If you want to understand why ransomware has been so hard to stamp out, you have to understand its business model. Ransomware-as-a-Service (RaaS) is the reason a single brand like LockBit could claim thousands of victims across dozens of countries while its core team numbered perhaps a few dozen people. RaaS is not a piece of software; it is a way of organising criminal labour, and it has done for cybercrime roughly what franchising did for fast food.
The basic structure
A RaaS operation has two layers:
- The operators (sometimes called the "core team"). They develop and maintain the ransomware itself and everything around it: the encryptor, the data-leak site, the negotiation portal, the affiliate panel. They handle infrastructure, branding, PR, and money laundering. They are the platform.
- The affiliates. Independent intruders who use the operator’s malware to attack victims. They handle initial access, lateral movement, data theft, and the actual encryption. In exchange they keep most of the ransom, typically 70 to 80 percent, and pay the rest to the operator as a "platform fee."
This division of labour is the central innovation. It lets the operators stay relatively small and focused on engineering, while letting any reasonably capable network intruder rent best-in-class crimeware without writing it themselves.
The affiliate panel
Mature RaaS operations look unsettlingly like SaaS businesses. Affiliates log into a web panel, where they can:
- Generate signed builds of the encryptor for specific targets and platforms (Windows, Linux, ESXi).
- Manage active negotiations through a chat interface.
- Track payments and revenue splits.
- Submit stolen data to the leak site.
- Read documentation, FAQs, and "best practices."
- Open support tickets when something does not work.
The panel is the product. The encryptor is just one feature.
The supporting cast
Around the operators and affiliates there is a wider ecosystem of specialists:
- Initial Access Brokers (IABs) sell ready-made footholds (domain admin on a $50 million company for $5,000, for example) on Russian-language forums like Exploit and XSS. Many affiliates buy access rather than gaining it themselves.
- Negotiators are sometimes outsourced. Some operators provide them as a service; some affiliates hire their own. They are often skilled at corporate communications and English-language pressure.
- Money launderers convert ransom proceeds into clean fiat. This involves cryptocurrency mixers, chain-hopping, OTC desks in friendly jurisdictions, and increasingly cross-chain bridges.
- Crypters and pen-testers are sometimes hired to evade specific EDR products before a campaign begins.
- Recruiters post on forums advertising new affiliate programs, citing payment percentages, prohibited targets, and example ransoms paid.
The rules
Most major RaaS operations publish "rules of the road" for affiliates. They are revealing both about how the business runs and about the politics of the underground. Common prohibitions include:
- No targeting of hospitals or healthcare (often violated in practice).
- No targeting of CIS countries (Russia, Belarus, Kazakhstan, etc.); language and locale checks in the malware enforce this.
- No targeting of critical infrastructure in the US after the Colonial Pipeline incident in 2021 (also frequently violated).
- No public discussion of operational details outside the affiliate panel.
Affiliates who break the rules can be banned and have their funds withheld. Affiliates who scam the operators, running off with ransoms without paying the platform cut, can be doxed back to the wider underground. RaaS has, in other words, an internal compliance regime.
The economics
The numbers, where they have been observed in court documents, leaks, and chain analysis, are stark:
- A successful enterprise ransom averages in the low millions of dollars, with outliers in the tens of millions.
- A productive affiliate can run several intrusions a month.
- The operator’s 20–30% cut on a high-volume program produces tens to hundreds of millions of dollars annually.
- Margins are extraordinary: operating costs are dominated by infrastructure, salaries, and laundering fees, all of which scale slowly while revenue grows with affiliate count.
The ContiLeaks of 2022 exposed the internal accounting of a top-tier operation: structured salaries, HR functions, a dedicated R&D team, "employee of the month" awards, and discussions about purchasing zero-days and recruiting penetration testers. It looked like a tech startup, because in many of its operational habits, it was one.
Why RaaS has been hard to break
Three properties make RaaS resilient:
- Decoupling. Arresting affiliates does not kill the operator. Seizing the operator’s infrastructure does not kill the affiliates, who can switch brands. Each layer has to be hit, and ideally simultaneously.
- Rebranding. When a brand becomes too radioactive, through law-enforcement attention, sanctions, or public outcry, the operators rebrand. Maze became Egregor. DarkSide became BlackMatter. Conti spawned Black Basta, BlackByte, Royal, and Karakurt. The infrastructure is rebuilt; the people are mostly the same.
- Jurisdictional sanctuary. Most major operators are based in Russia or its near abroad, where they are effectively immune from Western prosecution provided they avoid Russian-language victims. The geopolitical incentives that allow this have not changed.
What recent disruptions have shown
Operation Cronos (LockBit, 2024), the FBI’s Hive infiltration (2023), and the apparent collapse of ALPHV/BlackCat after the Change Healthcare breach all point in the same direction: it is possible to disrupt a single RaaS brand decisively, but the affiliate pool simply migrates to the next one. The recent rise of RansomHub, Akira, Play, and Medusa has absorbed displaced LockBit and ALPHV affiliates almost in real time.
The implication is that disrupting RaaS at the brand level treats symptoms. Disrupting it durably means going after the supporting infrastructure: IABs, money launderers, bulletproof hosting, cryptocurrency off-ramps, and the operating environments that protect the people behind it. RaaS is a system, and like any system, it has to be attacked at multiple layers at once.
