
The Rise of Ransomware-as-a-Service: What You Need to Know

June 4, 2025

Understand how Ransomware-as-a-Service (RaaS) works, why it is surging in 2025, and what practical steps your organisation can take to reduce ransomware risk.


Ransomware has evolved from one-off malware campaigns into a mature underground industry. Today, Ransomware-as-a-Service (RaaS) platforms sell everything an aspiring cybercriminal needs: ready-made ransomware, infrastructure, support and even negotiation playbooks. According to the 2024 Verizon Data Breach Investigations Report, roughly one-third of all breaches now involve ransomware or other extortion techniques, and ransomware is a top threat across most industries, making it a board-level risk rather than a purely technical concern.

Research from Kaspersky’s 2025 State of Ransomware report highlights that the RaaS model remains the dominant framework behind many of these attacks, with platforms like RansomHub enabling affiliates to launch sophisticated operations without writing a single line of code. At the same time, industry analysis shows the number of active ransomware groups reaching record levels, with 77 groups tracked as of Q3 2025 and a noticeable rise in smaller, emerging players.

For CISOs and security leaders, understanding how RaaS works is essential to designing realistic ransomware protection strategies.

Why Ransomware-as-a-Service dominates today’s threat landscape

RaaS has taken off because it lowers the barrier to entry and maximises profit for everyone involved in the criminal ecosystem.

Several factors explain its dominance:

  • Industrialised cybercrime – IBM describes RaaS as a model that packages malware, infrastructure and support into a turnkey service, enabling even low-skilled actors to run impactful campaigns.
  • Affiliate profit sharing – Core operators focus on building and maintaining the ransomware platform, while affiliates handle intrusion and deployment in exchange for a percentage of the ransom.
  • Constant churn and fragmentation – Threat reports show the top ten groups now account for only about half of attacks, with many smaller or unattributed operations filling the gap.
  • Double and triple extortion – Modern campaigns often combine encryption with data theft, threats to leak data and even DDoS to increase leverage.

For defenders, this means that even if one group is disrupted, new or rebranded affiliates can quickly take their place.

How the RaaS ecosystem works

Understanding the RaaS supply chain helps you map controls to specific stages.

Typical roles include:

  • RaaS operators: Build and maintain the ransomware strain, payment portals, leak sites and dashboards where affiliates track victims and revenue. They often maintain strict “rules” about targeting, branding and acceptable behaviour.
  • Affiliates: Subscribe to the RaaS platform and execute attacks. Their responsibilities usually include initial access (via phishing, credential theft or exploiting vulnerabilities), lateral movement, privilege escalation and deploying the encryptor.
  • Initial access brokers (IABs): Sell ready-made footholds into organisations: VPN credentials, exposed RDP access or compromised cloud tenants. RaaS affiliates often purchase these to shortcut the intrusion phase.
  • Infrastructure and tool suppliers: Provide bulletproof hosting, traffic redirectors, obfuscation tools and crypters. Some RaaS programs bundle these services into premium tiers.
  • Negotiators and money launderers: Conduct ransom negotiations, operate help desks and handle the laundering of cryptocurrency payments through mixers or exchanges.

Taken together, RaaS behaves like a shadow SaaS ecosystem, complete with customer support, feature roadmaps and performance incentives.

RaaS tactics and trends in 2024–2025

RaaS is not just about more attacks; it is about more sophisticated techniques.

Key trends include:

  • Cross-platform ransomware and stealth techniques: Threat intelligence shows some groups deploying Linux-based encryptors inside Windows environments via Windows Subsystem for Linux, making it harder for traditional EDR tools to detect malicious behaviour.
  • Aggressive double extortion and pure extortion: Verizon’s 2024 DBIR puts ransomware and pure extortion together at around 32% of breaches, underlining the shift toward data theft and extortion as leverage in their own right, even when no encryption takes place.
  • Expansion of mid-tier RaaS groups – Industry monitoring indicates groups like Qilin, Akira and newer operations such as SafePay driving a significant share of global incidents, often targeting manufacturing, technology and legal sectors.
  • Use of AI for negotiation and tooling – Recent research has documented RaaS groups experimenting with AI chatbots to handle initial ransom negotiations and assist with coding or social engineering tasks.

DACTA Global’s own security reports on Medusa ransomware and AI-enabled attacks discuss similar patterns, particularly the combination of double extortion with AI-assisted phishing at scale.

Defending against RaaS: practical controls for security leaders

You cannot fully eliminate ransomware risk, but you can dramatically reduce the likelihood and impact of a successful RaaS attack.

Focus on a layered approach:

  1. Harden identity and access
    • Enforce phishing-resistant MFA on remote access, VPN, and high-value SaaS such as Microsoft 365.
    • Minimise standing admin privileges and adopt just-in-time elevation.
    • Monitor for suspicious authentication patterns and impossible travel events through your SIEM or XDR.
  2. Control known exploited vulnerabilities (KEVs)
    • Use the CISA Known Exploited Vulnerabilities catalog as a priority list for patching, rather than treating all CVEs equally.
    • Integrate KEVs into your vulnerability management tools and ensure critical items have strict remediation SLAs.
    • Align remediation ownership clearly between IT, application teams and security.
  3. Segment high-value assets
    • Apply network segmentation and application-level controls around domain controllers, backups, OT systems and core business applications.
    • Use Zero Trust principles to restrict lateral movement rather than assuming the internal network is trusted.
  4. Strengthen detection and response
    • Deploy EDR or XDR with coverage across servers, endpoints and cloud workloads.
    • Tune detections around early-stage behaviours such as credential dumping, use of built-in tools (PowerShell, WMI) and mass file encryption.
    • Consider a Managed Detection & Response (MDR) service if you lack 24x7 SOC coverage; DACTA Global’s MDR offering is one example that can help smaller teams close this gap.
  5. Backups and recovery readiness
    • Maintain immutable, offline or logically isolated backups of critical data.
    • Regularly test restoration of core systems under time pressure to validate RTO/RPO assumptions.
    • Document clear decision paths for partial restoration when full rebuilds are not immediately possible.
  6. Third-party and supply chain risk
    • Require key vendors to demonstrate basic ransomware preparedness, including backup strategy, incident response planning and vulnerability management.
    • Use DACTA’s Cloud Security Assessment or Risk Assessment services where appropriate to validate claims from critical service providers.
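The KEV-driven prioritisation in step 2 is easy to automate. The script below is an added example, not DACTA’s tooling or anything from the original article: it tiers a scanner export so that catalog entries flagged with known ransomware use come first, then other KEV entries, then high-CVSS findings, and it caps each due date at CISA’s own due date for the entry. The KEV sample is constructed data using the real feed’s field names (cveID, dueDate, knownRansomwareCampaignUse) with placeholder CVE IDs, not real catalog entries; the scanner row layout and the SLA_DAYS values are assumptions to replace with your own policy.

```python
"""Prioritise a scanner export against the CISA Known Exploited Vulnerabilities catalog.

Added example, not DACTA's tooling. KEV_JSON is constructed sample data shaped
like the real feed's "vulnerabilities" array and uses its real field names
(cveID, dueDate, knownRansomwareCampaignUse); the CVE IDs are placeholders,
not real catalog entries. SLA_DAYS and the scanner row layout are assumptions.
"""
import json
from datetime import date, timedelta

# Constructed KEV-shaped sample (placeholder CVE IDs, not real entries).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-10001", "product": "Example VPN", "dueDate": "2025-06-20",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-10002", "product": "Example CMS", "dueDate": "2025-07-01",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner export rows: (asset, cve, cvss, internet_facing).
SCAN_ROWS = [
    ("vpn-gw-01", "CVE-2024-10001", 7.5, True),
    ("build-srv-03", "CVE-2024-10002", 6.1, False),
    ("db-02", "CVE-2024-10003", 9.8, False),   # critical CVSS but not in KEV
    ("web-05", "CVE-2024-10004", 5.3, True),
]

# Assumed internal remediation SLAs in days per tier; set these to your policy.
SLA_DAYS = {"kev-ransomware": 3, "kev": 7, "critical": 14, "other": 30}
TIER_ORDER = ["kev-ransomware", "kev", "critical", "other"]


def load_kev(raw):
    """Index the KEV feed (JSON text) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def classify(cve, cvss, kev):
    """KEV entries outrank CVSS; ransomware-linked KEV entries outrank everything."""
    entry = kev.get(cve)
    if entry and entry.get("knownRansomwareCampaignUse") == "Known":
        return "kev-ransomware"
    if entry:
        return "kev"
    return "critical" if cvss >= 9.0 else "other"


def prioritise(rows, kev, today):
    """Tier each finding, attach a due date and sort: tier, then exposure, then CVSS."""
    findings = []
    for asset, cve, cvss, exposed in rows:
        tier = classify(cve, cvss, kev)
        due = today + timedelta(days=SLA_DAYS[tier])
        if cve in kev:  # never later than CISA's own due date for the entry
            due = min(due, date.fromisoformat(kev[cve]["dueDate"]))
        findings.append({"asset": asset, "cve": cve, "tier": tier, "cvss": cvss,
                         "exposed": exposed, "due": due.isoformat()})
    findings.sort(key=lambda f: (TIER_ORDER.index(f["tier"]), not f["exposed"], -f["cvss"]))
    return findings


def demo():
    """Run the constructed sample with a fixed date so output is reproducible."""
    return prioritise(SCAN_ROWS, load_kev(KEV_JSON), date(2025, 6, 4))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['tier']:<15} {f['asset']:<13} {f['cve']} cvss={f['cvss']} due={f['due']}")
```

Note what the ordering does to the sample: the CVSS 9.8 finding on db-02 drops below a 6.1 KEV entry, which is exactly the point of step 2. Internet exposure is used only as a tiebreaker inside a tier; if your asset inventory is reliable, you may want it to promote a finding across tiers instead.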
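The early-stage behaviours named in step 4 map to a small set of detections you can run on endpoint telemetry. The code below is an added example, not part of the original article or of DACTA’s MDR content, showing three of them over a constructed event stream: a non-allowlisted process opening lsass.exe with a memory-read access mask (credential dumping), encoded PowerShell and shadow-copy deletion through built-in tools, and one process creating many files within a sliding one-minute window (mass encryption). The events are constructed dicts that borrow Sysmon field names (EventID 1 process create, 10 process access, 11 file create) with a simplified timestamp; the access-mask list, the allowlist and the thresholds are tuning assumptions for a hypothetical estate.

```python
"""Early-stage ransomware detections over constructed Sysmon-style events.

Added example, not part of the original article or of DACTA's MDR content.
Events are constructed dicts using Sysmon field names (EventID 1 process
create, 10 process access, 11 file create) with a simplified UtcTime; a real
pipeline would read forwarded Windows event logs. Thresholds, the LSASS access
masks and the allowlist are tuning assumptions for a hypothetical estate.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LSASS_ACCESS = {"0x1010", "0x1410", "0x1fffff", "0x1f3fff"}   # masks used to read LSASS memory
LSASS_ALLOW = {r"c:\windows\system32\wininit.exe", r"c:\windows\system32\csrss.exe"}
# Matches -e, -ec, -enc, -encodedcommand and other prefixes, but not -ex(ecutionpolicy) or -ep.
ENCODED_FLAG = re.compile(r"\s-e(c|n[a-z]*)?\s")
MASS_WRITE_THRESHOLD, MASS_WRITE_WINDOW = 20, timedelta(seconds=60)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def detect_credential_dumping(events):
    """Non-allowlisted process opening lsass.exe with a memory-read access mask."""
    return [("lsass_access", ev["Image"], ev["UtcTime"]) for ev in events
            if ev["EventID"] == 10 and ev["TargetImage"].lower().endswith("\\lsass.exe")
            and ev["GrantedAccess"].lower() in LSASS_ACCESS
            and ev["Image"].lower() not in LSASS_ALLOW]


def detect_lolbin_abuse(events):
    """Encoded PowerShell and shadow-copy deletion through built-in tools."""
    hits = []
    for ev in (e for e in events if e["EventID"] == 1):
        image, cmd = ev["Image"].lower(), " " + ev["CommandLine"].lower() + " "
        if image.endswith("powershell.exe") and ENCODED_FLAG.search(cmd):
            hits.append(("encoded_powershell", ev["Image"], ev["UtcTime"]))
        elif (image.endswith("vssadmin.exe") and "delete shadows" in cmd) or \
             (image.endswith("wmic.exe") and "shadowcopy delete" in cmd):
            hits.append(("shadow_copy_deletion", ev["Image"], ev["UtcTime"]))
    return hits


def detect_mass_file_writes(events):
    """One process creating MASS_WRITE_THRESHOLD files inside a sliding window."""
    by_proc = defaultdict(list)
    for ev in (e for e in events if e["EventID"] == 11):
        by_proc[(ev["Image"], ev["ProcessId"])].append(datetime.strptime(ev["UtcTime"], TIME_FMT))
    hits = []
    for (image, _pid), times in by_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > MASS_WRITE_WINDOW:
                start += 1
            if end - start + 1 >= MASS_WRITE_THRESHOLD:
                hits.append(("mass_file_write", image, t.strftime(TIME_FMT)))
                break  # one alert per process is enough; do not flood the SOC
    return hits


def run_all(events):
    return detect_credential_dumping(events) + detect_lolbin_abuse(events) + detect_mass_file_writes(events)


def sample_events():
    """Constructed stream: benign activity plus one simulated intrusion chain."""
    t0 = datetime(2025, 6, 4, 9, 0, 0)
    at = lambda **kw: (t0 + timedelta(**kw)).strftime(TIME_FMT)
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    tmp = r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"
    evs = [
        {"EventID": 10, "UtcTime": at(), "Image": r"C:\Windows\System32\wininit.exe",
         "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},  # benign
        {"EventID": 10, "UtcTime": at(minutes=5), "Image": tmp,
         "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},    # dump
        {"EventID": 1, "UtcTime": at(minutes=6), "Image": ps,
         "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},  # truncated sample base64
        {"EventID": 1, "UtcTime": at(minutes=7), "Image": ps, "CommandLine": "powershell.exe Get-Process"},
        {"EventID": 1, "UtcTime": at(minutes=8), "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    ]
    # Word saving five documents over the morning: must not fire.
    evs += [{"EventID": 11, "UtcTime": at(minutes=10 * i), "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
             "ProcessId": 4120, "TargetFilename": rf"C:\Users\jdoe\Documents\report{i}.docx"} for i in range(5)]
    # Encryptor writing 25 files in 25 seconds: must fire.
    evs += [{"EventID": 11, "UtcTime": at(minutes=9, seconds=i), "Image": tmp, "ProcessId": 5528,
             "TargetFilename": rf"\\fileserver\finance\q2\invoice{i}.xlsx.locked"} for i in range(25)]
    return evs


if __name__ == "__main__":
    for kind, image, when in run_all(sample_events()):
        print(f"{when}  {kind:<22} {image}")
```

Two tuning points matter in practice. The LSASS allowlist must be built from your own baseline rather than copied, because legitimate security agents also open LSASS and an over-broad allowlist (matching on file name rather than full path, for example) is easy for an attacker to satisfy. The mass-write rule keys on process and window, so a tool that encrypts through many short-lived child processes or over SMB from a host you do not monitor will not trip it; pair it with file-server auditing for the same reason.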

What to do if you are hit by a RaaS attack

Even mature environments can be compromised. When it happens, speed and discipline matter more than perfection.

Key steps include:

  1. Activate your incident response plan: Ensure that technical, legal, communications and executive stakeholders know their roles. If you do not have an internal IR team, immediately contact a specialist such as DACTA Global’s Incident Response Team.
  2. Contain and preserve evidence: Isolate affected hosts, revoke compromised credentials and block malicious C2 infrastructure. Preserve logs, memory and disk images for forensic analysis.
  3. Assess the scope and data impact: Determine what systems are affected, whether backups are intact and what sensitive data (if any) has been exfiltrated.
  4. Engage law enforcement and regulators where required: Depending on your jurisdiction and sector, you may be obliged to notify authorities and regulators within strict timelines.
  5. Avoid rushed ransom decisions: Recent analysis from Kaspersky and others shows that paying ransom does not guarantee full recovery and may increase the likelihood of repeat targeting.

Conclusion: treat RaaS as a business risk, not just a technical one

Ransomware-as-a-Service has transformed ransomware into a scalable business model, with affiliates and operators behaving more like agile startups than lone hackers. That shift demands an equally structured response from defenders.

By combining disciplined vulnerability management, strong identity security, network segmentation, robust backups and 24x7 detection and response, you can significantly reduce the probability and impact of a successful RaaS attack. For organisations without in-house capacity, partnering with a provider like DACTA Global for MDR, incident response and security architecture support can accelerate that journey while keeping costs predictable.

To deepen your understanding of ransomware trends and AI-driven attack techniques, consider reading DACTA’s reports “Medusa Ransomware Resurgence: A Growing Threat in 2024–2025” and “The Dual Role of AI in the Intensification of Ransomware Threats” on the insights hub.

Under attack or experiencing a security incident?

If you're experiencing an active security incident and need immediate assistance, contact the DACTA Incident Response Team (IRT) at support@dactaglobal.com.
