commonly distributed through phishing emails and exploit kits, it is known for both encrypting files and stealing personal data, a practice called “double extortion.” By exploiting a zero-day vulnerability in a file transfer tool, they stole data from over 130 organizations in early 2023.
  • Hive: First appearing in June 2021, this ransomware-as-a-service was responsible for 6% of all ransomware incidents targeting MSPs in 2022. From its inception to November 2022, Hive also notably targeted government facilities, hospitals, and other organizations causing approximately $100 million in damage.
  • MountLocker/DagonLocker/QuantumLocker: First appearing in 2020, the Mount Locker Ransomware family was responsible for 6% of all ransomware incidents directly targeting MSPs in 2022. Historically, the Mount Locker family has employed “big game hunting” tactics, meaning that they prefer to target high-value targets like large corporations and government agencies.
  • Conti: First appearing in December 2019, is known both for the speed it is able to encrypt files as well as for demanding large payments. One of its most high-profile attacks was on the Irish healthcare system in 2022, potentially costing over $100 million in damage. Conti was responsible for 4% of all ransomware incidents directly targeting MSPs in 2022.
  • Black Basta: This group seeks out credentials for corporate network access on underground forums in exchange for a cut of the profits. Attackers typically use “double extortion,” in which they steal sensitive data and threaten to post it on the dark web. Black Basta attacked the American Dental Association in 2022, stealing and posting sensitive data, including tax forms and financial spreadsheets.
  • Black Cat: This highly adaptable RaaS platform is notable for its ability to customize attacks on specific victims as well as the payouts it makes to affiliates—as much as up to 90% of the ransom. The group seems to be focused mainly on U.S.-based organizations. 

How MSPs can defend clients from RaaS

Protecting your clients from ransomware-as-a-service attacks requires a multifaceted strategy that combines awareness, end-user security, cybersecurity tools, and planning. A good starting point is the NIST Framework. By tying concepts of ransomware-as-a-service defenses to this structure, you can create a more holistic approach. Here’s an example of how these tie together.

  • Identify: Do you understand your level of risk? Knowing the tactics and technologies RaaS providers use can help your team anticipate and defend against attacks from threat actors. This can be accomplished through tools like a cybersecurity risk assessment or a crown jewels analysis. A crown jewels analysis is a toolset designed to identify an organization’s most critical assets.
  • Protect: Are the doors locked? If you had your garage door left open with a Lamborghini inside and the keys on the dash, it’s safe to say you’re exposing yourself to a lot of risk. You need to make sure your clients aren’t doing the same through the following best practices:
  • Providing ample and regular employee training. Make sure users know not to click links or open attachments in suspicious emails and are aware of common social engineering scams. There should also be a clear process on how and where they can report any phishing attempts, as well as a set policy on practices like multi-factor authentication (MFA).
  • Keeping systems patched and updated. This applies to software and hardware, including mobile devices and third-party applications. Our webinar, 7 Key Steps to Automate Patch Management, is a great way to show how you can manage this process more efficiently.
  • Implementing the seven layers of security. The seven layers are as follows:
    • The human layer: human behavior towards a system and how data is protected.
    • Perimeter security: where different devices retrieve and access data from a given source.
    • Network security: where all security measures are implemented to avoid any unauthorized access.
    • Application security: governing access to applications as well as application access to any sensitive data.
    • Endpoint security: keeping security threats from impacting endpoint devices like smartphones or laptops.
    • Data security: protecting data transfer and storage
    • Critical assets: The actual essential data that all security measures are installed to protect, like personal/critical information and user credentials.
  • Detect: Can you sound the alarm when the bad guy gains access? Think of this in terms of security. If a thief was to enter your home, is there a means to let you know that someone has gotten inside? The same principle applies to ransomware-as-a-service. 

Cybersecurity software can alert you to any suspicious or unusual activity across the network. Track all devices with network access and ensure employees are following security protocols when working remotely. In addition, managed detection and response systems help you know when a breach happens as soon as possible so you can react.

  • Respond: Do you have a response plan? If an attack does happen, make sure there is a clear process to stop or slow it, mitigate the damage, and restore systems and data from backups quickly. Support from an incident response service can ensure your team always has expert backup on hand.
  • Recover: How quickly can you get back up and running? Backup and disaster recovery software can help mitigate loss of your clients’ data should there be an attack. Backups should be saved in multiple locations, including secure offsite locations that are separate from the network. 

How you should handle a RaaS attack

Acting quickly in the face of a ransomware-as-a-service attack is critical, as the malware can spread quickly. Here are four steps you should take immediately following a RaaS attack:

  1. Disconnect the affected device or system to isolate it from the rest of the network as soon as possible. This means shutting down its access via Wi-Fi, Bluetooth, and wired connections. Shut down the entire system if too many components have been compromised.  
  2. Disable any automated backup processes to prevent them from being infected.
  3. Use phone calls or other non-network methods to communicate about the breach. Attackers may monitor communication systems to evade detection and create further damage.
  4. Report the attack to the local FBI office or the Internet Crime Complaint Center (IC3). The FBI may also be able to help with decryption for some ransomware variants.

With threats like ransomware-as-a-service being an active danger to your clients, providing that additional layer of security is critical. ConnectWise offers a suite of cybersecurity management software for MSPs looking to protect their clients’ critical business assets, from Endpoint Detection and Monitoring (EDR)  to SIEM

See our software in action by requesting a Cybersecurity suite demo today..


The Computer Fraud and Abuse Act (CFAA) states that it is a crime to access any computer or computer network without authorization, which includes ransomware-as-a-service (RaaS). Because the damage and costs associated with RaaS crime can be so severe, some businesses choose to pay up.

However, federal law enforcement agencies warn against this for several reasons. There is no guarantee that criminals will restore the data, and they may even attack victims a second time. In addition, paying may serve to encourage the perpetrators to attack other victims and attract additional criminals to the RaaS model. 

Plus, paying ransomware-as-a-service attackers could violate federal law. For example, it’s illegal to “carry out business” with an entity on the sanctions list of the U.S. Treasury’s Office of Foreign Assets Control (OFAC), which can include ransomware perpetrators.

The federal government has several agencies and initiatives focused on preventing and addressing ransomware-as-a-service (RaaS) attacks. The website StopRansomware.gov serves as a center for resources, including training modules and webinars, to help organizations and individuals lessen their risk of falling victim to ransomware. 

Any business facing a RaaS attack should report to a local FBI field office or file a report with the FBI’s Internet Crime Complaint Center (IC3). Reporting RaaS attempts or attacks can help law enforcement professionals stay up-to-date on tactics and infiltrate criminal groups.