Is ransomware as a service the same as malware as a service?

Ransomware and malware are two types of cyber threats that organizations need to be aware of. Ransomware encrypts files and systems, demanding payment for decryption. Malware is any software designed to cause damage, gain unauthorized access, or otherwise negatively impact systems and data. While ransomware is a specific type of malware, “ransomware as a service” and “malware as a service” refer to two different business models for distributing these types of malicious software.

What is ransomware?

Ransomware is a form of malware that encrypts files on a device or network, preventing the owner from being able to access them. The attackers demand payment of a ransom, usually in cryptocurrency like Bitcoin, in exchange for the decryption key to unlock the files. Some of the most common ransomware variants include CryptoLocker, WannaCry, and Ryuk.

Once installed, ransomware can spread across networks and storage devices, encrypting more and more systems. It may be delivered through phishing emails, compromised websites, or other infection vectors. The consequences of a ransomware attack can be severe, from temporary data loss to permanent damage of files if decryption is not possible.

Ransomware attacks have been rapidly growing in frequency and impact over the past decade. They have hit businesses, hospitals, schools and universities, city governments, and other organizations. The FBI estimates over $1 billion in ransom payments were made globally in just the first half of 2019.

Examples of major ransomware attacks

  • WannaCry – This 2017 attack hit over 200,000 computers across 150 countries, affecting businesses, hospitals, and government agencies. It crippled organizations like the UK’s National Health Service.
  • NotPetya – Posing as ransomware, this attack in 2017 caused over $10 billion in damages across Europe, Asia, and the Americas. Many companies had to replace entire systems.
  • Colonial Pipeline – The largest fuel pipeline in the U.S. was forced to shut down operations for nearly a week after a 2021 ransomware attack. Gas shortages resulted across the East Coast.

What is ransomware-as-a-service?

Ransomware-as-a-service (RaaS) refers to the offering of ransomware tools and infrastructure to cybercriminals through a subscription model. Like software-as-a-service, RaaS allows attackers who lack technical skills to easily deploy ransomware campaigns.

RaaS offerings first began emerging on the cybercrime underground around 2012 and 2013. The developers of ransomware variants like REvil and Ryuk have adopted the RaaS model, licensing their malware to affiliates.

Typically, the ransomware authors manage the infrastructure and development of the malware tools. The affiliates or subscription customers are responsible for the distribution and execution of attacks – they identify targets, infect systems, and handle ransom negotiations and payments. The developers take a cut of any ransom profits.

For as little as $40 to $200 per month, cybercriminals can gain access to sophisticated ransomware strains through RaaS networks on the dark web and launch their own campaigns. The lowered barrier of entry has resulted in an explosion of ransomware attacks in recent years.

Elements of a ransomware-as-a-service offering

  • Custom ransomware executable files
  • Command and control server infrastructure
  • Dashboards for managing infections and ransoms
  • Payment sites for collecting ransoms
  • Support and updates for malware

Major ransomware-as-a-service players

  • REvil (Sodinokibi) – RaaS model launched in 2019, shut down in 2021
  • Ryuk – Developed by Russia-based Wizard Spider, peak activity 2020-2021
  • Conti – Operated out of Russia, finally disabled in 2022

What is malware-as-a-service?

Malware-as-a-service (MaaS) is a monetization model where malware developers lease or sell access to custom malware tools and infrastructure to other attackers. Similar to RaaS, it enables less sophisticated actors to launch their own malware campaigns through a subscription.

MaaS offerings provide varieties of malware beyond just ransomware. They may include:

  • Information stealers – Capture usernames, passwords, credit cards
  • Banking trojans – Enable theft from online bank accounts
  • Keyloggers – Record keystrokes to harvest sensitive data
  • Botnets – Infect networks of computers for DDoS attacks
  • Spyware – Secretly monitor activity and steal data

The MaaS operator handles developing, updating, and hosting the malware tools. Customers can rent access to this ready-made infrastructure to deliver their selected malware to targets. Prices typically range from $10 to $500 per month for MaaS subscriptions.

Elements of a malware-as-a-service offering

  • Variety of turnkey malware types
  • Builders to create custom malware executables
  • Command and control server hosting
  • Traffic redirection and anonymity services
  • Dashboards and analytics
  • Technical support

Major malware-as-a-service players

  • Cerberus – Android banking malware, active 2020 to present
  • buildent – Spyware/information stealer MaaS, Russia-based
  • SocGholish – Framework for cloning websites for phishing

Comparing ransomware-as-a-service vs. malware-as-a-service

While RaaS and MaaS have some similarities in their subscription-based models, they have some important differences:

Ransomware-as-a-Service Malware-as-a-Service
Focused specifically on ransomware malware Provides access to wide range of malware types
Encrypts data to extort ransom payment Malware designed for theft, DDoS, spying, etc.
Customers handle ransom demands Operators may handle extraction of stolen data
Revenue from ransom payments Revenue from monthly subscriptions

While RaaS provides access to just ransomware, MaaS gives customers a menu of malware options – trojans, bots, spyware, adware, and more. RaaS affiliates earn money from ransom payments, while MaaS operators generate revenue through monthly subscription fees.

However, MaaS offerings can include ransomware options. And some threat actors offer both RaaS and MaaS services. So there can be overlap between these models even though they are not exactly the same thing.

