Definition
Ransomware-as-a-Service (RaaS) is a business model where ransomware developers (Operators) sell or lease their ransomware variants to other cybercriminals (Affiliates). The Affiliates perform the actual intrusion and deployment, while the Operators maintain the code and payment portals. Profits are typically split (e.g., 70% to Affiliate, 30% to Operator).
Purpose and Core Idea
RaaS lowers the barrier to entry for cybercrime. An Affiliate does not need to know how to write complex encryption code; they only need to know how to buy access or phish employees. This specialization allows for the rapid scaling of attacks globally.
Mini Case Study: The Conti Playbook
In 2021, a disgruntled affiliate leaked the internal "Playbook" of the Conti ransomware group.
- The Structure: The leak revealed that Conti operated like a legitimate software company, with HR departments, "Employee of the Month" bonuses, and 24/7 customer support for victims.
- The TTPs: The playbook provided step-by-step instructions for Affiliates:
  - Use Cobalt Strike for initial access.
  - Exploit Zerologon for privilege escalation.
  - Exfiltrate data using Rclone before encryption (Double Extortion).
- The Impact: This intelligence allowed CTI analysts to write precise YARA Rules and detection logic for the exact tools Conti was using, significantly damaging the group's operations.
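As an added illustration of the "detection logic for the exact tools" point above (this is not from the Conti leak or any vendor's rule set), the following Python scores process-creation events for Rclone-style exfiltration. It assumes Sysmon-like fields (host, user, image path, command line) and uses constructed sample events; the scoring weights are assumptions. The design point is that the rule keys on Rclone's command syntax (a transfer verb followed by a `remote:path` destination, plus Rclone-specific flags) rather than on the binary name alone, so a renamed copy of rclone.exe still scores.

```python
"""Scoring-based detection of Rclone data exfiltration in process-creation telemetry.

Added example, not Conti's code or a vendor rule. Assumes Sysmon-style event
fields; SAMPLE_EVENTS below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Rclone subcommands that move data; a remote target after one of these is the key signal.
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Flags characteristic of Rclone invocations (assumed set, kept to distinctive ones).
RCLONE_FLAGS = {"--config", "--transfers", "--no-check-certificate",
                "--ignore-existing", "--bwlimit", "--progress", "-p"}
# Rclone remotes look like "name:path". Requiring 2+ characters before the colon
# rules out Windows drive letters such as C:\Temp.
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:")

# Constructed sample events (made up for this example).
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "FS-01", "user": "CORP\\svc_backup", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy \\FS-01\Finance mega:dump --transfers 8 --no-check-certificate"},
    {"host": "FS-02", "user": "CORP\\admin", "image": r"C:\Temp\svchost.exe",
     "cmdline": r"svchost.exe sync D:\HR remote:archive --config C:\Temp\rc.conf -q"},
    {"host": "WS-022", "user": "CORP\\asmith", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe version"},
]


@dataclass
class Finding:
    host: str
    user: str
    severity: str            # "none", "low", "medium" or "high"
    renamed_binary: bool     # Rclone syntax seen from an image not named rclone.exe
    reasons: list = field(default_factory=list)


def score_event(event):
    """Score one process-creation event and explain which indicators fired."""
    tokens = event["cmdline"].split()
    reasons, score = [], 0
    image_name = PureWindowsPath(event["image"]).name.lower()

    # Indicator 1: the image name itself. Weak on its own (IT may use Rclone legitimately).
    if image_name == "rclone.exe":
        score += 1
        reasons.append("image is rclone.exe")

    # Indicator 2: a transfer verb followed by a remote:path destination.
    verb_idx = next((i for i, t in enumerate(tokens) if t.lower() in TRANSFER_VERBS), None)
    has_transfer = False
    if verb_idx is not None:
        remotes = [t for t in tokens[verb_idx + 1:] if REMOTE_RE.match(t)]
        if remotes:
            has_transfer = True
            score += 2
            reasons.append(f"transfer verb '{tokens[verb_idx]}' to remote {remotes[-1]}")

    # Indicator 3: Rclone-specific flags (handles both "--flag value" and "--flag=value").
    flags = sorted({t.lower().split("=")[0] for t in tokens if t.startswith("-")} & RCLONE_FLAGS)
    if flags:
        score += min(len(flags), 2)
        reasons.append("rclone flags: " + ", ".join(flags))

    # Rclone syntax from a differently named image suggests a renamed binary.
    renamed = has_transfer and bool(flags) and image_name != "rclone.exe"
    if renamed:
        reasons.append("rclone syntax from a non-rclone image name")

    severity = "high" if score >= 3 else "medium" if score == 2 else "low" if score == 1 else "none"
    return Finding(event["host"], event["user"], severity, renamed, reasons)


def detect(events):
    """Return findings for every event that triggered at least one indicator."""
    return [f for f in (score_event(e) for e in events) if f.severity != "none"]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.host} {f.user}: " + "; ".join(f.reasons))
```

On the constructed events this flags the FS-01 copy to a `mega:` remote and the renamed binary on FS-02 as high, and the bare `rclone.exe version` on WS-022 as low, which is the triage split a SOC would want: the payload name is only one signal, and the behaviour (bulk transfer to an external remote) carries the weight.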
Usage in Real CTI Workflows
Analysts track RaaS groups not just by the malware, but by their "Leak Sites" on the Dark Web. Monitoring these sites provides Strategic Intelligence on which sectors are being targeted.
Strengths and Limitations
The RaaS model makes attribution difficult because different Affiliates use the same ransomware brand but may use completely different intrusion techniques (TTPs). Therefore, defending against RaaS requires focusing on the Affiliate's behavior (Lateral Movement) rather than just the final payload.