Ransomware as a service means anyone can buy a cyberattack. No coding. No hacking skills. Just money — and a willingness to be someone else's patsy.

Dr. Mike Saylor and I break down exactly how ransomware as a service works — and I mean the whole criminal operation. We're talking franchise models, affiliate programs, botnet rentals, dark web transactions, and yes, HR departments. These are not lone hackers in basements. These are organizations with project managers, payroll, PR campaigns, and their own cybersecurity teams. Let that sink in for a second.

Here's the thing that really changed how I see this: when you buy into ransomware as a service, you don't get a portal. You don't get a dashboard. You don't get a login. You have a chat on the Tor network, you hand over your Bitcoin, you tell them what you want, and then you just watch your wallet. That's the whole deal. And if law enforcement comes knocking? Guess whose name is all over the evidence. Yours.

Mike also walks us through the affiliate ecosystem — the initial access brokers who do nothing but collect and sell validated email addresses, the botnet operators renting millions of compromised computers by the hour, and the different "tiers" of buyers, from script kiddies throwing a few thousand dollars at it, all the way up to nation-state actors using ransomware as a distraction for something bigger.

We even get into the Conti group's attack on Costa Rica, which Mike and I believe was never really about the money. It was subterfuge: a massive attack designed to give the Conti group cover to dissolve and fade into the woodwork while law enforcement was busy.

If you're responsible for protecting your organization's data, you need to understand what you're actually up against. Ransomware as a service has lowered the barrier to entry for cybercrime to almost zero. And your backups, kept offline and actually tested for restore, are the last line of defense.

This episode is part of our ongoing series with Dr. Mike Saylor, my co-author on "Learning Ransomware Response and Recovery," available on the O'Reilly Learning Platform.

Subscribe so you don't miss the next one.

Chapters:
00:00:00 - Episode Intro
00:01:17 - Introductions & Welcome
00:03:25 - Setting the Stage: CryptoLocker and the Birth of a Criminal Industry
00:07:17 - Defining Ransomware as a Service: The Franchise Model
00:10:36 - The Amazon/AWS Analogy and How Botnets Power the Attacks
00:17:10 - No Portal, No Dashboard: How Dark Web Transactions Actually Work
00:19:17 - Why Do RaaS Operators Offer the Service? The Lottery Ticket Theory
00:21:59 - The Affiliate Model: How the Criminal Ecosystem Specializes
00:26:33 - How Many RaaS Groups Exist — and Who's Buying?
00:29:36 - RaaS as Subterfuge: The Conti Group and the Costa Rica Attack
00:30:49 - Who Are These Criminals, Really?