Ransomware-as-a-Service (RaaS) has transformed ransomware from a tool wielded by technically sophisticated criminal developers into a scalable criminal enterprise accessible to nearly any financially motivated threat actor. Understanding the RaaS model — how it is structured, who the major players are, and how attacks progress from initial access to ransom demand — is essential for security practitioners defending organizations in 2026.
The RaaS Affiliate Business Model
RaaS operates on an affiliate model directly analogous to legitimate SaaS businesses, with one critical difference: the product is ransomware. The RaaS operator (the developer group) builds and maintains the ransomware infrastructure: the encryptor, the C2 infrastructure, the leak site, the victim negotiation portal, and the affiliate management panel. Affiliates — threat actors who conduct the actual intrusions — license access to this infrastructure and deploy it against victims in exchange for a revenue share.
The standard split in 2025-2026 is approximately 70/30 in favor of the affiliate: the affiliate retains 70% of any paid ransom, with 30% going to the RaaS operator. For successful attacks against large enterprises where ransoms can reach $5-20 million, this represents substantial revenue for both parties without the operator ever directly touching the victim's network.
Affiliates source their initial access through several pathways: conducting intrusions themselves, purchasing access from Initial Access Brokers (IABs) who specialize in gaining and selling network access, or exploiting freshly disclosed vulnerabilities before defenders patch them. The professionalization and division of labor in this ecosystem is significant — distinct specializations have emerged for initial access, post-compromise operations, negotiation, and money laundering.
Active RaaS Groups in 2025-2026
LockBit 3.0
LockBit has been the dominant RaaS group by victim count for three consecutive years, despite a significant law enforcement disruption operation (Operation Cronos) in February 2024 that seized infrastructure and arrested several affiliates. The group relaunched within weeks, demonstrating the resilience of the RaaS model — taking down infrastructure does not eliminate the affiliates or the developer core. LockBit's affiliate panel is noted for its professionalism and reliability, which has made it attractive to high-capability affiliates.
ALPHV / BlackCat
ALPHV (also known as BlackCat) was notable for being one of the first major RaaS groups to write their encryptor in Rust, providing cross-platform capability (Windows, Linux, VMware ESXi) and resistance to code analysis. The FBI disrupted ALPHV's infrastructure in December 2023, but the group retaliated by removing the affiliate payout cap and explicitly encouraging attacks on critical infrastructure — a significant escalation. ALPHV subsequently collapsed in a suspected exit scam in early 2024, with the operator absconding with an estimated $22 million in ransom proceeds owed to affiliates.
Cl0p
Cl0p has differentiated itself through mass exploitation of file transfer vulnerabilities — MOVEit Transfer (CVE-2023-34362), GoAnywhere MFT, and Accellion FTA — affecting hundreds of organizations simultaneously. Rather than encrypting systems, Cl0p often focuses exclusively on data exfiltration and extortion, threatening to publish sensitive data without deploying encryptors. This "pure extortion" model requires less operational time on target and eliminates the decryption negotiation complexity.
Play and 8Base
Play ransomware has shown consistent activity targeting manufacturing, healthcare, and professional services, with a pattern of targeting mid-market organizations in the $50M-$500M revenue range. 8Base emerged as a significant new entrant in 2023-2024, adopting double extortion and maintaining an active leak site with high victim counts. Both groups tend to operate with smaller affiliate networks than LockBit, resulting in more consistent operational security.
Double and Triple Extortion
The ransomware extortion model has escalated in layers over successive years. Single extortion (encrypt and demand ransom for decryption) was the original model. Double extortion, pioneered by Maze ransomware in 2019, adds data exfiltration before encryption — the threat of publishing sensitive data creates payment pressure even if the victim has backups. Triple extortion adds a third pressure vector: DDoS attacks against the victim's public infrastructure, or direct contact with the victim's customers, partners, and regulators to amplify reputational and regulatory pressure.
For defenders, the shift to double extortion fundamentally changes the calculus of backup-based recovery. Offline, immutable backups still eliminate the operational disruption component, but they do not address the data exposure threat. Data Loss Prevention (DLP) controls for detecting bulk exfiltration have become critical — specifically, monitoring for large outbound data transfers over legitimate channels (cloud storage sync tools, web uploads) and alerting on access to sensitive data repositories at volumes inconsistent with the accessing account's baseline.
Most Common Initial Access Vectors
FBI IC3 and CISA joint advisories consistently identify the same primary initial access vectors for ransomware:
- RDP and VPN exploitation: Exposed Remote Desktop Protocol and VPN gateway vulnerabilities or credential brute-forcing account for 30-40% of ransomware initial access. Organizations with internet-exposed RDP on port 3389 (or non-standard ports) are actively scanned and targeted within hours of IP publication.
- Phishing with malicious attachments or links: 25-35% of initial access. Business email compromise and credential phishing feeding into ransomware deployment are particularly common, with attackers taking weeks to escalate from credential theft to ransomware deployment.
- Vulnerability exploitation of public-facing applications: 20-30% of initial access. VPN appliances (Citrix, Fortinet, Palo Alto), email gateways, and web application frameworks are targeted within days of vulnerability disclosure. CVE-2024-21762 (Fortinet FortiOS) and CVE-2024-3400 (Palo Alto PAN-OS) are recent examples exploited by ransomware affiliates.
Ransom Demands and Negotiation Dynamics
Average ransom demands have scaled with target revenue. For organizations with annual revenue below $10M, initial demands typically range from $50,000 to $250,000. Mid-market organizations ($10M-$500M revenue) face initial demands of $500,000 to $5M. Large enterprises ($500M+) face demands of $5M to $50M or higher. These are initial demands — negotiated settlements typically land at 40-70% of the initial demand, though groups vary significantly in their negotiating flexibility.
Downtime costs frequently exceed the ransom itself. The average ransomware recovery time for mid-market organizations is 21 days, with fully burdened operational disruption costs — lost revenue, overtime, third-party IR, forensics, legal, notification — often reaching 5-10x the ransom amount. This context is essential for executives making payment decisions under pressure.
Our penetration testing engagements specifically assess the initial access vectors most commonly exploited by ransomware affiliates — exposed services, credential weaknesses, phishing susceptibility, and lateral movement paths — giving your organization a clear view of ransomware exposure before an incident occurs. For organizations seeking continuous protection, our managed network infrastructure service includes the segmentation and monitoring controls that limit ransomware blast radius. Contact us to assess your current ransomware exposure.