Ransomware

Ransomware-as-a-service: inside the criminal supply chain

Modern extortion isn't a lone hacker in a hoodie. It's a specialized, profit-sharing economy with operators, affiliates, and brokers. Understand the supply chain, and you'll see exactly where to break it.

The popular image of a ransomware attacker — a lone genius hammering a keyboard — is a fantasy that hasn't been true for years. Today's ransomware is a mature, division-of-labor economy that mirrors legitimate software-as-a-service businesses, complete with developers, customer support, affiliate programs, and revenue sharing. It's called ransomware-as-a-service, or RaaS, and understanding how it's structured is the key to defeating it.

Why does the structure matter? Because a supply chain has links, and links can be broken. You don't have to be perfect at every stage of an attack — you have to break it at any one stage. Let's walk the chain.

The cast of characters

A modern ransomware operation typically involves several specialized roles, each focused on what they do best:

  • Operators (the RaaS brand). The core crew that develops the ransomware, runs the leak site, manages the negotiation portal, and maintains the "product." They rarely break into victims themselves.
  • Affiliates. Independent attackers who license the operator's ransomware, do the actual intrusion, and split the ransom — often 70–80% to the affiliate, the rest to the operator.
  • Initial access brokers (IABs). Specialists who breach organizations and sell ready-made access — valid VPN credentials, compromised RDP, web shells — to affiliates on criminal markets.
  • Support functions. Negotiators, money launderers, and even "customer service" for victims who pay. Some crews run help desks more responsive than legitimate vendors.

RaaS lowered the barrier to entry. An attacker no longer needs to write malware or even find a way in — both can be rented or bought. The market does the hard parts.

The economics of extortion

This specialization exists because it's wildly profitable and it spreads risk. Operators get scale without exposing themselves to intrusions. Affiliates get a polished toolkit without writing code. IABs monetize access they might not know how to exploit. Each participant optimizes their slice, and the whole machine grows more efficient — which is exactly why ransomware volume and ransom demands have climbed year after year.

Double extortion is now the default. Attackers no longer just encrypt your data — they steal it first, then threaten to publish it on a leak site if you don't pay. This means backups alone no longer save you from extortion. You can restore your systems and still face the threat of your sensitive data being dumped publicly. Some crews add a third layer: DDoS attacks or direct harassment of your customers to increase pressure.

The kill chain — and where it breaks

Despite the specialization, nearly every RaaS attack follows the same predictable sequence. Each stage is an opportunity for defenders.

1. Initial access

The attacker gets in — usually via phished or stolen credentials, an exposed RDP/VPN, or an unpatched internet-facing vulnerability. Break it here: phishing-resistant MFA on all remote access, aggressive patching of edge systems, and killing exposed RDP. This stage stops the most attacks for the least effort.

2. Establish foothold and escalate

The affiliate deploys a remote-access tool, dumps credentials, and escalates to privileged accounts. Break it here: endpoint detection (EDR) that flags credential dumping and suspicious tooling, plus least-privilege access that denies easy escalation.

3. Move laterally and discover

They map the network, find domain controllers, backups, and the most valuable data. This reconnaissance is noisy. Break it here: network segmentation to slow movement, and behavioral analytics that catch abnormal internal scanning and access patterns.

4. Exfiltrate data

Before encrypting, they steal data for the extortion leverage. Break it here: data-loss monitoring and egress controls that flag large or unusual outbound transfers — often the last clear warning before detonation.

5. Encrypt and extort

Finally, the ransomware runs. If you've detected and responded at any earlier stage, it never gets here. If it does: immutable, offline backups and a tested recovery plan determine whether this is a bad week or an existential crisis.

Network visualization representing lateral movement during an attack

Why speed is the whole game

The dwell time between initial access and encryption has compressed dramatically — affiliates are faster and more practiced than ever. That makes mean-time-to-detect and mean-time-to-respond the metrics that matter most. A 24/7 SOC that catches the credential-dumping or lateral-movement stage and contains the host in minutes turns a catastrophic ransomware event into a contained intrusion — exactly the outcome we delivered for a regional bank in 11 minutes.
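To make the kill-chain stages and the dwell-time argument concrete, here is an added Python example (not code from the article or from S-Security): simple rule-based detectors for stages 1 through 4 run over constructed log events, plus a function that measures how long the attacker had free rein before the first alert at a stage your controls actually cover. Event fields, the LSASS allowlist and all thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real logs): stages 1-4 from one compromised host.
EVENTS = [
    ("2024-03-01T02:10:00", "vpn-gw", "vpn_login", {"user": "jdoe", "mfa": False, "src": "203.0.113.7"}),
    ("2024-03-01T02:40:00", "ws-042", "lsass_access", {"image": "rundll32.exe"}),
] + [  # a burst of SMB connections to twelve distinct internal hosts, one per minute
    (f"2024-03-01T03:{i:02d}:00", "ws-042", "netconn", {"dst": f"10.0.5.{10 + i}", "port": 445})
    for i in range(12)
] + [
    ("2024-03-01T04:30:00", "ws-042", "netflow_out", {"dst": "198.51.100.9", "bytes": 40_000_000_000}),
]

# Assumed tunables; a real deployment sets these from its own baseline.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LSASS_ALLOWLIST = {"lsass.exe", "msmpeng.exe", "csrss.exe"}
LATERAL_HOSTS, LATERAL_WINDOW = 10, timedelta(minutes=15)
EGRESS_BYTES = 5_000_000_000

def internal(ip):
    # Explicit RFC 1918 check; ipaddress.is_private also matches documentation ranges.
    return any(ip_address(ip) in net for net in INTERNAL)

def detect(events):
    """Return [(stage, datetime, reason)] in time order; the lateral rule fires once."""
    hits, recent = [], defaultdict(list)  # recent: host -> [(ts, dst)] for the lateral rule
    for ts, host, kind, d in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "vpn_login" and not d["mfa"] and not internal(d["src"]):
            hits.append((1, t, f"VPN login without MFA for {d['user']} from {d['src']}"))
        elif kind == "lsass_access" and d["image"].lower() not in LSASS_ALLOWLIST:
            hits.append((2, t, f"{d['image']} opened LSASS on {host}"))
        elif kind == "netconn" and d["port"] in (445, 3389) and internal(d["dst"]):
            recent[host] = [x for x in recent[host] if t - x[0] <= LATERAL_WINDOW] + [(t, d["dst"])]
            if len({x[1] for x in recent[host]}) >= LATERAL_HOSTS and all(h[0] != 3 for h in hits):
                hits.append((3, t, f"{host} reached {LATERAL_HOSTS}+ internal hosts on SMB/RDP within {LATERAL_WINDOW}"))
        elif kind == "netflow_out" and d["bytes"] >= EGRESS_BYTES and not internal(d["dst"]):
            hits.append((4, t, f"{host} sent {d['bytes'] // 10**9} GB to {d['dst']}"))
    return hits

def dwell_minutes(events, covered_stages):
    """Minutes from the first initial-access alert to the first alert at a stage your
    controls cover; None if no covered stage fires (you find out at encryption time)."""
    hits = detect(events)
    first_access = min(t for s, t, _ in hits if s == 1)
    acted = [t for s, t, _ in hits if s in covered_stages]
    return (min(acted) - first_access).total_seconds() / 60 if acted else None
```

Calling `dwell_minutes(EVENTS, {2, 3, 4})` versus `dwell_minutes(EVENTS, {4})` shows the same intrusion costing 30 minutes of attacker freedom with EDR on credential dumping, and 140 minutes if egress monitoring is the first control that sees it.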

Should you pay?

Law enforcement and most security professionals advise against paying. Payment funds the entire RaaS economy, marks you as a willing payer for future attacks, and offers no guarantee — decryptors are often buggy, and "deleted" stolen data frequently resurfaces. The durable answer isn't a ransom budget; it's breaking the chain early enough that you never face the question. Defense in depth, identity hardening, rapid detection, and tested backups are what take the leverage away.

David Okoro, Threat Intelligence Lead · S-Security

David tracks ransomware crews and the criminal markets that supply them, turning intelligence on affiliates and access brokers into the detections that protect S-Security clients. He has supported dozens of incident responses against active extortion operations.
