Ransomware has been a big problem for businesses in recent years, especially with the rise of remote and hybrid working brought about by the COVID-19 pandemic. This has made it harder for businesses to protect their data and systems from attack.

With a 13% increase from 2021 to 2022 which is equal to the past 5 years’ increases combined, there are no signs that these attacks are going anywhere and organizations and individuals need to be more vigilant than ever before. (Verizon DBIR)

What is RaaS

Extortion or Ransomware as a Service (RaaS) can be thought of as an interpretation of the popular Software as a Service (SaaS) model where users who may not have the time or skill to create and deploy their own ransom will purchase it on the dark web to infect their victims.

The RaaS comes as a kit that is distributed to affiliates and each kit has different features and benefits. Some RaaS kits can include 24/7 support, user reviews, forums, and even offers to bundle services. Prices for a RaaS kit can range significantly from $40 a month to thousands depending on the kit needed. The average ransom demand in 2021 was $6 million.

How Does It Work

The RaaS model follows this outline for operators and affiliates.

RaaS Operators:

  • Recruit affiliates on forums and the dark web
  • Affiliates gain access to “build their own ransomware package”
  • A command and control dashboard is created to track the status of the package
  • Victim payment portal is set up
  • Victim negotiations assistance
  • A dedicated leak site is managed

RaaS Affiliates:

  • Pay to use ransomware
  • Agrees on the fee per collected ransom
  • Targets victims
  • Set ransom demands
  • Create post-attack user messages
  • Compromise the victims
  • Execute ransomware
  • Communications with victims via chat portals or other channels
  • Manage decryption key

4 common RaaS models:

  • Monthly subscription for a flat fee
  • Affiliate programs, which are the same as a monthly fee model but with a percent of the profits (typically 20-30%)
  • going to the ransomware developer
  • One-time license fee with no profit sharing
  • Pure profit sharing

RaaS is a quick and straightforward way to monetize malware. Through some refined RaaS portals, affiliates can create an account, pay with Bitcoin and start monitoring infection status, and files encrypted, scan their targets, and start making money. Ransomware providers offer a wide range of support options — from online communities, tutorials, documentation, feature updates, and more benefits just like a traditional SaaS product.


CyberMaxx engineers have noted these RaaS as noteworthy this year so far.


LockBit has proven itself to be the world’s most prominent and active ransomware, more than doubling the average ransomware payment by targeting small-to-medium-sized organizations. Dubbed one of the most destructive pieces of software in modern history, LockBit encrypts nearly every file stored on an infected device and drops corresponding ransom notes on victims’ computers.


BlackCat is a notable ransomware family, threatening users worldwide with its unique set of features: possible rebranding of DarkSide, written in Rust (a more secure programming language that offers improved performance and reliable concurrent processing), pays affiliates a comparatively larger share than similar schemes and has launched one of the first public data leaks sites.

Black Basta

Black Basta was only noticed in April 2022 but has become a major player in the RaaS business by using double extortion tactics and attack tools like the QakBot trojan and PrintNightmare exploit.

This ransomware family had multiple successful high-profile attacks back to back:

Black Basta shows no signs of slowing down. In June 2022 they released a new build to their ransomware stack that is designed to infect VMWare ESXi virtual machines.


Monti is a relatively new ransomware that is thought to be the same or a rebrand of the Conti ransomware group. Monti encrypts files on Linux systems and possibly now Windows and uses the extension “.puuuk”. Another characteristic of Monti is they operate two separate TOR sites: one for hosting data stolen from victims and another for ransom negotiation.

Currently, the data leak website shows that almost all of the victims have paid their ransoms with the exception of one from Argentina.

Preventing RaaS

In order to help prevent becoming a victim of a RaaS attack, organizations need to develop a robust plan for data security in order to combat the growing trend of ransomware. Since RaaS is so costly to recover from, organizations should consider leveraging solutions designed to detect and prevent threats.

CyberMaxx has identified the following best practices for preventing RaaS:

  • Reliable endpoint protections that work in the background 24/7 and can decipher complex algorithms
  • Regularly backup systems and devices (a few times a week)
  • Validate the backups are working and test the backup/recovery process
  • Ensure backups are immutable
  • Multiple backups stored in various locations
  • Maintain patch programs for vulnerabilities
  • Anti-phishing protection
  • Train employees and improve security culture


With RaaS being an extremely lucrative business, revenues in 2021 were $20 billion, there is no doubt that we will continue to see it being used more – especially with ransomware attacks rising by 13% that very same year.

There are many things an organization can do to protect against ransomware, but experts recommend being proactive, monitoring continuously, and automating responses to related and enabling attack elements (like phishing). Automation is critical because modern malware attacks move at machine speed and only machines can keep up.

Vulnerability and security incident management solutions can help the security, risk, and IT teams focus by providing playbooks that prioritize and direct action. Data collection, AI, and analytics can make everything less onerous, error-prone, and expensive.

Organizations can use systems to help them anticipate what is most important to their business or mission, optimize processes to minimize exposure, and react quickly when problems arise. This can help businesses avoid potential problems and keep operations running smoothly.

As ransomware attacks continue to grow, it is more important than ever for organizations to have a well-orchestrated IT security infrastructure in place. By doing so, they will be better equipped to weather any malicious attack with less cost and disruption.