Ransomware Ecosystem Expands
A joint analysis by Recorded Future, Flashpoint, and Group-IB has identified 14 active Ransomware-as-a-Service (RaaS) platforms operating on dark web forums as of January 2026. The research reveals an increasingly professionalized criminal ecosystem with tiered subscription models, affiliate support systems, and even customer service portals for victims.
The RaaS model has lowered the technical barrier to launching ransomware attacks, enabling affiliates with minimal technical skills to deploy sophisticated encryption payloads against enterprise targets.
RaaS Market Overview
Active Platforms (January 2026)
| Platform | Active Since | Affiliate Cut | Claimed Victims (2025-2026) |
|---|---|---|---|
| LockBit 4.0 | 2024 (rebrand) | 80% | 430+ |
| Qilin | 2023 | 85% | 380+ |
| Akira | 2023 | 80% | 290+ |
| Play | 2022 | 75-80% | 270+ |
| BlackSuit | 2023 | 80% | 210+ |
| Medusa | 2023 | 70-80% | 195+ |
| Hunters International | 2023 | 80% | 180+ |
| RansomHub | 2024 | 90% | 165+ |
| INC_RANSOM | 2023 | 75% | 140+ |
| DragonForce | 2024 | 80% | 95+ |
| Fog | 2024 | 80% | 85+ |
| Lynx | 2024 | 75% | 70+ |
| Cactus | 2023 | 80% | 65+ |
| Cicada3301 | 2024 | 85% | 45+ |
Business Model Tiers
Most RaaS platforms now offer tiered subscription models:
| Tier | Monthly Cost | Features |
|---|---|---|
| Basic | $40-100 | Pre-built payload, basic encryption, manual deployment |
| Professional | $500-1,500 | Customizable payload, data exfiltration, admin panel |
| Enterprise | $3,000-5,000 | Full platform access, negotiation support, DDoS capability |
| Private Build | $10,000-50,000 | Custom-developed ransomware, exclusive use |
Evolution of RaaS Tactics
Triple Extortion Standard
The majority of RaaS platforms now employ triple extortion as standard practice:
Layer 1: Data Encryption
├── Encrypt files with hybrid RSA/AES schemes
├── Target backup systems and shadow copies
└── Demand payment for decryption key
Layer 2: Data Exfiltration & Leak Threat
├── Exfiltrate sensitive data before encryption
├── Publish samples on leak sites
└── Threaten full data release
Layer 3: Harassment & DDoS
├── Contact customers, partners, regulators
├── Report data breaches to authorities
├── Launch DDoS against victim infrastructure
└── Short-sell victim's stock (financial sector)
Affiliate Recruitment
RaaS operators actively recruit on dark web forums with postings that read like legitimate job advertisements:
- Technical requirements and skill assessments
- Probationary periods with lower revenue shares
- Performance bonuses for high-value targets
- Restrictions on targeting certain countries or sectors (hospitals, critical infrastructure — though enforcement varies)
Defense Intelligence
Common Initial Access Vectors
| Vector | Frequency | Trend |
|---|---|---|
| Exploited public-facing applications | 38% | ↑ |
| Phishing / social engineering | 27% | → |
| Valid credentials (purchased/stolen) | 21% | ↑ |
| Supply chain compromise | 9% | ↑ |
| Insider threat | 5% | → |
Average Dwell Time
| Metric | 2024 | 2026 |
|---|---|---|
| Time to encryption | 5.3 days | 2.1 days |
| Time to exfiltration | 3.8 days | 16 hours |
| Fastest observed attack | 4 hours | 47 minutes |
The compression of attack timelines means organizations have dramatically less time to detect and respond to intrusions before ransomware deployment.
Recommendations
Prevention
- Patch internet-facing systems within 48 hours of critical vulnerability disclosure
- Implement phishing-resistant MFA on all remote access and privileged accounts
- Deploy EDR on all endpoints with 24/7 monitoring capability
- Restrict RDP and remote access — disable where not required, enforce MFA where it is
- Monitor for credential exposure on dark web markets and paste sites
Detection
- Baseline normal network behavior and alert on anomalous data transfers
- Monitor for lateral movement patterns (PsExec, WMI, SMB, RDP internal)
- Alert on shadow copy deletion and backup tampering
- Deploy canary files and honeypots to detect early-stage encryption
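As an added illustration of the "shadow copy deletion and backup tampering" detection item above (example code written for this page, not from the report or any vendor ruleset), the following scanner normalizes process-creation command lines from constructed log lines and flags the recovery-inhibition commands catalogued under MITRE ATT&CK T1490; the log format, field names and regex rules are assumptions.

```python
"""Flag backup/shadow-copy tampering (ATT&CK T1490) in process-creation logs.
Log format (assumed): 'ts=... host=... user=... cmdline=<rest of line>'.
The rule set below is an illustrative assumption, not a vendor signature pack."""
import re

# Each rule: (name, pattern applied to the normalized command line)
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)")),
    ("bcdedit_disable_recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no")),
]

def normalize(cmd: str) -> str:
    """Lower-case, drop quotes and directory prefixes, collapse whitespace,
    so casing, quoting and full paths do not evade a simple substring rule."""
    cmd = cmd.lower().replace('"', "").replace("'", "")
    cmd = re.sub(r"[a-z]:\\[^\s]*\\", "", cmd)  # strip 'c:\windows\system32\' before the binary
    return re.sub(r"\s+", " ", cmd).strip()

def parse_line(line: str) -> dict:
    """Split the constructed 'key=value ... cmdline=<rest>' line into fields."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["cmdline"] = cmdline
    return fields

def detect(lines):
    """Return one alert per log line whose command line matches any rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hits = [name for name, pat in RULES if pat.search(normalize(ev.get("cmdline", "")))]
        if hits:
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
                           "technique": "T1490", "rules": hits, "cmdline": ev["cmdline"]})
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not from any real incident
    'ts=2026-01-14T02:13:07Z host=FS01 user=CORP\\svc_backup cmdline=vssadmin list shadows',
    'ts=2026-01-14T02:14:41Z host=FS01 user=CORP\\jdoe cmdline=C:\\Windows\\System32\\VSSADMIN.EXE "Delete"   Shadows /All /Quiet',
    'ts=2026-01-14T02:14:42Z host=FS01 user=CORP\\jdoe cmdline=wmic shadowcopy delete',
    'ts=2026-01-14T02:14:43Z host=FS01 user=CORP\\jdoe cmdline=bcdedit /set {default} recoveryenabled No',
    'ts=2026-01-14T02:14:44Z host=FS01 user=CORP\\jdoe cmdline=wbadmin DELETE CATALOG -quiet',
    'ts=2026-01-14T02:15:02Z host=WS07 user=CORP\\asmith cmdline=notepad.exe C:\\Users\\asmith\\notes.txt',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"], a["host"], a["user"], a["rules"], a["cmdline"])
```

Note that the benign `vssadmin list shadows` and the `notepad.exe` line produce no alert, while the four tampering commands fire within seconds of each other on one host, which is the burst pattern worth correlating rather than alerting on a single command in isolation.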
Response
- Maintain offline backups tested with regular restoration exercises
- Establish incident response retainer with a qualified DFIR firm
- Pre-negotiate cyber insurance with clear ransomware coverage terms
- Document and practice ransomware playbook quarterly
Resources
- CISA StopRansomware Resources
- No More Ransom Project — Decryptors
- Recorded Future Ransomware Tracker
- MITRE ATT&CK — Ransomware Techniques