Ransomware-as-a-Service has matured into the dominant business model powering the global ransomware ecosystem. What began as a rudimentary profit-sharing arrangement between malware developers and operators has evolved into a sophisticated, vertically integrated criminal enterprise with specialized roles, formalized recruitment pipelines, tiered affiliate structures, and revenue models that rival legitimate SaaS platforms in their complexity. In 2023, ransomware payments exceeded $1.1 billion globally—a record that underscores both the scale and the resilience of the RaaS model despite sustained law enforcement pressure. This report dissects the RaaS business model across its full operational lifecycle: from the economics that incentivize participation, through the organizational hierarchies that govern operations, to the underground marketplaces that supply the ecosystem with talent and access. We examine the technical differentiation strategies that competing platforms employ, the evolution from single to triple extortion, and the end-to-end supply chain that transforms a $3,000 initial access purchase into a multimillion-dollar ransom demand. Finally, we assess how recent law enforcement operations—Operation Cronos against LockBit, the FBI seizure of ALPHV infrastructure, and the Hive takedown—have altered, but not eliminated, the economic incentives that sustain this model.
The Economics of Ransomware-as-a-Service
Revenue Models
The RaaS ecosystem operates under three primary revenue models, each reflecting different risk-reward profiles and operational maturity levels. The percentage-split model is the most prevalent, employed by the majority of top-tier operations including LockBit, ALPHV/BlackCat, and Black Basta. Under this arrangement, the affiliate who conducts the intrusion, deploys the ransomware, and manages the victim negotiation retains a majority share of the ransom payment—typically 70% to 80%—while the RaaS operator takes 20% to 30% as a platform fee. LockBit's standard split was 80/20 in favor of the affiliate, with the possibility of negotiating more favorable terms (up to 90/10) for high-volume affiliates who consistently generated large payments. ALPHV/BlackCat operated a tiered model: new affiliates started at 80/20, with proven operators earning 85/15 and top performers achieving 90/10 splits.
The flat-fee licensing model is less common but persists in the mid-tier of the ecosystem. Under this structure, an operator purchases a ransomware builder and associated infrastructure for a one-time fee—typically $1,000 to $5,000 for a basic builder, or $10,000 to $25,000 for a premium package that includes admin panel access, negotiation portal hosting, and leak site infrastructure. The operator then retains 100% of ransom proceeds. This model appeals to experienced operators who prefer full autonomy and have the technical capability to manage their own infrastructure, but it also attracts less sophisticated actors who purchase builders without fully understanding operational security requirements. The September 2022 leak of the LockBit 3.0 builder by a disgruntled developer effectively created a free licensing model, spawning dozens of LockBit clones operated by actors with varying levels of competence.
The subscription model represents a more recent evolution, observed in several mid-tier RaaS operations that emerged in 2023 and 2024. Under this structure, affiliates pay a recurring monthly fee—typically $500 to $2,000—for ongoing access to the platform, including builder updates, infrastructure maintenance, and customer support. Some operations combine subscription access with a reduced percentage split (e.g., a $1,000 monthly fee plus a 90/10 split), creating a hybrid model that provides the operator with predictable recurring revenue while still aligning incentives around successful ransom collections.
Total Market Size
Blockchain analysis firm Chainalysis documented over $1.1 billion in ransomware payments flowing to identified ransomware wallets in 2023, marking a record high and nearly doubling the $567 million tracked in 2022. This figure, while substantial, represents a lower bound: it captures only payments that analysts have been able to attribute to known ransomware operations through on-chain analysis. Payments routed through privacy-enhanced cryptocurrencies (Monero), cross-chain bridges, or novel laundering techniques may not appear in these totals. Dark Angel's independent estimates, incorporating incident response data, insurance claim filings, and underground intelligence, suggest that total ransomware payments in 2023 likely fell in the range of $1.5 billion to $2 billion.
The average ransom payment rose significantly through 2023 and into early 2024. Coveware's quarterly data shows the average payment reaching approximately $850,000 in Q4 2023, while the median payment stood at $200,000—a divergence that reflects the increasing prevalence of eight-figure demands against large enterprises alongside a persistent volume of smaller attacks against mid-market targets. The highest confirmed single payment in 2023 exceeded $35 million, attributed to an ALPHV/BlackCat affiliate targeting a major Fortune 500 organization.
Cost Structure: Operators vs. Affiliates
Operating a competitive RaaS platform requires substantial ongoing investment. Operator costs include core developer salaries (estimated at $150,000–$300,000 per year for senior malware developers, based on underground forum recruitment posts), infrastructure hosting across multiple redundant Tor hidden services ($2,000–$5,000 monthly for bulletproof hosting), continuous development of evasion capabilities to counter EDR/XDR solutions, leak site maintenance, negotiation portal development, and operational security measures including cryptocurrency tumbling for operator-side revenue. The LockBit backend database seized during Operation Cronos revealed that the operation had collected approximately $120 million in total ransom payments from over 2,500 victims, of which the operator retained approximately 20%—roughly $24 million in gross revenue over a four-year operational period, before accounting for operational costs.
Affiliate costs are more variable but typically include initial access acquisition ($1,000–$10,000 per corporate target, purchased from Initial Access Brokers), VPN and proxy infrastructure for operational security ($100–$500 monthly), tooling licenses (Cobalt Strike licenses sell for $3,500–$5,000 on underground markets; cracked versions are cheaper but carry their own risks), and time investment for network reconnaissance, privilege escalation, and data exfiltration. A high-performing affiliate operating at scale might invest $20,000–$50,000 per month in operational expenses across multiple simultaneous intrusions, with the expectation of generating $200,000–$1,000,000 or more in monthly revenue from successful operations.
When unit economics are fully accounted for, a mid-tier RaaS affiliate operating with a 70–80% revenue share can achieve profit margins of 60–85% on successful operations. However, not all intrusions result in payment. Industry data suggests that only 30–40% of ransomware victims ultimately pay, meaning affiliates must factor failed operations into their cost basis. At scale, the most successful affiliates treat this as a volume business—conducting 5–15 intrusions simultaneously and expecting a subset to convert to payment.
RaaS Organizational Models
Developer/Operator Core Team
The core team of a mature RaaS operation typically comprises 5 to 15 individuals, organized around specialized functional roles. The lead developer (or a small development team of 2–4 engineers) is responsible for the ransomware payload itself—encryption routines, evasion capabilities, builder configuration options, and ongoing updates to counter new security controls. This role requires deep expertise in systems programming (C, C++, Rust), cryptographic implementation, and Windows/Linux internals. The infrastructure administrator manages the operation's Tor hidden services, command-and-control infrastructure, negotiation portals, and data leak sites, maintaining uptime and implementing redundancy to resist law enforcement takedowns. The operations manager (often the public-facing administrator, such as LockBitSupp for LockBit or "Ramp" for ALPHV) handles strategic direction, affiliate recruitment, dispute resolution, public relations on underground forums, and financial management. Some mature operations also employ dedicated QA testers who validate new payload versions against current AV/EDR solutions before release, and web developers who build and maintain negotiation and leak site interfaces.
Affiliate Tiers and Vetting
Top-tier RaaS operations implement formalized vetting processes for prospective affiliates, recognizing that indiscriminate recruitment introduces both operational security risks and brand damage. LockBit, prior to Operation Cronos, operated a three-tier affiliate system. Tier 1 affiliates were experienced operators with established reputations on underground forums, existing relationships with the LockBit team, or verifiable track records of successful ransomware deployments with other operations. These affiliates received the most favorable revenue splits (up to 90/10), priority technical support, and early access to new payload features. Tier 2 affiliates were operators with demonstrable technical capability but less established reputations; they received standard terms (80/20) and were expected to build a track record before advancing. Tier 3 affiliates were newer operators accepted on a provisional basis, sometimes with more restrictive terms (75/25 or even 70/30), mandatory use of the operation's data exfiltration tools, and closer monitoring by the core team.
ALPHV/BlackCat was notably more selective, reportedly maintaining a smaller affiliate pool of 30–60 active operators at any given time (compared to LockBit's 100+). Prospective ALPHV affiliates were required to demonstrate prior ransomware experience, often by providing evidence of previous successful operations (screenshots of admin panels, negotiation transcripts, or blockchain addresses showing received payments). The operation's use of Rust for its payload also created a natural filter: affiliates needed sufficient technical sophistication to operate a more complex toolchain than the typical C/C++ Windows-only ransomware.
Negotiation Specialists
As the RaaS ecosystem has matured, a distinct role has emerged for negotiation specialists—individuals or small teams who handle the victim-facing communication after encryption and data theft have been completed. These specialists are skilled in pressure tactics, corporate communication norms, and calibrating demands to the victim's perceived ability to pay. Some RaaS operations employ in-house negotiators; others allow affiliates to handle negotiations directly, with negotiation playbooks and scripts provided as part of the affiliate package. Analysis of leaked negotiation transcripts from Conti, LockBit, and ALPHV reveals a consistent methodology: an initial demand calibrated at 1–5% of the victim's estimated annual revenue, followed by scripted escalation including countdown timers, selective data leaks to demonstrate possession of sensitive material, and final "deadline discounts" of 20–40% designed to create urgency. The professionalization of negotiation is a key differentiator between top-tier and mid-tier RaaS operations, with the most sophisticated groups achieving payment rates 15–20 percentage points higher than less organized competitors.
Money Laundering Networks
Converting cryptocurrency ransom payments into usable funds represents a critical bottleneck in the RaaS supply chain, and one where the ecosystem has developed increasingly sophisticated solutions. The primary laundering mechanisms observed in 2023–2024 include cryptocurrency mixing services (ChipMixer, prior to its March 2023 seizure; Sinbad, prior to its November 2023 seizure; and various smaller mixing services), decentralized exchanges (DEXs) that do not implement KYC requirements (particularly cross-chain swap protocols that convert Bitcoin to Monero or other privacy-enhanced currencies), sanctioned centralized exchanges (notably Garantex, designated by OFAC in April 2022 but continuing operations from Moscow), and over-the-counter (OTC) brokers operating in jurisdictions with minimal cryptocurrency regulation. Increasingly, ransomware operators demand payment in Monero rather than Bitcoin; LockBit, for example, offered a discounted ransom amount (typically 10–20% lower) to victims who paid in Monero rather than Bitcoin.
RaaS Platform Comparison
| Attribute | LockBit 3.0 | Black Basta | ALPHV/BlackCat |
|---|---|---|---|
| Active Period | Jun 2022 – Feb 2024 (disrupted) | Apr 2022 – present | Nov 2021 – Mar 2024 (exit scam) |
| Revenue Split | 80/20 standard; up to 90/10 for top performers | Closed group; profit-sharing among core members | 80/20 to 90/10 tiered by performance |
| Est. Affiliate Count | 100–150+ active at peak | 12–20 core operators (closed model) | 30–60 active at peak |
| Vetting Process | Forum reputation + interview; relatively open | Invitation-only; ex-Conti members preferred | Prior ransomware experience required; technical interview |
| Geographic Restrictions | CIS countries excluded (system language check) | CIS excluded; selective targeting of Western corporations | CIS excluded; hospital/critical infra discouraged |
| Payload Language | C/C++ (BlackMatter-derived) | C++ (custom); some QakBot integration | Rust (cross-platform: Windows, Linux, ESXi) |
| Key Differentiator | Speed, brand recognition, volume-oriented | Operational security; Conti-derived tradecraft | Cross-platform Rust payload; selective targeting |
| Estimated Total Revenue | $120M+ (per Operation Cronos data) | $100M+ (Dark Angel estimate) | $300M+ (per FBI estimate) |
Affiliate Recruitment and the Underground Economy
Forum Recruitment
The primary recruitment channels for RaaS affiliates are a small number of established Russian-language cybercriminal forums. RAMP (Ransom Anon Market Place), which emerged in 2021 specifically as a marketplace for ransomware-related services, serves as the most prominent recruitment venue. RAMP's administrator explicitly designed the forum to fill the gap left when XSS and Exploit banned ransomware advertising in mid-2021 following the Colonial Pipeline attack's geopolitical fallout. Despite the ban, RaaS recruitment on XSS and Exploit continues through oblique advertisements ("seeking pentesters for red team engagements"), private messaging, and referral networks. Forum threads advertising affiliate positions typically include: the payload's AV evasion capabilities (often demonstrated with recent VirusTotal scan results showing zero or near-zero detection), the revenue split terms, available target geographies, platform features (admin panel screenshots, builder options), and contact methods (typically Tox or Jabber with OTR encryption).
Affiliate Requirements and Vetting
Established RaaS operations have codified their affiliate requirements with increasing specificity. Typical prerequisites include a demonstrable history of successful network intrusions (forum reputation, vouches from existing affiliates, or evidence of prior operations), proficiency with standard post-exploitation frameworks (Cobalt Strike, Sliver, Brute Ratel C4), experience with Active Directory environments and domain-level privilege escalation, familiarity with data exfiltration methodologies and tooling, operational security awareness (use of Tor, VPNs, and anonymization techniques), and a financial deposit or escrow arrangement ($1,000–$10,000) that serves both as a commitment mechanism and insurance against affiliate-side fraud. Some operations also require affiliates to demonstrate the ability to handle victim negotiations, though others provide this as a centralized service.
Non-CIS Targeting Rules
Nearly every Russian-language RaaS operation enforces a strict prohibition on targeting organizations within the Commonwealth of Independent States (CIS)—Russia, Belarus, Kazakhstan, Armenia, Azerbaijan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, and Uzbekistan. This prohibition is implemented both as a contractual requirement (violation results in immediate termination and forfeiture of pending payments) and as a technical control (ransomware payloads typically check the system's keyboard layout, locale settings, and language configuration; if a CIS language is detected, the payload terminates without encrypting). The non-CIS rule serves multiple strategic purposes: it reduces the risk of attracting domestic law enforcement attention, it aligns with an implicit understanding that Russian cybercriminals operating against foreign targets face minimal domestic prosecution risk, and it functions as a signaling mechanism within the underground community establishing the operation's jurisdiction awareness.
Reputation Systems and Escrow
The cybercriminal underground has developed reputation and dispute resolution mechanisms that parallel legitimate marketplace platforms. Forum-based reputation systems allow buyers and sellers to rate transaction quality. More critically for RaaS operations, escrow services administered by forum moderators provide a trust mechanism for high-value transactions. When an affiliate joins a new RaaS operation, initial payments may be held in forum-administered escrow until both parties confirm satisfactory completion. This mechanism protects affiliates against operators who might withhold payment (an increasingly real concern following ALPHV's 2024 exit scam), and protects operators against affiliates who might fail to remit the operator's share. The arbitration process for disputes is handled by forum administrators, whose decisions are enforced through reputation consequences—a finding against an operator can destroy their ability to recruit affiliates across the ecosystem.
Technical Differentiation Between RaaS Platforms
Builder Customization Options
The builder—the tool that generates customized ransomware payloads for each affiliate or campaign—is a central competitive differentiator between RaaS platforms. Modern builders provide a GUI or command-line interface that allows affiliates to configure: target operating systems (Windows, Linux, ESXi, NAS devices), encryption modes (full, partial, intermittent), file extension targeting or exclusion lists, ransom note content and formatting, embedded cryptocurrency wallet addresses for payment, process and service kill lists (to terminate security software, database engines, and backup agents before encryption), network propagation settings (SMB self-spreading, Group Policy deployment, PsExec-based lateral distribution), and safe mode boot options (rebooting targets into Windows Safe Mode with Networking to bypass endpoint protection before encrypting). The leaked LockBit 3.0 builder exposed the full range of these configurability options to public analysis, revealing approximately 40 distinct build-time parameters. ALPHV/BlackCat's Rust-based builder added cross-compilation capabilities, generating payloads for Windows, Linux, and VMware ESXi from a single codebase.
Admin Panel Features
The affiliate admin panel serves as the operational command center for RaaS operations. Mature platforms provide web-based dashboards (accessible via Tor) that display: real-time victim status (encrypted, negotiating, paid, declined), victim organization details (automatically gathered company information, estimated revenue, employee count), negotiation chat interfaces with message templates and scripted responses, payment tracking with blockchain transaction monitoring, a file browser for exfiltrated data with selective publication controls, and campaign analytics including encryption success rates, payment conversion rates, and average time to payment. LockBit's admin panel, documented through Operation Cronos disclosures, included a built-in "auction" feature allowing affiliates to sell stolen data directly if the victim declined to pay, and an automated victim company identification system that attempted to determine the organization's identity and revenue from the encrypted network's artifacts.
Payment Portal and Negotiation Infrastructure
Victim-facing negotiation portals have evolved from simple text-based chat interfaces into professional web applications designed to project competence and create psychological pressure. Standard features include a unique victim identifier and login system (typically a key embedded in the ransom note), a countdown timer to data publication (usually set at 72 to 168 hours), a live chat interface staffed by negotiators, cryptocurrency payment instructions with QR codes and address verification, a file browser showing a sample of stolen data as proof of exfiltration, and automated payment confirmation with decryptor delivery. The sophistication of these portals varies significantly. LockBit's portal was notable for its multilingual support and relatively professional design, while some mid-tier operations deploy minimally functional interfaces that undermine victim confidence in the operator's ability to actually deliver working decryptors.
Leak Site Operations
Data leak sites (DLS) serve dual purposes: they function as a coercive mechanism against current victims and as a branding/recruitment tool demonstrating operational capability. The most effective leak sites are structured similarly to corporate news portals, with victim entries organized by date, sector, and country. LockBit's DLS at its peak maintained over 2,500 victim entries. Each entry typically progresses through stages: an initial countdown timer with the victim's name and a sample of stolen data, followed by full data publication if payment is not received. Some operations, including ALPHV and LockBit, implemented search functionality within their leak sites, allowing anyone to search published data by keyword—a feature designed to increase pressure on victims whose customers, employees, or partners might discover their data in leaked materials. The operational challenge of maintaining leak sites is significant: hosting terabytes of stolen data on Tor hidden services requires substantial infrastructure, and law enforcement takedowns specifically target these sites as they represent the operation's public face and primary extortion leverage.
The Double/Triple Extortion Evolution
From Single to Multi-Vector Extortion
The ransomware extortion model has undergone three distinct evolutionary phases, each adding additional pressure vectors to increase the probability and magnitude of payment. Single extortion (the original model, dominant until 2019) relied solely on encryption: the victim's data was encrypted, and payment was demanded in exchange for a decryption key. This model's effectiveness was progressively undermined by improvements in backup strategies, with organizations increasingly able to restore from offline backups and avoid payment.
Double extortion, pioneered by the Maze operation in late 2019 and rapidly adopted across the ecosystem by mid-2020, added data theft as a second lever. Before deploying encryption, affiliates exfiltrate sensitive data and threaten to publish it on a leak site if the victim does not pay. This fundamentally changed the calculus for victims: even organizations with perfect backup strategies now faced the prospect of regulatory penalties (GDPR, CCPA), reputational damage, competitive harm, and litigation from exposed customers or employees. By 2023, Dark Angel's incident response data showed that approximately 85% of all ransomware incidents involved data exfiltration alongside encryption, making double extortion the standard operating model rather than an exception.
Triple extortion extends the pressure through additional vectors: DDoS attacks against the victim's public-facing infrastructure, direct contact with the victim's customers, partners, or employees to notify them of the data breach (creating external pressure on the victim to resolve the situation), regulatory complaints (submitting breach notifications to data protection authorities on behalf of the victim), and short-selling or other financial market manipulation using stolen financial data before public disclosure. These additional vectors are deployed selectively, typically against high-value victims who have declined initial demands or are progressing slowly in negotiations.
Data-Only Extortion
A notable trend observed in 2023–2024 is the rise of data-only extortion operations that steal sensitive data without deploying encryption. Groups including Karakurt (linked to the former Conti syndicate), Lapsus$, and several ALPHV affiliates have conducted operations focused exclusively on data theft and extortion, bypassing the encryption step entirely. This approach offers several operational advantages: it avoids triggering the behavioral detections that EDR solutions use to identify encryption activity, it reduces the operational complexity and time-on-target required, it eliminates the risk of encryption failures that can damage an operation's reputation, and it avoids the legal ambiguity in some jurisdictions about whether data-only extortion constitutes a "ransomware attack" for insurance and regulatory purposes. The economics of data-only extortion differ from traditional ransomware: demands are typically lower (averaging $300,000–$700,000 versus $800,000+ for double extortion), but payment rates may be higher because victims cannot rely on backups as an alternative to payment.
Victim Negotiation Dynamics
Ransomware negotiations follow recognizable patterns that have become increasingly formalized. Initial demands are calibrated to the victim's perceived ability to pay, typically set at 1–5% of estimated annual revenue. Professional negotiation teams—either internal to the RaaS operation or engaged by the victim (incident response firms, specialized negotiation consultancies, insurance-appointed responders)—engage in a structured dialogue that typically lasts 3 to 14 days. Analysis of over 400 negotiation transcripts reviewed by Dark Angel reveals that the final payment amount averages 20–40% of the initial demand. Operators employ several leverage mechanisms during negotiations: time-limited discounts ("pay within 48 hours for a 30% reduction"), selective data publication (releasing a small sample of particularly sensitive data to demonstrate possession), and threat escalation (announcing the victim on the leak site while negotiations are ongoing). The presence of a skilled negotiator on the victim's side consistently correlates with lower final payments and longer negotiation timelines, suggesting that the investment in professional negotiation support is economically rational for most victim organizations.
Supply Chain: From Access Broker to Ransom Payment
Initial Access Brokers
Initial Access Brokers (IABs) represent the critical upstream supply chain for the RaaS ecosystem. These specialized actors focus exclusively on gaining initial access to corporate networks—through exploitation of public-facing vulnerabilities, credential theft, phishing, or social engineering—and then selling that access to downstream buyers, primarily ransomware affiliates. The IAB marketplace has expanded dramatically since 2020, with Dark Angel tracking over 3,500 unique access listings across major underground forums and marketplaces in 2023 alone, representing a 40% year-over-year increase.
Access is sold through several channels: direct listings on underground forums (XSS, Exploit, RAMP), private Telegram channels, and dedicated access marketplaces. Listings specify the type of access (RDP, VPN, Citrix, web shell, domain admin credentials), the victim's estimated revenue (a key pricing factor), the victim's industry and country, and the number of endpoints or servers visible from the access point. Pricing follows a rough formula tied primarily to the victim's estimated annual revenue and the access quality.
| Access Type | Typical Price |
|---|---|
| Standard RDP/VPN access to a mid-market company ($50M–$500M revenue) | $1,000–$5,000 |
| Domain administrator access to a large enterprise ($1B+ revenue) | $5,000–$30,000 |
| Active Directory access with replication rights | $10,000–$50,000 |
| Access to managed service providers (MSPs) with downstream customer reach | $20,000–$100,000+ |
| Average across all listings monitored | approximately $3,800 |
Botnet Operators as Feeders
Botnet operations serve as a large-scale upstream feeder for the IAB market and, by extension, the ransomware ecosystem. Operations such as QakBot (prior to its August 2023 takedown), IcedID/BokBot, Emotet (prior to its January 2021 takedown and subsequent revival), and Pikabot maintain persistent implants on tens of thousands of infected systems, including corporate endpoints. Botnet operators monetize these infections through multiple channels, including banking trojan functionality, credential harvesting, and—most lucratively—selling access to infected corporate networks for ransomware deployment. The relationship between botnet operators and ransomware affiliates ranges from ad-hoc marketplace transactions to formalized partnerships. Conti's leaked internal communications revealed dedicated arrangements with Emotet and TrickBot operators who provided a steady stream of corporate access at preferential rates. Black Basta is widely assessed to have maintained a similar relationship with QakBot operators prior to the latter's takedown.
End-to-End Timeline
The full supply chain from initial access acquisition to ransom payment typically spans 10 to 30 days, though the timeline varies significantly based on the affiliate's experience, the target's security posture, and the complexity of the environment. A representative timeline for a mature affiliate operation proceeds as follows: Day 0—affiliate purchases access from an IAB or receives access from a botnet partnership. Days 1–3—initial reconnaissance of the compromised network, deployment of persistent C2 implant (Cobalt Strike beacon, Sliver, or Brute Ratel), and identification of Active Directory structure. Days 3–7—privilege escalation to domain administrator, mapping of backup infrastructure, identification of high-value data stores, and deployment of data exfiltration tooling. Days 7–12—data exfiltration to affiliate-controlled infrastructure (typically 100 GB to 5 TB, depending on target size and data sensitivity). Days 12–14—deployment of ransomware payload, typically during a weekend or holiday to maximize impact and minimize response time. Days 14–28—victim negotiation and payment. The median dwell time (time from initial access to ransomware deployment) tracked across Dark Angel's incident response engagements was 8 days in 2023, down from 12 days in 2022, reflecting the increasing efficiency of affiliate operations.
Law Enforcement Impact on RaaS Business Models
Operation Cronos: LockBit
The February 2024 multinational law enforcement action against LockBit, designated Operation Cronos, represented the most comprehensive disruption of a RaaS operation to date. Led by the UK's National Crime Agency with participation from the FBI, Europol, and agencies from nine additional countries, the operation seized 34 LockBit servers, obtained the backend database containing affiliate and victim records, arrested two LockBit affiliates (in Poland and Ukraine), unsealed indictments against five additional individuals (including two Russian nationals), and deployed a "seizure splash page" on LockBit's former Tor sites that systematically released internal data over several days. Critically, law enforcement obtained and published over 7,000 LockBit decryption keys, enabling past victims to recover data without payment. The operation also identified "LockBitSupp" as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, who was subsequently sanctioned by the US, UK, and Australia.
The operational impact was significant but not fatal. LockBit re-established infrastructure within days of the takedown, but affiliate confidence was severely damaged. The exposure of affiliate identifiers, payment records, and negotiation logs created profound trust concerns throughout the ecosystem. Dark Angel's tracking shows LockBit's post-Cronos victim count declined approximately 70% relative to the pre-Cronos pace, with many former affiliates migrating to rival platforms—predominantly RansomHub, which emerged in February 2024 and explicitly marketed itself to displaced LockBit and ALPHV affiliates.
ALPHV Exit Scam Post-FBI Seizure
ALPHV/BlackCat's demise followed a different pattern that exposed a fundamental vulnerability in the RaaS trust model. In December 2023, the FBI seized ALPHV's primary Tor infrastructure and published a decryption tool. Unlike LockBit, ALPHV's core team chose not to rebuild the operation in good faith. Instead, in March 2024, following a $22 million ransom payment from Change Healthcare, ALPHV's administrators posted a fraudulent FBI seizure notice on their own site and absconded with the full payment—failing to remit the affiliate's share. The affiliate, identified on forums as "Notchy," publicly accused ALPHV of theft on RAMP, providing blockchain evidence that the $22 million had been moved to wallets controlled by the operators. This exit scam sent shockwaves through the RaaS ecosystem, fundamentally undermining trust in the operator-affiliate relationship and accelerating the trend toward more decentralized operational models where affiliates retain greater control over payment infrastructure.
Hive Takedown
The January 2023 FBI takedown of the Hive ransomware operation demonstrated the potential for covert law enforcement access to disrupt RaaS operations from within. The FBI had maintained clandestine access to Hive's backend infrastructure for approximately seven months prior to the public takedown, during which agents provided decryption keys to over 300 victims, preventing an estimated $130 million in ransom payments. This approach—prioritizing victim assistance over immediate disruption—represented a strategic evolution in law enforcement methodology and created a persistent paranoia among RaaS operators about potential law enforcement infiltration of their infrastructure. Post-Hive, several operations implemented enhanced infrastructure security measures, including multi-factor authentication for admin panel access, infrastructure compartmentalization to limit the impact of any single compromise, and code audits of backend systems.
Adaptation Strategies
The RaaS ecosystem has demonstrated remarkable resilience in adapting to law enforcement pressure. Key adaptation strategies include:
- Infrastructure decentralization: distributing backend components across more servers in more jurisdictions to resist single-point takedowns.
- Affiliate autonomy: providing affiliates with standalone builder tools that can operate independently of central infrastructure.
- Rapid rebranding: operators shutting down and relaunching under new names while retaining the same codebase and affiliate network, as seen in the DarkSide→BlackMatter→ALPHV lineage.
- Source code sharing: releasing builders publicly upon shutdown to ensure the codebase survives even if the operation does not, as Conti and LockBit's leaked builders have done.
- Jurisdictional arbitrage: operating from countries with no cybercrime treaties and no history of cooperating with Western law enforcement on cybercriminal extradition.
The net effect is that while individual operations can be disrupted, the RaaS model itself has proven remarkably durable—new operations consistently emerge to absorb displaced affiliates and maintain the overall volume of ransomware activity.
Defensive Recommendations
Based on the structural analysis of the RaaS business model presented in this report, Dark Angel recommends the following defensive priorities for organizations seeking to reduce their exposure to ransomware operations.
- Eliminate the IAB attack surface. The RaaS supply chain begins with initial access. Prioritize continuous external attack surface management: patch internet-facing systems within 48 hours for critical vulnerabilities (especially VPN appliances, email gateways, and web servers), enforce multi-factor authentication on all remote access points, and deploy credential monitoring to detect compromised employee passwords appearing on underground markets before they are sold to IABs.
- Detect pre-ransomware activity, not ransomware. By the time encryption begins, the operation has already succeeded. Focus detection engineering on the 7–14 day window between initial access and encryption: unauthorized service account usage, anomalous LDAP queries (indicative of AD reconnaissance), mass archive file creation (staging for exfiltration), Rclone or MEGAsync execution, and Cobalt Strike/Sliver beacon patterns. These are the activities that consistently precede ransomware deployment across all RaaS platforms.
- Implement data exfiltration controls. Double extortion renders backups insufficient. Deploy egress monitoring to detect and block bulk data transfers. Baseline normal outbound data volumes and alert on deviations. Block or restrict access to cloud storage services (Mega.nz, file.io, transfer.sh) from endpoints and servers where such services are not business-required. Segment sensitive data stores to limit the blast radius of a successful intrusion.
- Harden Active Directory as a tier-zero asset. Every RaaS affiliate's playbook centers on reaching domain admin. Implement tiered administration, deploy LAPS for local admin passwords, monitor for Kerberoasting and DCSync attacks, restrict GPO modification rights, and audit service account permissions quarterly. Consider deploying an Active Directory threat detection solution that provides real-time alerting on AD-specific attack techniques.
- Establish pre-incident negotiation readiness. If a ransomware incident occurs, the organization's negotiation posture in the first 24–48 hours significantly impacts the outcome. Pre-establish relationships with qualified incident response firms and ransomware negotiation specialists. Understand your organization's insurance coverage and its implications for ransom payment decisions. Conduct tabletop exercises that include negotiation simulation scenarios.
- Monitor the underground for organizational exposure. Implement continuous monitoring for your organization's credentials, access listings, and mentions on underground forums and marketplaces. An access listing appearing on RAMP or Exploit for your organization's VPN represents a near-certain precursor to a ransomware attack within 30 to 90 days. Early detection of such listings can enable preemptive remediation before the access is sold to a ransomware affiliate.
- Maintain offline, immutable backups with tested recovery procedures. While double extortion has diminished the standalone effectiveness of backups as a ransomware countermeasure, robust backups remain essential for operational recovery. Implement 3-2-1 backup strategies with at least one immutable, air-gapped copy. Test restoration procedures quarterly, including full-environment rebuilds from backup. Encrypt backup data to prevent ransomware operators from using stolen backup data as additional extortion leverage.
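The detection, exfiltration-control and Active Directory recommendations above describe indicators without showing how they are evaluated against telemetry. The following script is an added example, not code from the report or from Dark Angel: it runs simple threshold rules over constructed sample events in an assumed, simplified JSON-lines schema (real EDR and SIEM schemas differ) and flags exfiltration tooling execution, mass archive creation, LDAP reconnaissance bursts, outbound volume deviating from a per-host baseline, and a Kerberoasting-style burst of RC4 service ticket requests (Windows event 4769, encryption type 0x17). Tool image names, thresholds and the baseline values are assumptions for illustration.

```python
"""Added example: triage of pre-ransomware indicators over sample telemetry.

Not code from the report. The event schema is a constructed JSON-lines
format (assumption); thresholds and baselines are illustrative.
"""
import json
from collections import Counter, defaultdict

# Assumed thresholds; tune per environment and per detection window.
ARCHIVE_THRESHOLD = 20        # archive files created by one process on one host
LDAP_THRESHOLD = 50           # LDAP queries issued from one host
EGRESS_MULTIPLIER = 3.0       # outbound bytes relative to the host baseline
KERBEROAST_THRESHOLD = 10     # distinct SPNs requested with RC4 by one account

# Assumed image names for the exfiltration tools named in the recommendations.
EXFIL_TOOLS = {"rclone.exe", "rclone", "megasync.exe"}
ARCHIVE_EXTS = (".zip", ".7z", ".rar")

# Constructed per-host baseline of normal outbound bytes per period (assumption).
EGRESS_BASELINE = {"fs01": 2_000_000_000, "ws-042": 200_000_000}

# Constructed sample events: one host staging archives and pushing bulk data,
# one workstation running rclone and hammering LDAP, one account Kerberoasting.
SAMPLE_EVENTS = (
    [{"type": "process", "host": "ws-042", "user": "svc_backup",
      "image": "rclone.exe", "cmdline": "rclone.exe copy D:\\Finance mega:dump"}]
    + [{"type": "file", "host": "fs01", "image": "7z.exe",
        "path": f"C:\\Temp\\part{i}.7z"} for i in range(25)]
    + [{"type": "ldap", "host": "ws-042",
        "filter": "(servicePrincipalName=*)"} for _ in range(60)]
    + [{"type": "netflow", "host": "fs01", "bytes_out": 3_000_000_000},
       {"type": "netflow", "host": "fs01", "bytes_out": 4_500_000_000},
       {"type": "netflow", "host": "ws-042", "bytes_out": 150_000_000}]
    + [{"type": "kerberos", "event_id": 4769, "account": "jdoe",
        "service": f"svc{i}", "enc_type": "0x17"} for i in range(12)]
)


def parse_jsonl(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, subject, detail) alerts for the pre-encryption indicators."""
    alerts = []
    archives = Counter()            # (host, image) -> archive files created
    ldap = Counter()                # host -> LDAP query count
    egress = Counter()              # host -> outbound bytes
    rc4_spns = defaultdict(set)     # account -> SPNs requested with RC4 tickets

    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            if ev.get("image", "").lower() in EXFIL_TOOLS:
                alerts.append(("exfil_tooling", f'{ev["host"]}/{ev.get("user", "?")}',
                               ev.get("cmdline", "")))
        elif kind == "file":
            if ev.get("path", "").lower().endswith(ARCHIVE_EXTS):
                archives[(ev["host"], ev.get("image", "?"))] += 1
        elif kind == "ldap":
            ldap[ev["host"]] += 1
        elif kind == "netflow":
            egress[ev["host"]] += int(ev.get("bytes_out", 0))
        elif kind == "kerberos" and ev.get("event_id") == 4769 \
                and ev.get("enc_type") == "0x17":
            rc4_spns[ev["account"]].add(ev["service"])

    for (host, image), n in archives.items():
        if n >= ARCHIVE_THRESHOLD:
            alerts.append(("mass_archive_creation", f"{host}/{image}", f"{n} archives"))
    for host, n in ldap.items():
        if n >= LDAP_THRESHOLD:
            alerts.append(("ldap_recon_burst", host, f"{n} queries"))
    for host, total in egress.items():
        base = EGRESS_BASELINE.get(host)
        if base and total >= EGRESS_MULTIPLIER * base:
            alerts.append(("bulk_egress", host, f"{total} bytes vs baseline {base}"))
    for account, spns in rc4_spns.items():
        if len(spns) >= KERBEROAST_THRESHOLD:
            alerts.append(("kerberoast_pattern", account, f"{len(spns)} RC4 TGS requests"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {subject:20} {detail}")
```

The rules deliberately aggregate per host or per account rather than firing on single events, because each indicator is only meaningful as a burst or a deviation from baseline; in production the same counters would be computed over a sliding window by the SIEM rather than over a whole batch.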
Methodology
This report is based on data collected and analyzed by Dark Angel's research team using the following sources and methodologies.
Incident Response Data: Analysis of 520 ransomware engagements conducted or supported by Dark Angel between January 2022 and March 2025, spanning 14 distinct RaaS operations. Data includes TTP documentation, dwell time analysis, ransom demand calibration, payment outcomes, and negotiation dynamics. All organizational data has been anonymized and aggregated.
Negotiation Transcript Analysis: Review of over 400 ransomware negotiation transcripts obtained through incident response engagements and underground intelligence sources. Transcripts span LockBit, ALPHV, Black Basta, Royal/BlackSuit, Akira, and eight additional operations. Analysis focuses on demand calibration, discount patterns, escalation tactics, and payment outcomes.
Underground Forum Intelligence: Continuous monitoring of Russian-language cybercriminal forums (XSS, Exploit, RAMP) and Telegram channels for RaaS recruitment activity, affiliate discussions, IAB listings, and ecosystem dynamics. Monitoring period covers January 2021 through March 2025.
Blockchain Analysis: On-chain analysis of identified ransomware payment addresses across Bitcoin and Monero blockchains, conducted in partnership with blockchain analytics providers. Data includes payment volumes, laundering pathways, and exchange interactions.
Data Leak Site Monitoring: Automated and manual monitoring of 45 active ransomware data leak sites, with historical data extending to over 120 current and defunct DLS domains. Monitoring includes victim posting rates, data publication patterns, and site infrastructure analysis.
Confidence Assessment: This report uses the Admiralty system for confidence grading. Economic estimates and organizational model descriptions carry moderate-to-high confidence based on multiple corroborating sources. Specific revenue figures carry moderate confidence due to inherent limitations in payment visibility. Forward-looking assessments regarding ecosystem evolution carry low-to-moderate confidence and represent analytical judgments informed by observed trends.
Related Reports
- LockBit: A Complete Threat Intelligence Profile — Comprehensive dossier on the LockBit operation covering its evolution, affiliate model, Operation Cronos disruption, and current operational status.
- Double Extortion: Data Theft and Leak Site Operations — Technical analysis of data exfiltration methodologies, leak site infrastructure, and the evolving economics of data-based extortion.
- The State of Ransomware 2025 — Annual overview of the ransomware ecosystem covering major groups, victim analysis, payment trends, and evolving TTPs.
Need RaaS Intelligence for Your Organization?
Dark Angel provides continuous ransomware ecosystem monitoring, affiliate tracking, underground market intelligence, and tailored threat briefings for European enterprises.