By Gareth Shaw, Managing Director, Pera Prometheus
The Growing Threat of RaaS
Ransomware is a type of malware designed to either steal data from a system, or deny access by locking users out of their data until a ransom is paid. Once deployed, software will either attempt to export or encrypt (or both) critical data, making it accessible to the attacker and inaccessible to the organisation.
The threat actor initiating the attack, then demand payment in exchange for the decryption key which places the organisation in a difficult position, where paying the ransom often seems like the easiest and quickest way to regain access to their data.
Ransomware has now evolved from a niche cyber‑crime into a pervasive global threat. Its latest incarnation, Ransomware‑as‑a‑Service (RaaS), amplifies the danger by enabling more technically astute and capable cybercriminals to offer ransomware tools on dark web marketplaces to less technically capable criminals, often referred to as script kiddies, who purchase the tools and use them for their own intent. The result is less technically capable attackers are now able to launch sophisticated intrusions with the consequential rise in cyber crime. The impact is businesses of all sizes, from small enterprises to critical defence‑industry suppliers, find themselves directly and increasingly at risk.
This easy access to cybercrime means no organisation is safe. Whether you’re in retail or the defence sector, the accessibility of RaaS makes every business a potential target. This post explores how RaaS operates, the scale of the threat, real‑world impacts, and practical steps for prevention, threat mitigation, and data protection.
Understanding Ransomware‑as‑a‑Service
RaaS mimics legitimate Software‑as‑a‑Service (SaaS), but with malicious intent. Cybercriminals create ransomware kits, bundles of malware capable of encrypting files and locking systems and offer them for rent or sale via dark web forums. Ransomware is typically spread or distributed through phishing emails, malicious websites, and exploit kits.
Ransomware kits often include:
- A user‑friendly control panel or dashboard;
- Technical support or affiliates documentation;
- Tracking features to monitor infections and ransom payments.
RaaS operates under various business models:
- Affiliate RaaS: If successful, a small percentage of profits go to the RaaS creator to run a more efficient service and streamline their ransomware attacks;
- Subscription-based RaaS: Users pay a monthly flat fee for access to the ransomware;
- Lifetime license: Users pay a one-time fee and modify it to fit their needs;
- RaaS partnerships: Profit split is defined when an affiliate gains access to the ransomware. This split is larger than the affiliate model, but payment only occurs if an attack is successful.
This ‘business mode’ effectively lowers the barrier to entry. Novices, sometimes called “script kiddies”, can launch complex attacks with kits that cost only a few hundred pounds.
Dark web marketplaces anonymise transactions using cryptocurrency, making attribution difficult. For cyber defenders, it means the pool of potential attackers is far broader, from lone opportunists to organised crime groups targeting high‑value sectors such as the defence industry.
The Scale of the RaaS Threat
The NCSC’s 2024 Annual Review, published on 3rd December 2024, noted a significant increase in cyber incidents, with 542 bespoke notifications sent to UK organisations about cyber incidents in 2024, over twice the 258 sent in 2023.
Of these, 317 were related to pre-ransomware activity, indicating that ransomware, often facilitated by RaaS, remains a dominant threat. The report highlights ransomware as the most pervasive cyber threat to UK organisations, with top targets including academia, manufacturing, IT, legal, charities, and construction.
According to Sophos, a cybersecurity company headquartered in the UK, who conducted an independent survey (Jan – Mar 2025) of 3,400 IT/ cybersecurity leaders working in organisations that were hit by ransomware in the last year, (including 201 from the UK):
- 70% of the attacks resulted in data being encrypted;
- $5.20M was the median UK ransom payment in the last year;
- $2.58M was the average cost to recover from the attack.
Such figures and the attack success rate is a stark reminder there is an urgent need for robust Cybersecurity strategies and layered Information Security defences.
Real‑World Impacts: RaaS in Action
Case Study: UK Defence‑Contractor Breach via LockBit
In August 2023, Wolverhampton-based firm Zaun, supplier of high‑security fencing for UK military installations was breached by the LockBit ransomware group. Attackers exploited an outdated Windows 7 system, exfiltrated around 10 GB of data, and published internal project files on the dark web. While classified data was reportedly unaffected, the breach triggered significant operational disruption and reputational damage.LockBit operates as a classic RaaS model, running affiliate operations, distributing ransomware kits, and taking around 20% of ransom payments while affiliates keep the rest. A global law‑enforcement operation, Operation Cronos, disrupted it in early 2024. The global nature of the organisation illustrates how embedded and widespread this RaaS infrastructure had become.
