Ransomware-as-a-service (RaaS) is a business model where cybercriminals sell or lease ransomware tools to others, typically through dark web marketplaces. It operates like an ordinary software-as-a-service (SaaS) platform: users pay for access and in return get ready-to-use ransomware, often with technical support, user dashboards, and regular updates provided by the developers. In exchange, the developers usually take a percentage of any ransom payments collected.
RaaS lowers the barrier to entry for cybercrime, allowing people with little to no technical skill to launch ransomware attacks. This model has significantly contributed to the rise in ransomware incidents in recent years.
Notable RaaS platforms active since 2020 include:
- DarkSide – Gained notoriety in 2021 for the attack on Colonial Pipeline. DarkSide operated with a professional approach, even offering customer service and press releases.
- REvil (also known as Sodinokibi) – One of the most prolific RaaS groups, REvil was behind high-profile attacks on companies like JBS and Kaseya. It disappeared after international pressure but has resurfaced under different aliases.
- LockBit – Known for its speed and automation, LockBit has been consistently active since 2020 and continues to evolve, with versions like LockBit 2.0 and 3.0 offering advanced features to affiliates.
These groups show how RaaS has industrialized cybercrime, turning ransomware into a global, profit-driven enterprise.