The growth of ransomware-as-a-service

Ransomware attacks have seen massive growth since the emergence of RaaS in the early 2010s. Damages are now in the billions annually. Factors driving the explosion of RaaS include:

  • Lower barriers to entry – Don’t need coding skills to deploy ransomware
  • Harder to trace – Affiliates provide cover for ransomware developers
  • More targets – RaaS enabled wider ransomware distribution
  • Bigger payouts – Ransoms rising into the millions of dollars

Whereas early ransomware mostly involved opportunistic cybercriminals, RaaS has enabled ransomware to scale to an industrialized business model. Launching campaigns is now more efficient for attackers at lower risk.

Estimates indicate at least 165 RaaS programs were active as of 2021. Major operations like REvil and Ryuk have pulled in over $200 million in ransoms. The trajectory is still trending upwards, as the rewards continue to outweigh the risks for cybercriminals.

RaaS subscription prices

  • Starter – $40 to $200 per month, 5-10% ransom cut
  • Basic – $200 to $500 per month, 20% ransom cut
  • Professional – $500 to $1,000 per month, 25-30% ransom cut
  • Enterprise – Custom pricing, 40-50% ransom cut

RaaS programs offer tiered subscription packages similar to SaaS companies. Lower tiers allow newbies to get started at low cost with limitations. Enterprises pay more but gain access to more features, support, and better ransomware. Revenue gets shared with the operators.

Estimated revenues from top RaaS strains

  • REvil – $200 million
  • Ryuk – Over $150 million
  • Conti – $180 million

Successful RaaS operations like REvil, Ryuk, and Conti have brought in hundreds of millions in total ransom payments. This revenue gets split between the developers and affiliates carrying out attacks. Cybercriminals have made small fortunes through the RaaS model.

The evolution of malware-as-a-service

Malware-as-a-service originated in the cybercrime underground in the late 2000s. Factors driving the emergence and growth of MaaS include:

  • Outsourcing – Developers can monetize tools instead of running campaigns
  • Lower barriers – Don’t need technical skills to use malware
  • Evasion – Makes attribution more difficult with service layers
  • Scaling – MaaS enabled broader distribution of malware

MaaS has professionalized and commercialized the malware ecosystem. No longer limited to few top hackers, even low-skilled criminals can access advanced malware through subscription services. The result has been an enormous volume of malware attacks over the past decade.

As cyber defenses continue improving, MaaS offerings counteract these measures by providing constantly updated malware tools and infrastructure. Customers can rely on MaaS operators to maintain the backend, while they focus on distribution.

Malware-as-a-Service use cases

  • Commodity cybercrime – Steal credentials and financial data
  • Espionage – Spy on governments and companies
  • Hacktivism – DDoS attacks for political reasons
  • State-sponsored – Foreign intelligence operations

From small-time cybercriminals to state-sponsored spies, a wide range of threat actors leverage MaaS offerings for deploying malware. Cheap access to powerful malware tools democratizes cybercrime across the underground.

Malware-as-a-Service subscription tiers

  • Basic – $10 to $50 per month, limited features
  • Professional – $80 to $200 per month, moderate capabilities
  • Advanced – $200 to $500 per month, full customization

MaaS tiers are structured similar to RaaS, with low-cost basic plans and more expensive packages with full malware toolsets and options. This allows different classes of cybercriminals to access MaaS networks.

Defending against ransomware-as-a-service and malware-as-a-service

Defending against RaaS and MaaS threats requires a multifaceted strategy combining both proactive security and incident response:

  • Endpoint protection – Install advanced antivirus/antimalware tools on all devices and servers and keep them continuously updated.
  • Network monitoring – Inspect network traffic for signs of malware delivery and command and control activity.
  • Vulnerability management – Rapidly patch software, operating systems, and devices against known security holes.
  • Email security – Block spearphishing email attacks that deliver malicious links/attachments.
  • Backups – Maintain recent backups of critical systems and data for recovery.
  • User training – Educate employees to identify social engineering and cyberthreats.
  • Incident response plan – Have a plan in place to contain, eradicate, and recover from malware or ransomware infections.

Combining preventive tools and techniques with thorough preparedness and planning is essential. Seek assistance from experienced security consultants and providers to build a robust anti-malware posture.

The future of malware and ransomware monetization

Malware-as-a-service and ransomware-as-a-service are likely to continue evolving in sophistication and prevalence in the underground market:

  • More turnkey ransomware strains will emerge, requiring minimal effort to deploy.
  • MaaS platforms will expand to offer a greater diversity of modular malware services.
  • Machine learning and AI could enable more advanced, stealthy malware able to evade detection.
  • State-sponsored threat groups may increasingly outsource malware development and operations to contractors.
  • Prices for subscriptions will decline allowing broader access to cybercrime-as-a-service.
  • Anonymous cryptocurrencies will facilitate ransomware payments while hindering tracking.
  • A growth in malware targeting mobile devices and Internet of Things networks.

Defenders will need to match the innovation in the threat landscape with equally sophisticated tools, solutions, and strategies. Partnering with ethical hackers to deeply understand attacker tradecraft will also become increasingly beneficial.


Ransomware-as-a-service enables wide distribution of ransomware attacks even by unskilled cybercriminals through subscription-based access. Malware-as-a-service similarly democratizes a range of malware tools through online marketplaces and forums.

While RaaS focuses specifically on ransomware, MaaS offers an array of options – trojans, bots, spyware, and more. However, MaaS can incorporate ransomware alongside other malware strains.

Defending against these cybercrime services requires both preventative best practices as well as planning and preparation. As malware continues evolving, organizations need an adaptable approach combining skilled human talent and the latest technology.