The Evolution of Ransomware-as-a-Service: From Underground Forums to Global Threats

May 29, 2025, by Ethan Coulthard

Ransomware-as-a-Service (RaaS) has reshaped the cybercrime landscape, turning ransomware from a series of isolated incidents into a booming underground industry. By adopting business models reminiscent of legitimate Software-as-a-Service (SaaS) platforms, RaaS has lowered the technical barrier to entry for cybercriminals, leading to a surge in ransomware incidents worldwide.


Understanding the RaaS Business Model

At its core, RaaS operates on a collaborative model between developers and affiliates. Developers are responsible for creating and maintaining the ransomware code. They handle software updates, infrastructure such as command-and-control servers and leak sites, and sometimes even customer support services. Affiliates obtain access to these ransomware kits under the platform's terms and execute the attacks themselves, often with minimal technical knowledge.

This division of labor allows for specialization and scalability. Developers can focus on improving ransomware functionality, evading detection, and managing affiliate programs, while affiliates concentrate on social engineering, phishing, or exploiting network vulnerabilities to distribute the malware.

RaaS providers use a variety of monetization strategies. In a subscription-based model, affiliates pay monthly fees to access ransomware toolkits. In commission-based arrangements, developers receive a cut—usually between 20% and 40%—of any ransoms paid. Some platforms charge a one-time fee for lifetime access. More sophisticated services may even offer tiered levels of functionality or support.

This SaaS-like delivery of malware has contributed to a thriving underground economy where cybercrime is marketed with polished branding, user dashboards, onboarding guides, and performance analytics for affiliates.

Notable RaaS Providers

  • LockBit: Launched in 2019, LockBit is one of the most active and adaptive RaaS platforms. Known for its speed and automation, LockBit provides affiliates with a clean interface and support infrastructure. It has been involved in high-profile attacks and was disrupted in 2024 by a coordinated law enforcement operation, after which its alleged operator, Dmitry Yuryevich Khoroshev, was publicly named.
  • REvil (Sodinokibi): REvil became infamous after targeting JBS Foods and IT software firm Kaseya. The group demanded ransoms in the tens of millions and used a profit-sharing model to attract affiliates. Russian authorities reportedly dismantled the group in early 2022.
  • DarkSide: This group came to international attention after its ransomware was used in the Colonial Pipeline attack. Known for its selective targeting and media-savvy tactics, DarkSide claimed to avoid attacking hospitals and non-profits. Following heightened law enforcement attention, it announced a shutdown, only to be succeeded by similar groups like BlackMatter.
  • Medusa: First spotted in 2021, Medusa uses both encryption and data-leak threats to coerce victims. It has targeted sectors ranging from education to critical infrastructure. Its recent attacks, including one against Houston-based MD Anderson Cancer Center, indicate ongoing operational sophistication.
  • BlackCat (ALPHV): Notable for being written in the Rust programming language, BlackCat offers advanced customization and stealth capabilities. It has targeted organizations like Reddit and Change Healthcare. U.S. authorities have offered a reward of up to $10 million for information on the group’s leadership.

Implications of the RaaS Model

The rise of RaaS has far-reaching implications for cybersecurity and society at large. By making ransomware accessible to virtually anyone with internet access and malicious intent, RaaS has dramatically increased the volume and geographic spread of ransomware attacks. This accessibility leads to attacks on small businesses, schools, hospitals, and municipal governments—targets that may lack robust cybersecurity defenses.

This model also complicates attribution. The separation of ransomware developers from the actual attackers makes it difficult for investigators to trace incidents back to their source: the same payload can appear in intrusions run by many unrelated affiliates, so the malware family alone says little about who carried out a given attack. Many RaaS groups host their operations across jurisdictions and use cryptocurrency to obfuscate financial trails, further hindering law enforcement.

In economic terms, ransomware damages have skyrocketed. Ransom payments, downtime, remediation, legal liabilities, and reputational damage together cost organizations billions annually. Additionally, the use of double extortion—encrypting data and threatening to leak it—places victims under even greater pressure.

Countermeasures and Defensive Strategies

To effectively counter the RaaS threat, organizations need to adopt a layered and proactive approach to cybersecurity. Regularly backing up critical data, preferably to offline or immutable storage that the attacker cannot reach with stolen credentials, and periodically testing that those backups actually restore, ensures recoverability without needing to pay a ransom. Employee education is essential, as many ransomware attacks begin with phishing emails or social engineering.

Timely patching of vulnerabilities, particularly on internet-facing systems that affiliates scan for as an initial foothold, is critical to shutting down known exploits used in ransomware distribution. Network segmentation can limit how far malware moves laterally across systems once one host is compromised. Implementing a Zero Trust security architecture, which continuously verifies user identities and permissions, adds another layer of protection against unauthorized access.

Security tools such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) platforms help detect anomalies and respond in real time; their value depends on rules tuned to the behaviours ransomware exhibits on an endpoint, such as mass file modification and the dropping of ransom notes, rather than on signatures for a particular family. Organizations should also participate in cyber threat intelligence-sharing communities to stay updated on emerging threats and techniques.
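As an added example of the kind of behavioural rule an XDR or SIEM can encode (this is illustrative code written for this page, not a product's detection logic or anything from the post's author), the script below runs two checks over constructed file-activity telemetry: a burst of renames to an unfamiliar extension by one process on one host within a short window, and the creation of a file whose name looks like a ransom note. The event format, process names, thresholds and window size are assumptions chosen for illustration.

```python
"""
Added example (not from the original post): minimal ransomware-behaviour
detection of the kind an XDR/SIEM rule would express, run over constructed
file-activity events of the form "timestamp|host|process|action|path".
Signals:
  1. many renames to an extension outside a known set, by one (host, process),
     inside a sliding time window  -> likely mass encryption;
  2. creation of a file whose name matches common ransom-note patterns.
Thresholds, extensions and the log layout are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60       # assumed sliding window for the rename burst
RENAME_THRESHOLD = 20     # assumed number of suspicious renames that fires the rule
# Extensions everyday software is expected to produce; anything else is "unfamiliar".
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "tmp", "log", "bak"}
# Typical ransom-note naming: README..., HOW_TO_DECRYPT..., RESTORE_FILES... as txt/html/hta.
RANSOM_NOTE_RE = re.compile(
    r"(readme|how[_ -]?to[_ -]?(decrypt|restore|recover)|restore[_ -]?files|decrypt)[^\\/]*\.(txt|html?|hta)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    ts: int
    host: str
    process: str
    action: str   # write | rename | create
    path: str


def parse_event(line: str) -> Event:
    ts, host, proc, action, path = line.split("|", 4)
    return Event(int(ts), host, proc, action, path)


def filename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path: str) -> str:
    name = filename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return alerts as (rule, host, process, ts); the burst rule fires once per (host, process)."""
    alerts = []
    windows = defaultdict(deque)   # (host, process) -> timestamps of suspicious renames in window
    fired = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.action == "create" and RANSOM_NOTE_RE.search(filename(ev.path)):
            alerts.append(("ransom_note_dropped", ev.host, ev.process, ev.ts))
        if ev.action == "rename" and extension(ev.path) not in KNOWN_EXTENSIONS:
            key = (ev.host, ev.process)
            q = windows[key]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW_SECONDS:   # drop events outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append(("mass_rename_unfamiliar_extension", ev.host, ev.process, ev.ts))
    return alerts


def constructed_events():
    """Constructed sample telemetry (not real logs): benign activity, a burst, and a slow trickle."""
    lines = [
        "1717000000|ws-17|winword.exe|write|C:\\Users\\alice\\Documents\\q2.docx",
        "1717000005|ws-17|excel.exe|rename|C:\\Users\\alice\\Documents\\~$budget.xlsx",
        "1717000009|ws-17|backup.exe|rename|C:\\Backups\\db.bak",
    ]
    # One unknown process renames 25 documents to a new extension within 25 seconds.
    for i in range(25):
        lines.append(f"{1717000100 + i}|ws-17|update.exe|rename|C:\\Users\\alice\\Documents\\file{i}.docx.lockd")
    lines.append("1717000130|ws-17|update.exe|create|C:\\Users\\alice\\Documents\\README_TO_RESTORE.txt")
    # Same process elsewhere, but one rename every 10 s: never 20 inside a 60 s window.
    for i in range(25):
        lines.append(f"{1717001000 + i * 10}|ws-22|update.exe|rename|D:\\share\\doc{i}.pdf.lockd")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The slow trickle on the second host is deliberate: a rate threshold alone misses an affiliate that encrypts slowly, which is why the ransom-note check and the unfamiliar-extension condition are independent signals rather than one combined score. In practice the extension allow-list and thresholds would be derived from each environment's own baseline.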

Government intervention and international cooperation remain vital in taking down major RaaS operations. Recent law enforcement successes show that coordinated actions—seizing servers, disrupting payment systems, and arresting key actors—can significantly impact these cybercriminal ecosystems.


Conclusion

Ransomware-as-a-Service has transformed ransomware from a technical endeavor into a scalable business model, enabling even low-skilled actors to launch devastating attacks. As these platforms continue to evolve in sophistication and reach, organizations must stay vigilant. If your company has concerns about ransomware attacks, TechHorizon Consulting's vCISO service can help. With our real-time network monitoring capabilities we can protect your business from threats like ransomware and other malware attacks. If this interests you, please visit our "Contact Us" page.