This post is also available in: Danish

Ransomware trends are on the rise, even more so today than in the previous years. According to some estimates, by end of 2021, the number of ransomware attacks would have increased to 1 every 11 seconds, the outstanding record being one ransomware every 14 seconds. Considering how lucrative e-crime has become, ‘busnifying’ malware would be the next most logical step. In this article, we’re going to talk about Ransomware-as-a-Service (RaaS), the benchmark of online criminal activity.

What is Ransomware as a Service (RaaS)?

Ransomware-as-a-Service is an illicit ‘parent-affiliate(s)’ business infrastructure, in which operators (i.e., malicious software owner and/or developer) provision tools to affiliates (i.e., customers) for the purpose of carrying out ransomware attacks.

Depending on the contractual agreement, the customers may choose to share a portion of the profit with the RaaS provider, keep the profits for themselves, or enroll in a pay-per-use scheme that would grant them access to updates, new malicious versions, and experimental features. In all aspects, any RaaS can be considered a SaaS (Software-as-a-Service). Up next, we’re going to take a closer look at the main types of Ransomware-as-a-Service business models.

How does the RaaS Business Model work?

Since RaaS is not a transparent, clear-web service, monetization and customer relationship are not bound to any of the ‘traditional rules. In other words, each RaaS operator has its own business model. However, based on the observations made so far, all Ransomware-as-a-Service operators – with a few exceptions – can be divided into four major categories.


Just like clear-web, subscription-based services (e.g., Netflix, Hulu, Dropbox, Salesforce, etc.), some RaaS operators can offer access to various types of ransomware-centric services, in exchange for a flat fee, paid in Bitcoin or some other cryptocurrency. The customer can be charged at the end of each month or annually.

Other facilities are readily available – for instance, most Ransomware-as-a-Service providers have dashboards that the user can access with a password and username – both received after the subscription has been acquired. Dashboard operations can range from virtual wallet management to payload customization, freebies, support, and more.


RaaS operators running affiliate programs may demand a percentage of the profit in addition to the flat free. In exchange, the ‘beneficiary’ will receive additional support, may be granted access to paywall features or content, receive case-tailored tools and/or custom code, etc. The profit cut for most RaaS is somewhere between 20% to 30%, probably depending on the target’s profile and ‘beneficiary’s…. needs.

Lifetime licensing

Purchase-once-use-forever business model – some RaaS operators prefer selling fully licensed ransomware kits or malicious tools instead of relying on passive incomes generated by subscribers or affiliates. Naturally, off-the-shelf malicious tools are considerably more expensive compared to a subscription or enrolling in an affiliate program.

A lower ROI does not invalidate the advantages of one-time-purchase RaaS kits – since bookkeeping transparency is not a major issue among RaaS operators, making a one-time purchase might very well decrease the chances of the product being traced back to the ‘beneficiary’ should the RaaS operator be caught by the authorities.


The customer turns into partner-in-crime, splitting the spoils with the RaaS operator. Cuts greatly depend on how each actor contributes to the ‘project’.

Examples of the biggest RaaS ransomware

1. Netwalker

Netwalker’s probably the most profitable ransomware kit. Marketed by criminal groups like Circus Spider and Mummy Spider, Netwalker ‘users’ and operators extorted over $20 million in just six months. Owing its deadly efficiency to advanced cryptography and the double extortion technique, Netwalker is a total business nightmare. Give this article a read if you’re interested in finding more about Netwalker and how to counter it.

2. Stampado

Regarded as the cheaper version of Philadelphia, the Stampado RaaS kit is sold for only $39. Its lack of features is most certainly compensated by its deployment speed. A popup ad for Stampedo, reveals that the first campaign can be set up in 30 seconds or less. Stampedo is actually the very first version of Philadelphia.

The sales campaign began in or around the summer of 2016. Apparently, this easy-to-deploy malware kit was in so high demand, that the makers decided to make a ‘deluxe’ version.

