category threat
published March 2025
read_time 9 min

Ransomware-as-a-Service: How Cybercrime Became a Franchise

Ransomware did not become the dominant cyber threat of the past decade because attackers got smarter. It became dominant because they built a business model that made technical skill optional. Understanding how the RaaS ecosystem evolved — and where it stands now — is essential context for anyone trying to defend against it.

There was a time when launching a ransomware attack required you to actually write ransomware. That barrier is long gone. Today, a criminal with no coding ability and a modest budget can license a fully operational ransomware platform, receive technical support, get access to a victim negotiation portal, and walk away with 80 to 90 percent of whatever ransom they collect. The operators who built the platform take their cut and never touch the keyboard during an attack. This is Ransomware-as-a-Service — and it has industrialized cybercrime in a way that no other development has matched.

From One-Time Sales to Subscription Crime

Early ransomware was sold the way software used to be sold: as a product. A developer would write the code, post it on underground forums, and buyers would pay a one-time fee to own a copy. The sellers often provided support and updates, and some offered customization so buyers could tweak the ransom note or adjust targeting behavior. It was functional, but it was a cottage industry.

The first documented RaaS operation emerged around 2012 with Reveton, a strain that impersonated law enforcement and threatened targets with arrest unless they paid a fine. The impersonation angle made it unusually effective for its time, and it established the psychological pressure model that would define the industry for years. But Reveton was still relatively primitive compared to what came next.

By 2016, the model had matured considerably. Cerber became one of the first large-scale affiliate operations, advertising heavily across Russian-language cybercrime forums and partnering with hundreds of affiliates under a 60/40 revenue split in favor of the affiliate. The scale Cerber achieved through that forum presence — generating estimated monthly revenues of around $200,000 at its peak — set the template that every major RaaS operation since has tried to replicate or improve on.

note

RaaS mirrors the legitimate Software-as-a-Service model intentionally. Operators provide the infrastructure, tooling, and support. Affiliates provide the access and do the attacking. The division of labor is what makes the model scalable — and resilient.

GandCrab, which ran from 2018 to 2019, pushed professionalization further. The group publicly bragged about paying out over $2 billion to affiliates before voluntarily shutting down — a claim security researchers treated skeptically but which reflected the group's confidence in operating openly. GandCrab also introduced private vetting for affiliates, a practice that would become common as groups tried to filter out law enforcement infiltrators. When GandCrab dissolved, several of its members moved directly into REvil (also known as Sodinokibi), carrying the knowledge and infrastructure with them.

The Corporate Era: Conti, REvil, and LockBit

Between 2019 and 2022, three groups defined what fully professionalized RaaS looked like. Each took a slightly different approach to the affiliate relationship, and understanding those differences matters because they reveal how the RaaS ecosystem continues to function today.

Conti operated less like a traditional affiliate program and more like an employer. Rather than paying affiliates a percentage of ransoms, Conti paid its members salaries. Internal communications leaked in 2022 revealed a structured organization with dedicated roles: developers, system administrators, negotiators, HR functions, and even a recruitment pipeline that pulled from cybercrime forums. The leaked Conti playbooks provided step-by-step attack instructions precise enough to read like corporate training documents. When Conti collapsed following the leak, its members did not disappear — they spun up or joined Black Basta, BlackByte, and several other operations, seeding the next generation of RaaS with experienced personnel.

REvil took the affiliate model in a different direction, offering dashboards where affiliates could track their own attacks, negotiate directly with victims, and receive up to 90 percent of ransoms collected. The group ran a visible public operation, accepted interview requests from security journalists, and became notorious for demanding ransoms from high-profile targets including JBS Foods and Kaseya. Law enforcement actions in 2021 disrupted REvil, but the individuals behind it largely reformed under different names.

LockBit emerged in 2019 and spent the next several years building the largest and most sustained RaaS operation the industry has seen. LockBit's affiliate program allowed affiliates to receive ransom payments directly, then remit a 20 percent commission to the core group — a structure that made affiliates feel more autonomous than competing programs. The group ran active recruitment campaigns, poached affiliates from disrupted rivals, and released successive versions of its malware with improving capabilities. Between June 2022 and February 2024, LockBit launched over 7,000 attacks globally before Operation Cronos — a coordinated takedown involving agencies from 10 countries — disrupted its infrastructure and unmasked its leader, Dmitry Khoroshev.

warning

LockBit's takedown did not end the operation. The group reconstituted and in September 2025 announced plans to target critical infrastructure including nuclear and hydroelectric facilities. The disruption slowed them, but dismantling a RaaS operation does not necessarily dismantle the people running it.

The Extortion Escalation: Double, Triple, and Beyond

The original ransomware business model was simple: encrypt files, demand payment for the decryption key. Organizations that kept good backups could recover without paying. That vulnerability in the attacker's leverage model produced the single most consequential tactical shift in ransomware history: data exfiltration before encryption.

Double extortion — stealing sensitive data and threatening to publish it on a leak site unless a ransom is paid — became standard practice beginning around 2019 and 2020. Maze ransomware is widely credited with popularizing the tactic, and within a year nearly every major RaaS operation had incorporated it. The shift fundamentally changed the calculus for victims: a clean backup no longer made you whole. If the stolen data included customer records, health information, financial data, or internal communications, the threat of publication created pressure independent of whether systems were restored.

Triple extortion added DDoS attacks against victim infrastructure as a third pressure point. Some groups went further, contacting a victim organization's customers or partners directly to amplify the reputational threat. In 2024, reporting emerged of groups targeting the children of corporate executives to coerce ransom payments — an escalation that illustrates how far the extortion model has drifted from a purely technical exercise into something closer to organized crime in the traditional sense.

Exfiltration appeared in 87% of observed ransomware cases in Q4 2024, reclaiming the top spot among MITRE ATT&CK tactics tracked by Coveware.

The logical endpoint of this trajectory is encryption becoming optional. Some groups — including World Leaks (formerly Hunters International) — have shifted to pure extortion operations that steal and threaten to publish data without deploying any encryption payload at all. RansomHub has also been observed using this approach selectively. When your leverage comes entirely from the threat of exposure, the encryption step adds complexity and detection risk for no additional benefit.

The Supporting Ecosystem: IABs, Leak Sites, and Forum Markets

RaaS operations do not function in isolation. They sit within a broader criminal ecosystem that has developed specialized roles, each contributing to the efficiency of attacks.

Initial Access Brokers (IABs) are criminals who specialize in gaining footholds inside target networks — through phishing, credential stuffing, exploiting unpatched vulnerabilities — and then selling that access on underground forums rather than deploying ransomware themselves. Ransomware affiliates purchase this access, bypassing the difficult and time-consuming work of initial compromise. A Searchlight Cyber report documented a real-world example of this pipeline: an IAB posted access to a named company on a hacking forum, and 18 days later the Play ransomware group listed that same company as a victim on their extortion site.

Data leak sites, hosted on Tor, have become the public face of RaaS extortion. Groups use them to post victim names and countdown timers, creating visible pressure for payment and serving as a marketing tool that demonstrates to potential victims that the group follows through on its threats. The existence and visibility of these sites has also given researchers a way to track attack volume — the 3,734 victims listed on extortion sites in the first half of 2025 alone represent a 67 percent increase over the same period the prior year, according to Searchlight Cyber.

Infostealer malware feeds stolen credentials into underground markets that IABs and affiliates draw from when selecting targets. This supply chain of credentials has become so developed that ransomware affiliates can essentially shop for victims based on the value and access level of credentials available for purchase.

note

RaaS programs typically offer some combination of: subscription access, profit-sharing arrangements (usually 70–90% to the affiliate), one-time license fees, and affiliate dashboards for tracking active campaigns and managing negotiations. The diversity of business models reflects genuine competition between operators for talented affiliates.

Law Enforcement, Takedowns, and the Fragmentation Problem

Between 2022 and 2024, law enforcement operations scored significant wins against major RaaS groups. Operation Cronos disrupted LockBit. The FBI and international partners took down Hive in 2023. BlackCat/ALPHV was disrupted by the FBI in late 2023. These were real achievements — and they produced a real consequence that has made the ransomware problem structurally harder to address.

When large, well-organized RaaS operations collapse, their affiliates do not retire. They migrate. Experienced affiliates from BlackCat moved to RansomHub, which emerged in February 2024 and rapidly became the dominant RaaS platform by offering favorable commission terms — initially 10 percent to the core group rather than the industry-standard 20 to 30 percent. RansomHub's architecture was also distinctive: affiliates managed their own wallets and received payments directly from victims, then remitted the commission, giving them more autonomy than most competing programs. By late 2024, RansomHub had claimed over 600 victims globally.

Then RansomHub's own infrastructure went dark at the end of March 2025 for reasons that remain unclear. Affiliate activity shifted again, this time toward Qilin, which had been advertising aggressively on dark web forums and offering improved tooling. By June 2025, Qilin had become the most active group by victim count, carrying out 81 attacks in a single month.

This pattern — dominant group disrupted, affiliates migrate, new dominant group emerges — has repeated consistently enough to constitute a structural feature of the ecosystem rather than an anomaly. Malwarebytes tracked 41 new ransomware groups entering the market between July 2024 and June 2025. By mid-2025, Searchlight Cyber was tracking 88 active groups simultaneously, with 35 of them entirely new. Total active groups have doubled over the past three years.

critical

Code reuse accelerates this fragmentation. SafePay shares code with LockBit. DragonForce reuses LockBit and Conti code. Leaked source code from disrupted operations becomes raw material for successor groups, compressing the time it takes a new operation to reach attack capability. Disrupting a group does not destroy the tooling — it distributes it.

A secondary effect of high-profile takedowns has been a collapse of trust within the affiliate community. The FBI's infiltration of Hive, the UK's penetration of LockBit, and exit scams by operators who disappeared with affiliate proceeds have made affiliates deeply suspicious of the programs they join. One documented outcome is an increase in lone-wolf actors — experienced former affiliates who conduct attacks independently rather than operating under any RaaS umbrella. Coveware reported this as a sustained trend through 2024 and into 2025, suggesting it represents a durable behavioral shift rather than a temporary anomaly.

AI, Targeting Shifts, and Operational Sophistication

The current generation of RaaS operations is incorporating AI in ways that meaningfully lower the human effort required to execute attacks. Generative AI is being used to produce convincing phishing lures at scale, voice phishing campaigns that use synthesized voices with local accents, and automated vulnerability scanning to identify exploitable systems faster than manual processes allow. These capabilities do not require the attacker to understand AI — they are simply another service available in the criminal ecosystem.

Targeting patterns have also shifted. Zscaler's ThreatLabz research documented a 500 percent year-over-year spike in ransomware against the energy sector in 2024. Manufacturing, healthcare, education, and financial services remained consistently high-value targets. Operational Technology environments — the industrial control systems running power grids, water treatment, and manufacturing — are increasingly attractive because the operational disruption pressure on victims in those sectors is immediate and severe.

Sophisticated groups have also moved away from broad, indiscriminate attack campaigns toward lower-volume, higher-value targeting. Dark Angels exemplified this approach in 2024, demanding and receiving a $75 million ransom payment — a record — from a single victim by conducting a focused, methodical attack rather than the spray-and-pray approach common among less capable operators. The trade-off is that targeted attacks require more reconnaissance and patience, but the per-attack return is dramatically higher.

Key Takeaways

  1. The barrier to entry is near zero: RaaS platforms, leaked source code, IAB markets, and AI-assisted tooling have made it possible to conduct a ransomware attack without meaningful technical skill. The volume of active groups will continue to grow.
  2. Encryption is no longer the threat — exposure is: Organizations that rely on backups as their ransomware defense are protected against only one component of a two- or three-component extortion. Data protection and exfiltration detection are now as important as recovery capability.
  3. Takedowns disperse rather than destroy: Law enforcement operations disrupt specific organizations but redistribute experienced affiliates and often release source code into the wild. Expect new groups to emerge within weeks of any major takedown.
  4. Trust has broken down inside the ecosystem: Exit scams, law enforcement infiltration, and payment disputes have produced a less cohesive criminal market. Lone-wolf operators and smaller groups now conduct a significant share of attacks, making attribution and prediction harder for defenders.
  5. AI has entered the attack chain: Vishing, AI-generated phishing, and automated target selection are not future concerns — they are current TTPs being deployed by active affiliates.
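The double-extortion section above and takeaway 2 both turn on the same defensive point: data leaves the network before anything is encrypted, so outbound volume per internal host is the signal to watch. The following is an added illustration, not code from the briefing or from any vendor named in it. It compares each host's external outbound bytes against a per-host baseline, flags off-hours transfers, and handles the edge case of a host with no baseline by falling back to an absolute threshold. The flow records, baselines, field names (`src`, `dst`, `dport`, `bytes_out`) and thresholds are all constructed for the example and are assumptions, not any product's schema.

```python
"""
Toy exfiltration-volume detector (added example; not from the briefing).

Compares each internal host's outbound bytes to external destinations
against that host's own baseline, notes off-hours activity, and applies
an absolute threshold to hosts that have no baseline yet.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed sample flow records, one per line (not real traffic).
SAMPLE_FLOWS = """\
2025-03-10T02:14:05Z src=10.0.4.21 dst=203.0.113.40 dport=443 bytes_out=1893424000
2025-03-10T02:21:40Z src=10.0.4.21 dst=203.0.113.40 dport=443 bytes_out=2104320000
2025-03-10T09:05:11Z src=10.0.4.22 dst=198.51.100.7 dport=443 bytes_out=5242880
2025-03-10T09:06:02Z src=10.0.4.22 dst=10.0.9.5 dport=445 bytes_out=734003200
2025-03-10T10:12:44Z src=10.0.4.23 dst=203.0.113.9 dport=22 bytes_out=262144000
2025-03-10T23:40:19Z src=10.0.4.99 dst=203.0.113.77 dport=443 bytes_out=900000000
"""

# Constructed per-host baseline: typical daily outbound bytes to external hosts.
BASELINE_DAILY_OUT = {
    "10.0.4.21": 40_000_000,    # workstation: tens of MB per day is normal
    "10.0.4.22": 30_000_000,
    "10.0.4.23": 500_000_000,   # build server: large uploads are routine
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp key=value ...' record (constructed format)."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Flow(ts, fields["src"], fields["dst"], int(fields["dport"]), int(fields["bytes_out"]))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_exfil(lines, baseline, ratio=10.0, abs_threshold=500_000_000, off_hours=(22, 6)):
    """Return {src: details} for internal hosts whose external outbound volume is anomalous.

    A host with a baseline is flagged at ratio x baseline; a host without one
    is flagged at abs_threshold so that new or unknown assets are not silently skipped.
    """
    totals = defaultdict(int)
    off_hours_seen = defaultdict(bool)
    start, end = off_hours
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        # Only north-south traffic counts here; east-west staging is a separate check.
        if not is_internal(f.src) or is_internal(f.dst):
            continue
        totals[f.src] += f.bytes_out
        if f.ts.hour >= start or f.ts.hour < end:
            off_hours_seen[f.src] = True

    alerts = {}
    for src, total in totals.items():
        base = baseline.get(src)
        if base is None:
            if total >= abs_threshold:
                alerts[src] = {"bytes_out": total, "reason": "no_baseline",
                               "off_hours": off_hours_seen[src]}
        elif total >= ratio * base:
            alerts[src] = {"bytes_out": total, "reason": "ratio",
                           "ratio": round(total / base, 1), "off_hours": off_hours_seen[src]}
    return alerts


if __name__ == "__main__":
    for host, info in detect_exfil(SAMPLE_FLOWS.splitlines(), BASELINE_DAILY_OUT).items():
        print(host, info)
```

In a real deployment the baseline would come from a rolling window of the host's own history rather than a static table, and the volume check would be one signal correlated with others (new external destinations, archive creation on file servers, cloud-storage domains) before it raises a ticket; the point of the example is that backups do nothing against this stage, so the detection has to live on the egress path.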

The RaaS model succeeded because it separated the people who build attack tools from the people who use them, and because it created financial incentives strong enough to attract a continuous supply of both. Law enforcement pressure, improved defenses, and declining ransom payment rates have created real friction — but the fundamental economics remain intact. As long as ransomware pays, the franchise will keep finding new operators.

— end of briefing