Ransomware-as-a-Service (RaaS) is a criminal service model where the people who build the malware are not the people who use it. Developers create and maintain the ransomware, the leak sites, and the payment infrastructure, then lease that package to affiliates who carry out the actual break-ins. (Source: Huntress)
The setup mirrors a legitimate software company. The operator maintains the product, keeps the supporting infrastructure online, and ships updates, while affiliates get access to tooling that's already built and tested. The difference is the intent: the product exists to disrupt businesses, steal data, and turn downtime into stolen revenue.
That division of labor is what makes the model matter to you, whether you run IT or sign the checks. An attacker no longer needs to write ransomware from scratch to hit your systems. They buy into an ecosystem that already includes the malware, the infrastructure, and sometimes a negotiation playbook, which lowers the barrier to entry and raises the number of crews capable of a serious intrusion.
The scale this creates is measurable. According to the Huntress 2026 Cyber Threat Report: State of Ransomware, four groups — Akira, Medusa, Qilin, and Ransomhub — accounted for over half of observed ransomware incidents, a sign of how effective shared playbooks have become.
Average time-to-ransom jumped from 17 to 20 hours in 2025 as crews spent more time on stealth, staging, and data theft before encryption.
Those extra hours reflect a shift in how these operations work. Attacks are getting more deliberate because affiliates specialize in specific phases of the intrusion, which raises their success rate against mission-critical systems.
The consequences don't stay technical. A ransomware event driven by this model becomes a payroll problem, an operations problem, and a customer-trust problem all at once, and it often lands when your team is short-staffed or heading into a long weekend. Understanding RaaS as an industrialized business, not a one-off attack, is the starting point for defending against it.
Attack Chain and Initial Access Tactics Used by RaaS Operators
The average time from initial compromise to ransom deployment climbed from 17 to 20 hours in 2025, according to the Huntress 2026 Cyber Threat Report. That extra window reflects a deliberate choice: affiliates spend more hours on stealth, staging, and data theft before they trigger encryption.
Understanding what happens during those hours is what separates catching an intrusion early from finding a ransom note on Monday morning.
Initial access typically comes through one of a handful of well-worn entry points. Each maps to a distinct set of log artifacts:
- Exposed remote access services — RDP and VPN endpoints reachable from the internet, often reached with stolen or brute-forced credentials
- Phishing and social engineering — including help-desk scams where an attacker convinces support staff to reset an account or approve access
- Stolen credentials — purchased or harvested, then reused against services that lack multi-factor authentication
- Vulnerable edge devices — firewalls, VPN appliances, and other perimeter hardware running unpatched firmware
A SonicWall VPN incident handled by the Huntress SOC shows how fast the chain moves once that first foothold exists.
Key Insight: Attackers pivoted from a compromised SonicWall appliance into post-exploitation activity within hours.
The observed tradecraft included privilege abuse, lateral movement, credential theft, firewall tampering, and shadow copy deletion, followed by signs of Akira ransomware deployment. Deleting shadow copies removes the local restore points Windows keeps, so a business without separate offsite backups has no clean copy to fall back on.
Persistence in that incident relied on two dual-use tools worth flagging in any log review:
- Cloudflared — Cloudflare's tunnel client, used to open an outbound tunnel that gives attackers a return path into the network without opening inbound firewall rules
- OpenSSH — a standard remote administration utility repurposed for lateral movement and maintaining access across hosts
Both tools are legitimate. That is exactly why attackers reach for them. An outbound Cloudflared tunnel looks like ordinary encrypted traffic, and an sshd process rarely raises an eyebrow on a server. For your SOC, this means signature-based detection alone will miss the activity — the software is signed, expected, and often already whitelisted.
The same pattern applies to remote monitoring and management (RMM) software. In a separate case, Huntress observed attackers using Bomgar RMM to gain access before launching ransomware. RMM agents are built to grant remote control, run scripts, and move files across an environment — the same capabilities an intruder wants, wrapped in a tool your IT team may deploy on purpose.
The ransomware name on the ransom note only points to what hit your system at the end. It doesn't tell you how the attacker got in, what they abused along the way, or how long they were setting the stage.
Because RaaS separates the payload from the intrusion, the same ransomware family shows up behind very different attack chains. One Akira case might start with an exposed VPN; another might begin with a rogue RMM install or a phished credential. The affiliate chooses the access path, persistence method, and tooling, then cashes out through the operator's payload.
