Every year, Proofpoint's threat experts examine trends from the prior year and anticipate changes in the threat landscape for the year ahead. As we move into 2026, organizations face unprecedented challenges driven by agentic AI, cloud complexity, and the ever-present human factor.
Join Proofpoint’s Davide Canali (Threat Research Director) and Carl Leonard (Cybersecurity Strategist) for this must-attend webinar, where we’ll unpack the trends that matter most for CISOs, security leaders, and IT teams across EMEA.
Register Today
Ransomware-as-a-Service
A cybercrime business model where skilled hackers create and maintain ransomware software, then rent or sell it to other criminals who carry out attacks, Ransomware-as-a-Service (RaaS) poses a significant threat in today’s service-oriented IT culture.
Among the more unscrupulous in society, there’s something being pushed as an allegedly easy, get-rich-quick scheme that pays out real money for an almost negligible outlay and a minimal need for technical knowledge: Ransomware-as-a-Service, or RaaS.
As with any “as a Service” offering, the principle is simple: the providers of the RaaS service handle all the difficult technical elements of a ransomware attack – command-and-control servers, tools for encrypting or exfiltrating data, a user interface for customer visibility of attack progress and outcomes and so on) and subscribers simply pay for the service, define what or whom they want to attack via the easy-to-use web portal, and hit “Go”. The RaaS service perpetrates the attack. Where it is successful in attacking the victim it encrypts and/or exfiltrates the required files and issues the ransom demand.
The Cost of RaaS
One recent estimate suggests that, for an outlay of as little as $250 per month, the end user of one of the many RaaS services on the market will make as much as $21,000 per successful infection. Multiply this up and we are looking at a very tidy annual income for the criminals involved. Even the vaguest involvement with RaaS is against the law in most jurisdictions and users of such services run a big risk of being arrested and either fined or locked up (or both). We heartily recommend, therefore, not to be involved with the concept in any way whatsoever.
Yet, ransomware in general and RaaS in particular, are still very popular – though growth is widely believed to be less steep than in previous years. According to another source, for example, the number of ransomware victims increased by around 25% between the third quarter of 2024 and the equivalent period in 2025.
The revenue stream for the RaaS providers and the people that use them is, of course, the ransoms paid by the victims. Perhaps surprisingly the service providers take a fairly small slice of the pie, at between 15% and 40% of the total ransom depending on the provider. With an estimated $800 million paid in ransoms in 2024, that is still a tidy pay-day for the RaaS providers who, aside from developing the service and keeping it running, have a mainly hands-off role. The users of the service – who are frequently not street-wise hardened criminals who know how to cover their tracks – are therefore taking the lion’s share of the revenue, most are doing so whilst constantly looking over their shoulders and fearing arrest.
A Changing Threat Environment
The landscape of ransomware is changing, too, to reflect the fact that defenses are getting better … or, more specifically, that the detection elements of companies’ defenses are improving constantly over time. It is far easier for defense mechanisms to detect attempts to change files – particularly large numbers of files – than to spot the invasive malware simply reading the files and pushing them out to the RaaS provider’s file storage area. So, the focus is moving away from encrypting files to simply stealing them and then extorting a payment from the victim under the threat of releasing the stolen data into the public domain.
In fact, there are plenty more reasons for RaaS to move away from the hassle of encrypting files and demanding payment for the decryption key. First is the fact that to encrypt files, the malware doing the encryption needs write access to the victim’s files – which is far less likely to be available than the much more common read-only access that is needed for data exfiltration. Second is that victims with good backups do not have the compulsion to contemplate paying a ransom, since this will generally be far more expensive than the time required to restore from backups – even if the latter is a big pain and takes weeks. Even with a highly effective backup regime, however, they are no help to the victim when the RaaS vendor already has a copy of the stolen files in its own systems, ready to release with just a couple of mouse clicks if the ransom payment does not arrive.
The Future Outlook for RaaS
Where, aside from a move to focusing on exfiltration rather than encryption, does the industry see RaaS going? AI is the obvious direction, of course: as we mentioned earlier the RaaS providers want to automate as much as possible in their systems, so employing the capabilities of AI is highly attractive to them. Increased automation will make the costs and other barriers to entry even lower than they are now, making it even easier to attract non-technical customers.
Most importantly, though, RaaS will inevitably follow the general shift from on-premise systems to the cloud. Not only will this enable the RaaS providers to follow the shift of data from local to cloud, but into the bargain they also get the bonus of the receding, but still significant, fact that many organizations out there are still not quite up to speed with how to tackle cloud security effectively – so plenty of metaphorical doors will be left open just waiting for RaaS users to pull out their data and threaten to make it public.