Ransomware Prevention: Safeguarding Your Business
Stopping RaaS attacks begins with proactive and layered security measures:
- Employee Training: Phishing remains the most common attack vector. The NCSC estimates 84 % of UK businesses encountered phishing attempts in 2024. Regular simulated‑phishing campaigns and awareness workshops can significantly reduce risk;
- Security Frameworks: Frameworks such as ISO 27001 and the NIST Cybersecurity Framework provide structured, proven approaches for robust information security management. See Pera Prometheus’ Information and Cybersecurity Frameworks for context;
- Multi‑Factor Authentication (MFA): Adds a level of security resilience to guard against attacks involving compromised credentials or brute-force attacks;
- Patch Management: Promptly applying software updates reduces exposure to new vulnerabilities. Unpatched systems contribute to the increased risk of exposure to attacks;
- Access Controls: Limit access privileges only those who require access to fulfil their job roles and responsibilities. This is know as applying the principle of least privilege.
Detecting RaaS Attacks Early
Early detection can minimise damage. Key methods include
- Network Monitoring: Flag unusual behaviour such as large outbound data transfers, control connections to unknown IPs (terminal/users), or out of hours or anomalous sign‑in activity;
- Endpoint Detection & Response (EDR): Tools that detect ransomware signatures or anomalous file encryption and isolate compromised endpoints rapidly;
- Technical Security Audits: Regular penetration tests and vulnerability assessments help uncover weaknesses before attackers exploit them.
Recovering from a RaaS Attack
When you identify an attack, actions that you take immediately, may mitigate the potential damage.
Below is the guidance from NCSC, what action should I take?
- Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based;
- In a very serious case, consider whether turning off your WiFi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary;
- Reset credentials including passwords, especially for administrator and other system accounts – but verify that you are not locking yourself out of systems needed for recovery;
- Safely wipe the infected devices and reinstall the operating system (OS);
- Before you restore from a backup, confirm that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you’re connecting it to are clean;
- Connect devices to a clean network in order to download, install and update the OS and all other software;
- Install, update, and run antivirus software;
- Reconnect to your network;
- Monitor network traffic and run antivirus scans to identify if any infection remains.
However, recovery preparedness is your next line of defence to ensure that your business operations are disrupted at a minimum level.
- Offline Backups: Keep encrypted backups physically or logically segregated from the network. Remember to regularly test that backups can be successfully restored;
- Incident Response Plans: Establish clear roles, communication channels, and procedures for isolation, investigation, and remediation. Unfortunately, only 15% of UK businesses currently have a formal plan;
- Avoid Paying Ransoms: Payment encourages further attacks and does not guarantee full recovery, only 8 % of paying victims regained all data in 2023;
Compliance and Legal Obligations: (RaaS) attacks, must be reported quickly under the UK GDPR, usually within 72 hours. After a breach, businesses must review the incident, seek legal advice to ensure compliance, and document details like what happened, its impact, and steps taken to fix it. This is critical in the defence sector to meet legal requirements and protect sensitive data.
Conclusion: Staying Ahead of the RaaS Threat
Ransomware‑as‑a‑Service has turned cybercrime into a scalable enterprise. With low entry costs, user‑friendly tools, and global reach, cybercriminals bring high-stakes ransom demands to organisations of all sizes and sectors. Defence‑industry suppliers must remain especially vigilant: national security, supply‑chain integrity, and reputation are directly at risk.
The best defence is a comprehensive one; investing in employee awareness, adhering to robust cybersecurity frameworks, deploying detection tools, and practicing your incident response procedures. Consider yourself as a potential target and strengthen your business defences accordingly.
A proactive posture toward information security, layered cyber threat mitigation, and disciplined data protection does more than just reduce risk, it equips businesses to recover swiftly and operate resiliently in an increasingly hostile digital landscape.
