Ransomware is no longer the work of lone geniuses and has become an industry: 2025 reports (ESET/WeLiveSecurity, ENISA and CISA) indicate that the overwhelming majority of today's extortion attacks originate within Ransomware as a Service (RaaS) operations — commercial platforms with affiliates, support, "commission plans" and leak sites, in which Brazil remains among the most-targeted countries in Latin America.
What is Ransomware as a Service (RaaS)
RaaS is a criminal business model that replicates, almost to the letter, the logic of legitimate Software as a Service. Instead of selling CRM licenses, the operator sells (or rents) a complete attack platform: the encryption malware, the victim-management panel, the communication infrastructure, the leak site and, often, "support" that helps the affiliate close the extortion. What once required an experienced developer to write the encryptor has become a packaged product, with documentation and updates.
This transformation is what explains the current scale. Ransomware has never been so frequent — not because encryption has become more sophisticated, but because the barrier to entry has collapsed. Someone who knows only how to buy access and run a panel can carry out an attack that, a decade ago, required a dedicated technical team.
The economy: operators, affiliates and profit sharing
The RaaS ecosystem clearly separates two roles, and understanding this separation is essential to defense:
- Operators (or "developers"): maintain the ransomware code, the infrastructure, the brand and the leak site. They usually do not break into companies directly; they provide the "franchise."
- Affiliates: are the executors. They buy access to the platform, break into victims, steal data and trigger the encryption. There can be dozens or hundreds working under the same brand at the same time.
Compensation follows a commission model. Historically, the affiliate kept the largest share — somewhere around 70% to 80% of the ransom — and the operator retained the rest as a platform "royalty." Larger groups offered aggressive terms precisely to attract the best intruders, like a company competing for talent. There are also variants with a fixed monthly fee, a one-time payment for the build or hybrid models.
This arrangement has an uncomfortable practical consequence for victims: there is no single entity to fight. Taking down an operator does not eliminate the affiliates, who migrate to another brand within weeks. It is a market, not a fixed gang.
Why the model exploded
The rise of RaaS combines economic and technical factors. Specialization allowed each participant to do only what they do best: some write the malware, others sell access, others negotiate ransoms. The cryptocurrency economy made hard-to-trace payments easier. And the maturity of the initial access market turned the hardest stage of an attack — getting into the network — into an off-the-shelf item.
The result is a crime funnel with corporate-grade division of labor. For the company defending itself, this means the adversary does not need to be brilliant; they only need to buy the right pieces.
It is also worth highlighting the network effect: the more affiliates a platform gathers, the more victims it produces, the more a reputation for "paid as promised" it accumulates and the easier it becomes to attract new affiliates. It is the same growth cycle as a legitimate marketplace, only geared toward extortion — and that is why fighting the problem requires attacking the economy, not just the malware binary.
The support ecosystem: IABs, negotiators and leak sites
Around RaaS platforms orbits a chain of specialized suppliers:
- Initial Access Brokers (IABs): initial-access brokers. On criminal forums, they sell valid credentials, VPN sessions, RDP access and already-planted webshells. This is where the leaked credential becomes the number-one vector: the affiliate buys a ready-made entry point instead of breaking one open.
- Negotiators: mediate the conversation with the victim, calibrate the ransom amount to the company's revenue and apply psychological pressure.
- Leak sites: dark-web portals where the groups publish victims' names and samples of the stolen data, functioning as a showcase of "social proof" and an extortion lever.
- Auxiliary services: cryptocurrency laundering, takedown-resistant infrastructure rental and even "call centers" to harass the victims' customers.
Reducing exposure to this ecosystem — especially to the credentials the IABs trade — is one of the highest-return defenses, and it is where data leak prevention (DLP) and monitoring of exposed credentials make a direct difference.
Double and triple extortion
Extortion has evolved well beyond "encrypt and charge." Today it is organized in layers:
- Simple extortion: encrypting the data and charging for the decryption key. Good backups already solve much of it.
- Double extortion: before encrypting, the attackers exfiltrate the data and threaten to publish it. Here backups are not enough — the leak remains a lever even if the company restores everything.
- Triple extortion: adds external pressure — DDoS attacks, direct contact with customers, partners and the press, and even threats to report to regulators to exploit the risk of fines for a data breach (in Brazil, exposure to the LGPD and the ANPD).
The shift to double and triple extortion is why "we have backups" is no longer a sufficient answer. Data that leaves the company does not come back.
Notorious groups (historical examples)
A few names help illustrate the model — bear in mind that brands emerge, are dismantled by law-enforcement operations and reinvent themselves frequently:
- LockBit: for years the most prolific RaaS, with a structured affiliate program and one of the largest victim counts before international takedown actions.
