Ransomware attacks have dominated the headlines in recent years, holding organisations hostage and unleashing widespread disruption upon some of the world’s best-known companies. And the threat is only growing. According to research by Check Point, Q1 2025 saw a 126% jump in ransomware attacks compared to 2024.
When we think of the groups behind these incidents, the natural tendency is to picture hacker groups deploying malicious, self-designed software. However, one of the drivers of the recent jump in attack frequency is ransomware-as-a-service (RaaS). But what is RaaS, and how does it differ from traditional ransomware attacks?
What is Ransomware-as-a-service?
RaaS is a business model. It involves ransomware groups leasing their tools to third parties, known as ‘affiliates’. This allows anyone to launch their own attacks without requiring the technical skills of traditional hacking collectives. If successful, the attackers then share a portion of the profits with the original developers.
This model is a win-win for ransomware groups. It creates an additional revenue stream that, in the first instance, doesn’t even rely on an attack being successful. If the individual or group leasing the ransomware fails to launch a successful attack, nothing is lost. If the affiliate does manage to collect a ransom, the developers get paid again without having gone to the effort of making the initial infiltration.
RaaS has effectively professionalised ransomware. It’s given hackers the ability to launch a retail arm of their operations not dissimilar to many of the companies whose defences they spend the rest of their time trying to penetrate.
How does RaaS work?
There are several pricing models for RaaS. Some ransomware groups charge a flat monthly fee for affiliates to use their malware. Others only ask for a percentage of their profits or a one-time licensing fee.
Affiliates may also work with Initial Access Brokers (IABs). These are additional third parties that specialise in breaching organisations’ defences. By using IABs, affiliates can license ransomware and infiltrate target organisations without doing any of the work themselves.
Examples of RaaS attacks
The recent success of several high-profile groups highlights the growing threat posed by RaaS.
Akira
Akira emerged in 2023 and remains highly active. Its ransomware has been used to infiltrate organisations including Nissan Australia, the US energy firm BHI Energy, and Stanford University. Akira generated $42m in proceeds in its first year of operations.
LockBit
LockBit has been around in various forms since 2019. By 2023, it had generated over $90m in ransom payments. The group’s latest iteration, LockBit 4.0, was launched in February 2025. Its victims have included the cosmetics firm Nuxe, the UK’s Royal Mail, and the China Daily newspaper.
Rhysida
Rhysida emerged in 2023, first as a ransomware gang before eventually expanding into a RaaS operation. Its victims include the British Library, the Chilean Army, and the city of Columbus, Ohio.
DragonForce
DragonForce also emerged in 2023. It’s currently known for its role in the recent attack on Marks & Spencer, where DragonForce ransomware was used by an affiliate called Scattered Spider. Previous targets include Coca-Cola, Yakult, and the government of Palau.
How to protect against RaaS
The rise of RaaS has democratised access to ransomware. By lowering the barrier to entry, anyone who fancies themselves as a would-be cybercriminal can now attempt to extort organisations using cutting-edge malware or hire IABs to make the initial breach on their behalf.
The only way to stand tall against this threat is to adopt a comprehensive backup and recovery strategy. There are several steps that organisations need to consider to avoid becoming victims:
Strong access controls: Use multi-factor authentication (MFA) and enforce the principle of least privilege to limit access to critical systems and data.
Regularly update and patch systems: Ensure all software and systems are updated with the latest security patches to prevent exploitation of known vulnerabilities.
Conduct employee training: Educate employees about phishing attacks and social engineering tactics commonly used to deploy ransomware.
Maintain regular backups: Regularly back up data and store it securely offline. This ensures that data can be restored without paying a ransom in the event of an attack.
Deploy advanced security solutions: Use endpoint protection, intrusion detection systems, and threat intelligence services to detect and respond to threats promptly.
Develop an incident response plan: Prepare a comprehensive incident response plan to ensure a swift and effective response to ransomware attacks.
How Redstor can help
Redstor’s cloud-first data protection platform helps organisations stay resilient by enabling rapid, ransomware-resilient recovery across environments. Our immutable backups ensure attackers can’t compromise backup data, while InstantData™ means businesses can access key files immediately.
Redstor is the best solution for your worst-case scenario. Put your ransomware fears to rest by getting in touch today.