May 12 is recognized globally as Anti-Ransomware Day, an initiative created to raise awareness about the threat of ransomware and to promote better practices for prevention, response, and recovery. The date was chosen to mark the anniversary of the WannaCry outbreak in 2017, one of the most disruptive ransomware incidents in history, affecting systems in more than 150 countries.
Ransomware did not begin with WannaCry in 2017, however, and the event did not provide the wake-up call needed to prevent the avalanche of attacks that have followed. Since that global incident, the ransomware landscape has changed significantly: What once required technical expertise is now available to a much wider pool of actors through Ransomware-as-a-Service (RaaS) platforms, which offer prebuilt toolkits, hosting infrastructure, and customized support to affiliates.
To mark Anti-Ransomware Day 2025, we look back at ten years of RaaS activity, exploring how ransomware evolved into a billion-dollar criminal enterprise. By tracing its shift to a service economy, complete with affiliate models and branding strategies, we gain valuable insights into how these operations thrive and how defenders can better disrupt them.
The Early Days | From WannaCry to TOX
Ten years is a long time in information security. May 12 not only marks Anti-Ransomware Day, but also reminds us how much the ransomware threat has evolved. One of the earliest significant shifts came in April 2015, when the first fully public, free RaaS platform, TOX, emerged.
TOX allowed anyone to register, customize, and build their own Windows ransomware payloads. While short-lived, it introduced two concepts that would become a core part of the RaaS model: affiliate-based distribution and revenue sharing.
In an interview with Motherboard, the TOX operator said:
“Hackers always had problems spreading their virus, me included. So I decided to delegate this part to other people.”
However, by June 2015 – little more than 3 months later – TOX had vanished. The security community had taken notice, and the resulting attention made the operation unsustainable, prompting the author to try to sell the platform and its codebase before disappearing altogether.
Nevertheless, the foundation had been laid. TOX introduced an affiliate-forward model that would later be adopted by nearly every major RaaS operation. The arms-length approach of delegating infections would become the cornerstone of the modern RaaS model.
The Rise of Affiliate Models
In the wake of TOX, many similar services began to emerge. Platforms like Atom (later rebranded to Shark), Stampado, Satan, and eventually Petya/Mischa introduced tools that allowed public users to create ransomware payloads via web portals or builder applications.
Shark/Atom, for instance, appeared in mid-2016 and offered a stand-alone builder with flexible customization options. It also promised affiliates an 80/20 revenue split, facilitated through automated payments. This was a novelty at the time, made feasible by the rising adoption of Bitcoin and other cryptocurrencies.
A New Breed | Petya, Mischa, and MBR Wipers
In 2016, Petya introduced a more aggressive form of attack. Rather than encrypting individual files, it modified the Master Boot Record (MBR) of infected systems, making recovery difficult or impossible, a technique that would later be borrowed by MBR Wipers. If the malware lacked administrative privileges, it would fall back to encrypting files using its Mischa module.
As a RaaS, the combination of Petya and Mischa stood out not only for its technical impact but also for its marketing, with the operator adopting a very public presence on Twitter. Unusual at the time, this has also become widespread practice among ransomware operators.
The Petya operation also bundled anti-detection services (FUD crypting) with its offering, providing affiliates with a competitive edge that would see attacks defeat many of the AV solutions organizations had traditionally relied on. This model continued into Petya’s rebranding into GoldenEye, with such services becoming a staple feature of future RaaS platforms.
Scaling Up | Cerber, Monetization, and Global Reach
By 2017, Ransomware-as-a-Service was expanding rapidly. One of the first large-scale affiliate operations was Cerber, which emerged in 2016 and quickly became dominant.
Cerber operated globally, partnered with hundreds of affiliates, and generated estimated revenues of up to $200,000 per month. Its revenue model offered a 60/40 split in favor of affiliates. This was less generous than many others, but it generated more profit due to the scale of Cerber’s operation. This was made possible by the fact that Cerber was heavily advertised in Russian-language cybercrime forums, setting a template for how future RaaS operators would use underground markets to scale.
Playing the Percentages | Revenue Splits and Incentives
Different RaaS groups experimented with various revenue-sharing models. Some early copycats offered extreme affiliate incentives. For example, Encryptor RaaS promised a 95/5 split.
Over time, an 80/20 model became the standard. More sophisticated groups like LockBit later introduced dynamic splits, offering high-performing affiliates larger cuts as incentives. This approach helped retain talent and maintain operational scale.
However, not all groups welcomed the public. As profits grew, many RaaS offerings transitioned to private or invite-only affiliate models. GandCrab, DarkSide, BlackMatter, and Conti required affiliates to go through vetting or even pay upfront fees to join. These mechanisms helped filter out security researchers and law enforcement, making operations more secure.
Modern examples of private RaaS groups include Termite, SafePay, Nitrogen, Frag, and the Hive/Hunters International cluster.
While most top-tier RaaS groups now operate discreetly, public recruiting still happens, especially after major shakeups. In late 2023, LockBit openly recruited affiliates from collapsed rivals AlphV and NoEscape. RansomHub, Dispossessor, and others also welcomed former AlphV partners. More recently, DragonForce/RansomBay has attempted to attract former RansomHub partners.
The diversity of models shows that the ecosystem remains fluid and opportunistic, and that there is no shortage of individuals or groups looking to get involved in cybercrime.
Mind Games | Branding, Leak Sites, and Social Media
Over the past decade, branding, marketing, and reputational integrity have become an essential part of RaaS strategy, paralleling the “go-to-market” business model of legitimate organizations. Threat actors now maintain distinctive names, logos, and online personas as a means both to attract affiliates and persuade victims to pay.
Many ransomware groups maintain leak sites and use platforms like Telegram, X (formerly Twitter), Discord, and dark web forums to name and shame victims publicly. Media outreach is now a standard tactic, helping to amplify pressure on victims to pay.
Brand recognition has become so integral to threat actors’ profits that some attackers have impersonated established groups like LockBit and Babuk to gain victim trust.
How SentinelOne Protects Customers from Ransomware
SentinelOne’s Singularity™ Platform combines AI-driven threat detection, automated response, and system recovery capabilities to detect ransomware activities — such as rapid file encryption or unusual access patterns — before significant damage occurs. Upon identifying malicious behavior, Singularity can automatically isolate affected endpoints, preventing the spread of ransomware across the network.
The Singularity platform also offers a ransomware rollback feature that restores systems to their pre-attack state, effectively reversing the impact of ransomware without paying a ransom. This is achieved through continuous data protection and behavioral analysis.
Conclusion | 10 Years On, RaaS Is a Fully Mature Ecosystem
In ten years, RaaS has evolved from a curiosity into a global industry. The service model has lowered the barrier to entry so much that even unskilled actors can now participate. Meanwhile, the most advanced groups operate with professional polish, strong branding, and corporate-style structure.
This dual dynamic, combining accessibility with professionalism, has made ransomware one of the most persistent and costly threats facing organizations today. Understanding the past decade of RaaS helps us anticipate what may come next, whether it involves new affiliate structures, more aggressive branding tactics, or the integration of emerging technologies like generative AI.
Global law enforcement agencies continue to discourage organizations from paying ransoms following an attack, instead advising victims to file a report with the IC3, reinforcing broader efforts to build up cyber resilience.
Defenders must continue to focus on early detection and disruption to stop attacks before they escalate. On this Anti-Ransomware Day, the best defense is awareness, preparedness, and continued vigilance.
Stay safe out there.