- ALPHV/BlackCat: notable for having been written in Rust and for an "exit scam" episode that exposed the instability of operator-affiliate relationships.
- Cl0p, Play, Akira and RansomHub, among others, filled the vacuum left by disrupted operations, often inheriting the same affiliates.
The lesson is not to memorize names, but to understand that the brand is disposable and the method is stable. Defending against the method is worth more than chasing the brand of the moment.
The attack chain, phase by phase
Despite the variety of groups, the operational playbook of a RaaS attack is remarkably consistent:
- Initial access: a credential leaked/bought from an IAB, phishing or exploitation of an exposed service (VPN/RDP without MFA, a vulnerable application).
- Establishment and escalation: installing remote-access tools, stealing additional credentials and obtaining administrator privileges.
- Lateral movement: navigating the network in search of file servers, backups and the Active Directory.
- Exfiltration: copying sensitive data to the attacker's infrastructure — the ammunition for double extortion.
- Impact: disabling backups and security tools and, finally, mass encryption, followed by the ransom note.
Each phase is an opportunity for detection and containment — provided the defense is instrumented to see it, a topic we cover in depth in ransomware protection.
Defenses by attack phase
The best strategy against RaaS is to assume the affiliate will attempt each step above and to place a control at each one. The table below maps each phase to its priority defense:
| Attack phase | Priority defense |
|---|---|
| Initial access (credential/phishing) | Phishing-resistant MFA (passkeys/FIDO2), exposure management and monitoring of leaked credentials, email filtering |
| Establishment and escalation | EDR/XDR with blocking, principle of least privilege, removal of local admin, application allowlisting |
| Lateral movement | Network segmentation, Active Directory isolation, restriction of internal RDP/SMB, separate administrative accounts (tiering) |
| Exfiltration | DLP and egress inspection, anomalous-transfer alerts, egress filtering, monitoring of unusual destinations |
| Impact (encryption) | Immutable 3-2-1 and offline backups, tamper protection in the EDR, tested response plan, detection of shadow-copy deletion |
Immutable backups and the 3-2-1 rule
Backup remains the life insurance against encryption, but only if it survives the attack. The 3-2-1 rule — three copies, on two types of media, with one copy off-site — should be reinforced with immutability (copies that cannot be altered or deleted for a fixed period) and isolation, so that the affiliate who gained admin cannot destroy the backup before encrypting. An untested backup is merely a hope; a rehearsed restore is a capability.
Identity: the number-one vector
Because the most common entry point is a valid credential, identity is the decisive battlefield. MFA on all external access, migration to passkeys/FIDO2 (phishing-resistant), disabling orphaned accounts and continuously monitoring corporate credentials exposed in leaks cut off the IABs' supply at the root.
Detection and segmentation
A well-configured EDR/XDR turns silent lateral movement into detectable noise. Network segmentation prevents one compromised machine from becoming the entire network. Together, they shorten the window between initial access and impact — which is where the attack is won or lost.
Exposure management and a tested response
Two capabilities tie the set together. The first is exposure management: continuously seeing what the attacker sees from outside — published services, open ports, leaked credentials and brand information on forums — to close the door before an affiliate buys it from an IAB. The second is a tested response plan: defined roles, legal and communications contacts ready, validated backup copies and a decision playbook for the moment when minutes are costly. Companies that rehearse the response recover operations in hours or days; those that improvise measure the downtime in weeks.
To pay or not to pay?
The guidance from CISA, ENISA and most authorities is not to pay. Payment does not guarantee the return or destruction of the data, directly funds the RaaS ecosystem and marks the company as a payer — attracting new attacks. There is also legal risk: paying certain groups can amount to violating international sanctions.
In practice, the decision is a business one, made with legal counsel and leadership, and depends on whether viable backups exist and which data was exfiltrated. That is why it must be planned before the crisis, within a tested response plan. When negotiation is unavoidable, it should be conducted by specialists — which we discuss in ransomware negotiation. The golden rule: whoever decides in a panic pays dearly in every sense.
References
- CISA — #StopRansomware and the joint Stop Ransomware Guide (CISA/MS-ISAC).
- ENISA — Threat Landscape, with ransomware among the top threats to the European ecosystem.
- ESET / WeLiveSecurity Brazil — 2025 threat-landscape reports for Latin America.
Conclusion
RaaS has professionalized crime: the adversary has become a market with suppliers, commissions and marketing. The good news is that the method is predictable — and a predictable method is defensible. Companies of any size, from 1 to more than 100,000 employees, drastically reduce risk by cutting off the IABs' credential supply, hardening identity, making backups immutable and rehearsing the response before the incident.
Decripte helps organizations map their exposure, monitor leaked credentials and structure defense and response against ransomware end to end. Start for free with an exposure assessment of your company, or explore our plans for continuous protection and incident response.
