Ransomware has evolved from isolated hacker exploits into a full-fledged criminal Ransomware-as-a-Service (RaaS) economy. In this model, skilled developers lease out ransomware kits to less technical affiliates, lowering the barrier to entry into cybercrime. Practically anyone can now launch a ransomware attack by partnering with RaaS operators, who provide the malware, infrastructure, and even customer support, in exchange for a cut of the profits, as outlined in Ransomware in 2025: Biggest Threats and Trends.

This affiliate model has supercharged the scale of attacks, transforming ransomware into a booming underground industry by 2025.
The Evolving RaaS Model and Its Impact
Under the RaaS model, affiliates don’t need advanced hacking skills. They can rent or subscribe to ransomware platforms and tools developed by professional cybercriminal teams. RaaS operators handle updates, payment portals (often located on the dark web), and sometimes even offer 24/7 technical support or negotiation services to their affiliates. This professionalism means ransomware operations now resemble software startups – complete with dashboards, feature updates, and revenue-sharing agreements. Affiliates typically keep the majority of each ransom paid, while developers take a smaller percentage as their fee. This setup dramatically lowers the skill threshold for attacks, allowing established gangs to expand their reach without having to hack every target themselves.
Security analysts note that this “cybercrime franchise” approach makes ransomware more pervasive than ever. RaaS groups reinvest in better malware, exploits, and partnerships with initial access brokers who sell stolen network credentials. By treating attacks as transactions, the RaaS economy maximises profit and scalability. This reframing challenges defenders to see each incident as part of a coordinated supply chain, not an isolated intrusion.
Shifting Targets: From Big Game to Soft Targets
Early ransomware gangs often targeted huge payouts from large corporations or critical infrastructure, a practice known as “big game hunting.” But in 2024–2025, with law enforcement scrutiny rising, many affiliates shifted toward softer targets like schools and SMBs with weaker defences. The education sector in particular has been hit hard — ransomware incidents against K-12 schools rose 393% between 2016 and 2022, with at least 85 separate attacks recorded from late 2022 to late 2024, according to The hidden cost of the cybersecurity deficit in K-12 education.
The appeal is straightforward: outdated systems, limited cybersecurity budgets, and outages that cause significant operational disruption. Even modest ransom demands can push a school to consider payment rather than endure weeks of cancelled classes or inaccessible payroll. In 2024, the median ransomware payout across sectors was about $200,000, far less than the multimillion-dollar jackpots but easier to collect repeatedly from numerous smaller victims.
Ransomware Pricing: Demands Up, Payments Down
Ransom pricing strategies are shifting. On the one hand, demands have grown bolder: in 2024, the average ransom demanded from a lower-education institution was nearly $4 million, with 44% of attacks requesting more than $5 million (Ransomware Statistics You Need to Know). On the other hand, more victims refuse to pay. Coveware’s Q4 2024 data shows only 25% of victims paid — an all-time low — and the median payment dropped to about $110,000 (Will Law Enforcement success against ransomware continue? Q4 2024 report).
This squeeze forces affiliates to adapt: lowering demands for smaller targets, or doubling down on data theft and “double extortion.” Notably, over 40% of ransomware incidents by late 2024 involved data theft without encryption, turning some campaigns into pure blackmail (FBI Internet Crime Complaint Center 2024 Report). Experts warn that paying for “data deletion” is risky — many gangs take the money and still leak or sell the stolen information.
Law Enforcement Pressure and RaaS Adaptation
International efforts in 2023–2024 scored high-profile wins. In October 2024, Operation Cronos targeted LockBit infrastructure across 12 nations, seizing servers, freezing 200 crypto wallets, and arresting four affiliates. This followed the February 2023 FBI-led takedown of Hive ransomware, which prevented an estimated $130 million in ransom payments by quietly distributing decryption keys to victims.
These actions disrupted major players like LockBit and ALPHV (BlackCat), contributing to a 35% drop in total ransomware revenue in 2024 (35% Year-over-Year Decrease in Ransomware Payments). Market fragmentation followed, with smaller groups chasing lower-value targets. Criminals also adjusted their OPSEC, avoiding traceable crypto mixers and leaving funds idle to reduce seizure risk.
Real-World Examples
Case 1: School Districts Facing Multi-Million Dollar Recovery Costs
In late 2020, Baltimore County Public Schools and Buffalo Public Schools were targeted with ransom demands of $100,000–$300,000, which they refused. Recovery and hardening costs topped $10 million for each district, and schools were closed for days, disrupting classes for over 100,000 students.
Case 2: University Attack Disrupts Operations
In July 2023, Morehead State University experienced a ransomware incident that compromised the personal data of approximately 20 individuals and resulted in over a month of system downtime. Recovery costs are estimated at $4 million, far exceeding any ransom demand, and the incident disrupted summer courses and administrative operations.
Case 3: Change Healthcare Breach and BlackCat Exit-Scam
In February 2024, BlackCat affiliates breached Change Healthcare, stealing 6 TB of data and encrypting critical systems. UnitedHealth reported $872 million in direct costs. Shortly after, core BlackCat operators disappeared with a $22 million ransom, leaving affiliates unpaid, highlighting the risk even criminals face in the RaaS economy.
Conclusion and Outlook
The ransomware-as-a-service economy operates like a global business, with developers, resellers, customer support, and constant adaptation. It has unleashed unprecedented attack volumes, impacting entities from multinational corporations to local schools.
Trends in 2024–2025 show declining payment rates, more decisive law enforcement action, and more cautious criminal behaviour. Yet the model’s resilience means it will continue evolving, perhaps toward higher volumes of lower-value attacks and more data-theft extortion.