Ransomware as a service: A growing cyberthreat for data protection

Infrastructure and operationsJune 3, 2024 | 7 minutesBy Anders Dalgaard

And 7 ways to mitigate the impact of RaaS 


Ransomware has evolved from being a nuisance to a full-blown industry, with sophisticated networks of cybercriminals operating on a global scale. Among the various iterations of ransomware, one of the most concerning developments is the rise of ransomware as a service (RaaS). RaaS has emerged as a lucrative cybercrime business model, facilitating the proliferation of ransomware attacks across the globe through a much more extensive network of cybercriminals than ever before.

Let’s get into the intricacies of RaaS, exploring its workings, implications, cybersecurity challenges, and preventive measures.

First off, what is ransomware as a service? 

Ransomware as a service, as the name suggests, is a model where cybercriminals develop and offer ransomware kits and services to other individuals or groups, allowing them to execute ransomware attacks with minimal technical expertise. Essentially, it's a turnkey solution for anyone looking to extort money through malicious means. With this cybercrime business model, one party creates ransomware software and then a second party pays to use said ransomware software to launch attacks.

According to IBM’s X-Force Threat Intelligence Index, ransomware ranked as the second most common type of cyberattack in 2022, with RaaS playing a significant role in its prevalence. Many experts believe the rise of RaaS has contributed to making ransomware so prevalent. The “2022 ThreatLabz State of Ransomware” report from Zscaler found that 73% of the most active ransomware variants were RaaS variants.

What makes RaaS different is that, unlike ransomware of the past, attackers don’t need to have the traditional high-level IT technical skills because they can rely on the technical skills of the RaaS developers. And because of this, criminals that were previously limited by their lack of specialized skills can now carry out sophisticated and successful ransomware attacks. Essentially, RaaS has democratized ransomware. 


How ransomware as a service works 

RaaS operates similarly to legitimate SaaS business models. Ransomware developers, known as RaaS operators, develop and maintain ransomware tools and infrastructure, packaging them into RaaS kits sold to other hackers, referred to as RaaS affiliates. These affiliates purchase the kits through various revenue models, including monthly subscriptions, affiliate programs, one-time license fees, and pure profit sharing and then use them to extort money from their victims.

Read a case about Conti leaks cybercrime commercialization, with a real example of a ransom note: Center for Internet Security.

The availability of RaaS platforms has led to a surge in ransomware attacks globally. As more cybercriminals gain access to these tools, the frequency and scale of attacks are expected to increase further.

An increasing number of new players were attracted by the potential for high profits and lower barriers to entry.


Impact of ransomware as a service on industries and organizations 

Ransomware attacks have a widespread impact on basically all industries and organizations, causing disruption to critical services, loss of sensitive data, and financial damage. The healthcare sector has been heavily targeted, with ransom attacks on hospitals and medical facilities posing a threat to patient safety. Read about why healthcare organizations need Microsoft 365 backup for regulatory compliance and business continuity.

Legal implications of ransomware as a service 

Businesses that fall victim to ransomware attacks may face legal consequences for failing to maintain adequate business continuity and data protection measures. Non-compliance with regulations such as NIS2 (Network and Information Systems Directive) and GDPR (General Data Protection Regulation) can result in significant fines, loss of reputation, and other penalties. These regulations require organizations to implement robust cybersecurity measures, including regular data backups, disaster recovery, and incident response plans, to protect sensitive information and ensure business continuity. Learn why air gapping is your best defense.

The economics of RaaS cyberattacks 

Ransomware attacks can have severe economic repercussions, particularly for small businesses and organizations. The costs associated with ransom payments, data recovery, and downtime can be crippling, leading to financial losses and reputational damage.

In 2023, a new record was set for ransomware attack payments: A staggering $1.1 billion USD in payments for ransomware attacks was sent, according to Reuters. nearly doubling the total from 2022.

RaaS operators engage in competitive marketing strategies, often creating websites that mimic legitimate businesses. The global damages (total impact) from ransomware attacks were approximately $20 billion USD in 2020, and predictions are that ransomware will cost $265 billion USD annually by 2031 (Cybersecurity Ventures), highlighting the significant financial impact of RaaS. This forecast takes into consideration the impact of the increased market of cyberattacks due to accessibility and ease of use of RaaS, enabling threat actors to execute cyberattacks with minimal technical skills.


Extortion methods in ransomware attacks 

Ransomware threat actors employ various techniques to extort money from victims. These include double extortion, multiple extortion, and pure extortion.

