
What is Ransomware as a Service (RaaS)?

According to Kennesaw State University’s article on Ransomware: Evolution, Mitigation and Prevention, “Ransomware is a rapidly growing threat to the data files of individuals and businesses. It encrypts files on an infected computer and holds the key to decrypt the files until the victim pays a ransom.”

Ransomware and RaaS

Ransomware as a Service (RaaS) is a cybercrime business model that closely resembles legitimate Software-as-a-Service (SaaS) offerings. Instead of building ransomware from scratch, attackers subscribe to or partner with ransomware developers who provide ready-made malware, infrastructure, and operational support. In return, RaaS providers typically receive an upfront fee or a percentage of the ransom payment.

Academic research on Ransomware-as-a-Service economy within the darknet defines RaaS as “a franchise offered through darknet marketplaces, allowing aspiring cybercriminals to take part in this dubious economy.” The franchise-style model has changed the ransomware infrastructure, lowering technical barriers and allowing a broader pool of attackers to participate.

Historically, launching a ransomware campaign required advanced programming knowledge, cryptographic expertise, and the ability to manage command-and-control servers. RaaS removes this complexity. Providers handle malware development, encryption routines, payment portals, and even victim communication, while affiliates or distributors gain access to victim networks.

As evidenced in the latter study, RaaS “allows people without programming skills to become active attackers and take part in the ransomware economy.”

How the RaaS model works

Developers (authors) create and maintain the ransomware, while affiliates distribute it. Once a ransom is paid, profits are split, often with the RaaS operator taking 20–30% of the proceeds.

Some providers sell source code, while others offer pre-compiled ransomware binaries. Advanced platforms provide dashboards that allow affiliates to track infections, manage ransom negotiations, and monitor payments. According to the academic research, this collaboration allows “a faster rate of infections with a lower risk of getting caught.”

In many modern RaaS operations, providers also manage victim interactions, like hosting leak sites, issuing ransom demands, and guiding victims through cryptocurrency payments. These services further distance affiliates from the most legally risky aspects of extortion.

Why RaaS appeals to attackers

RaaS minimizes effort while maximizing potential reward. Attackers do not need to develop malware, manage infrastructure, or negotiate with victims. These responsibilities are outsourced to specialists.

BlackCat (also known as ALPHV) is one of the most prominent examples of the RaaS model in action. Affiliates focus on intrusion techniques, while operators refine ransomware capabilities and extortion strategies.

The RaaS model also enables insider threats. As the RaaS economy in the darknet study notes, “a dissatisfied employee might decide to partner up with a RaaS developer to effectively infect an organisation from the inside.” The risk is concerning for healthcare organizations with large, distributed workforces.

A closer look at BlackCat (ALPHV)

Late 2021 Emergence

Emerging in late 2021, BlackCat gained notoriety for its technical sophistication, aggressive extortion tactics, and structured affiliate program.

The ransomware was written in the Rust programming language, which made it portable across Windows and Linux systems and let affiliates target different environments, including the enterprise servers and virtualized infrastructure used by healthcare organizations.

2022 Affiliate program expansion

The operators recruit affiliates through invite-only forums and underground communities. Affiliates are responsible for network penetration, lateral movement, and deploying ransomware, while the operators maintain malware updates, payment portals, and encryption key management. Revenue is shared, typically with 20–30% going to operators and the remainder to affiliates.

This structure reinforces the academic description of RaaS as a franchise economy: it “reduces the risk of exposure for the ones on top of the value chain,” allowing developers to profit while remaining insulated from the attacks themselves.

2022 - 2023 Double extortion tactics

BlackCat uses advanced extortion methods, exfiltrating sensitive data before encrypting systems. Victims are threatened with public leaks of the stolen data, which increases the attackers’ leverage and the likelihood of ransom payment. These tactics are highly effective against healthcare providers, law firms, and critical infrastructure.

2023 High-profile attacks

Documented attacks have targeted US and European organizations, including healthcare facilities, manufacturing firms, and logistics companies. Common attack vectors include phishing campaigns, remote desktop protocol attacks, and exploitation of unpatched vulnerabilities.

2023 - 2024 Affiliate infrastructure enhancement

Operators provide affiliates with dashboards to monitor infections, track ransom payments, and manage victim communications. BlackCat also integrates instructions for cryptocurrency payments, often in Monero or Bitcoin, to further obfuscate financial trails.

More specifically, BlackCat’s operational maturity was evident during the Change Healthcare ransomware attack, in which they deliberately targeted a major healthcare clearinghouse that processes vast volumes of claims and patient data. The attack impacted patient care, triggered HIPAA investigations, and resulted in multi-million-dollar recovery costs.

Ultimately, BlackCat showed how ransomware operators exploit systemic healthcare vulnerabilities, including overworked staff and complex third-party dependencies. These conditions increase susceptibility to phishing and social engineering attacks, allowing affiliates to gain initial access and deploy ransomware at scale during periods of maximum operational strain.

How RaaS uses the darknet

RaaS platforms like BlackCat use darknet infrastructure for recruitment, communication, and payment processing. The darknet, accessed via anonymization technologies such as TOR, provides what researchers describe as “cyber crime’s safe haven for communication and exchange of illegal goods and services.”

Darknet forums and marketplaces allow RaaS operators to vet affiliates, advertise their services, and share operational guidance. However, academic research challenges the assumption that RaaS dominates darknet markets. Specifically, it found that ransomware-related listings often constitute a very small percentage of overall marketplace inventory and that many offerings are fraudulent.

BlackCat also differs from many low-quality darknet listings in that it operates through more controlled, invite-only channels. This is consistent with the research finding that experienced actors tend to avoid public marketplaces in favor of private networks, where trust and reputation are more tightly managed.

Is healthcare data at risk from RaaS attacks?

Yes. Since hospitals and clinics depend on continuous system availability to deliver patient care, disruptions can delay treatments, compromise safety, and create pressure to restore systems quickly.

During the COVID-19 pandemic, ransomware attacks against healthcare surged. Attackers exploited overworked staff, remote work environments, and heightened reliance on email. Phishing campaigns themed around public health updates increased click-through rates and infection success.

Although academic research suggests the overall RaaS marketplace may be smaller than media narratives imply, the impact of groups like BlackCat shows that even a limited number of skilled operators can cause widespread harm. As the researchers caution, ransomware “prevails as a serious threat when committed by experienced cybercriminals.”

Reducing RaaS risk through email security

Healthcare organizations must understand the “value chain and descriptions of the actors involved in this economy” to develop effective countermeasures. Since phishing is a primary delivery method for RaaS, email security is the most critical defense. One malicious email can give affiliates the initial access they need to deploy ransomware across an entire network.

HIPAA-compliant email solutions, like Paubox, help healthcare organizations send secure emails while protecting inboxes from phishing, ransomware, malware, spam, and viruses. Additionally, Paubox’s patented ExecProtect tool blocks display name spoofing emails before they reach employees, directly addressing one of the most common tactics BlackCat uses.
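To make the display name spoofing problem concrete, here is an added example of one simple check a mail filter can apply. It is illustrative code written for this article, not Paubox’s ExecProtect implementation, and the organization domain, the protected names, and the sample From: headers are all constructed for the example. The idea is that a message whose From: display name matches a known executive but whose address sits outside the organization’s domain is the classic display-name spoof, and it can be blocked before a user ever sees it.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed configuration for this example (assumptions, not product settings):
# the organization's own sending domain and the display names of people whose
# identities phishing emails commonly impersonate.
ORG_DOMAIN = "example-health.test"
PROTECTED_NAMES = ["Jane Doe", "John Smith"]


def normalize_name(name: str) -> str:
    """Lower-case a display name, drop common honorifics and punctuation, and
    collapse whitespace so 'Dr. Jane  Doe (CEO)' becomes 'jane doe ceo'."""
    name = name.lower()
    name = re.sub(r"\b(dr|mr|mrs|ms)\.?\s+", "", name)
    name = re.sub(r"[^a-z0-9 ]", " ", name)
    return " ".join(name.split())


# Token sets of the protected names, e.g. {'jane', 'doe'}
_PROTECTED_TOKENS = [set(normalize_name(n).split()) for n in PROTECTED_NAMES]


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


@dataclass
class Verdict:
    blocked: bool
    reason: str


def check_display_name_spoof(from_header: str) -> Verdict:
    """Block a message whose From: display name contains a protected person's
    name while the actual address is outside the organization's domain.

    This only catches display-name impersonation from external addresses;
    a forged address on the organization's own domain is the job of
    SPF/DKIM/DMARC enforcement, not of this check.
    """
    display, addr = parseaddr(from_header)
    if not addr:
        return Verdict(True, "unparseable From header")
    if sender_domain(addr) == ORG_DOMAIN:
        return Verdict(False, "sender is on the organization's domain")
    tokens = set(normalize_name(display).split())
    for protected in _PROTECTED_TOKENS:
        if protected and protected <= tokens:
            return Verdict(True, f"display name {display!r} impersonates a protected person from external address {addr}")
    return Verdict(False, "no protected display name")


# Constructed sample From: headers (not real messages).
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe@example-health.test>',          # legitimate internal mail
    'Jane Doe <ceo.janedoe@freemail.test>',               # classic display-name spoof
    '"Dr. Jane  Doe (CEO)" <billing@invoice-pay.test>',   # honorific and title added
    'Accounts Payable <ap@vendor.test>',                  # external, no protected name
    'jane.doe@freemail.test',                             # no display name at all
]


def triage(headers):
    """Run the check over a batch and return (header, verdict) pairs."""
    return [(h, check_display_name_spoof(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print("BLOCK " if verdict.blocked else "ALLOW ", header, "->", verdict.reason)
```

The token-subset comparison is what makes the check resilient to the small variations attackers add (an honorific, a job title, doubled spaces) while still letting the executive’s real internal mail through. It deliberately does not try to detect a forged address on the organization’s own domain; that case is covered by publishing and enforcing SPF, DKIM, and DMARC.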

All Paubox products are HITRUST CSF certified and include a business associate agreement (BAA), supporting healthcare compliance and strengthening cybersecurity defenses. The solution, therefore, reduces the likelihood of a successful phishing attack, helping stop ransomware infections before they begin.

Healthcare organizations further reduce RaaS risk when they pair strong email security with complementary controls, including limiting access privileges, monitoring for suspicious activity, and maintaining resilient, regularly tested backup strategies.

FAQs

What is double extortion in ransomware attacks?

Double extortion is a ransomware tactic in which attackers first infiltrate a network and exfiltrate sensitive data, like patient records, financial information, or proprietary files, before encrypting systems. After encryption, attackers threaten to publish or sell the stolen data if the victim refuses to pay the ransom.

How does RaaS differ from traditional ransomware attacks?

Ransomware-as-a-Service (RaaS) differs from traditional ransomware in that it divides responsibilities across a criminal supply chain. In traditional attacks, a single actor typically develops, deploys, and manages the ransomware.

In contrast, RaaS operators develop and maintain the malware, payment portals, and negotiation infrastructure, while affiliates handle initial access, lateral movement, and deployment. This specialization allows attacks to scale rapidly, reduces risk for developers, and lets less technically skilled attackers launch sophisticated campaigns.

How do RaaS attackers typically gain initial access?

RaaS attackers usually gain initial access through phishing emails that trick employees into clicking malicious links or opening infected attachments. They also exploit compromised or reused credentials, often obtained through previous data breaches or credential-stuffing attacks. In addition, attackers take advantage of unpatched software vulnerabilities and poorly secured remote desktop services to bypass defenses.
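Of the initial access routes listed above, password guessing against exposed remote desktop services is the one that leaves the clearest trail in logs, so it is worth showing what the monitoring side looks like. The following is an added example written for this article, not code from Paubox or from any cited study. The event records are constructed to resemble Windows Security log entries (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is an RDP session); the field names are this example’s own choice. The detector flags any source address that fails a threshold number of RDP logons inside a sliding time window and reports whether a successful logon followed, which is the moment a credential-stuffing attempt turns into a foothold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log events; these are
# not real logs. Event 4625 = failed logon, 4624 = successful logon, and
# logon type 10 (RemoteInteractive) is what an RDP session produces.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2024-03-01T02:00:30", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2024-03-01T02:01:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2024-03-01T02:01:30", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jdoe"},
    {"time": "2024-03-01T02:02:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2024-03-01T02:03:00", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2024-03-01T09:15:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.4", "user": "jdoe"},
    {"time": "2024-03-01T09:15:20", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.4", "user": "jdoe"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced at least `threshold`
    failed RDP logons inside a sliding `window`, noting how many distinct
    accounts were tried and whether a successful RDP logon followed."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] == 10:
            by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        times = [datetime.fromisoformat(e["time"]) for e in failures]
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                success_after = any(
                    e["event_id"] == 4624
                    and datetime.fromisoformat(e["time"]) >= times[start]
                    for e in evs
                )
                alerts.append({
                    "src_ip": ip,
                    "failures": len(burst),
                    "distinct_users": len({e["user"] for e in burst}),
                    "success_after": success_after,
                })
                break  # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single failed logon from the second address never reaches the threshold, so an ordinary user mistyping a password does not fire the rule; the first address, trying several accounts in two minutes and then succeeding, is exactly the pattern that warrants an immediate response. In the sample data the alert reports 5 failures across 4 distinct accounts with a success afterwards.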
