Ransomware operations have emerged as one of the most profitable forms of cybercrime. They use a business model that mirrors legitimate software-as-a-service operations: the ransomware affiliate program, also known as Ransomware-as-a-Service (RaaS).
According to The Guardian, ransomware gangs staged a "major comeback" last year, with victims of hacking attacks paying out a record $1.1bn to assailants. This represents an increase from 2022, when $567m was paid out. As noted by Chainalysis researchers, "2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks."
Traditional ransomware operations were typically carried out by individual hackers or small groups who handled every aspect of an attack themselves—from developing the malware to infiltrating networks, encrypting files, and negotiating with victims. This approach was limited by the technical expertise required and the time investment needed for each phase of the operation.
The affiliate model changed this approach by creating a division of labor that increased the scale and efficiency of ransomware operations. As noted in the academic paper "The Ransomware-as-a-Service economy within the darknet", this model represents "a way of democratising crime, giving ordinary people and smaller players an easier way into the criminal market." Much like legitimate business franchises, these programs allow specialized criminal organizations to focus on their core competencies while expanding their reach through partnerships. The same research emphasizes that "this collaborative strategy is a way of achieving a faster rate of infections with a lower risk of getting caught."
The effectiveness of this model is evident. According to The Guardian, cybersecurity firm Recorded Future found that "there were 538 new ransomware variants in 2023, which indicates the emergence of new, independent groups." As Allan Liska, an analyst at Recorded Future, noted: "A major thing we're seeing is the astronomical growth in the number of threat actors carrying out ransomware attacks."
According to the paper "Ransomware: Recent advances, analysis, challenges and future research directions", "Modern ransomware emerged around 2005 and quickly became a viable business strategy for attackers." The COVID-19 pandemic accelerated these trends, with the same researchers observing that "the COVID-19 pandemic has witnessed a huge surge in the number of ransomware attacks."
The ransomware affiliate system has a defined structure with distinct roles and responsibilities:
Ransomware developers/operators: At the top of the hierarchy are the core groups that develop and maintain the ransomware software. These organizations create the encryption tools, payment portals, negotiation platforms, and victim communication systems. They also maintain the technical infrastructure needed to support operations at scale.
Affiliates: These are the "customers" who purchase or license access to the ransomware tools and infrastructure. Affiliates are responsible for gaining initial access to target networks, moving laterally through systems, and deploying the ransomware payload. According to Europol's Internet Organised Crime Threat Assessment (IOCTA) 2023, "The split of the profits received by the affiliate is based on their rank, which is determined by the success rate of their attacks and the criminal profits generated. At entry level the affiliate shares are low (around 20-40 % of the ransom), but at higher ranks they can receive up to 80 % of the profits because they have proven to be a lucrative business partner for the criminal groups running the service."
Access brokers: These specialists focus on compromising networks and selling that access to affiliates. They may use various techniques including phishing campaigns, exploiting vulnerabilities, or purchasing stolen credentials from other cybercriminals. The Guardian article highlights how "the growth of 'ransomware as a service', where malware is hired out to criminals in exchange for a cut of the proceeds has also stoked activity, along with 'initial access brokers' who sell vulnerabilities in the networks of potential targets to ransomware attackers." Europol's assessment notes that "There is an increase in activity on marketplaces for stolen data and in the demand for IABs. Listings posted by IABs include advertisement of systems they have access to, sometimes accompanied by company revenue."
Support services: The system includes various services such as money laundering operations, victim negotiation specialists, and technical support for affiliates who encounter problems during attacks.
Most ransomware affiliate programs operate on a revenue-sharing model similar to legitimate affiliate marketing. As noted in "Ransomware: Recent advances, analysis, challenges and future research directions", "RaaS lets ransomware developers sell or lease their ransomware variants to affiliates, who use these variants to perform attacks." The core ransomware group provides the technical platform and takes a percentage of successful ransom payments, typically 20-30%. This model incentivizes the developers to create reliable, effective tools while allowing affiliates to focus on attack execution without needing deep technical expertise in malware development.
Some programs also charge upfront fees or monthly subscription costs, though the revenue-sharing model remains most common. The programs often include service level agreements, technical support, and regular updates to the ransomware tools—mirroring legitimate software offerings.
According to Europol's 2023 assessment, "Cybercrime services are widely available and have a well-established online presence, with a high level of specialisation inside criminal networks and collaboration between illicit providers." This specialization extends beyond just ransomware operations. The report emphasizes that "The services offered to perpetrate cybercrime are often intertwined and their efficacy is to a degree co-dependant."
This interconnected nature means that ransomware affiliates often rely on various specialized criminal services, including initial access brokers, dropper services, crypters for obfuscation, and money laundering networks. Each service provider focuses on its particular expertise while contributing to the overall criminal enterprise. As highlighted in "The Ransomware-as-a-Service economy within the darknet", "RaaS is often tied to other types of activities as well, such as a plethora of different infection methods and money laundering schemes."