For incident responders, the practical takeaway is to treat the encryption event as the last link in a chain rather than the incident itself. The privilege abuse, the tunnel client, the SSH sessions, the firewall changes, and the deleted shadow copies all leave traces before the ransom note lands. Those traces are where the intrusion is still recoverable.
Financial and Operational Impact of RaaS-Driven Ransomware Campaigns
The double-extortion model is where the financial pressure comes from. RaaS affiliates steal your data before they encrypt it, which means paying for a decryption key isn't the end of the negotiation. Even if you restore from backups and skip the decryptor entirely, the affiliate still holds copies of your files and can threaten to publish them on the operator's leak site.
That changes the math for your business. You're not just buying back access to your systems—you're weighing whether stolen customer records, financial data, and internal communications end up public. The ransom demand and the recovery cost become two separate line items, and the data exposure creates a third.
The specialization built into RaaS is exactly why these groups push for larger payouts. When separate crews handle initial access, intrusion, and negotiation, each specialist has a financial stake in choosing higher-value targets and extracting the maximum payment. That structure rewards patience, which is part of why crews now spend more time staging and stealing data before encryption.
Consider what the reported dwell time means in practice.
Those hours are spent building leverage against you. The longer an affiliate stays inside, the more data they package for extortion and the more of your environment they can disrupt when they finally trigger the payload.
The industries that get hit hardest tend to be the ones that can least afford downtime. Healthcare, finance, and critical infrastructure hold sensitive records and run operations where an outage carries immediate consequences—which raises the ransom potential in an attacker's eyes. If your organization sits in one of these sectors, you're a more attractive target precisely because the pressure to pay quickly is higher.
The damage doesn't stay inside your walls, either. RaaS-driven attacks create cascading effects that reach well beyond your own systems:
- Supply chain disruption — if your systems support downstream partners or customers, your outage becomes their outage, and the contractual and relationship fallout lands on you.
- Data breach notification obligations — once affiliates exfiltrate customer or employee records, you may be legally required to notify affected individuals and regulators, which carries its own cost and scrutiny regardless of whether you pay the ransom.
- Regulatory attention — a breach involving sensitive data in a regulated sector can trigger investigations and penalties that continue long after your systems are back online.
- Insurance complications — cyber insurance claims tied to ransomware often involve disputes over coverage, controls that were or weren't in place, and payment approvals, which can slow your recovery and shift costs back onto you.
For your board and executive team, the takeaway is that RaaS is a material business risk, not an IT line item. The direct ransom is often the smallest number in the equation. Extended downtime, recovery labor, breach notification, regulatory response, and lost customer trust all stack on top of it, and they accrue whether or not you choose to pay.
The reason RaaS creates this scale of damage is the same reason it works as a business: repeatable tradecraft applied against the targets most likely to pay. Understanding that helps you frame the risk in financial terms your leadership already tracks—revenue interruption, liability, and the cost of rebuilding trust with the people who depend on your operations.
Detection and Response Priorities for RaaS Intrusions
The fastest win right now is to hunt for remote tooling that has no business on your systems. RaaS affiliates reach for legitimate remote access utilities because they blend into normal admin traffic, so start your endpoint and network review there before anything else.
In the SonicWall-to-Akira incident described earlier, attackers established persistence with Cloudflared and OpenSSH and reached in through a remote monitoring tool. Those same artifacts are your first hunt targets.
Identify
Inventory every remote access path that touches the internet, including any VPN appliance, RDP-exposed host, and installed RMM agent. You cannot defend a foothold you don't know exists.
- Flag any host running Bomgar, Cloudflared, or OpenSSH that your team did not deploy—these are the tunneling and remote-access utilities affiliates use to hold access.
- List service accounts and admin credentials that can reach multiple systems, since those are what attackers abuse to move laterally.
- Locate forgotten or over-permissioned tools left from past projects; they give affiliates quiet ways back in.
Protect
Patch your VPN appliances and RMM agents to the fixed build listed in the relevant vendor advisory for your appliance generation—do not guess at a version string. Exposed edge devices are a repeated entry point across these intrusions.
- Enforce MFA on every account that supports it, prioritizing VPN, RDP, and privileged admin logins.
- Segment your network so a single compromised host cannot reach domain controllers, backup servers, and file shares directly.