  • Double extortion involves encrypting stolen data and then also threatening to release stolen data should the ransom not be paid, putting more pressure on the victim to pay. 
  • Multiple extortion combines data encryption with DDoS attacks against victim infrastructure.  
  • Pure extortion entails threatening to publish stolen data without encryption. (Read more about ransomware from the Cybersecurity & Infrastructure Security Agency’s #StopRansomware Guide.)

Main threat actors and notable ransomware as a service variants 

Several well-known cybercriminal groups developing RaaS include Hive, DarkSide, PINCHY SPIDER, ALPHV BlackCat, and LockBit. These operators continually evolve their ransomware to maximize impact and profit. Notable incidents involving RaaS operators include Hive's targeting of Microsoft's Exchange Server customers and DarkSide's involvement in the Colonial Pipeline incident.

Hive garnered attention in April 2022 when they targeted Microsoft's Exchange Server customers. The US Department of Justice seized two servers belonging to Hive, disrupting their operations.

DarkSide primarily targeted Windows machines but has expanded to Linux systems. They gained notoriety in the Colonial Pipeline incident, where the organization paid nearly $5 million to a DarkSide affiliate. TechTarget explains the Colonial Pipeline incident in depth. REvil is known for receiving one of the largest ransoms on record: $11 million USD. 


7 ways to mitigate the impact of RaaS attacks 

Mitigating the impact of ransomware as a service (RaaS) attacks is crucial. While it may be challenging (or even impossible) to entirely prevent ransomware incidents, organizations can take proactive steps to minimize the effects and impact of RaaS, thereby ensuring business continuity and data compliance. The following seven steps outline strategies to mitigate the impact of RaaS attacks:

  • Maintain rigorous patch management: Vigilantly applying security patches and updates is essential to mitigate known and unknown vulnerabilities. By promptly addressing vulnerabilities, organizations can reduce the likelihood of exploitation by threat actors seeking to deploy ransomware. 
  • Deploy robust endpoint protection: Implementing reliable and modern endpoint protection solutions is key to detecting and mitigating threats. These solutions should leverage advanced algorithms to provide continuous threat detection and mitigation, reducing the risk of ransomware infiltration. 
  • Frequent and air-gapped backups: Conducting regular and frequent backups of critical data is crucial for minimizing the impact of ransomware attacks. Storing multiple backups on separate devices in different physical locations ensures data availability and resilience in the event of an attack. Look for backup services that store backup data independent from production data. 
  • Test backups regularly: Regularly testing backups is vital to ensure their reliability and effectiveness in restoring data. By verifying the integrity of backups, organizations can minimize downtime and data loss in the event of a ransomware attack. 
  • Implement advanced anti-phishing measures: Deploying robust email security solutions with advanced threat detection capabilities helps mitigate the risk of ransomware attacks initiated through phishing emails. By blocking malicious emails before they reach end-users, organizations can reduce the likelihood of ransomware infiltration. 
  • Immutability by default: Deploying a solution with immutability baked into the design greatly enhances resilience against ransomware attacks. Immutable data storage ensures that once data is written, it cannot be altered or deleted, effectively preventing unauthorized modifications by ransomware. Immutable data storage allows organizations to safeguard critical data from encryption or tampering attempts by threat actors. 
  • Invest in user training and security culture: Educating users about the risks associated with ransomware attacks and fostering a culture of security awareness is critical. By training employees to recognize and report suspicious activities, organizations can strengthen their overall security posture and mitigate the impact of ransomware incidents.

By implementing these proactive measures, organizations can significantly mitigate the effects and impact of RaaS attacks, enhancing their resilience in the face of evolving cyberthreats.


Ransomware as a service poses a significant (and growing) threat to cybersecurity globally, contributing to the proliferation of ransomware attacks across various industries. Understanding the workings of RaaS, its implications, and the associated cybersecurity challenges is essential for organizations to effectively combat this evolving threat.

By implementing proactive measures, such as maintaining cybersecurity hygiene, deploying robust defense mechanisms like backup management, and fostering a culture of security awareness, organizations can significantly mitigate the impact of RaaS attacks. Additionally, investing in an immutable, air-gapped backup and recovery solution is paramount to ensure data resilience and continuity of operations in the event of a ransomware incident.

Interested in learning more about ransomware? Register for our webinar "From threat to defense: Cyber insurance woes as ransomware surges" and get the chance to engage with an expert panel of cybersecurity and IT leaders.

Register for the webinar


Anders Dalgaard is Director of Product Management at Keepit, ensuring that technology implementation and solution onboarding is aligned with the business and technological requirements of the organizations using Keepit for backup and recovery of their SaaS data.

He holds an MSc in innovation and Business Development and has extensive experience in mapping industry developments and projecting technology advances, matching these to customer requirements and solution capabilities.

Find Anders on LinkedIn and Twitter.