3. RaaSberry

RaaSberry really manages to stage a grand performance when it comes to playing the role of the Good Samaritan – while other RaaS providers ask for a share, RaaSberry allows the customer to keep all revenue.

It sounds like a hacker’s dream come true, doesn’t it? Not exactly. Compared to the competition, RaaSberry boasts several price tiers. A quick glance at their website shows that the cheapest packs are

So, for the price of $60, which is equal to a one-month Command & Control subscription, you will receive a 250 kb “unique EXE” (packs both encrypter and decryptor), free support, multi-OS compatibility, and other features such as Task Manager Disabler, Mutex, and Delayed Start.

Going up the price tier ladder, we have the Platinum, a three-year C&C subscription, which costs $650. Not many differences between the packages, apart from the membership duration.

4. Satan

A newcomer on the market, compared to the other two, but not completely featureless. Instead of fixed price tiers or ready-to-deploy kits, Satan offers free-to-use ransomware samples. Basically, anyone’s free to use them, on one condition – that 30% of the spoils go to the RaaS provider.

The platform also allows the user to create custom pay schemes: the user can specify the ransom amount, multiplied by days, personalized notes to be sent to the victim for failure to comply, and payment methods other than Bitcoin.

5. Frozr Locker

A lightweight tool that has the ability to encrypt approximately 250 types of extensions. The cost of acquisition is around $1,262, which makes it the most expensive RaaS solution on this list.

However, once the builder is acquired, it can be used indefinitely, without the need to update your subscription. After you purchase the builder, you will be able to customize the ransomware: payment details, decryptor, UAC bypass, and personalized messages.

Prevention strategies against ransomware attacks

RaaS is certainly sophisticated, but not infallible. Below, you will find a list of tips to protect your digital assets against Ransomware as a Service.

1. Backup your endpoints and servers

The best possible defense against ransomware and every kind of threat for that matter is to have a backup system in place. You should consider having a local as well as a cloud backup. Companies operating on larger networks can opt for an off-site backup location. In case of a ransomware attack, crucial data can be restored without having to the ransom.

2. Don’t open suspicious attachments

If there really was a golden digital rule, this would be it – don’t open an email containing attachments. They might be infected with malware. Even an email coming from someone familiar should be treated with a modicum of suspicion.

For instance, in Business\Vendor Email Compromise attacks, hackers are able to steal credentials and money by posing as someone from the upper management.

3. Frequent patching solves seals most of your breaches

Hackers are always looking to take advantage of breaches in your security grid and an outdated app provides them with the best opportunity. Make sure that all your apps are up to date. Heimdal™ Patch & Asset Management​ module can easily search and deploy the latest versions of your favorite app.

Moreover, the Infinity Management module can provide you with a birds-eye view of your machine and, most importantly, the software currently installed. From there, your sysadmin can choose what patches to deploy and when the patching process should occur.

4. Ensure Macros are disabled in Microsoft Word

Although Microsoft disabled macro auto-execution a long time ago, some older Office builds might still have this feature switched on. To disable macros in Word, click on the MS Office button and then on Word Options. Click on Disable all Macros without notification and hit the Apply button to commit changes.

5. Stateful Ransomware Encryption Protection Backed by Antivirus

Ransomware relies on two components: C2 communication and host-planted payload. Cybersecurity solutions such as Heimdal™ Ransomware Encryption Protection can actively disrupt malicious encryption attempts, while our Next-Generation Antivirus sanitizes the system.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.


Ransomware as a Service is on the rise and the reasons are more than obvious: cheap, easy to deploy, powerful, and requires little to no technical expertise. The best defenses against this type of threat are frequent patching, a strong AV/AM solution, and vigilance.

Ransomware Payouts in Review: Highest Payments, Trends & Stats

These Free Ransomware Decryption Tools Are Your Key to Freedom [Updated 2023]

What Is Netwalker Ransomware?

Ransomware Explained. What It Is and How It Works

DeepBlueMagic Ransomware Strain Discovered by Heimdal™ – New Ransomware, New Method

Leave a Reply

Your email address will not be published. Required fields are marked *