Ransomware as a service has turned cybercrime into a franchise — and you don’t need any technical skills to buy in.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/ransomware-as-a-service-how-anyone-can-buy-a-cyberattack.
I’ve been doing this long enough to remember when ransomware meant one bad actor who wrote the code, found a way in, deployed the attack, and collected the money. That person had to be good at all of it. Those days are over. Ransomware as a service has completely changed the game, and if you’re an IT professional or backup admin who hasn’t fully wrapped your head around what that means, this post is for you.
What Ransomware as a Service Actually Is
The term “ransomware as a service” gets thrown around a lot, but most people picture something like a software platform — a portal you log into, a dashboard you manage, some kind of admin console. That’s not what this is. Not even close.
Here’s how Dr. Mike Saylor explained it on the podcast: you’re buying into a point-in-time franchise. You hand over somewhere between $10,000 and $100,000 in cryptocurrency to a ransomware as a service operator. In return, you get a pre-configured attack campaign — validated email addresses, tested malware that’s already proven it can get past a certain percentage of antivirus tools, and a negotiated ransom amount. Then they run the attack for you. You don’t manage anything. You don’t see anything. You sit back and watch your crypto wallet.
No portal. No dashboard. No login. Just a chat on the dark web through the Tor network — The Onion Router — and a hope that they actually do what you paid for.
The Criminal Ecosystem Behind Every Ransomware as a Service Attack
What really blew my mind in this conversation was understanding how specialized the criminal ecosystem has become. Back in the day, one person or group did everything. Now there are entire separate businesses dedicated to each piece of the puzzle.
You’ve got initial access brokers who do nothing but collect and sell validated email addresses and credentials. You’ve got botnet operators who manage millions of compromised computers and rent them out by the hour — you spec out what you need, they carve off part of their botnet, and you never even have to tell them what you’re using it for. You’ve got data brokers, lateral movement specialists, code developers, and affiliate networks tying it all together.
And the bigger ransomware organizations? They’ve got HR departments. Project managers. Payroll. PR campaigns. Their own internal cybersecurity teams — because yes, other bad guys are going to try to attack them too.
Ransomware as a Service and the Affiliate Model
One of the most interesting parts of the conversation was the affiliate model. This is where ransomware as a service gets even more layered. Say you’re a ransomware operator and you need a million validated email addresses. You find someone who specializes in exactly that — they don’t know how to break into systems, they don’t know how to send phishing emails, they just know how to find and validate email addresses. Instead of paying them upfront, you make them an affiliate. They get a base payment for the data, plus a percentage of whatever the attack brings in. Everybody gets a cut. Everybody is incentivized to make the attack succeed.
This model has democratized cybercrime in a way that’s genuinely alarming. Script kiddies with a few thousand dollars. Mid-tier technical actors protecting their anonymity with cryptocurrency. Nation-state actors using ransomware as a service as a distraction while they run a completely different operation underneath. The Conti group’s attack on Costa Rica appears to have been exactly that — a massive, high-profile attack designed to give them cover to dissolve the organization while law enforcement was busy looking the other way.
What This Means for Your Backups
Here’s the part I need every IT admin reading this to really hear: ransomware as a service has lowered the barrier to attacking your organization to almost zero. The person coming after you might have zero technical knowledge. They just need a few thousand dollars and a Tor browser. And there’s a good chance they’ll end up as law enforcement’s fall guy when it’s all over — but that doesn’t help you if your data is already encrypted or stolen.
Your backups are your last line of defense. Not your first. Not your only. But when everything else has failed — and with ransomware as a service out there, the odds of something getting through are higher than ever — your backups are what determine whether your organization recovers or doesn’t. Make sure they’re immutable. Make sure they’re offline or air-gapped. Make sure you’ve tested recovery. Not someday. Now.
Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data

