

Ransomware as a Service (RaaS) is a cybercriminal business model allowing ransomware operators with limited technical expertise to carry out a ransomware attack without developing the malware or infrastructure.

In this article, we’re going to take a close look at the RaaS model.

Key Points

  • What Is Ransomware as a Service (RaaS)?
  • Ransomware-as-a-Service Business Models Explained.
  • Examples of the Biggest RaaS Ransomware Groups.
  • Prevention Strategies Against Ransomware Attackers.

What Is Ransomware as a Service (RaaS)?

In this model, a ransomware developer makes a kit available to clients via an affiliate program or subscription service. These kits are readily available for purchase on the RaaS market.

These ransomware affiliates can distribute the ransomware tools to potential victims and carry out a successful RaaS attack.

The RaaS revenue models typically include a user-friendly interface that allows payload customization.

This includes the ransom amount, type of ransomware campaign, the ransom note’s content, and the methods of communication. The most sophisticated RaaS operators will also choose to stay in touch with the RaaS affiliates.

RaaS vendors take a percentage of the ransom payments made by victims, while the rest goes to the affiliate.

Depending on the agreement, the customers may choose to:

  • Share a portion of the ransomware payments with the RaaS provider.
  • Keep the profits for themselves.
  • Enroll in a pay-per-use scheme. This would grant them access to updates, new malicious versions, and experimental features.

In all aspects, any RaaS can be considered a SaaS (Software-as-a-Service).

Up next, we’re going to take a closer look at the main types of Ransomware-as-a-Service business models.

Ransomware-as-a-Service Business Models Explained

Since RaaS is not transparent, monetization and customer relationships are not bound to any rule.

In other words, each RaaS operator has its own business model.

Still, most Ransomware-as-a-Service operators can be divided into four major categories.


Subscription

Just like any subscription-based service, RaaS operators can offer various types of services. The client can opt in for a flat fee, paid in Bitcoin or some other cryptocurrency. The customer can be charged at the end of each month or annually.

Other facilities are readily available.

For instance, most ransomware developers have dashboards that the user can access with a password and username.

Both are received after the subscription has been acquired.

Dashboard ops can range from virtual wallet management to payload customization, freebies, support, and more.


Affiliate programs

RaaS operators running affiliate programs may demand, in addition to the flat fee, a percentage of the profit gained via ransomware attacks.

In exchange, the ‘beneficiary’ will receive additional support, may be granted access to paywall features or content, obtain additional ransomware variants, receive case-tailored tools and/or custom ransomware code, etc.

The profit cut for most RaaS is somewhere between 20% and 30%, probably depending on the target’s profile and the ‘beneficiary’s’ needs.

Lifetime licensing

Some RaaS operators prefer selling fully licensed ransomware kits or malicious tools instead of relying on passive income generated by subscribers or affiliates.

Naturally, off-the-shelf malicious tools are considerably more expensive compared to a subscription or enrolling in an affiliate program.

A lower ROI does not invalidate the advantages of one-time-purchase RaaS kits.

Bookkeeping transparency isn’t a big concern for RaaS operators.

A single purchase could reduce the risk of tracing the product back to the buyer if the operator is caught.


Partnership

The customer turns into a partner-in-crime, splitting the spoils with the RaaS operator. Cuts greatly depend on how each actor contributes to the ‘project’.

Examples of the Biggest RaaS Ransomware Groups

1. Netwalker

Netwalker’s probably the most profitable ransomware kit. Marketed by cyber criminals like Circus Spider and Mummy Spider, Netwalker ‘users’ and operators extorted over $20 million in just six months.

Owing its deadly efficiency to advanced cryptography and the double extortion technique, Netwalker is a total business nightmare.


2. RaaSberry

RaaSberry really manages to stage a grand performance when it comes to playing the role of the Good Samaritan – while other RaaS providers ask for a share, RaaSberry allows the customer to keep all revenue.

It sounds like a hacker’s dream come true, doesn’t it? Not exactly. Compared to the competition, RaaSberry boasts several price tiers. A quick glance at their website shows that the cheapest packs are “Plastic”.

So, for the price of $60, which is equal to a one-month Command & Control subscription, you will receive a 250 kb “unique EXE” (packs both encrypter and decryptor), free support, multi-OS compatibility, and other features such as Task Manager Disabler, Mutex, and Delayed Start.

Going up the price tier ladder, we have the Platinum, a three-year C&C subscription, which costs $650. Not many differences between the packages, apart from the membership duration.

3. Satan

A newcomer on the market, compared to the other two, but not completely featureless. Instead of fixed price tiers or ready-to-deploy kits, Satan offers free-to-use ransomware samples. Basically, anyone’s free to use them, on one condition – that 30% of the spoils go to the RaaS provider.

The platform also allows the user to create custom pay schemes: the user can specify the ransom amount, multiplied by days, personalized notes to be sent to the victim for failure to comply, and payment methods other than Bitcoin.

Prevention Strategies Against Ransomware Attackers

RaaS is certainly sophisticated, but not infallible. Below, you will find a list of tips to prevent ransomware.

1. Back Up Your Endpoints and Servers

The best possible ransomware protection is to have a backup system in place. You should consider having a local as well as a cloud backup.

2. Don’t Open Suspicious Attachments

If there really was a golden digital rule, this would be it – don’t open an email containing attachments. They might be infected with malware. Even an email coming from someone familiar should be treated with a modicum of suspicion.

For instance, in Business/Vendor Email Compromise attacks, hackers are able to steal credentials and money by posing as someone from the upper management.

3. Frequent Patching Seals Most of Your Breaches

Hackers are always looking to take advantage of breaches in your security grid and an outdated app provides them with the best opportunity. Make sure that all your apps are up to date. Heimdal™ Patch & Asset Management module can easily search for and deploy the latest versions of your favorite app.

4. Ensure Macros are disabled in Microsoft Word

Although Microsoft disabled macro auto-execution a long time ago, some older Office builds might still have this feature switched on. To disable macros in Word, click on the MS Office button and then on Word Options. Click on Disable all Macros without notification and hit the Apply button to commit changes.
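To confirm the setting took effect without opening Word on every machine, the value can be read from the registry. The following PowerShell is an added example, not part of the original article or of any Heimdal product; it assumes the standard Office registry layout (the `VBAWarnings` value under `Word\Security`, where 4 corresponds to "Disable all macros without notification") and checks the current user only.

```powershell
# Added example: audit the Word macro setting (VBAWarnings) for the current user.
# Assumption (not from the article): Office stores the Trust Center macro choice
# in the VBAWarnings DWORD under <Office root>\<version>\Word\Security.
$meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-WordMacroSetting {
    # Report both locations: a value under Policies (Group Policy) overrides
    # the per-user preference chosen in the Word Options dialog.
    $roots = @(
        @{ Source = 'Policy';     Path = 'HKCU:\Software\Policies\Microsoft\Office' },
        @{ Source = 'Preference'; Path = 'HKCU:\Software\Microsoft\Office' }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root.Path)) { continue }
        # Version subkeys are named like 14.0, 15.0, 16.0
        Get-ChildItem $root.Path -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
            ForEach-Object {
                $key = Join-Path $_.PSPath 'Word\Security'
                $val = (Get-ItemProperty -Path $key -Name VBAWarnings `
                            -ErrorAction SilentlyContinue).VBAWarnings
                [pscustomobject]@{
                    Source   = $root.Source
                    Version  = $_.PSChildName
                    Value    = $val
                    Setting  = if ($null -eq $val) { 'Not set (Office default applies)' }
                               else { $meaning[[int]$val] }
                    Hardened = ($val -eq 4)   # matches the option recommended above
                }
            }
    }
}

Get-WordMacroSetting | Format-Table -AutoSize
```

Any row with `Hardened` set to False in the Policy source, or with no Policy row at all, means the user can still change the macro behavior from Word Options.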

5. Employ Stateful Ransomware Encryption Protection Backed by Antivirus

Ransomware relies on two components: C2 communication and host-planted payload. Cybersecurity solutions such as Heimdal™ Ransomware Encryption Protection can actively disrupt malicious encryption attempts, while our Next-Generation Antivirus sanitizes the system.

6. Implement Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring users to provide multiple verification forms before granting access to sensitive accounts or data. This helps prevent unauthorized access even if an attacker manages to compromise a password.

7. Leverage Network Segmentation

Divide your network into segments to isolate critical systems and data from less important ones. This makes it more challenging for ransomware to propagate across your network if it gains entry.

8. Develop an Incident Response Plan

Develop a robust incident response plan that outlines steps to take in the event of a ransomware attack. Ensure your team knows how to respond quickly and effectively to minimize damage and data loss.

9. Employ Strong Access Control

To maintain network security, controlling the applications and data within the network is essential; they are potential targets for attackers. An improved access control system can impede attackers from entering the network. Implement strict measures to restrict who has permission to access sensitive information and techniques in your organization or home network.

How Can Heimdal® Help?

Heimdal®’s exclusive Ransomware Encryption Protection technology was designed to thwart even the most sophisticated ransomware attacks in the cloud and on-premises, preventing and protecting rather than mitigating.

Here’s a quick rundown of what Ransomware Encryption Protection can do for your business:

  • Prevent data breaches by protecting your networks and endpoints against fraudulent encryption attempts;
  • Curb risk associated with ransomware incidents;
  • Eliminate downtimes caused by ransomware attacks;
  • Reduce and eliminate post-ransomware impacts;
  • Improve the detection capabilities of your current cybersecurity software;
  • Increase compliance;
  • Get comprehensive defense against zero-day vulnerabilities;
  • Combine with any SIEM for improved detection of policy violations.



Ransomware as a Service has become a powerful and lucrative tool in cybercriminals’ arsenal. It significantly threatens individuals, businesses, and critical infrastructure worldwide.

Addressing this threat requires a concerted effort from governments, organizations, and individuals to bolster cybersecurity measures and track down those responsible for this insidious criminal enterprise.

Combating Ransomware as a Service is crucial to safeguarding the digital world against an escalating and evolving threat.


Author Profile

Gabriella Antal

SMM & Corporate Communications Officer


Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.