
The Business Model Behind Cybercrime’s Fastest Growth Sector

Sept. 2, 2025

Ransomware attacks are no longer the work of lone hackers. They're run like startups with customer support, affiliate programs, and performance dashboards. This model, known as ransomware as a service, or RaaS, is reshaping global cyber threats.

RaaS allows hackers to rent, lease, or purchase ready-made ransomware kits from criminal developers on dark web forums. These RaaS kits often include encryption tools, payment portals, and even negotiation scripts. Affiliates, who may have little technical skill, use these kits to launch attacks and split the profits with the developers.

RaaS Business Models

The RaaS model is a variation of the software as a service (SaaS) business model that gives hackers access to high-end ransomware tools at lower costs. The RaaS market is competitive, with operators running marketing campaigns and developing websites that mimic legitimate companies, according to Wikipedia.

There are 4 common RaaS revenue models:

  • Flat-fee monthly subscription
  • Affiliate programs, which are the same as a monthly fee but with a portion of the profits going to the ransomware developer
  • One-time license fee with no profit sharing
  • Pure profit sharing

Ransomware developers, also called RaaS operators or RaaS groups, develop and maintain ransomware tools. Some of them package tools and services into RaaS kits they sell to other hackers, called RaaS affiliates. These affiliates pay monthly fees or share a percentage of the ransom payments they receive with the operators. Under profit sharing, the operators don't charge an up-front fee. Instead, they take a big cut of every ransom the affiliate receives, often 30–40%.

Recent reports show how RaaS has lowered the barrier to entry for cybercrime. Criminal gangs now sell access to compromised networks and offer support to affiliates, making it easier than ever to launch attacks.

But RaaS is just one part of a broader trend: Cybercrime-as-a-Service (CaaS). These platforms offer everything from phishing kits to AI-enhanced attack tools, enabling anyone with a motive and a modest budget to become a hacker. As noted in recent global cybersecurity briefings, CaaS platforms are removing the barriers to entry for cybercrime and expanding the pool of potential attackers.

This Shift Isn't Theoretical. It's Operational.

Groups like DragonForce and Medusa are leading the charge. DragonForce uses CAPTCHA evasion and automated data theft, offering affiliates up to 80% of ransom payments. Medusa targets health care systems with double extortion tactics, encrypting data and threatening to leak it unless paid.

The RaaS ecosystem is also evolving. After RansomHub shut down in April, many of its affiliates migrated to Qilin ransomware. Meanwhile, HellCat and Morpheus have been linked by shared code, suggesting criminal developers are recycling payloads across platforms.

Cybercrime Business Model

These developments are not just technical. They're strategic. RaaS and CaaS operators are building scalable, resilient business models. They recruit affiliates, offer incentives, and adapt quickly to law enforcement pressure. The result is a cybercrime economy that mirrors legitimate software-as-a-service (SaaS) companies.

And the stakes are rising. According to the Global Anti-Scam Alliance, scammers siphoned away more than $1 trillion globally in the past year, costing some countries more than 3% of their gross domestic product. The entry of traditional organized crime groups into the cybercrime market is changing its character. These groups are often less concerned about the consequences of attacking critical services like hospitals or utilities.

The Global Impact

In Southeast Asia, more than 220,000 people have reportedly been trafficked to work in online scam farms. These operations harvest data, spread disinformation, and conduct social engineering campaigns. They are, in effect, criminal service providers.

At STACK Cybersecurity, we believe that understanding the business model behind RaaS and CaaS is essential to defending against them. It's not just about code. It's about incentives, infrastructure, and scale.
