Ransomware as a service is becoming more popular as malware campaigns grow in sophistication. One way that ransomware developers make their product more dangerous is by providing it to third parties and affiliates who, in turn, are responsible for causing further infections or finding potential infection vectors. Moreover, affiliates that are accepted into the criminal network of ransomware developers also often get some form of monetary compensation from successfully infecting an organization or a number of users.

Ranked as one of the most successful ransomware affiliate groups, Conti first attacked in February 2020, targeting companies with malicious files with the extension “.сonti." In a span of two years, the Conti Ransomware group successfully leaked information from 859 companies, with 37% of the targets being US companies. However, authorities believed the actual number of victims to be significantly higher.

Another prolific ransomware gang, LockBit is responsible for 42% of ransomware attacks from July to September 2022. The group also uses ransomware affiliates for their malware campaign, targeting US companies mostly, specifically the industrial goods and services sector. LockBit is also suspected of several politically-motivated extortion attacks, many of which are believed to be state-sponsored.

The Incentive for Developers

Using affiliates, ransomware developers can spend more time developing their ransomware product and focus more on gaining a profit from the successful infections. In some cases, ransomware developers allow other criminal networks to use their ransomware in order to prevent them from getting caught following successful ransomware infections. On the other hand, affiliates use this as an opportunity to focus on matching the infection quota set by the ransomware developers. This essentially develops a model where the ransomware developers and their affiliates all stick to their specific areas of technical expertise.

The Incentive for Affiliates

The upside for affiliates in the RaaS model is that the affiliates can focus on spreading the ransomware and infecting as many victims as possible to essentially create an assembly line of ransom payouts which are split between the developer and themselves. Using this model, the developers can keep their focus on making their ransomware more sophisticated and harder to detect, while the affiliates keep their focus on generating ransom payouts.

Each ransomware developer or criminal network develops a payout model to split the monetary gain. According to research gathered by many threat reporting companies, the payouts differ based on how big the network is, as well as the country the network originates from. Here are some examples:

  • A ransomware variant dubbed “Satan,” discovered by a threat researcher named Xylitol, allows people to become an affiliate by letting them register through their forum. On this ransomware’s webpage, the affiliate can specify the ransom amount as well as the distribution settings, however, the developer of Satan maintains full control over the monetary gain from the campaign. For this campaign, the developer takes a 30% cut of the victims payouts and may reduce their cut depending on how successful the campaign is. The model below details what the affiliate sees on Satan’s webpage. 

(Source: Bleeping Computer)

  • In Russia, the average payout per infected host is about $300 against 30 ransomware payouts a month. The split averages around 60 percent of the proceeds going to the ransomware developer, and the rest going to their affiliates.
  • The DarkSide ransomware developers have developed an affiliate program in which 75% to 90% is paid out to affiliates, depending on the size of the ransom collected.

How The Developer and Affiliate Model Works

In order for the affiliate model to work with ransomware developers, the developers generate specific code within the ransomware to their affiliates, with a unique identifier embedded within it. This causes the ransom payout to get directed to the affiliate that infected the victim. It also gets split with the developer from this unique ID.

There are plenty of risks associated with becoming an affiliate for a ransomware developer, including:

  • It is a criminal activity. In addition to getting caught for their roles in ransomware schemes, they also run the risk of being outed by developers themselves if their nefarious schemes are not executed as planned.
  • If an affiliate does something wrong, it also looks bad for the developer. In some cases, the developer makes a public statement declaring that the affiliate was punished for doing something wrong during a ransomware campaign. 
  • Additionally, a failed campaign could leave behind identifying data that could link the ransomware to the developer.
  • Furthermore, a failed campaign could also damage the reputation of the ransomware leading to disinterest among potential affiliates.

New call-to-action

Guide: Learn more about ransomware
and how to prevent it through this guide


Ransomware as a service is becoming more prominent in today's cybersecurity landscape, and the incentive for ransomware developers to employ affiliates is simple to understand. The developers can spend more time developing the ransomware and network architecture for the service, while affiliates are focusing on the spread and infection of victims. While the financial gain can be high in some ransomware campaigns, the risks associated with becoming an affiliate must also be taken into account. In some cases, developers reveal their affiliates who fail, or attack the wrong victim, to law enforcement which causes the affiliate to be liable for damages or even face jail time.

To protect your organization from ransomware attacks, it is important to understand that the ransomware itself is only one piece of the puzzle. Taking the proper security measures to safeguard against malware attacks should always be one of the first goals of an organization. 

The Safeguard Cyber platform defends against malware and is built to detect a wide range of threats across collaboration, social media, and mobile chat applications. Our platform provides a malware sandbox that analyzes potential malware sent through digital applications, and we automatically quarantine the message so that it is not able to infect the recipient.

If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.

Explore Security Product