Europol's IOCTA 2023 reveals how these criminal networks actively recruit new participants: "Ransomware groups make use of forums on the clear and dark web to recruit new affiliates, pentesters, company insiders, IABs and money mules. Ransomware leak sites have also been identified as places where affiliates are being recruited."
These underground forums serve multiple purposes beyond recruitment, providing educational resources, operational security guidance, and marketplaces for various criminal services. The accessibility of these resources has lowered the technical barriers for entering cybercriminal activities. Research demonstrates how accessible these tools have become, with studies noting that "our tests using RAASNet have shown how easy it is to acquire and use ransomware through RaaS software."
Several major ransomware families have operated successful affiliate programs. Groups like REvil (Sodinokibi), DarkSide, Conti, and LockBit have all utilized this model to great effect. According to a CISA advisory, "In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023." These programs often advertise their services on dark web forums, complete with performance metrics, success rates, and testimonials from satisfied affiliates.
The Guardian article highlights how new players continue to emerge, noting that "The Clop group emerged as a significant player last year, claiming responsibility for the hack of the payroll provider Zellis, which targeted a vulnerability in MOVEit software." This attack affected major organizations including British Airways, Boots and the BBC, demonstrating the impact of successful affiliate operations.
These operations are sophisticated, with some programs offering 24/7 technical support, regular software updates, and even dispute resolution processes for conflicts between operators and affiliates.
The Cybersecurity and Infrastructure Security Agency (CISA) advisory on LockBit illustrates every aspect of the affiliate model described above.
LockBit's global impact validates the affiliate model's ability to expand operational scope. CISA reports show LockBit's worldwide presence: "About 1,700 attacks according to the FBI" with "approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020." The operation's geographic reach spans multiple continents, with documented attacks representing 18% of ransomware incidents in Australia, 22% in Canada, 23% in New Zealand, and 16% of government ransomware incidents in the United States, according to CISA data.
LockBit has gained competitive advantage through business model innovations that prioritize affiliate satisfaction. The CISA advisory notes that LockBit distinguishes itself by "assuring payment by allowing affiliates to receive ransom payments before sending a cut to the core group; this practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates' cut." This affiliate-first approach, combined with their "simplified, point-and-click interface for its ransomware, making it accessible to those with a lower degree of technical skill," demonstrates how the model reduces barriers to entry while maintaining operational effectiveness.
The CISA advisory documents extensive use of legitimate tools repurposed for malicious activities, showing the specialization aspect of the affiliate model. LockBit affiliates utilize over 30 different tools ranging from network reconnaissance (Advanced IP Scanner, AdFind) to credential dumping (Mimikatz, LaZagne) to data exfiltration (Rclone, FileZilla). This specialization allows affiliates to focus on their strengths while leveraging the core group's technical infrastructure.
LockBit's development timeline demonstrates the innovation pressure within affiliate programs. According to CISA, the operation has continuously evolved from its origins as ABCD ransomware in September 2019 through multiple versions: LockBit 2.0 (June 2021) with built-in data stealing capabilities, LockBit 3.0 (March 2022) incorporating features from other ransomware families, LockBit Green (January 2023) using Conti source code, and even macOS variants (April 2023). This development cycle shows how competition between ransomware programs drives technical advancement.
CISA data shows "up to Q1 2023, a total of 1,653 alleged victims were observed on LockBit leak sites," representing only those victims who refused to pay ransoms. The actual number of successful attacks is likely higher, as many victims who pay ransoms never appear on leak sites.
LockBit's structure exemplifies the challenges the affiliate model creates for law enforcement. As documented in the CISA advisory, the operation spans multiple countries with varying levels of law enforcement cooperation. Even comprehensive law enforcement actions struggle to completely disrupt affiliate networks, as evidenced by LockBit's continued operation despite ongoing international law enforcement efforts.
The distributed nature of affiliate programs creates challenges for both cybersecurity professionals and law enforcement. Traditional approaches focused on identifying and disrupting individual threat actors become less effective when facing a network of loosely connected but independently operating criminals.
The international nature of these operations, with affiliates and operators often located in different countries with varying levels of law enforcement cooperation, further complicates response efforts. Even when core operators are identified and arrested, the affiliate network may continue operating or migrate to new ransomware programs.
As Ellie Ludlam, a partner specializing in cybersecurity at UK law firm Pinsent Masons, noted in The Guardian article, the trend is expected to continue.
Many affiliate programs provide tutorials, user-friendly dashboards, and even 24/7 technical support.
Yes, affiliates compete for high-value targets and often switch programs if payouts or tools are more attractive elsewhere.
They use escrow systems, reputation rankings, and even “dispute resolution” forums to manage conflicts.
Not necessarily; some affiliates operate as small organized groups or even as part of larger cybercrime syndicates.
Cryptocurrencies like Bitcoin and Monero are essential for ransom payments and laundering proceeds.