article featured image


Ransomware trends are on the rise, even more so today than in the previous years. According to Group-IB’s Hi-Tech Crime Trends Report 2021/2022, the increase of the ransomware industry happened due to a combination of poor corporate security and a thriving ransomware-as-a-service (RaaS) affiliate market.

As mentioned in the report, access to compromised networks is currently very inexpensive. Thanks to an increase in the number of initial-access brokers and RaaS tools, ordinary petty criminals may turn into full-blown hackers in just a few hours for just a few dollars.

What Is Ransomware as a Service (RaaS)?

Ransomware as a Service (RaaS) is a cybercriminal business model allowing individuals or groups with limited technical expertise to carry out ransomware attacks without developing the malware or infrastructure.

In this model, cybercriminals who have created sophisticated ransomware make it available for others to use through an affiliate program or subscription service.

These “affiliates” can then distribute the ransomware to potential victims and carry out attacks. The RaaS model typically includes a user-friendly interface that allows affiliates to customize certain aspects of the ransomware, such as the ransom amount, the ransom note’s content, and the methods of communication for negotiation. The creators of the RaaS take a percentage of the ransom payments made by victims, while the rest goes to the affiliate who initiated the attack.

Depending on the contractual agreement, the customers may choose to share a portion of the profit with the RaaS provider, keep the profits for themselves, or enroll in a pay-per-use scheme that would grant them access to updates, new malicious versions, and experimental features. In all aspects, any RaaS can be considered a SaaS (Software-as-a-Service).

Up next, we’re going to take a closer look at the main types of Ransomware-as-a-Service business models.

Ransomware-as-a-Service Business Models Unveiled

Since RaaS is not a transparent, clear-web service, monetization and customer relationship are not bound to any of the traditional rules. In other words, each RaaS operator has its own business model. However, based on the observations made so far, all Ransomware-as-a-Service operators – with a few exceptions – can be divided into four major categories.


Just like clear-web, subscription-based services (e.g., Netflix, Hulu, Dropbox, Salesforce, etc.), some RaaS operators can offer access to various types of ransomware-centric services, in exchange for a flat fee, paid in Bitcoin or some other cryptocurrency. The customer can be charged at the end of each month or annually.

Other facilities are readily available – for instance, most Ransomware-as-a-Service providers have dashboards that the user can access with a password and username – both received after the subscription has been acquired. Dashboard operations can range from virtual wallet management to payload customization, freebies, support, and more.


RaaS operators running affiliate programs may demand a percentage of the profit in addition to the flat free. In exchange, the ‘beneficiary’ will receive additional support, may be granted access to paywall features or content, receive case-tailored tools and/or custom code, etc. The profit cut for most RaaS is somewhere between 20% to 30%, probably depending on the target’s profile and ‘beneficiary’s needs.

Lifetime licensing

Purchase-once-use-forever business model – some RaaS operators prefer selling fully licensed ransomware kits or malicious tools instead of relying on passive incomes generated by subscribers or affiliates. Naturally, off-the-shelf malicious tools are considerably more expensive compared to a subscription or enrolling in an affiliate program.

A lower ROI does not invalidate the advantages of one-time-purchase RaaS kits – since bookkeeping transparency is not a major issue among RaaS operators, making a one-time purchase might very well decrease the chances of the product being traced back to the ‘beneficiary’ should the RaaS operator be caught by the authorities.


The customer turns into partner-in-crime, splitting the spoils with the RaaS operator. Cuts greatly depend on how each actor contributes to the ‘project’.

Examples of the Biggest RaaS Ransomware Groups

1. Netwalker

Netwalker’s probably the most profitable ransomware kit. Marketed by criminal groups like Circus Spider and Mummy Spider, Netwalker ‘users’ and operators extorted over $20 million in just six months. Owing its deadly efficiency to advanced cryptography and the double extortion technique, Netwalker is a total business nightmare. Give this article a read if you’re interested in finding more about Netwalker and how to counter it.

