Cyber Security Blog

The rise of Ransomware-As-A-Service in 2022

Written by Aditi Uberoi | 6 July 2022

Ransomware-As-A-Service is a business model in which malware is developed by criminals for use by criminals. It is very similar to traditional software-as-a-service models. The big difference is that, in this case, the product/service being sold is a tool used for criminal activities and for unleashing ransomware attacks.  

First let’s begin by answering the very basic question - What is Ransomware? It is a type of malware that encrypts the victim’s files and folders. The safe return of the encrypted data is promised upon payment of a ransom but in many cases this promise isn’t made good upon. We are seeing a massive surge in ransomware attacks across the world and many of these are fuelled by the rise of RaaS.

What is Ransomware As A Service?

According to the most conservative estimates, the total amount of losses from ransomware from mid-2019 to mid-2020 was more than $1 billion. The average ransom payout in 2020 was allegedly $170,404. Successful ransomware attacks can generate enormous profits for attackers. And using RaaS can be inexpensive and relatively easy. 

While it is easy for a criminal to execute ransomware, developing the malware requires technical savvy and skill. Ransomware-as-a-Service is the answer to this problem. It is a type of software available online, usually found on the darkweb. Developers create ransomware and sell it for widespread use.

What makes RaaS so dangerous? 

Criminals looking at RaaS options can get special offers and choose from different subscription models which is what makes this service so dangerous. RaaS offers in the darkweb look very similar to traditional marketing offers for software services. 

These services are offered in a variety of forms such as: 

  1. Unlimited access by paying a one-time fee. 
  2. Monthly subscriptions
  3. Profit sharing wherein the developer gets a share of every successful attack and ransom earned. 

Some models may include a combination of payment types. For example, profit sharing can be combined with a royalty or monthly fee.

Ransomware is highly customizable, and buyers are often provided with elegant interfaces where they can customise their malware. Many RaaS providers will allow even a novice criminal to access their toolkit while many others are very selective about the affiliates they work with.

Developers create malware, but their profits often depend on the ability of affiliates to distribute it. This is perhaps why some creators implement rigorous selection processes to ensure they only work with partners that will bring them good returns.



RaaS is definitely one of the most prominent business challenges today but it is equally  dangerous for students and teenagers. At this age, teens often visit the dark web and thus may accidentally fall victim to ransomware attacks. Therefore, it is essential to explain to children at this age the dangers of sites such as darkweb, so they do not get into trouble. Some students have, in fact, shared their experience with RaaS in their personal statements for universities. As it’s not something easy to describe, using a personal statement helper to write an interesting essay can be of big help. 

Examples of Ransomware-as-a-Service

Many different types of RaaS exist on the darkweb. Operators are constantly developing new and better software. Examples of infamous ransomware spread through the RaaS model are the following:

Egregor: Egregor allegedly runs on an affiliate system, with developers receiving a 20-30% ransom, with the rest going to affiliates. 

Launched in September 2020, Egregor is believed to have been a replacement for Maze RaaS, which went out of business around the same time. Several French organisations such as Ouest France, Ubisoft, and Gefco have been victims of Egregor over the past year. There have been several recent arrests in France concerning the extortion of Egregor.

REvil: REvil RaaS developers are reportedly very selective about who they allow in as affiliates. Applicants for the programme must prove their hacking experience before they are accepted. REvil has reportedly earned its developers $100 million in a year. This ransomware appears to be heavily targeted at legal, insurance, and agricultural companies.

REvil uses a slightly different way of making money from traditional extortion schemes. In addition to demanding a ransom, the group also threatens to leak data and further extort victims.

The REvil Group is responsible for the most significant buyout demand to date. In March 2021, it asked for $50 million in ransom from electronics manufacturer Acer.

Dharma: Dharma is far from new in the RaaS scene and has been around since 2017. It replaces files with the dharma extension. Dharma's ransom requirements tend to be lower than other RaaS, averaging about $9,000. Some researchers say that this may be because the RaaS provider allows even inexperienced hackers to join as affiliates. 

How can you protect yourself from RaaS?

Just like in case of other Ransomware attacks, there are some steps you can take to protect your organisation from RaaS attacks. Prevention is always better than cure when it comes to cybersecurity.

Hence we recommend taking the following steps to bolster your ransomware preparedness: 

  1. Conduct an evaluation of where your cybersecurity infrastructure stands today in terms of ransomware prevention. Investing in a Ransomware Readiness Assessment is a good idea. 

  2. Make sure that all your confidential information and important business data is backed up. This is one technology investment that is worth every penny. If you have access to your backed up data, by encrypting certain files or attacking devices, the cyber criminal can only achieve so much. Other similar tips are available in our Ransomware Prevention Checklist

  3. Train your staff and your incident response teams in Ransomware Response. Download some handy Ransomware Response Guides and Ransomware Response Checklists while you are at it. Also make sure you run regular Ransomware Tabletop Exercises for your staff to rehearse and practice what is in your Incident Response Plans. This builds muscle memory in how to respond to a ransomware attack.  

Cyber Management Alliance’s unique, modern and technology-driven Virtual Cyber Assistant services can also help businesses of every size bolster their defences against RaaS, ransomware attacks and other common cyberthreats in a cost-effective way. It’s becoming increasingly difficult to stop attackers from gaining unauthorised access to our networks. Simultaneously, finding good cybersecurity talent who can help us protect our organisations from these criminals is not easy. Therefore, our best chance lies in responding with agility and controlling the situation before much damage is done through a cost-effective and easily accessible solution such as the VCA.