What is Ransomware-as-a-Service (RaaS)? Understanding the Rising Cybercrime Model

The UK’s National Cyber Security Centre (NCSC) warns that ransomware is now the biggest cyber threat facing the country. One driving force behind the surge in attacks is the rise of Ransomware-as-a-Service (RaaS). RaaS is a subscription-based criminal business model that has lowered the barrier to entry for cybercriminals and fuelled an alarming increase in ransomware incidents globally.

In this blog, we’ll explain what RaaS is, how it works, why it’s such a menace to businesses (large and small), and how you can protect your organisation.

What Exactly Is Ransomware-as-a-Service?

Ransomware-as-a-Service (RaaS) is essentially a franchise model for cybercrime. Skilled ransomware developers create and maintain the malicious software, then lease or sell it to other criminals who deploy the ransomware in attacks. In return, the developers take a cut of the illicit profits. In other words, even low-skilled attackers can now simply rent a ready-made ransomware kit on the dark web and start extorting victims, no coding required.

The RaaS model has become the dominant way ransomware is spread. Many of the most infamous ransomware groups operate on a RaaS model. In fact, the UK government noted in 2025 that RaaS is the most common business model used by ransomware groups. Ransomware remains a very prevalent threat (IBM estimates it was involved in ~20% of cyber incidents globally), and RaaS is a major reason why.

How RaaS Works – Crime as a Service

RaaS operates much like a shady version of a Software-as-a-Service (SaaS) startup. Ransomware operators code the ransomware, run payment and leak websites, and sometimes even provide tech support. Affiliates are their “customers” who pay to use this ransomware. The business models can vary:

• Subscription Fees: Some RaaS groups offer monthly subscriptions for access to the ransomware platform.
• Profit Sharing: In other cases, operators charge no upfront fee but take a percentage cut of each ransom that affiliates collect.
• One-Time License: A flat purchase price for the malware is another option, though profit-sharing models are more common.

RaaS kits are openly advertised on underground forums, and RaaS providers actively recruit affiliates to expand their reach. Just like legitimate SaaS businesses, top-tier RaaS operations prioritise user experience. They provide slick dashboards to track victims, offer updates and bug fixes, and even run customer support channels for their criminal clients. Some RaaS packages come with 24/7 help desks, user reviews, and community forums, mirroring the kind of service you’d expect from a normal software company. 

RaaS is big business. The cybercriminal groups behind it operate with corporate-like discipline. They conduct marketing campaigns and even have PR on social media. As a result, the ransomware economy has exploded. Global ransomware revenues were estimated around $20 billion in 2020 (up from $11.5B in 2019), and RaaS has only accelerated that growth.

Why RaaS Is a Growing Threat to Businesses

Lower Barriers = More Attacks: By turning ransomware into a service-for-hire, RaaS has significantly lowered the technical barriers to entry for cybercrime. Even an amateur criminal can purchase a RaaS kit and launch attacks, which means the pool of attackers has widened dramatically. This has led to a decentralised explosion of ransomware activity.

Increasing Attack Frequency and Scope: The ease and profitability of RaaS has led to a sharp rise in ransomware incidents worldwide. In the UK, ransomware attacks doubled from 2022 to 2023. This accounts for roughly 30% of all cyber incidents in 2023. Globally, Verizon’s data breach report found ransomware in 44% of breaches investigated in 2025, highlighting how commonplace these attacks have become. SMEs often lack the in-house security and resources to defend against advanced threats. Studies show ransomware hits SMEs hardest, and a majority of breaches in small businesses now involve ransomware.

The Professionalisation of Cybercrime: Modern ransomware groups don’t fit the old stereotype of a lone hacker in a hoodie. Today’s RaaS outfits run like structured corporations, with hierarchies and even HR: they have administrators, developers, testers, and affiliate managers. Some groups have been known to give victims a 24/7 helpline (run by the attackers) to expedite ransom payment and decryption. All of this makes ransomware operations more effective and far-reaching.

Devastating Impact: The RaaS model’s success means ransomware attacks continue to wreak havoc across all sectors, from hospitals to local businesses. High-profile examples in the UK include the 2017 WannaCry attack that paralysed parts of the NHS, and the 2020 Travelex incident that forced the foreign exchange firm into administration. Many victims pay huge sums only to find their data leaked or their systems too damaged to fully restore. (The UK government explicitly “does not condone” paying ransoms, as it perpetuates the crime and often doesn’t work). 

The RaaS threat may be daunting, but there are effective measures you can take to significantly reduce the risk. Company directors and IT leaders should focus on layered security and preparedness. Here are some key steps:

• Maintain Secure Backups: Regularly back up your critical data and store backups offline. Offline, immutable backups ensure you can restore data even if your systems are encrypted. Test your backups periodically.
• Keep Systems Patched and Updated: RaaS attackers often gain entry by exploiting unpatched vulnerabilities in software or servers. Apply security updates and patches as soon as they’re available, especially for internet-facing systems.
• Use Strong Access Controls (MFA): Implement multi-factor authentication on all remote logins and critical accounts. Strong, unique passwords (managed via a password manager) plus MFA make it much harder for attackers to use stolen or guessed credentials to break in.
• Educate and Phish-Test Employees: Human error is a leading cause of ransomware intrusions, so invest in staff training. Teach employees how to spot phishing emails and suspicious links. An informed workforce is your first line of defence.
• Prepare an Incident Response Plan: Have a clear, tested plan for how your organisation would respond to a ransomware attack. This should include steps for isolating infected systems, contacting authorities (e.g. Action Fraud/NCSC), and restoring data from backups. Early action and coordination can greatly limit the damage of an attack.

By implementing the above practices, businesses can thwart the vast majority of opportunistic attacks. Even ransomware groups will move on to softer targets if you present a hardened front.

Ransomware-as-a-Service has transformed ransomware from a niche hacker hobby into a full-blown criminal industry. Understanding RaaS is vital for any business leader looking to grasp today’s cyber threat landscape. The takeaway is sobering: any organisation can fall victim, but with the right precautions, you can greatly mitigate the risk. 

If you’re concerned about ransomware and want to bolster your defences, our experts are here to help. Contact us today to find out how to protect your organisation from ransomware and other cyber threats.