- Restrict outbound tunneling protocols so tools like Cloudflared cannot open a channel to attacker infrastructure without tripping a control.
Detect
Watch for the staging behavior that shows up in the hours before encryption. In environments Capstone manages, Adlumin ITDR correlates suspicious logins and stolen-credential reuse across managed environments, catching identity abuse before an affiliate reaches your critical systems.
- Alert on new local admin accounts, sudden group membership changes, and off-hours logins from unfamiliar sources.
- Flag firewall rule changes and shadow copy deletion—both appeared in the Akira sequence as attackers cleared the way for the payload.
- Monitor for suspicious PowerShell and WMI activity that indicates lateral movement rather than routine administration.
Respond
Isolate any system showing lateral movement or unauthorized remote tooling immediately, and pull it off the network before disabling accounts. Preserve the logs first so you can trace how far the affiliate reached.
- Reset credentials for every account that touched a compromised host, starting with privileged and service accounts.
- Review VPN and RDP access logs for the source addresses and session times tied to the intrusion, then block them.
- Assume data theft occurred if you find staging activity, and treat exposure of stolen files as part of your incident response—not an afterthought.
Recover
Keep at least one backup copy immutable and offline, because affiliates target backup servers and delete shadow copies specifically to force payment. N-able Cove maintains recovery points that attackers cannot alter from a compromised host across managed environments.
Test your restore process on a schedule rather than assuming backups work. Rebuild affected systems from known-clean images instead of cleaning them in place, since persistence tools like OpenSSH can survive a partial cleanup and hand access back to the same operator.
Why Affiliate Recruitment and Monetization Drive Continued RaaS Expansion
The reason RaaS keeps expanding comes down to money. The operator who builds the ransomware doesn't take on the risk of breaking into your network. Affiliates do that work, and in exchange they hand the operator a cut of every successful payout.
That profit-sharing arrangement is what pulls in lower-skilled criminals. An affiliate doesn't need to write malware, stand up a payment portal, or run a leak site. They rent access to a working operation and focus on one thing: getting into environments like yours and staging the payload.
The Huntress 2026 Cyber Threat Report found that four groups—Akira, Medusa, Qilin, and Ransomhub—accounted for over half of observed ransomware incidents. That concentration tells you the shared-playbook model is paying off well enough that affiliates keep coming back to the same operators.
Why volume and aggression are built into the payout structure
When an affiliate earns a percentage of each ransom, the incentive is to hit as many targets as possible and push hard on the ones that pay. There's no reason to be selective or restrained. More intrusions and more pressure mean more revenue for both the affiliate and the operator.
That structure explains why affiliates spend extra hours on stealth, staging, and data theft before encryption. The longer they stay quiet inside your environment, the more data they can steal and the more leverage they hold when the ransom demand lands.
For your business, this means the threat isn't a single dedicated adversary. It's a rotating pool of affiliates, each running the same tested tradecraft against whatever foothold they can find or buy.
Why dismantling one gang doesn't remove the threat
Law enforcement takedowns matter, but they hit one node in a replicable model. When an operator's infrastructure goes down, the affiliates who ran attacks for that brand don't retire. They move to another operator or a rebranded operation and keep working.
The playbook itself survives. The roles, the profit split, and the tooling can be rebuilt anywhere a foothold can be turned into leverage. That's why sanctions and arrests, while useful, don't reduce the volume of attacks your organization faces from month to month.
Consider what this means for how you budget your defenses:
- A single named group getting taken offline won't shrink your exposure, because the affiliates disperse rather than disappear.
- The same intrusion techniques show up under new operator brands, so your detection has to target behavior, not just a ransomware family name.
- The model scales with demand, meaning attacker capacity grows independent of any one crew's fate.
The role of cryptocurrency in keeping the money moving
Cryptocurrency payment channels are what make the profit split practical. Operators collect ransoms and distribute affiliate cuts through payment portals that don't route through traditional banks, which keeps the money flowing without the oversight a bank transfer would trigger.
Those same channels feed money laundering, letting criminal proceeds get moved and obscured before they cash out. For you, this is why paying a ransom rarely ends the exposure: the funds fuel the next round of tooling, infrastructure, and affiliate recruitment that keeps the model running.
The practical takeaway for decision-makers is that you cannot wait for external enforcement to remove this threat. The business model regenerates faster than any single takedown can dismantle it, so your recovery capability and how quickly you spot an intrusion are the defenses that actually change your outcome.
