Ransomware as a service (RaaS) is a business model that involves selling or renting ransomware to buyers, called affiliates. RaaS can be credited as one of the primary reasons for the rapid proliferation of ransomware attacks, as it has made it easier for a variety of threat actors — even those who have little technical knowledge — to deploy ransomware against targets.
How does RaaS work?
RaaS is based on the software-as-a-service (SaaS) model, in which software can be accessed online on a subscription basis. However, the RaaS model also continues to evolve in its own ways, and it has become a fully functional and independent ecosystem that thrives in the underground. Its key players include the operators who develop and peddle ransomware. Operators are usually organized in a group and have designated roles such as leader, developers, and infrastructure and system administrators.
Figure: Comparison of direct ransomware operations (left) and RaaS operators (right)
Some roles and tools might also be outsourced or acquired through affiliate programs. For example, some operators make use of access-as-a-service (AaaS), which can provide various means of access to targeted organizations. Other groups could have strong penetration testing teams but might lack the necessary ransomware software. These penetration testing teams often participate as RaaS affiliates and use the affiliate program's ransomware tools and infrastructure when a target is compromised. Affiliates could operate independently or as members of organized groups.