2. Stampado

Regarded as the cheaper version of Philadelphia, the Stampado RaaS kit is sold for only $39. Its lack of features is most certainly compensated by its deployment speed. A popup ad for Stampedo, reveals that the first campaign can be set up in 30 seconds or less. Stampedo is actually the very first version of Philadelphia.

The sales campaign began in or around the summer of 2016. Apparently, this easy-to-deploy malware kit was in so high demand, that the makers decided to make a ‘deluxe’ version.

3. RaaSberry

RaaSberry really manages to stage a grand performance when it comes to playing the role of the Good Samaritan – while other RaaS providers ask for a share, RaaSberry allows the customer to keep all revenue.

It sounds like a hacker’s dream come true, doesn’t it? Not exactly. Compared to the competition, RaaSberry boasts several price tiers. A quick glance at their website shows that the cheapest packs are

So, for the price of $60, which is equal to a one-month Command & Control subscription, you will receive a 250 kb “unique EXE” (packs both encrypter and decryptor), free support, multi-OS compatibility, and other features such as Task Manager Disabler, Mutex, and Delayed Start.

Going up the price tier ladder, we have the Platinum, a three-year C&C subscription, which costs $650. Not many differences between the packages, apart from the membership duration.

4. Satan

A newcomer on the market, compared to the other two, but not completely featureless. Instead of fixed price tiers or ready-to-deploy kits, Satan offers free-to-use ransomware samples. Basically, anyone’s free to use them, on one condition – that 30% of the spoils go to the RaaS provider.

The platform also allows the user to create custom pay schemes: the user can specify the ransom amount, multiplied by days, personalized notes to be sent to the victim for failure to comply, and payment methods other than Bitcoin.

5. Frozr Locker

A lightweight tool that has the ability to encrypt approximately 250 types of extensions. The cost of acquisition is around $1,262, which makes it the most expensive RaaS solution on this list.

However, once the builder is acquired, it can be used indefinitely, without the need to update your subscription. After you purchase the builder, you will be able to customize the ransomware: payment details, decryptor, UAC bypass, and personalized messages.

6. REvil

REvil was one of the most notorious RaaS groups known for its high-profile attacks. It gained notoriety for targeting large organizations and demanding multi-million-dollar ransoms. In addition to encrypting data, REvil has been known to exfiltrate sensitive information from its victims before encrypting their files. This adds another layer of pressure by threatening to release the stolen data if the ransom is unpaid.

Here’s a YouTube video from our channel that discusses the most notorious ransomware gangs.

Prevention Strategies Against Ransomware Attacks

RaaS is certainly sophisticated, but not infallible. Below, you will find a list of tips to protect your digital assets against Ransomware as a Service.

1. Backup Your Endpoints and Servers

The best possible defense against ransomware and every kind of threat for that matter is to have a backup system in place. You should consider having a local as well as a cloud backup. Companies operating on larger networks can opt for an off-site backup location. In case of a ransomware attack, crucial data can be restored without having to the ransom.

2. Don’t Open Suspicious Attachments

If there really was a golden digital rule, this would be it – don’t open an email containing attachments. They might be infected with malware. Even an email coming from someone familiar should be treated with a modicum of suspicion.

For instance, in Business\Vendor Email Compromise attacks, hackers are able to steal credentials and money by posing as someone from the upper management.

3. Frequent Patching Solves Seals Most of your Breaches

Hackers are always looking to take advantage of breaches in your security grid and an outdated app provides them with the best opportunity. Make sure that all your apps are up to date. Heimdal™ Patch & Asset Management​ module can easily search and deploy the latest versions of your favorite app.

Moreover, the Infinity Management module can provide you with a birds-eye view of your machine and, most importantly, the software currently installed. From there, your sysadmin can choose what patches to deploy and when the patching process should occur.

