RaaS vs SaaS

The average cost of remediating a ransomware attack for victim organizations exceeded $4.5 million in 2022, and this figure does not include the ransom payment, damage to brand, lost revenue from disruption to operations, increased cyber insurance premiums or other tangential costs.

Ransomware is one of the biggest threats to any organization, regardless of size or industry. The downstream impacts from a large-scale ransomware event can have massive fiscal fallout and real-world repercussions.

Traditional security solutions, while robust and effective for some threats, have clearly failed to protect organizations against ransomware attacks. There is a huge gap in protection and ransomware operators are expertly exploiting it to the tune of hundreds of millions of dollars yearly.

Ransomware Operators are operating akin to a SaaS Organization.

Financial profit, money icon

Financially Motivated and Driven by Profits

Top-Down Corporate Organizational Structure

Partner Program to Expand Footprint

24/7 Online Customer Support

New Features and Bug Fixes Released Regularly

Leverages Modern Software Development Tools

So Why is Ransomware So Successful?

The ransomware game is profitable – highly profitable. In fact, if you were to compare P&L sheets from the leading ransomware operations against leading security solution providers, you’d see ransomware gangs enjoy operating margins that would make almost any SaaS provider envious. Ransomware operators are also better viewed as mature criminal business organizations with top-down hierarchical structures and diversified revenue streams.

The Ransomware-as-a-Service (RaaS) business model also includes many aspects that mirror those of legitimate Software-as-a-Service (SaaS) models, including:

Organized like a SaaS company

The RaaS model mirrors the SaaS model in that the providers offer subscription-based services and software – in this case ransomware and the associated attack infrastructure. RaaS operators invest in R&D and talent recruiting to stay competitive, offer customer support to reduce churn, and maintain and are intent on growing their annual recurring revenue (ARR).

Efficient Marketing and Partner Programs

Like their SaaS counterparts, RaaS providers develop their brand and foster revenue growth through marketing. RaaS operators seek to offer competitive affiliate programs where they compete on the basis of platform performance and profit sharing with their affiliate partners, much like SaaS vendors.

Multiple Revenue Sharing Options

Established RaaS operators may offer several options, including one-time licensing for a flat fee, monthly subscriptions, or through profit sharing where the RaaS provider takes a cut of the affiliate’s ransom take. Terms of Service can vary between RaaS operators, so the services included are key competitive factors.

High Revenue, Low COGS

Compared to their SaaS counterparts, RaaS operators typically have extremely low cost of goods (COGS) and a high operating margin, which means that they are very profitable from the outset. In contrast, most SaaS organizations have low or negative operating margins and a high COGS and can take several years or more to become profitable.

The RaaS Ecosystem

The ransomware ecosystem has exploded in recent years with many stunning similarities to non-criminal emerging market sectors. This evolution includes the advent of specialists who focus on particular aspects of the ransomware economy who together represent the entire ransomware attack supply chain. Key players in the ransomware economy include:

Initial Access Brokers

May exhibit attack infrastructure crossover with nation-state attackers
Sells access to other attackers, including ransomware affiliates
May exploit access themselves for various criminal activities
Compromise the networks of high value target

RaaS Platform Providers

Assists with ransom negotiations, payment processing and laundering
Develops ransomware attack platform, attack toolkits
Manages C2 infrastructure, payment portal, leak site
Markets to platform to affiliates, provides technical support

Affiliates and Partners

Initiates and manages the ransomware attack campaigns
Manages decryption keys and post-infection actions
Sets targets, ransom demand, post-infection messaging
Rents RaaS platform and splits proceeds with RaaS developer

Crypto Money Launderers

Abuse DeFi’s/Dex’s (decentralized finance/exchanges) to mask funds
Favor difficult to trace blockchains like Monero and ZCash
Move finds between wallets, across crypto currencies, or into other asset types
Specialize in leveraging crypto exchanges to hide and launder illegal funds

Raas: A Buyer's Market


active Dark Web Markets as of 2022

Largest 2022 payment:


Ransomware kits starting as low as


Unique ransomware product offerings


Average payment:


Additional Remediation Costs:


What Orgs are Most Targeted?

$100M+ Revenue

Ransomware Volume of Attacks

Top 5 Targets By Volume

Most Disruptive Ransomware
Attacks in 2022

Thousands of ransomware attacks occurring every week - here are just a few examples of some of the most disruptive attacks from 2022:
1. Costa Rican Government
$20 million ransom demand; healthcare system disrupted
2. Toyota
Operations at 14 plants disrupted; 5% reduction in production
3. Bernalillo County, NM
$2 million remediation; Metropolitan Detention Center disrupted
4. Nvidia
$1 million ransom demand; one terabyte of company data exfiltrated
5. SpiceJet
Data of 1.2 million customers compromised; flights delayed or cancelled

Top Reported Ransom
Demands in 2022

Growth in Ransomware Follows Growth in Security Markets

Total Victims Per  Group in 2022 (Top 10)

Top Ransomware Group Revenues in 2021

Ransomware in the News

Here's How It Works

Ransomware protection requires multiple layers of defense, the risk of letting ransomware run rampant through an organization is too large to leave to a single AI or behavioral model. Halcyon uses several unique layers to stop the process of ransomware from completing its task, if a single layer fails Halcyon is able to respond accordingly. Even the best defenses can be breached by a persistent actor which is why Halcyon designed an autonomous isolation and recovery layer is a last resort to prevent the spread of ransomware across your company.


Ransomware Attempts to Execute

Deconfliction Checks

Owns the Asset

Completes Execution

Defense Layer

Defense Layer

Behavioral &
Deception Defense

Recovery or
Autonomous Isolation


The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by attackers to stop attackers. The solution is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.

Interested in getting a demo? Fill out the form and let’s talk!

Get a Demo

Meet with a Halcyon Anti-Ransomware Expert