

Medical records, payment cards, Social Security numbers, and insurance data are among the most sensitive types of information a criminal can steal. In February 2024, an affiliate renting a ransomware-as-a-service platform breached Change Healthcare, the largest health payment processor in the U.S., causing more than $2 billion in total cyberattack impacts and the leak of the health care data it held.
What is a ransomware-as-a-service platform, and how large a share of today's cybercrime does this model account for? The answers change how you should think about cyber risk and prepare your organisation.
Since the mid-2010s, ransomware has followed a new business path. Earlier ransomware campaigns required strong technical skills and direct negotiation with each victim: slow, technical, and hard to scale. Ransomware-as-a-Service traded that for scalability.
Ransomware-as-a-Service (RaaS) is a criminal business model in which developers write the malware, run the platform, and recruit clients, called affiliates, to deploy it against victims. The developer, or RaaS operator, handles the hard technical work: updating the ransomware, maintaining the encryption, and running the leak site and negotiation portal. The affiliate signs up, gets access to the platform, deploys the ransomware against a target, and splits the ransom payment with the operator, typically keeping the larger share.
Some of the most destructive ransomware groups of recent years, LockBit, BlackCat/ALPHV, and Black Basta, all operated on this model: developer teams running a platform for affiliate networks at scale. Their affiliates hit healthcare, finance, and critical infrastructure, causing enough damage to draw advisories and takedown operations from the FBI and partner agencies and making them some of the most pursued criminal enterprises in cybercrime history.
A RaaS affiliate begins by gaining initial access, often bought from an Initial Access Broker rather than obtained directly. From there the affiliate moves laterally through the network, escalates privileges, identifies where the sensitive data lives, and exfiltrates it before triggering encryption.
Exfiltration is part of the double extortion method modern RaaS follows: steal the data before encrypting the systems, so the victim is pressured to pay even after a clean restore from backup. Once the affiliate deploys the payload, the victim sees a ransom note branded by the RaaS operator and pointing to the operator's negotiation portal, even though the affiliate did the deployment.
RaaS groups don't operate in isolation; they sit in a cybercrime supply chain. Initial access brokers supply the entry points. Malware developers sell infostealers. Negotiation specialists handle victim communication. Underground forums such as Exploit, XSS, and RAMP are where affiliates are recruited and where stolen data is advertised.
Affiliates range from sophisticated intrusion teams to entry-level criminals who do little more than follow the operator's playbook and split the payment. That is how attacks get launched by people without deep technical skill, and how low the barrier to entry has become. Credential theft and infostealer logs supply a constant stream of access that affiliates purchase and weaponise.
Most organisations think of ransomware as a worst-case scenario, something that happens to others, to larger targets, to companies that made mistakes. RaaS changes that logic. The affiliate doesn't pick you because you're interesting but because you're reachable and hold data worth extorting. Access is bought from brokers and the malware comes ready from the platform. What used to take a skilled attacker weeks of preparation now takes an affiliate hours of execution.
And the cost doesn't stop at the ransom or the encryption. Downtime, recovery, legal exposure, regulatory penalties, and lasting reputational damage are what organisations actually pay. Keep in mind that ordinary vulnerabilities have become more dangerous because target selection is now largely automated. Nobody decided to target you; your exposure is the selection process.
Defending against RaaS requires controls that address the full attack chain, not just the final encryption step.
Limit how far an attacker can move once inside. Network segmentation is your strongest control after initial access has been obtained. RaaS affiliates need to move laterally from their entry point to your most sensitive data; a flat network hands them that path, while segmentation forces them to slow down and make noise.
Make your backups ransomware-proof, not just ransomware-resistant. Offline, immutable, and tested are three different properties, and you need all of them. Backups reachable from the production network can be encrypted or deleted along with everything else. Immutable storage and offline copies are what actually survive a RaaS deployment, and only a regularly tested restore proves that they do.
Detect behaviour, not just signatures. RaaS affiliates rely on legitimate administrative tools and living-off-the-land techniques that traditional antivirus ignores. EDR with behavioural detection flags the patterns, such as shadow-copy deletion or a burst of file renames, before or as the payload runs.
Manage privileged access tightly. Make Zero Trust and least privilege your baseline. RaaS affiliates need domain-admin level privileges to deploy ransomware at scale across your environment, so your standard user and service accounts should have no direct path to your domain controllers, and privileged credentials should never be used on ordinary workstations.
Have an incident response plan that doesn't start at the ransom note. RaaS attacks move fast once deployed. Organisations without a tested IR plan lose critical hours deciding who calls whom and what to do. The plan needs to exist, be practised, and include legal, communications, and executive decision-making.
Paying does not necessarily end the problem. Payment stops the countdown but offers no guarantee your data won't be published or sold. Several organisations that paid have seen their data appear on leak sites afterwards. Change Healthcare paid $22 million, yet the affiliate later took the stolen data to a second extortion group and it was still exposed.
Backups protect against encryption, not extortion. RaaS affiliates exfiltrate your data before deploying ransomware, so a perfect recovery does not remove the threat of that data being published. Backups remain essential, but against the double extortion model they are not enough on their own.
Compared with traditional ransomware, the malware itself may be the same; what differs is who deploys it and how. In RaaS, the affiliate executing the attack didn't build the ransomware and doesn't maintain the infrastructure; they just run the end product. That separation is what enables scale across industries and geographies.
Mid-sized companies are frequently preferred targets: they hold enough valuable data but typically lack the detection and response maturity of larger enterprises. RaaS affiliates optimise for return, not for name recognition.
The first thing defenders usually detect is lateral movement or exfiltration activity, not the encryption. By the time you see the ransom note, the affiliate has already completed reconnaissance, escalated privileges, and staged the data. Behavioural detection and privileged-access alerts are what catch the attack in progress.
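The two points above, behavioural detection instead of signatures and catching the intrusion at lateral movement or recovery tampering rather than at the ransom note, can be made concrete with a small detector. The following Python is an added example, not code from the original article or from any Defendis product. It runs three behavioural rules over constructed endpoint events: commands that disable system recovery (shadow-copy deletion, boot-recovery changes), a single process renaming many files to one new extension inside a short window, and one account authenticating to many distinct hosts in a few minutes. The event format, host names, the `svc_backup` account, the `.locked` extension and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not captured from any real incident). The
# fields are loosely modelled on Sysmon process-creation, file-rename and
# network-logon events; an EDR feed would carry far more detail.
SAMPLE_EVENTS = [
    # Ordinary admin activity on a workstation: must not alert.
    {"ts": "2024-02-21T02:00:00", "host": "WS-014", "user": "j.doe",
     "type": "process", "cmd": "powershell.exe Get-Service"},
    # One account fans out to six servers in under a minute (lateral movement).
    *[{"ts": f"2024-02-21T02:10:{i * 10:02d}", "host": f"SRV-{i:02d}",
       "user": "svc_backup", "type": "logon", "src_ip": "10.0.5.23"}
      for i in range(6)],
    # Recovery tampering right before encryption (MITRE ATT&CK T1490).
    {"ts": "2024-02-21T02:31:00", "host": "FS-01", "user": "svc_backup",
     "type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-02-21T02:31:02", "host": "FS-01", "user": "svc_backup",
     "type": "process", "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    # Burst of renames to a single new extension from one process (encryption).
    *[{"ts": f"2024-02-21T02:32:{i:02d}", "host": "FS-01", "user": "svc_backup",
       "type": "rename", "pid": 4412, "src": f"\\\\FS-01\\share\\doc{i}.docx",
       "dst": f"\\\\FS-01\\share\\doc{i}.docx.locked"} for i in range(40)],
]

# Command-line patterns for well-known recovery-inhibition techniques.
RECOVERY_TAMPERING = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_recovery_tampering(events):
    """Flag process launches whose command line matches a recovery-inhibition pattern."""
    return [Alert("recovery_tampering", e["host"], e["user"], e["cmd"])
            for e in events if e["type"] == "process"
            and any(p.search(e["cmd"]) for p in RECOVERY_TAMPERING)]


def detect_rename_burst(events, threshold=25, window=timedelta(seconds=60)):
    """Flag a process that renames >= threshold files to one extension within the window."""
    alerts = []
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "rename":
            by_proc[(e["host"], e["pid"], e["user"])].append(e)
    for (host, pid, user), evs in by_proc.items():
        by_ext = defaultdict(list)
        for e in evs:
            by_ext[e["dst"].rsplit(".", 1)[-1].lower()].append(_ts(e))
        for ext, times in by_ext.items():
            times.sort()
            start = 0  # sliding window over rename timestamps
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                if end - start + 1 >= threshold:
                    alerts.append(Alert("mass_rename", host, user,
                                        f"pid {pid} renamed {end - start + 1} files "
                                        f"to .{ext} within {window.seconds}s"))
                    break
    return alerts


def detect_logon_fanout(events, threshold=5, window=timedelta(minutes=5)):
    """Flag an account that logs on to >= threshold distinct hosts within the window."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            by_user[e["user"]].append((_ts(e), e["host"]))
    for user, logons in by_user.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append(Alert("logon_fanout", ",".join(sorted(hosts)), user,
                                    f"{len(hosts)} hosts within {window.seconds}s"))
                break
    return alerts


def run_detections(events):
    """Run all three rules and return the combined alert list."""
    return (detect_recovery_tampering(events)
            + detect_rename_burst(events)
            + detect_logon_fanout(events))


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] user={a.user} host={a.host}: {a.detail}")
```

Note the ordering the output shows: the logon fan-out fires twenty minutes before the first recovery-tampering command, which is the window in which a response team can still cut the affiliate off before any file is encrypted. None of the three rules depends on a malware signature; the rename rule in particular does not care what the new extension is, only that one process is producing many of them quickly.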
Attacks like the Change Healthcare breach rarely announce themselves through official channels first. New payloads, active infrastructure, and exploitation techniques circulate in closed forums and private channels well before any public research surfaces them. By the time an incident makes it into a threat report, organisations without early visibility are already behind.
Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news — context about emerging threats matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.