4. Ensure Macros are disabled in Microsoft Word

Although Microsoft disabled macro auto-execution a long time ago, some older Office builds might still have this feature switched on. To disable macros in Word, click on the MS Office button and then on Word Options. Click on Disable all Macros without notification and hit the Apply button to commit changes.

5. Employ Stateful Ransomware Encryption Protection Backed by Antivirus

Ransomware relies on two components: C2 communication and host-planted payload. Cybersecurity solutions such as Heimdal™ Ransomware Encryption Protection can actively disrupt malicious encryption attempts, while our Next-Generation Antivirus sanitizes the system.

6. Implement Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring users to provide multiple verification forms before granting access to sensitive accounts or data. This helps prevent unauthorized access even if an attacker manages to compromise a password.

7. Leverage Network Segmentation

Divide your network into segments to isolate critical systems and data from less important ones. This makes it more challenging for ransomware to propagate across your network if it gains entry.

8. Develop an Incident Response Plan

Develop a robust incident response plan that outlines steps to take in the event of a ransomware attack. Ensure your team knows how to respond quickly and effectively to minimize damage and data loss.

9. Employ Strong Access Control

To maintain network security, controlling the applications and data within the network is essential; they are potential targets for attackers. An improved access control system can impede attackers from entering the network. Implement strict measures to restrict who has permission to access sensitive information and techniques in your organization or home network. Periodically examine and renew authorizations to ensure only approved users can access essential resources.

10. Invest in Endpoint Security

Endpoint security solutions protect your devices from ransomware infections, including antivirus software and intrusion detection systems. Choose reputable security software and keep it up to date. Use advanced threat detection solutions to identify and block ransomware attacks quickly.

With Heimdal’s EDR cybersecurity suite, you’ll be covered at an enterprise level with threat prevention, patching, privileged access management, and a next-generation antivirus. You will stop cyber attackers before they even consider targeting your business by adding DNS traffic filtering, vulnerability management, access governance, threat detection, and incident response to your network.

Heimdal’s Ransomware Encryption Protection

Heimdal’s exclusive Ransomware Encryption Protection technology was designed to thwart even the most sophisticated ransomware attacks in the cloud and on-premises, preventing and protecting rather than mitigating.

Here’s a quick rundown of what Ransomware Encryption Protection can do for your business:

  • Prevent data breaches by protecting your networks and endpoints against fraudulent encryption attempts;
  • Eliminate downtimes caused by ransomware attacks;
  • Reduce and eliminate post-ransomware impacts;
  • Improve the detection capabilities of your current cybersecurity software;
  • Increase conformity;
  • Get comprehensive defense against zero-day vulnerabilities;
  • Combine with any SIEM for improved detection of policy violations.

Ready to take it for a spin? Click here for a personalized demo.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

If you’d like to learn more about the world of ransomware and equip yourself with valuable knowledge to protect your digital assets, look no further. Our comprehensive articles discuss practical strategies to mitigate and prevent ransomware and highlight the five robust ways Heimdal can shield you from ransomware attacks.

Moreover, you’ll find a meticulously crafted ransomware prevention checklist to guide you and your company in fortifying your defenses and ensuring that you remain on the safe side of the cybersecurity spectrum.

Whether you’re an individual looking to safeguard your data or a business seeking to protect critical information, this resource is your key to staying one step ahead of the ever-evolving ransomware threat landscape.


Ransomware as a Service has become a powerful and lucrative tool in cybercriminals’ arsenal. It significantly threatens individuals, businesses, and critical infrastructure worldwide. Addressing this threat requires a concerted effort from governments, organizations, and individuals to bolster cybersecurity measures and track down those responsible for this insidious criminal enterprise. Combating Ransomware as a Service is crucial to safeguarding the digital world against an escalating and evolving threat.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube, for more cybersecurity news and topics.

Author Profile

Gabriella Antal

SMM & Corporate Communications Officer

linkedin icon

Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo