Ransomware Is a Business, Not a Crime Spree
The popular image of a ransomware attacker is a lone hacker in a hoodie, working from a basement. The reality in 2026 is closer to a well-run franchise operation. Ransomware-as-a-Service (RaaS) groups operate with the structure and discipline of legitimate software companies. They have developers who build and maintain the encryption payload. They have affiliate managers who recruit and support the operators who deploy the ransomware. They have negotiators who handle victim communications and payment processing. Some even have help desks that walk victims through purchasing cryptocurrency and submitting payment. This is organised crime operating at industrial scale, and South African organisations are firmly in the crosshairs.
How the RaaS Business Model Works
RaaS operators build the ransomware platform and recruit affiliates through dark web forums. Affiliates pay for access, either through an upfront fee, a subscription, or a revenue share on successful ransoms (typically 20-30% to the operator, 70-80% to the affiliate). Initial access brokers sell compromised credentials and VPN access to affiliates for a separate fee. Each role specialises, creating an efficient supply chain where no single actor needs end-to-end capability.
R2.7bn+: estimated ransomware losses in South Africa in 2025
70-80%: of ransom payments go to the affiliate who deployed the attack
21 days: average time from initial access to ransomware deployment
Double and Triple Extortion: Raising the Stakes
The original ransomware model was straightforward: encrypt the victim's data and demand payment for the decryption key. When organisations improved their backup strategies and began recovering without paying, attackers adapted. Double extortion adds data theft to the equation. Before encrypting systems, the attackers exfiltrate sensitive data and threaten to publish it on leak sites if the ransom is not paid. Triple extortion goes further, targeting the victim's customers, partners, or patients directly. South African organisations handling personal information under POPIA face a particularly harsh calculus. A data breach requires notification to the Information Regulator and affected data subjects.
Ransomware groups do not hack for ideology or curiosity. They are profit-maximising businesses. They target organisations that can pay, that have inadequate defences, and that have data worth stealing. South African enterprises tick all three boxes with alarming frequency.
Why Traditional Antivirus Fails Against RaaS
Signature-based antivirus was designed for a world where malware was written once and deployed widely. RaaS operations generate unique payloads for each affiliate, each campaign, and sometimes each target. Polymorphic code, fileless execution techniques, living-off-the-land binaries, and encrypted command-and-control channels render traditional AV largely ineffective. Moreover, RaaS affiliates typically spend days or weeks inside a network before deploying ransomware, using legitimate administrative tools like PowerShell, PsExec, and Remote Desktop Protocol. None of these activities trigger traditional antivirus alerts because the tools themselves are legitimate.
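Because each of the tools named above is legitimate on its own, the defensive answer is behavioural detection over endpoint and authentication telemetry rather than file signatures. The following is an added example, not code from the original article or from any vendor: a small Python detector that runs three behaviour rules over constructed Windows-event-style records (PsExec service installation, obfuscated PowerShell launches, and RDP logons from a source outside a hypothetical jump-host allowlist) and then correlates by user, on the assumption that one identity showing two or more of these techniques is a stronger signal of hands-on-keyboard activity than any single hit. The event shapes, host names, users and the RDP_JUMP_HOSTS allowlist are all assumptions for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample events (not real telemetry): Windows event log records in
# the flattened JSON-like form a SIEM typically normalises them into.
# The base64 argument below decodes to the UTF-16LE string "CONSTRUCTED".
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 7045, "host": "FS01", "user": "CORP\\svc-ops",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"event_id": 4688, "host": "WS17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QwBPAE4AUwBUAFIAVQBDAFQARQBEAA=="},
    {"event_id": 4624, "host": "FS01", "user": "CORP\\jdoe",
     "logon_type": 10, "src_ip": "10.20.30.40"},
    {"event_id": 4688, "host": "WS17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe report.txt"},
    {"event_id": 4624, "host": "WS17", "user": "CORP\\asmith",
     "logon_type": 2, "src_ip": "-"},
    {"event_id": 4624, "host": "FS01", "user": "CORP\\admin-jump",
     "logon_type": 10, "src_ip": "10.0.0.5"},
]

# Hypothetical allowlist: the only addresses from which interactive RDP
# (logon type 10) is expected in this environment.
RDP_JUMP_HOSTS: Set[str] = {"10.0.0.5"}

# PowerShell launched with an encoded command or a hidden window is a common
# sign of scripted, rather than interactive, administrator use.
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
HIDDEN_WINDOW = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden")


def match_rules(ev: Dict) -> List[str]:
    """Return the names of every behaviour rule a single event satisfies."""
    hits: List[str] = []
    # Event 7045: a new service was installed. PsExec installs PSEXESVC.
    if ev.get("event_id") == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
        hits.append("psexec_service_install")
    # Event 4688: process creation. Inspect PowerShell command lines only.
    if ev.get("event_id") == 4688 and "powershell" in ev.get("image", "").lower():
        cmd = ev.get("command_line", "")
        if ENCODED_PS.search(cmd) or HIDDEN_WINDOW.search(cmd):
            hits.append("obfuscated_powershell")
    # Event 4624 with logon type 10: RemoteInteractive (RDP) logon.
    if (ev.get("event_id") == 4624 and ev.get("logon_type") == 10
            and ev.get("src_ip") not in RDP_JUMP_HOSTS):
        hits.append("rdp_from_unexpected_source")
    return hits


def detect(events: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Run all rules, then escalate users seen with two or more techniques."""
    alerts: List[Dict] = []
    techniques_by_user: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev):
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"]})
            techniques_by_user[ev["user"]].add(rule)
    escalated = sorted(u for u, t in techniques_by_user.items() if len(t) >= 2)
    return alerts, escalated


if __name__ == "__main__":
    found, users = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a['rule']:<28} host={a['host']} user={a['user']}")
    print("escalate (multiple techniques):", users)
```

The point of the correlation step is that each rule on its own will fire on legitimate administration from time to time; an account that installs PsExec services, launches hidden PowerShell and logs in over RDP from an unexpected address within the same window is what an EDR analyst would want surfaced during the days or weeks of dwell time described above.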
Building Ransomware Resilience
Effective ransomware defence is not a single technology. It is a layered strategy that assumes breach and focuses on containment, detection, and recovery. Start with Zero Trust principles: least-privilege access, micro-segmentation, and continuous verification. Implement robust, tested, air-gapped backups. Deploy endpoint detection and response across every endpoint, including servers. Run tabletop exercises that simulate ransomware scenarios. Include your legal team, communications team, executive leadership, and your cyber insurance provider.
The Ransomware Resilience Checklist
Verify that your backups are immutable, air-gapped, and tested quarterly. Confirm that no single compromised account can reach your backup infrastructure. Ensure EDR coverage on 100% of endpoints, including legacy systems. Validate that your incident response plan has been exercised in the last six months. Confirm your cyber insurance policy covers ransomware, data extortion, and business interruption. If any of these are not in place, you have work to do before the next affiliate campaign targets your sector.
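One checklist item above, that no single compromised account can reach the backup infrastructure, can be tested mechanically against whatever role model you run. The following is an added example, not code from the original article or from any product: a Python audit over constructed IAM data that expands each account's roles into effective permissions, lists every identity able to delete backups or change retention policy, and flags the toxic combination of that power with administrative control of production. The role names, permission strings and accounts are hypothetical placeholders; in practice the two mappings would be exported from your directory or cloud IAM.

```python
from typing import Dict, List, Set

# Constructed sample IAM data (not from any real environment). Hypothetical
# role names and permission strings; replace with an export from your own
# directory or cloud identity provider.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "DomainAdmin":    {"prod:admin", "prod:rdp"},
    "ServerOperator": {"prod:rdp", "prod:restart"},
    "BackupAdmin":    {"backup:read", "backup:write", "backup:delete", "backup:policy"},
    "BackupOperator": {"backup:read", "backup:write"},
    "Helpdesk":       {"prod:reset-password"},
}

ACCOUNT_ROLES: Dict[str, Set[str]] = {
    "CORP\\jdoe":       {"DomainAdmin", "BackupAdmin"},  # one identity spans both planes
    "CORP\\svc-backup": {"BackupOperator"},              # can write backups, cannot delete them
    "CORP\\bkp-admin":  {"BackupAdmin"},                 # backup-only identity, no production rights
    "CORP\\asmith":     {"ServerOperator", "Helpdesk"},
}

# Permissions that, held together by one identity, let a single compromise
# both encrypt production and destroy or weaken the backups.
PROD_CONTROL: Set[str] = {"prod:admin", "prod:rdp"}
BACKUP_DESTRUCTIVE: Set[str] = {"backup:delete", "backup:policy"}


def effective_permissions(account: str,
                          account_roles: Dict[str, Set[str]],
                          role_perms: Dict[str, Set[str]]) -> Set[str]:
    """Union of the permissions granted by every role the account holds."""
    perms: Set[str] = set()
    for role in account_roles.get(account, set()):
        perms |= role_perms.get(role, set())
    return perms


def audit_backup_isolation(account_roles: Dict[str, Set[str]],
                           role_perms: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Report who can destroy backups, and who can do so AND control production."""
    toxic: List[str] = []
    can_delete: List[str] = []
    for account in sorted(account_roles):
        perms = effective_permissions(account, account_roles, role_perms)
        if perms & BACKUP_DESTRUCTIVE:
            can_delete.append(account)
            if perms & PROD_CONTROL:
                toxic.append(account)
    return {"toxic": toxic, "can_delete_backups": can_delete}


if __name__ == "__main__":
    report = audit_backup_isolation(ACCOUNT_ROLES, ROLE_PERMISSIONS)
    print("accounts able to delete backups or change retention:", report["can_delete_backups"])
    print("TOXIC (production control + backup destruction):", report["toxic"])
```

Two readings of the output matter. The toxic list should be empty; any entry is a direct failure of the checklist item. The can_delete list should be short and contain only dedicated backup identities, and if the backup platform supports retention locks or immutable storage, the goal is for it to be empty as well, because then even a compromised backup administrator cannot shorten the window you need to recover without paying.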