Ransomware is no longer the domain of lone hackers writing custom code. In 2025, publicly reported ransomware attacks surged 47% to more than 7,200 incidents, and researchers tracked 124 distinct named groups operating simultaneously. The force multiplier behind this explosion is ransomware as a service (RaaS) — a business model that lets anyone with cryptocurrency and criminal intent launch enterprise-grade ransomware attacks. This article breaks down how the RaaS model works, who the key players are, which groups dominate the current landscape, and — most critically — how defenders can detect affiliate activity before encryption begins.
Ransomware as a service (RaaS) is a cybercrime business model in which ransomware developers — known as operators — build, maintain, and lease ransomware platforms to other criminals — known as affiliates — who conduct the actual attacks, sharing revenue through subscriptions, one-time fees, or percentage-based profit splits.
The model mirrors legitimate software as a service (SaaS) distribution. Just as a company might subscribe to a cloud platform and use it to run its business, RaaS affiliates subscribe to a ransomware platform and use it to conduct attacks. The operator handles malware development, infrastructure, payment processing, and even customer support. The affiliate handles target selection, initial access, and deployment.
This separation of labor is what makes RaaS so dangerous. Traditional ransomware required a single actor or group to possess the full range of skills — from malware development to network exploitation to ransom negotiation. RaaS eliminates that requirement, exponentially increasing the number of potential attackers.
The scale of the problem is significant. In 2025, attack volumes surged 47% over 2024, with 124 distinct groups tracked — a 46% increase from the prior year. Ransomware now accounts for 20% of all cybercrime incidents, and the MITRE ATT&CK framework classifies the primary ransomware impact technique under T1486 — Data Encrypted for Impact.
Traditional ransomware involves a single threat actor or closed group that develops and deploys the malware end to end. RaaS introduces a division of labor across three or more parties — operators, affiliates, and supporting service providers. The result is a scalable criminal enterprise that functions more like a franchise than a solo operation, dramatically lowering the barrier to entry and driving the attack volumes organizations face today.
RaaS platforms operate with the same operational discipline as legitimate SaaS businesses. Understanding this model is critical for defenders because it reveals where detection opportunities exist across the attack lifecycle.
The speed of this lifecycle has compressed dramatically. According to IBM, the average time from initial access to ransomware deployment dropped to 3.84 days in 2025 — down from more than 60 days in 2019. This acceleration means defenders have a narrower but still exploitable detection window.
Operators provide affiliates with comprehensive tooling — payload builders with customization options, victim tracking dashboards, automated payment processing, and command and control infrastructure. Some platforms even offer "customer support" to help affiliates troubleshoot deployments and negotiate with victims.
Recruitment happens primarily through dark web forums. The RAMP forum served as a primary marketplace until the FBI seized it in January 2026, with its 14,000+ users dispersing to Telegram channels and private referral networks. Entry requirements vary from deposits of 0.05 BTC to proof of prior attack activity.
Once onboarded, affiliates operate independently. They receive access to payload builders, conduct their own attacks, and manage victim negotiations in some models. Operators retain top affiliates through improved payloads, better tooling, and increased revenue shares.
Understanding RaaS pricing provides critical threat intelligence context for defenders assessing the scale and accessibility of the threat.
The affiliate model dominates the current landscape. It aligns incentives — operators earn only when affiliates succeed — and it removes the financial barrier to entry entirely, which is why ransomware as a service has driven attack volumes up at such an unprecedented rate.
The RaaS supply chain extends well beyond the operator-affiliate relationship. A full criminal ecosystem supports the model, with specialized services at every stage.
An initial access broker is a specialized threat actor who compromises corporate networks and sells that access to RaaS affiliates. IABs serve as the supply chain link that enables less-skilled affiliates to bypass the most technically demanding phase of an attack.
IABs typically charge $500 to $5,000 per network access, with pricing based on the target organization's size, industry, and the level of access obtained. They operate on dark web forums and Telegram channels, advertising access to specific organizations or sectors.
A notable example is TA584, which Proofpoint documented in 2026 using Tsundere Bot malware to sell access into North American, UK, and European networks. The supporting ecosystem also includes services like Shanya, a packer-as-a-service that helps affiliates evade endpoint detection. Bulletproof hosting, cryptocurrency laundering, and negotiation services round out the cybercrime as a service ecosystem.
This matters for defenders because social engineering and reconnaissance conducted by IABs may occur weeks or months before the actual ransomware deployment, creating early detection opportunities.
Table: Comparison of responsibilities, revenue shares, and risk profiles across the three primary RaaS ecosystem roles.
The RaaS landscape in 2025-2026 is more fragmented than ever, with 124 tracked groups and rapid affiliate migration between platforms. Understanding which groups are currently active — and which models they employ — is essential for calibrating defenses.
Table: Active ransomware as a service groups tracked in Q4 2025 through Q1 2026, ranked by market share.
The ecosystem is in constant flux. Black Basta collapsed in early 2025 after internal chat leaks exposed its operations — leader Oleg Nefedov now faces an INTERPOL Red Notice, and members dispersed to Chaos, INC, Lynx, Cactus, and Nokoyawa. RansomHub similarly collapsed, causing only a brief attack dip before affiliates migrated to competing platforms.
This fragmentation creates data breach risks for organizations. Analysts predict 2026 will be the first year where new ransomware actors outside Russia outnumber those within it, reflecting rapid globalization of the ecosystem and the emergence of English-speaking crews like Scattered Spider building their own RaaS platforms.
Extortion tactics have evolved from simple encryption to multi-layered pressure campaigns, though data-only extortion is losing effectiveness in 2025-2026.
The current landscape shows a surprising trend reversal. According to Sophos, only 50% of attacks resulted in encryption in 2025 — down from 70% in 2024 — as many groups shifted toward data exfiltration-only strategies. However, Coveware's Q4 2025 data reveals that this approach is losing its edge. Data exfiltration-only payment rates dropped to roughly 25%, and overall ransom payment rates hit a historic low of approximately 20% in Q4 2025.
This declining leverage suggests a potential pivot back to encryption-focused attacks in 2026, with groups like Akira and Qilin already demonstrating this approach. Defenders should prepare for both vectors.
RaaS attacks surged 47% in 2025 to 7,200 publicly reported incidents, costing organizations an average of $4.91 million per breach.
The financial picture shows a complex dynamic. Total ransomware payments declined 35% to $813.55 million in 2024 even as attack volumes surged, with the median ransom dropping to $1 million in 2025. The top attack vectors were exploited vulnerabilities (32%), compromised credentials (23%), and phishing. Manufacturing saw attacks surge 61% year over year, accounting for 14% of all attacks, while healthcare suffered 445 attacks in 2025.
Scattered Spider affiliates used DragonForce ransomware to disrupt M&S retail operations for weeks, resulting in an estimated 300 million GBP in lost operating profit.
Lesson: Social engineering and identity compromise remain effective even against mature security programs. Network segmentation and rapid lateral movement detection are critical to containing affiliate activity after initial access.
Qilin operators demanded $50 million in ransom after exfiltrating 400 GB of patient data affecting more than 900,000 individuals. Over 800 NHS operations were cancelled, and the breach was confirmed as a contributory factor in a patient death.
Lesson: Healthcare organizations face disproportionate targeting due to life-critical operations. Third-party supplier security assessment and network segmentation are not optional.
A single compromised VPN credential without multi-factor authentication enabled DarkSide affiliates to shut down the largest US fuel pipeline for six days. Colonial paid approximately $5 million in ransom while roughly 100 GB of data was stolen.
Lesson: Basic security hygiene — MFA on all remote access, network segmentation, credential management — prevents the majority of RaaS initial access vectors. This single incident triggered a national reckoning on critical infrastructure security.
An international coalition of 10 countries seized LockBit infrastructure, source code, and decryption keys. LockBit had claimed more than 2,000 victims and extorted $120 million or more. In H2 2024, payments dropped 79%.
Lesson: Law enforcement takedowns significantly disrupt individual operations but contribute to ecosystem fragmentation. Affiliates migrate to other platforms — continuous, adaptive incident response strategies are required rather than reliance on any single disruption event.
A 4-5 day detection window between initial access and encryption enables behavioral detection of RaaS affiliate activity at the network and identity layers.
With median dwell time at four to five days and the average time from lateral movement to encryption at 17 hours, defenders have a real opportunity to stop RaaS attacks before the payload drops. The key is shifting from prevention-only strategies to assume-compromise detection.
Prevention fundamentals remain essential:
But prevention alone is insufficient. The CISA #StopRansomware Guide and NIST ransomware framework both recommend layered defenses across all security functions.
Table: MITRE ATT&CK technique mapping for common RaaS affiliate tactics, techniques, and procedures with recommended detection approaches.
With median dwell time at four to five days, every hour between initial access and encryption represents an opportunity. Network detection and response identifies C2 beaconing patterns, lateral movement across SMB and RDP, and data staging operations before encryption begins.
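The C2 beaconing pattern mentioned above can be scored directly from flow logs. The following is an added example written for this article, not Vectra's code or any product logic: it groups outbound connections by source, destination and port and flags pairs whose inter-connection gaps are metronome-regular (low coefficient of variation). The flow records are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Beaconing detector over constructed outbound flow records (added example).
A compromised host calling its C2 tends to connect at a near-fixed interval,
while ordinary browsing is bursty. Each (src, dst, port) pair is scored by the
coefficient of variation (stdev / mean) of the gaps between its connections."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    # host 10.0.1.15 reaches one external IP every ~60 s with small jitter
    (0, "10.0.1.15", "203.0.113.7", 443), (61, "10.0.1.15", "203.0.113.7", 443),
    (119, "10.0.1.15", "203.0.113.7", 443), (181, "10.0.1.15", "203.0.113.7", 443),
    (240, "10.0.1.15", "203.0.113.7", 443), (299, "10.0.1.15", "203.0.113.7", 443),
    # host 10.0.1.22 browses the same CDN address at irregular, bursty times
    (5, "10.0.1.22", "198.51.100.9", 443), (8, "10.0.1.22", "198.51.100.9", 443),
    (140, "10.0.1.22", "198.51.100.9", 443), (143, "10.0.1.22", "198.51.100.9", 443),
    (600, "10.0.1.22", "198.51.100.9", 443), (611, "10.0.1.22", "198.51.100.9", 443),
]


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Return {(src, dst, port): cv} for pairs with regular connection timing.

    min_connections and max_cv are assumed tuning values: too few connections
    give a meaningless statistic, and a cv above max_cv is too irregular to
    look like a scheduled callback.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results[pair] = round(cv, 3)
    return results


if __name__ == "__main__":
    for pair, cv in find_beacons(FLOWS).items():
        print(f"possible beacon {pair[0]} -> {pair[1]}:{pair[2]} (cv={cv})")
```

Real deployments also whitelist known update and telemetry endpoints, since legitimate agents beacon too; the regularity score is a lead for the hunt, not a verdict.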
Identity threat detection and response catches credential abuse patterns that signature-based tools miss — Kerberoasting attempts, pass-the-hash, golden ticket attacks, and DCSync operations.
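One of the identity-layer patterns named above, Kerberoasting, leaves a recognisable trace in Windows Security Event ID 4769 (a service ticket was requested). The following added example, not Vectra's code, applies that logic over constructed 4769 records: one account requesting RC4-encrypted (TicketEncryptionType 0x17) service tickets for many distinct service accounts within a short window. The field names follow the 4769 event, the sample records are constructed, and the window and threshold are assumptions.

```python
"""Kerberoasting detector over constructed Event ID 4769 records (added example).
Kerberoasting requests service tickets for many SPN-bearing accounts and prefers
RC4 (TicketEncryptionType 0x17), whose hashes crack faster offline. A single user
pulling many such tickets in a short window is the detection signal."""
from collections import defaultdict

# Constructed sample events, each a tuple of
# (epoch_seconds, TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
EVENTS = [
    (1000, "jsmith", "sqlsvc", "0x17", "10.0.2.40"),
    (1002, "jsmith", "backupsvc", "0x17", "10.0.2.40"),
    (1003, "jsmith", "iissvc", "0x17", "10.0.2.40"),
    (1005, "jsmith", "sccmsvc", "0x17", "10.0.2.40"),
    (1006, "jsmith", "WKSTN12$", "0x17", "10.0.2.40"),  # machine account, ignored
    (1100, "mjones", "sqlsvc", "0x12", "10.0.2.51"),     # normal AES256 ticket
    (5000, "mjones", "iissvc", "0x12", "10.0.2.51"),
    (9000, "jsmith", "iissvc", "0x17", "10.0.2.40"),    # far outside the window
]


def detect_kerberoasting(events, window=300, min_services=4):
    """Return {user: sorted distinct service accounts} for each user that
    requested RC4 service tickets for at least min_services distinct accounts
    within `window` seconds. Machine accounts (trailing '$') and krbtgt are
    excluded because they are not the usual Kerberoasting targets."""
    per_user = defaultdict(list)
    for ts, user, svc, etype, _ip in events:
        if etype != "0x17" or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[user].append((ts, svc))

    findings = {}
    for user, reqs in per_user.items():
        reqs.sort()
        # slide a window starting at each request and count distinct services
        for i, (start, _svc) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                findings[user] = sorted(in_window)
                break
    return findings


if __name__ == "__main__":
    for user, services in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```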
Behavioral threat detection is particularly critical when endpoint controls are evaded. Groups like Reynolds leverage bring-your-own-vulnerable-driver (BYOVD) techniques, and services like Shanya's packer-as-a-service specifically target EDR evasion. Threat hunting teams that focus on network and identity anomalies catch what endpoint-only strategies miss.
The RaaS model demands defense-in-depth across the full kill chain, not just at the endpoint. The industry is shifting from prevention-only strategies to assume-compromise detection that leverages the pre-encryption window.
Effective modern approaches combine network detection and response with identity behavioral analytics, automated response capabilities, and SOC automation to contain attacks during the detection window. AI-driven threat detection keeps pace with AI-accelerated RaaS operations that compress attack timelines from months to days.
Vectra AI's assume-compromise philosophy aligns directly with the RaaS detection window. Rather than relying solely on preventing initial access, Attack Signal Intelligence focuses on detecting attacker behaviors — C2 beaconing, lateral movement, privilege escalation, and data staging — across network, identity, cloud, and SaaS environments. This unified observability provides the signal clarity security teams need to stop RaaS affiliates before encryption begins.
Ransomware as a service has transformed the threat landscape from individual actors into a scalable criminal industry with specialized roles, competitive economics, and rapid innovation. The 2025-2026 landscape — with 124 active groups, collapsing payment rates, and emerging cartel models — signals an ecosystem in transition but not in decline.
For defenders, the operational reality is clear. RaaS affiliates follow predictable behavioral patterns — gaining access, moving laterally, escalating privileges, staging data, and deploying payloads. The four-to-five-day detection window between initial access and encryption is not a vulnerability. It is an opportunity.
Organizations that shift from prevention-only strategies to assume-compromise detection — combining network behavioral analytics, identity threat detection, and automated response — position themselves to catch affiliate activity before encryption begins. The attackers have industrialized. The defense must evolve accordingly.
Ransomware as a service is a cybercrime business model where ransomware developers (operators) create and maintain ransomware platforms that other criminals (affiliates) can use to launch attacks. The model mirrors legitimate SaaS businesses, with affiliates paying through subscriptions, one-time fees, or revenue-sharing agreements. Operators handle malware development, infrastructure, payment processing, and support. Affiliates handle target selection, initial access, and deployment. This division of labor is why 124 distinct groups were tracked in 2025 — the barrier to entry has never been lower.
RaaS pricing varies widely based on the model and platform quality. Monthly subscriptions start around $40 for basic access. One-time licenses range from $500 to $84,000 for premium kits with advanced evasion capabilities. Affiliate programs require no upfront cost but take 20-40% of ransom payments. Some programs require a deposit (such as 0.05 BTC) to join. Understanding these price points helps security leaders communicate to business stakeholders why RaaS-driven attacks are so prevalent — the financial barrier to launching an attack is minimal compared to the potential return.
No. Creating, distributing, or using ransomware is illegal in virtually all jurisdictions. RaaS operators and affiliates face severe criminal penalties including lengthy prison sentences. In December 2025, two US cybersecurity professionals pleaded guilty to deploying ALPHV/BlackCat ransomware, demonstrating that law enforcement actively prosecutes all participants in the RaaS supply chain. International operations like Operation Cronos against LockBit show growing cross-border cooperation in enforcement.
Traditional ransomware involves a single actor or group that develops and deploys the malware end to end. RaaS separates these roles — operators build and maintain the platform, while affiliates who may have limited technical skills conduct the actual attacks. This division of labor dramatically increases the number of potential attackers. Where traditional ransomware campaigns might involve a handful of skilled operators, a single RaaS platform can empower hundreds of affiliates to run independent campaigns simultaneously.
An initial access broker (IAB) is a specialized threat actor who compromises corporate networks and sells that access to RaaS affiliates. IABs typically charge $500 to $5,000 per network access, operating on dark web forums and Telegram channels. They serve as the supply chain link that enables less-skilled affiliates to bypass the initial compromise phase entirely. The RAMP forum was a primary IAB marketplace until its FBI seizure in January 2026, after which activity dispersed to private channels and encrypted messaging platforms.
RaaS has lowered the barrier to entry for cybercriminals by eliminating the need for technical expertise in malware development. Affiliates receive ready-made tools, infrastructure, and support, enabling affiliates of varying skill levels to conduct sophisticated attacks. The economics are compelling — affiliate programs require zero upfront investment and offer 60-80% revenue shares. Combined with IABs selling ready-made network access, the entire attack chain can be assembled without deep technical skills. This contributed to a 47% increase in publicly reported ransomware attacks in 2025.
Defense requires a layered approach across the full kill chain. Implement MFA on all remote access and privileged accounts. Maintain offline, encrypted backups tested regularly. Deploy network segmentation to limit lateral movement. Patch known vulnerabilities promptly — exploited vulnerabilities account for 32% of ransomware root causes. Use behavioral detection tools — NDR and ITDR — to identify affiliate activity during the four-to-five-day window between initial access and encryption. Report incidents to law enforcement, which saves approximately $1 million per incident. Follow the CISA #StopRansomware Guide for comprehensive guidance.