Immediate Actions to Reduce Exposure to Akira, Medusa, Qilin, and Ransomhub
The fastest way to shrink your attack surface against Akira, Medusa, Qilin, and Ransomhub is to lock down the tools their affiliates reach for first. These four groups don't all use the same access path, but they lean on the same categories of infrastructure to move once they're inside. Here's a prioritized checklist a security team can work through in 48 to 72 hours.
Start with remote monitoring and management tools. Disable or isolate Bomgar and any similar RMM agent unless a documented business process actively requires it. Affiliates install or hijack these tools because they blend in with the traffic your IT team generates every day, which means the connection that reaches your servers looks like routine administration.
If a tool is required, restrict it to specific hosts and named operators rather than leaving it broadly reachable. Every RMM agent you can't account for is a foothold someone else may already own.
Next, block outbound tunneling infrastructure. At your firewall, block Cloudflared domains unless you have a confirmed legitimate use for Cloudflare Tunnel. Affiliates use it to build an encrypted channel out of your network that bypasses inbound firewall rules, giving them persistent access without opening a listening port you'd notice.
Blocking the domains at the egress point cuts the tunnel before it establishes. That closes one of the persistence mechanisms observed in the SonicWall-to-Akira intrusion.
Harden SSH. Enforce key-based authentication and disable password login entirely with PasswordAuthentication no in your sshd_config. Affiliates stand up their own OpenSSH access to keep a durable way back in, and password-based SSH lets stolen or guessed credentials do that work for them.
Key-only access means a leaked password alone can't reopen the door. Restart the SSH service after the change so it takes effect.
Tighten VPN access to least privilege. Review every VPN account and confirm each one maps to a current employee with a genuine need, then scope what each account can reach:
- Remove accounts tied to former staff, contractors, and stale service identities.
- Restrict VPN users to the subnets and systems their role requires, not the flat internal network.
- Require MFA on every VPN account and confirm it can't be bypassed by a legacy authentication path.
VPN and remote access endpoints are among the entry points these affiliates favor precisely because a single valid credential can put them inside. Least-privilege scoping limits how far that credential travels once it's abused.
Finally, turn on logging and alerting for all of the above. Enable authentication and session logging on your VPN appliances, RMM consoles, and SSH hosts, and forward those logs somewhere they can be correlated. Repeatable affiliate tradecraft produces repeatable signals, and you can't alert on activity you never recorded.
Watch specifically for RMM installs on hosts that never had them, outbound tunnel connections, and SSH key additions outside a change window. Adlumin correlates these authentication and remote-access anomalies across managed environments, flagging the login and identity abuse that precedes payload staging.
Work the list in order. The RMM and tunneling steps close the persistence paths seen in real Akira activity; the SSH and VPN steps remove the credential-based access these four groups depend on; the logging step gives you the visibility to catch a repeat attempt.
Key Takeaway: Speed of Detection and Isolation Beat Ransom Payment
The decisive factor in a RaaS intrusion is time, not the ransom note. Because affiliates rent proven tooling and follow shared playbooks, they can repeat the same intrusion across many environments and move quickly once inside. The average time from compromise to ransom deployment now sits at around 20 hours, which is the window you have to notice the intrusion and cut it off.
That window is what separates a contained incident from a full recovery cycle. If you spot the lateral movement, the credential misuse, or the tunneling activity during those hours, you can isolate affected hosts before the payload runs and skip the negotiation entirely. If you find out at the ransom note, the affiliate has already staged and stolen your data.
Paying a ransom funds the operator's next round of development and affiliate recruitment, and it does not guarantee your stolen data is deleted—copies stay in the affiliate's hands regardless of whether you pay.
The single most important action is to have a detection and isolation plan written and rehearsed before an incident, specifically covering RMM abuse and suspicious tunneling utilities. Knowing in advance who can pull a host off the network, and under what authority, is what turns a 20-hour window into a real advantage instead of a scramble.
Continuous monitoring of the tools these crews reach for—Bomgar and similar remote management agents, Cloudflared, and OpenSSH—is now baseline. These utilities appear again and again across unrelated intrusions tied to different operators, which makes their unexpected presence a reliable early signal. Treating that visibility as a standing control, rather than a one-time hardening task, is what keeps quiet access from turning into downtime.