
Mapping Ransomware-as-a-Service Affiliate Economics in 2026

Qilin pays its affiliates 85 cents on every extorted dollar. DragonForce takes only 20%. LockBit, rebuilding after the 2024 Operation Cronos takedown, advertises up to 90% for top performers. These splits are not marketing — they are the core competitive instrument of a multi-billion-dollar criminal economy that is, by most measures, paying its workers less than it did a year ago even as attack volume keeps climbing.

The story of RaaS affiliate economics in 2026 is the story of a labor market under pressure. Total ransom revenue is down. Payment rates have collapsed. Law enforcement has fragmented the once-stable platform layer. Yet the number of attacks rose 47% in 2025, and Brandefense projects more than 2,200 confirmed incidents in Q2 2026 alone. The contradiction resolves once you stop looking at ransomware as a malware category and start looking at it as a two-sided platform business. Operators compete for affiliate attention. Affiliates chase the highest expected value per intrusion. Both are responding rationally to a market where each successful payday is harder to extract than the last.

How the Money Actually Splits

The textbook RaaS arrangement is a revenue share between four parties: the operator (develops the locker, runs the leak site, manages negotiations), the affiliate (executes the intrusion and deploys the payload), the initial access broker (sells pre-compromised network access), and increasingly a commodity-for-money-laundering provider (C2P) that mules the cryptocurrency proceeds. Each layer takes a cut. The affiliate sits in the middle and absorbs most of the operational risk.

Operator splits in 2024 typically ran 70/30 or 80/20 in the affiliate’s favor. By late 2025 that ratio had shifted further toward affiliates as platforms competed harder for talent. Qilin advertises an 85/15 split. DragonForce takes only 20%. LockBit 5.0, launched on the RAMP forum on September 3, 2025, offers between 70% and 90% to affiliates depending on performance tier. ISC2 reports operator cuts across the broader market now sit between 15% and 40%, a meaningful compression from where they sat two years ago.

The headline percentage hides where the real money goes. Affiliates rarely operate alone. An Initial Access Broker selling a working VPN credential or a pre-installed Cobalt Strike beacon typically takes a flat fee or a smaller percentage off the top — anywhere from a few hundred dollars for a low-value SMB foothold to five figures for enterprise access. C2P services that lease bulletproof infrastructure and laundering rails take their slice. By the time a $1 million ransom clears, the affiliate who actually breached the network may be netting 50–60% of the headline figure, not the 85% the marketing implies.

RaaS Affiliate Splits — Late 2025 / Early 2026
What the major platforms pay (affiliate share / operator share)

Qilin: 85% / 15%. Stable Rust locker. Absorbed most of RansomHub’s affiliate base after the April 2025 shutdown. ~1,044 victims in 2025, more than LockBit at its peak.
DragonForce: 80% / 20%. “Cartel” model: affiliates can run their own brand on DragonForce infrastructure. Adds a data audit service for >300 GB exfiltrations from victims with $15M+ revenue.
LockBit 5.0: 70–90% / 10–30%. Tiered by performance. Relaunched September 2025 on RAMP after Operation Cronos. 106 new victims posted in December 2025 alone.
Industry typical: 60–85% / 15–40%. ISC2 reports operator cuts of 15–40% across the broader market, a compression versus 2023 norms as platforms compete for affiliate retention.

Note: splits are headline rates. Net to the affiliate after IAB fees and laundering costs is typically 10–25 points lower.

Why Splits Got So Generous

The affiliate market tightened sharply after a series of high-profile platform exits. ALPHV/BlackCat disbanded in early 2024 after the Change Healthcare attack, in what affiliates widely interpreted as an exit scam — the operators kept the $22 million paid by Change Healthcare and stiffed the affiliate who breached it. LockBit lost its infrastructure to Operation Cronos in February 2024. RansomHub, which had inherited much of LockBit’s and ALPHV’s affiliate base by late 2024, went dark on April 1, 2025, with no warning.

Each of these events spilled hundreds of skilled, experienced affiliates onto the market simultaneously. According to Group-IB, Qilin’s data leak site disclosures doubled between February and April 2025 as RansomHub talent migrated. Qilin, with its stable Rust locker and generous 85% payout split, was the primary beneficiary of this exodus. DragonForce, which had restructured itself as a self-described “cartel” in March 2025, courted the same audience with a 20% take rate and a white-label option that lets affiliates ship under their own brand using DragonForce infrastructure.

Operators are also adding services that affiliates used to procure separately. The newly formed Chaos group bundles DDoS-as-a-service with every affiliate package. DragonForce introduced “data audit” services in August 2025 — its operators analyze stolen datasets and tell affiliates which files to lead the extortion with. Several platforms now offer AI-assisted negotiation chatbots. Qilin promotes new extortion tools on RAMP that include automated regulatory complaint filing, modeled on the SEC complaint that ALPHV famously filed against MeridianLink in 2023 to pressure payment.

Read these features as employee benefits. The platforms are competing for skilled labor in a market where the supply of capable intruders is finite and the demand for them is rising.

The Affiliate Economics Are Worse Than They Look

The generous splits exist because the underlying business is shrinking on a per-victim basis. Several converging trends are squeezing what an affiliate actually clears:

Payment rates collapsed. Data-only extortion is losing effectiveness — payment rates dropped to roughly 25% in Q4 2025, signaling diminishing returns from the pivot to encryption-free extortion that dominated 2024 and early 2025. More victims are choosing not to pay, relying on backups, or being prevented from paying by law, insurance, or regulator pressure. The percentage of US states with active laws regulating ransomware payments reached an estimated 30% by end of 2025.

Average payments are down. Total ransom revenue declined in 2025 versus 2024 even as the volume of attacks rose 47%. The math is unforgiving: more work, less money per job.

Detection windows are narrower but not closed. IBM data cited by Vectra puts the median time from initial access to ransomware deployment at 3.84 days in 2025, down from 60+ days in 2019. Faster operations mean affiliates have less time to escalate privilege, identify high-value data, and stage exfiltration cleanly. Mistakes get caught.

Infrastructure costs rose after RAMP. The FBI’s seizure of the RAMP forum in January 2026 dispersed an estimated 14,000+ users to private Telegram channels, encrypted messengers, and referral-only networks. Affiliates now pay more for vetting, lose recruitment efficiency, and face higher friction sourcing IAB access. Some platforms reportedly require deposits as high as 0.05 BTC or proof of prior successful operations to onboard new affiliates.

Affiliate Economics — The Squeeze
More attacks, less money per attack

+47% reported attacks: year-over-year increase in publicly reported ransomware attacks in 2025.
~25% payment rate: Q4 2025 victim payment rate for data-only extortion (Vectra), down sharply from 2023 highs.
3.84 days to deployment: median time from initial access to ransomware deployment in 2025 (IBM, via Vectra), versus 60+ days in 2019.
124 tracked groups: active ransomware groups tracked across 2025–2026, up sharply from prior fragmentation cycles.

The business response, on both sides, is to chase volume. Affiliates run more operations, accept smaller payouts, and broaden their target list. Operators court more affiliates with better splits, more services, and larger geographic recruiting reach.
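The arithmetic behind the two claims above, that an advertised 85% becomes 50–60% net and that a 25% payment rate turns "more work" into "less money per job", is easy to lose in prose. The following is an added worked example, not the article's model or any vendor's data: the layer order (broker, operator, laundering, fixed costs) follows the article's description, while the specific fee, laundering and fixed-cost values are assumptions chosen to sit inside the ranges it quotes.

```python
"""Net-take and expected-value arithmetic for a RaaS affiliate.

Added worked example for this article; not the author's model or any
vendor's data. The parameter values are assumptions built from figures
the article quotes (an 85/15 headline split, a ~25% payment rate, IAB
fees from hundreds of dollars to five figures, laundering overhead).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DealTerms:
    """Cost structure around one intrusion. Fractions are of the gross ransom."""
    affiliate_split: float  # headline share the operator advertises, e.g. 0.85
    iab_pct: float          # broker percentage taken off the gross (0.0 if flat-fee only)
    iab_fee: float          # flat broker fee in USD, paid whether or not the victim pays
    launder_pct: float      # lost converting crypto to spendable funds (assumed)
    fixed_costs: float      # infra, tooling, deposits per operation in USD (assumed)


# Two assumed deals on the same 85/15 platform: one with a cheap flat-fee
# broker and 10% laundering, one with a percentage broker and 20% laundering.
LEAN = DealTerms(affiliate_split=0.85, iab_pct=0.0, iab_fee=10_000, launder_pct=0.10, fixed_costs=5_000)
LOADED = DealTerms(affiliate_split=0.85, iab_pct=0.10, iab_fee=10_000, launder_pct=0.20, fixed_costs=5_000)


def affiliate_net(ransom: float, t: DealTerms) -> float:
    """USD the affiliate keeps from one paid ransom.

    Deductions in the order the article describes the layers: the broker's
    percentage comes off the gross, the operator takes its share of the
    remainder, laundering shrinks the affiliate's receipt, fixed costs last.
    """
    after_broker = ransom * (1.0 - t.iab_pct) - t.iab_fee
    affiliate_gross = after_broker * t.affiliate_split
    received = affiliate_gross * (1.0 - t.launder_pct)
    return received - t.fixed_costs


def effective_share(ransom: float, t: DealTerms) -> float:
    """The advertised split restated as the fraction of the headline ransom kept."""
    return affiliate_net(ransom, t) / ransom


def expected_value(ransom: float, pay_rate: float, t: DealTerms) -> float:
    """Expected net USD per intrusion attempt at a given victim payment rate.

    Broker fee and fixed costs are sunk on every attempt; the split is
    earned only when the victim pays.
    """
    sunk = t.iab_fee + t.fixed_costs
    return pay_rate * affiliate_net(ransom, t) - (1.0 - pay_rate) * sunk


def breakeven_pay_rate(ransom: float, t: DealTerms) -> float:
    """Payment rate below which an attempt at this ransom size loses money."""
    sunk = t.iab_fee + t.fixed_costs
    return sunk / (affiliate_net(ransom, t) + sunk)


if __name__ == "__main__":
    for label, terms in (("lean", LEAN), ("loaded", LOADED)):
        for ransom in (50_000.0, 1_000_000.0):
            print(f"{label:6s} ransom ${ransom:>12,.0f}  net ${affiliate_net(ransom, terms):>10,.0f}"
                  f"  share {effective_share(ransom, terms):5.1%}"
                  f"  EV@25% ${expected_value(ransom, 0.25, terms):>10,.0f}"
                  f"  EV@50% ${expected_value(ransom, 0.50, terms):>10,.0f}"
                  f"  breakeven {breakeven_pay_rate(ransom, terms):5.1%}")
```

Under these assumptions the "loaded" deal turns an 85% headline into a 60% effective share on a $1M ransom, and at a 25% payment rate the same five-figure broker fee that is trivial against a $1M ransom makes a $50K SMB attempt negative expected value. That is the mechanism behind the volume chase: either cheaper access or larger victims, because the fixed costs do not shrink with the ransom.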

The Initial Access Broker Layer

Affiliates rarely produce their own initial access anymore. The IAB market is now an essential supplier to the affiliate workflow — a labor specialization that mirrors how legitimate SaaS companies separate sales development from closing.

A typical IAB sale prices on a few axes. Access type matters most: a Citrix or Fortinet appliance with valid administrator credentials commands a premium over an RDP foothold on a workstation. Victim revenue and sector matter next: financial services and healthcare access lists run higher than retail or hospitality. Persistence quality sets the final price: whether the access has been stable for weeks, whether EDR has been disabled, whether the credentials have survived rotation. ReliaQuest reported that 23% of 2025 ransomware attacks were initiated through compromised credentials, much of that volume sourced through IABs.

The post-RAMP dispersal hurt this market badly. Buyers and sellers used the forum’s reputation system and escrow to vet counterparties. Without it, more deals happen in private Telegram groups where scams are common and recourse is impossible. The friction is showing up as price volatility and longer sales cycles for IABs, which translates downstream into either higher costs for affiliates or lower-quality access at the same price.

Where Affiliates Are Coming From

The geography of affiliate recruitment is shifting. Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it, reflecting the rapid globalization of the ecosystem. This does not mean Russian-speaking operators are declining (they are not), only that the supply of new affiliates is increasingly drawn from elsewhere.

The recruitment channels are also changing. Halcyon’s 2025 Ransomware Evolution Report documents that 78% of incidents involved abuse of legitimate remote management tools, suggesting an affiliate population already skilled in IT operations rather than novel malware development. Some affiliates are outright IT and security professionals moonlighting. The Scattered Spider cluster, whose social engineering tradecraft has powered some of DragonForce’s most prominent intrusions including the 2025 attacks on UK retailers, is composed largely of native English speakers operating from Western countries.

Insider recruitment is the most aggressive frontier. The most public 2025 example was an attempted recruitment of a BBC reporter by a ransomware group. Private incident reporting suggests insider recruitment attempts grew significantly through 2025 and will continue if corporate layoffs persist. The FBI has separately advised that ransomware groups are using gig work platforms to source on-the-ground help when remote intrusion fails — for instance, hiring someone via a freelance site to plug a USB into a target machine after a help-desk social engineering call has primed the victim.

The Cartel Question

In October 2025, ReliaQuest reported that DragonForce, LockBit, and Qilin had announced a coalition on DragonForce’s leak site, inviting other groups to join. Press coverage labeled it a “cartel.” The reality is messier and more interesting than the term implies.

DragonForce had already been using the cartel framing to describe its own internal model — affiliates run independent campaigns under DragonForce’s brand and infrastructure, paying a 20% cut. Folding LockBit and Qilin in extends that pattern to peer operators. The collaboration is expected to facilitate the sharing of techniques, resources, and infrastructure, strengthening each group’s operational capabilities, per ReliaQuest’s reading. In practice this looks less like price-fixing and more like a federated network: shared IAB pipelines, cross-group affiliate recruitment, mutual escrow for high-value deals, and possibly shared leak-site mirroring for resilience against takedowns.

The cartel framing may also be partly performative. DragonForce defaced the leak sites of competitors BlackLock and Mamona within 24 hours of announcing its cartel model in March 2025, so any “alliance” has a clear hierarchy. Whether this becomes a durable structure or fragments under the same affiliate-trust pressures that broke RansomHub remains an open question. The Qilin-DragonForce-LockBit triad has held through Q1 2026, but each group continues to compete for affiliates with its own splits and services.

The 2026 Outlook for Affiliate Pay

Two scenarios are visible from the current data, and they pull in opposite directions.

Scenario one: continued compression. Payment rates keep falling. Regulatory and insurance pressure further suppresses payouts. Law enforcement maintains pressure on infrastructure. Affiliates take home less per job, churn between platforms, and a wave of new actors enters the market chasing the residual margins. Total volume rises but the affiliate-side income distribution becomes more unequal: top performers thrive, the long tail starves out.

Scenario two: consolidation around fewer dominant platforms. Qilin, DragonForce, and LockBit 5.0 capture the bulk of skilled affiliate activity. Smaller groups fail to maintain affiliate trust and exit the market. Splits stabilize because the surviving platforms are large enough to enforce de facto pricing. This is the implicit assumption behind the cartel framing.

Both can happen at once at different layers — fragmentation at the long tail, concentration at the top. The data through Q1 2026 supports exactly that: 124 tracked groups overall, but Qilin, Akira, INC Ransom, Play, and SafePay accounted for roughly 47% of all global ransomware and digital extortion incidents in Q2 and Q3 2025.

FAQ

How much does the average affiliate earn per successful attack? Estimates vary widely because they depend on operator split, IAB cost, and laundering overhead. ISC2 cites a $250-per-month subscription model returning up to $21,000 per successful infection at the low end. Mid-tier affiliates working with platforms like Qilin or DragonForce on enterprise targets clear meaningfully more per successful payday, often six figures, but with far longer dwell time, more risk, and lower hit rates. Net annual income for a productive affiliate is plausibly in the low-to-mid six figures USD, well below what the headline ransom figures suggest.

Why do operators take such a small cut? Operators run a software business with low marginal cost. Once the locker, leak site, negotiation portal, and infrastructure exist, each additional affiliate costs them very little. A 15% cut on hundreds of attacks compounds. Operators also bear less direct legal risk than affiliates, whose intrusion activity is what generates evidence trails. The split reflects who is exposed to what.

What happens to an affiliate when their operator gets taken down? Historically, they migrate. RansomHub’s April 2025 shutdown sent affiliates primarily to Qilin and DragonForce. Operation Cronos pushed LockBit affiliates to RansomHub and ALPHV before those also collapsed. Affiliate skills are portable; operator infrastructure is not. The bigger threat to an affiliate is not a takedown but an exit scam — operators absconding with funds owed — which is what ALPHV is widely believed to have done with the Change Healthcare ransom.

Is paying a ransom illegal yet in the US? Not federally, but the regulatory envelope has tightened sharply. OFAC sanctions create significant exposure for paying sanctioned groups (LockBit affiliates, certain Russian-linked operators). Roughly 30% of US states had laws regulating ransomware payments by end of 2025, ranging from outright bans for public-sector entities to disclosure mandates. Insurers increasingly attach pre-conditions or refuse to cover payments. The practical effect is that the legal cost of paying has risen even where direct prohibition has not.

Defender Implications

Treat affiliate behavior, not malware family, as the relevant signal. Two affiliates working under the Qilin brand may produce intrusions that look almost nothing alike — different IABs, different living-off-the-land tradecraft, different exfiltration tooling. The locker is the last 10% of the operation. The 90% that matters happens at identity, network, and lateral-movement layers, and that is where the consistent affiliate fingerprints actually live.

The economic squeeze on affiliates is good news for defenders only if exploited. Lower payouts, higher friction sourcing access, and shorter dwell times mean affiliates are working closer to the margin of profitability. Hardening identity (phishing-resistant MFA, conditional access, VPN appliance patching), monitoring for RMM abuse, segmenting backups, and rehearsing recovery enough that paying the ransom is genuinely optional all push individual targets below the threshold where an affiliate’s expected value justifies the work. The goal is not to be unhackable. The goal is to be uneconomic.
