
Ransomware Ecosystem

Actor Profile at a Glance

Category: Organized Cybercrime
Objective: Financial extortion via data encryption and/or exfiltration
Business Model: Ransomware-as-a-Service (RaaS)
Activity Level: Very High -- 126% YoY increase in Q1 2025 (Symantec)
Est. Payments (2024): $813 million (Chainalysis)
Key Segments Impacted: Endpoint Security, SIEM/SOAR, MDR, Data Security, Identity & Access, Cloud Security, Email Security, Backup & Recovery
Primary Victims: Healthcare, Education, Manufacturing, Government, Financial Services, Critical Infrastructure

Ecosystem Overview

Ransomware has evolved from a nuisance -- individual operators distributing screen lockers via spam -- into the most financially impactful cybercrime category in operation. The modern ransomware ecosystem functions as a mature underground economy with specialization, division of labor, and franchise-like business models.

The RaaS Business Model

Ransomware-as-a-Service (RaaS) mirrors legitimate SaaS models. Operators (also called developers or core teams) build and maintain the ransomware payload, encryption routines, negotiation portals, leak sites, and backend infrastructure. Affiliates are the operators' customers -- they conduct the actual intrusions, move laterally through victim networks, exfiltrate data, and deploy the ransomware. Revenue is split, typically 70--80% to the affiliate and 20--30% to the operator, though terms vary by program and affiliate reputation.

This separation of concerns allows each side to specialize. Operators focus on malware development, cryptographic implementation, and infrastructure resilience. Affiliates focus on intrusion tradecraft, often purchasing initial access from yet another specialist layer -- Initial Access Brokers (IABs).

Figure: Ransomware supply chain, RaaS operation and monetization (diagram, rendered as text)

  • Supply chain: Initial Access Brokers sell VPN/RDP/web shell access ($500--$50K); Malware-as-a-Service loaders (QakBot, IcedID, BumbleBee, Emotet) deliver payloads; commodity tooling (Cobalt Strike, Brute Ratel, Sliver, Mimikatz) handles post-exploitation; BYOVD tools (Terminator, AuKill, Backstab) disable EDR
  • RaaS operation: the RaaS operator develops the encryptor, infrastructure, leak site and negotiation portal and provides them to the affiliate; the affiliate conducts the intrusion, lateral movement and deployment, deploying ransomware and exfiltrating data
  • Monetization: ransom negotiation over Tor-based portals; cryptocurrency payment and laundering; leak site for data publication threats (victim data posted); revenue split 70--80% to the affiliate, 20--30% to the operator

Evolution Timeline

The ransomware threat has undergone several generational shifts:

| Era | Period | Characteristics |
| --- | --- | --- |
| Screen Lockers | 2012--2014 | Fake law enforcement warnings, no encryption, easily removable |
| Crypto-Ransomware | 2014--2017 | CryptoLocker, CryptoWall; actual file encryption; Bitcoin payments |
| WannaCry / NotPetya | 2017 | Wormable ransomware exploiting EternalBlue; state-sponsored actors enter the space |
| Big Game Hunting | 2018--2020 | Targeted attacks on enterprises; Ryuk, Maze; manual intrusions replace spray-and-pray |
| Double Extortion | 2020--2022 | Maze pioneered encrypt + exfiltrate; became industry standard |
| Triple Extortion | 2021--present | Adding DDoS, customer notification, regulatory reporting threats |
| RaaS Maturation | 2022--present | Franchise models, affiliate programs, IAB integration, professionalization |
| Exfil-Only | 2024--present | Some groups (BianLian, Karakurt) drop encryption entirely, rely solely on data theft threats |

The Hydra Effect

Law enforcement operations -- Operation Cronos (LockBit), Hive takedown, ALPHV seizure -- repeatedly demonstrate a hydra effect: disrupting one group scatters its affiliates to competing programs, often increasing the total number of active operations. When ALPHV/BlackCat exit-scammed in March 2024, its affiliates migrated en masse to RansomHub and other programs, which saw immediate surges in activity. The total volume of ransomware attacks has not meaningfully declined despite multiple high-profile takedowns.

Economics

| Metric | 2022 | 2023 | 2024 | 2025 (est.) |
| --- | --- | --- | --- | --- |
| Total Known Payments | $457M | $1.1B | $813M | TBD |
| Payment Rate | ~79% | ~46% | ~33% | ~28% |
| Median Ransom Demand | $500K--$800K | $800K--$1.5M | $1M--$2M | $1.5M--$2.5M |
| Average Payment | $250K--$400K | $400K--$600K | $500K--$750K | TBD |
| Median Payment | ~$200K | ~$300K | ~$400K | TBD |

Sources: Chainalysis, Coveware, Sophos State of Ransomware reports. Figures are approximate; actual totals are likely significantly higher due to unreported payments.

Declining Payment Rates

The single most important trend in ransomware economics is the collapse of payment rates -- from ~79% in 2022 to an estimated ~28% in early 2025 (Coveware). This is driven by: improved backup resilience, law enforcement pressure, regulatory/legal risks of paying, and insurer pushback. However, attackers are compensating by increasing volume and demand sizes, meaning total revenue has not proportionally declined.

Cost Structure

Cost to launch a RaaS operation: Estimated at $50K--$200K for a technically capable team, covering:

  • Encryptor development (or purchase/modification of leaked builders like LockBit 3.0, Babuk, Conti)
  • Tor infrastructure (negotiation portal, leak site, admin panel)
  • Bulletproof hosting
  • Initial affiliate recruitment

Profit margins: Operators running established RaaS programs with high affiliate counts can achieve margins exceeding 80--90% on their cut, as infrastructure costs are relatively fixed while revenue scales with affiliate activity.

Cryptocurrency & Laundering

Ransomware payments flow almost exclusively through cryptocurrency, primarily Bitcoin, though some groups accept or prefer Monero for its enhanced privacy features. Laundering pathways include:

  • Mixers/tumblers (e.g., Tornado Cash, Sinbad -- both sanctioned)
  • Cross-chain bridges to move between blockchains
  • Nested exchanges and OTC desks in jurisdictions with weak KYC
  • Peel chains -- splitting payments into progressively smaller amounts across hundreds of wallets
  • DeFi protocols for obfuscation

Law enforcement has improved tracing capabilities (Chainalysis, TRM Labs), leading to some notable seizures (Colonial Pipeline recovery of $2.3M), but the majority of ransomware proceeds are still successfully laundered.
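As an added illustration of the peel-chain pattern described above (example code, not from the original page or any tracing vendor): a heuristic that follows change outputs through a constructed transaction graph and collects the peel destinations an investigator would take to exchanges for KYC follow-up. The transaction data, the 25% peel ratio and the minimum chain length are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """Minimal UTXO-style transaction: which addresses it spends and what it pays out."""
    txid: str
    inputs: tuple    # addresses spent
    outputs: tuple   # (address, amount) pairs


def is_peel_step(tx, peel_ratio=0.25):
    """Return the peel/change outputs if tx looks like one link of a peel chain.

    Heuristic (constructed for this example): a single input, exactly two outputs,
    and the smaller output (the "peel", typically an exchange deposit) is at most
    peel_ratio of the total; the larger output is the change that carries the
    remaining balance to the next hop.
    """
    if len(tx.inputs) != 1 or len(tx.outputs) != 2:
        return None
    total = sum(amount for _, amount in tx.outputs)
    if total <= 0:
        return None
    small, big = sorted(tx.outputs, key=lambda out: out[1])
    if small[1] / total <= peel_ratio:
        return {"peel": small, "change": big}
    return None


def find_peel_chain(txs, start_address, min_length=3):
    """Follow change outputs from start_address through consecutive peel steps.

    Returns None if fewer than min_length links are found; otherwise a summary
    with the chain length, the total amount peeled off, the peel destination
    addresses and the address still holding the unpeeled balance.
    """
    spends_from = defaultdict(list)       # address -> transactions spending it
    for tx in txs:
        for addr in tx.inputs:
            spends_from[addr].append(tx)

    chain = []
    current = start_address
    visited = set()
    while current not in visited:         # guard against cyclic constructed data
        visited.add(current)
        steps = [(tx, is_peel_step(tx)) for tx in spends_from.get(current, [])]
        steps = [(tx, step) for tx, step in steps if step]
        if not steps:
            break
        tx, step = steps[0]               # one spend per hop in a clean peel chain
        chain.append((tx.txid, step["peel"], step["change"]))
        current = step["change"][0]

    if len(chain) < min_length:
        return None
    return {
        "length": len(chain),
        "peeled_total": round(sum(peel[1] for _, peel, _ in chain), 8),
        "peel_destinations": [peel[0] for _, peel, _ in chain],
        "final_change_address": current,
    }


# Constructed sample: a 10 BTC ransom payment peeled four times, then
# consolidated with unrelated funds (a multi-input transaction ends the chain).
SAMPLE_TXS = (
    Tx("tx1", ("ransom_in",), (("peel_a", 0.9), ("chg_1", 9.1))),
    Tx("tx2", ("chg_1",), (("chg_2", 8.3), ("peel_b", 0.8))),
    Tx("tx3", ("chg_2",), (("peel_c", 0.7), ("chg_3", 7.6))),
    Tx("tx4", ("chg_3",), (("peel_d", 0.6), ("chg_4", 7.0))),
    Tx("tx5", ("chg_4", "other_in"), (("exchange_x", 9.0),)),
)

if __name__ == "__main__":
    print(find_peel_chain(SAMPLE_TXS, "ransom_in"))
```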

Cyber Insurance Dynamics

Cyber insurance plays a complex role in the ransomware economy:

  • Insurers initially facilitated payments -- some policies explicitly covered ransom payments, and insurers employed negotiation firms
  • Rising claims drove premium increases of 50--100%+ in 2021--2023
  • Insurers now increasingly mandate security controls (MFA, EDR, offline backups) as preconditions for coverage
  • Some insurers have excluded ransomware payments from policies or added sub-limits
  • Debate continues on whether insurance availability encourages targeting of insured organizations
  • Lloyd's of London mandated state-backed cyber attack exclusions starting 2023, affecting coverage for ransomware linked to nation-states

Known Groups & Attribution

The following table covers major ransomware groups, both currently active and historically significant. Status reflects best available intelligence as of early 2026.

Knowledge Gap

Attribution in ransomware is inherently uncertain. Group names often represent brands under which multiple independent affiliates operate. "Revenue estimates" are based on blockchain analysis and leak site data, which undercount actual payments. Active periods are approximate.

| Group | Status | Active Period | Known Affiliations / Lineage | Revenue Est. | Notable TTPs |
| --- | --- | --- | --- | --- | --- |
| LockBit (3.0) | Active (resurfaced Sep 2025) | 2019--present | Formerly largest RaaS; Russian-speaking operator "LockBitSupp" | $500M+ lifetime | StealBit exfil tool, bug bounty program, intermittent encryption, cross-platform (Windows/Linux/ESXi/macOS), Operation Cronos disruption Feb 2024 |
| ALPHV/BlackCat | Defunct (Mar 2024) | 2021--2024 | Rust-based; ties to DarkSide/BlackMatter alumni | $300M+ lifetime | First Rust ransomware, Sphynx variant, filed SEC complaint against victim, exit-scammed affiliates after $22M Change Healthcare payment |
| Cl0p | Active | 2019--present | FIN11 / TA505 nexus; Russian-speaking | $500M+ (MOVEit alone ~$100M) | Zero-day exploitation specialist (Accellion, GoAnywhere, MOVEit, Cleo); exfil-only model; mass exploitation over manual intrusion |
| RansomHub | Active | 2024--present | Absorbed ALPHV/BlackCat affiliates post-exit scam | $100M+ est. (2024) | Rapid growth, competitive affiliate terms (90/10 split reported), cross-platform, aggressive recruitment |
| Akira | Active | 2023--present | Possible Conti connections | $42M+ (FBI, through Jan 2024) | Cross-platform (Windows/Linux), targets Cisco VPN vulnerabilities, PowerShell-heavy |
| Black Basta | Active | 2022--present | Conti successor; members from Conti Team 2 | $100M+ through 2024 | QakBot/DarkGate for initial access, SystemBC for persistence, targets VMware ESXi, rapid encryption |
| Royal / BlackSuit | Active (as BlackSuit) | 2022--present | Conti successor; rebranded to BlackSuit mid-2023 | $275M+ (FBI, through 2024) | Demands up to $60M, callback phishing, custom encryptor |
| Rhysida | Active | 2023--present | Unknown origin | $50M+ est. | Targets healthcare, education, government; British Library attack; auction model for stolen data |
| Play | Active | 2022--present | Possibly linked to Hive alumni | $50M+ est. | Exploits Fortinet/Citrix vulns, custom tools (Grixba info-stealer), intermittent encryption |
| Medusa | Active | 2023--present | Distinct from MedusaLocker | $30M+ est. | Tor-based leak site with countdown timers, targets education/healthcare, BYOVD for EDR evasion |
| BianLian | Active (exfil-only since 2024) | 2022--present | Unknown origin; Go-based encryptor | $20M+ est. | Shifted to exfiltration-only after Avast released decryptor (Jan 2023); focuses on data theft extortion |
| Scattered Spider / Octo Tempest | Active | 2022--present | Loosely organized English-speaking collective; ALPHV affiliate | Unknown | Social engineering (SIM swapping, help desk impersonation), MFA fatigue, targets identity providers, MGM/Caesars attacks |
| Qilin | Active | 2023--present | Russian-speaking | $20M+ est. | Rust-based, cross-platform, targets VMware ESXi, credential harvesting via Chrome browser |
| Hunters International | Active | 2023--present | Acquired/inherited Hive source code | $15M+ est. | File-tagging exfiltration, targets healthcare, World-Check data breach claim |
| INC Ransom | Active | 2023--present | Unknown origin | $10M+ est. | Targets healthcare (NHS Scotland), government, Citrix Bleed exploitation |
| 8Base | Disrupted (2025) | 2022--2025 | Phobos variant; infrastructure seized | $10M+ est. | Targeted SMBs, used Phobos ransomware with custom branding |
| Cactus | Active | 2023--present | Unknown origin | $10M+ est. | Self-encrypts binary to evade AV, exploits VPN vulnerabilities, targets Qlik Sense servers |
| Vice Society | Reduced activity | 2021--2024 | Unknown; targeted education sector | $20M+ est. | Focused on K-12 and universities; used multiple third-party ransomware strains rather than custom encryptor |
| Conti | Disbanded (May 2022) | 2020--2022 | TrickBot group; members scattered to Royal, Black Basta, Akira, Zeon | $700M+ lifetime | Costa Rica national emergency, ContiLeaks exposed internal operations, Russian government ties |
| REvil / Sodinokibi | Defunct (2022) | 2019--2022 | GandCrab successor; Russian FSB arrests | $200M+ lifetime | Kaseya supply chain attack, massive demands ($70M), affiliate panel |
| DarkSide / BlackMatter | Defunct (2021) | 2020--2021 | Rebranded to BlackMatter, then to ALPHV/BlackCat | $90M+ | Colonial Pipeline ($4.4M paid, $2.3M recovered), claimed to avoid hospitals/infrastructure |
| Hive | Taken down (Jan 2023) | 2021--2023 | FBI infiltrated for 7 months before takedown | $100M+ | Targeted hospitals during COVID, FBI provided 300+ decryption keys during infiltration |
| Phobos | Reduced (post-arrests) | 2018--present | Distributed RaaS; low-sophistication affiliates | $16M+ | Targets SMBs via exposed RDP, low ransom demands ($1K--$50K), high volume |
| Cuba | Reduced activity | 2019--2024 | Russian-speaking | $60M+ (FBI) | BugHole exploit, Veeam vulns, targets US critical infrastructure |
| NoEscape | Defunct (exit scam 2023) | 2023 | Avaddon rebrand; exit-scammed affiliates | Unknown | Short-lived; notable for rapid affiliate abandonment |
| Trigona | Disrupted (2023) | 2022--2023 | Infrastructure taken down by Ukrainian Cyber Alliance | Unknown | Targeted MSSQL servers, ColdFusion exploitation |
| AvosLocker | Reduced activity | 2021--2024 | Unknown | Unknown | Targeted critical infrastructure, used open-source tools, safe-mode rebooting to disable AV |

Lineage & Rebranding Chains

Ransomware groups frequently rebrand to evade law enforcement attention and sanctions:

Figure: Lineage and rebranding chains (diagram, rendered as text)

  • GandCrab (2018--2019) -- rebranded -- REvil/Sodinokibi (2019--2022) -- arrested/disrupted -- defunct
  • Ryuk (2018--2020) -- evolved -- Conti (2020--2022) -- splintered -- Black Basta, Royal/BlackSuit, Akira, Zeon
  • DarkSide (2020--2021) -- rebranded -- BlackMatter (2021) -- rebranded -- ALPHV/BlackCat (2021--2024) -- exit scam, affiliates migrated -- RansomHub
  • Hive (2021--2023) -- code acquired -- Hunters International
  • Avaddon (2020--2021) -- rebranded -- NoEscape (2023)

TTPs (Tactics, Techniques, and Procedures)

The following breaks down ransomware TTPs by kill chain phase. Most modern ransomware intrusions take 1--10 days from initial access to encryption deployment, though some groups (Black Basta) have been observed achieving domain-wide encryption in under 12 hours.

Initial Access

| Technique | MITRE ATT&CK | Details |
| --- | --- | --- |
| IAB-Purchased Access | T1078 (Valid Accounts) | Affiliates purchase pre-established access (VPN credentials, web shells, RDP) from Initial Access Brokers; prices range $500--$50K+ depending on target revenue/industry |
| Exploitation of Edge Devices | T1190 | Heavy targeting of VPN/firewall vulnerabilities: Fortinet FortiOS (CVE-2023-27997, CVE-2024-21762), Cisco ASA/FTD (CVE-2023-20269), Citrix NetScaler (CVE-2023-4966 "Citrix Bleed"), Ivanti Connect Secure (CVE-2024-21887), Palo Alto PAN-OS (CVE-2024-3400) |
| Phishing / Callback Phishing | T1566 | BazarCall-style callback phishing (Royal/BlackSuit); malicious attachments delivering loaders; HTML smuggling |
| Valid Credentials | T1078 | Credential stuffing, purchased credentials from infostealer logs (Raccoon, RedLine, Vidar), MFA fatigue attacks (Scattered Spider) |
| RDP Brute Force | T1110 | Phobos and lower-tier groups heavily target exposed RDP; automated scanning tools |
| Zero-Day Exploitation | T1190 | Cl0p specializes in mass exploitation of zero-days in file transfer appliances (MOVEit, GoAnywhere, Cleo) |

Execution

| Technique | MITRE ATT&CK | Details |
| --- | --- | --- |
| Custom Loaders | T1059 | Groups deploy custom or purchased loaders to deliver post-exploitation tools; BumbleBee, IcedID, QakBot historically popular |
| DLL Side-Loading | T1574.002 | Abusing legitimate signed binaries to load malicious DLLs; common with Black Basta and Akira |
| PowerShell / Scripting | T1059.001 | Encoded PowerShell for payload delivery, reconnaissance, and disabling security tools |
| WMI / DCOM | T1047 | Remote execution across endpoints for mass deployment |

Persistence

| Technique | MITRE ATT&CK | Details |
| --- | --- | --- |
| Multiple Backdoors | T1505 | Deploying several persistence mechanisms simultaneously to survive partial remediation |
| Web Shells | T1505.003 | Planted on compromised web-facing servers; IIS, Exchange, Citrix |
| RMM Tool Abuse | T1219 | Legitimate remote management tools (AnyDesk, TeamViewer, Atera, Splashtop, ConnectWise ScreenConnect) installed as covert backdoors |
| Scheduled Tasks / Services | T1053 / T1543 | Persistence through Windows Task Scheduler or creating new services |

Defense Evasion

| Technique | MITRE ATT&CK | Details |
| --- | --- | --- |
| BYOVD (Bring Your Own Vulnerable Driver) | T1068 | Loading vulnerable kernel drivers to disable EDR/AV; tools include Terminator (Spyboy), AuKill, Backstab, KillAV. Major trend in 2024--2025. |
| Safe Mode Boot | T1562.009 | Rebooting into Windows Safe Mode where security tools don't load, then running encryptor (AvosLocker, BlackBasta) |
| Process Injection | T1055 | Injecting into legitimate processes to evade behavioral detection |
| Disabling Security Tools | T1562.001 | PowerShell commands, Group Policy, or registry modifications to disable Windows Defender, EDR agents |
| Indicator Removal | T1070 | Log clearing, timestamp modification, deleting forensic artifacts |
| Obfuscation | T1027 | Packing, encoding, and encrypting payloads; Cl0p and Cactus self-encrypt binaries |

Discovery & Credential Access

| Technique | MITRE ATT&CK | Details |
| --- | --- | --- |
| Network Scanning | T1046 | Advanced IP Scanner, SoftPerfect Network Scanner, netscan.exe |
| AD Enumeration | T1087.002 | BloodHound, ADRecon, PowerView, SharpHound for mapping Active Directory attack paths |
| Mimikatz | T1003.001 | LSASS memory dumping for credential extraction; virtually ubiquitous |
| LSASS Dump | T1003.001 | Using procdump, comsvcs.dll MiniDump, or direct memory access |
| Kerberoasting | T1558.003 | Requesting TGS tickets for service accounts and cracking offline |
| Credential from Backup | T1552 | Extracting credentials from Veeam backup databases, configuration files, Group Policy Preferences |
| DCSync | T1003.006 | Replicating domain controller credentials via Directory Replication Service |

Lateral Movement

| Technique | MITRE ATT&CK | Details |
| --- | --- | --- |
| PsExec / SMBExec | T1570 | Remote service creation for payload execution across the domain |
| RDP | T1021.001 | Using compromised credentials for interactive lateral movement |
| WMI | T1047 | Windows Management Instrumentation for remote code execution |
| Group Policy | T1484.001 | Deploying ransomware via Group Policy Object; mass deployment method |
| SMB File Shares | T1021.002 | Copying payloads to admin shares (C$, ADMIN$) |
| SSH (Linux) | T1021.004 | Lateral movement in Linux/ESXi environments |

Collection & Exfiltration

| Technique | MITRE ATT&CK | Details |
| --- | --- | --- |
| Data Staging | T1074 | Aggregating files into staging directories before exfiltration |
| Rclone | T1567.002 | Command-line tool for syncing data to attacker-controlled cloud storage (MEGA, pCloud) |
| WinSCP / FileZilla | T1048 | SFTP-based exfiltration to attacker infrastructure |
| MEGA Client | T1567.002 | Direct upload to MEGA cloud storage; popular due to encrypted storage |
| Custom Exfil Tools | T1041 | StealBit (LockBit), ExMatter (BlackMatter/ALPHV), Exbyte (BlackByte) |
| Cloud Storage Abuse | T1567 | Using legitimate cloud services to blend with normal traffic |

Impact

| Technique | MITRE ATT&CK | Details |
| --- | --- | --- |
| File Encryption | T1486 | AES-256 + RSA/ECC hybrid encryption; intermittent encryption (encrypting every other block) is a growing trend for speed |
| Volume Shadow Copy Deletion | T1490 | vssadmin delete shadows /all /quiet -- near-universal in ransomware operations |
| Backup Destruction | T1490 | Targeting Veeam, Commvault, Veritas, and other backup infrastructure; deleting snapshots |
| ESXi Targeting | T1486 | Linux variants specifically target VMware ESXi hypervisors to encrypt entire virtual machine fleets simultaneously |
| System Recovery Disabling | T1490 | Disabling Windows Recovery Environment, deleting boot configuration data |
| Print Bombing | T1491 | Some groups (LockBit) print ransom notes on all network printers |

Supply Chain & Tooling

Ransomware operations depend on a layered supply chain of tools and services, most of which are shared across multiple groups.

Initial Access Supply

  • Initial Access Brokers (IABs): Sell pre-established footholds (VPN credentials, web shells, RDP access) on forums like Exploit, XSS, and RAMP. Prices: $500 for SMB access, $10K--$50K+ for large enterprise/government targets. See Initial Access Brokers for a deep dive.
  • Infostealer Logs: Credentials harvested by Raccoon, RedLine, Vidar, Lumma, and others are sold in bulk on Russian Market, Genesis Market (taken down 2023), and Telegram channels. Often provide VPN/RDP credentials that directly enable ransomware access.

Malware-as-a-Service (MaaS) Loaders

| Loader | Status | Used By |
| --- | --- | --- |
| QakBot / Qbot | Disrupted Aug 2023; partially resurfaced | Black Basta, REvil, Conti |
| IcedID / BokBot | Reduced activity post-2023 | Conti, REvil, Maze |
| BumbleBee | Intermittently active | Conti successors, Black Basta |
| Emotet | Disrupted 2021; intermittent returns | Conti, Ryuk |
| DarkGate | Active | Black Basta, various affiliates |
| Pikabot | Active since 2023 | Multiple affiliate groups |
| SystemBC | Active | Black Basta, REvil, DarkSide |

Post-Exploitation / C2 Frameworks

| Tool | Type | Notes |
| --- | --- | --- |
| Cobalt Strike | Commercial C2 (widely pirated) | Used by majority of ransomware groups; cracked versions ubiquitous |
| Brute Ratel C4 | Commercial C2 | Designed to evade EDR; adopted by BlackCat, BlackBasta |
| Sliver | Open-source C2 | Growing adoption as Cobalt Strike detections improve |
| Metasploit | Open-source framework | Used for exploitation and post-exploitation |
| Havoc | Open-source C2 | Emerging framework |
| Mythic | Open-source C2 | Modular framework gaining traction |

BYOVD / EDR Evasion Tools

| Tool | Method | Used By |
| --- | --- | --- |
| Terminator (Spyboy) | Loads vulnerable Zemana driver to kill EDR processes | Multiple affiliates; sold on RAMP forum |
| AuKill | Abuses Process Explorer driver | Medusa, Play |
| Backstab | Leverages RTCore64.sys driver | LockBit, ALPHV affiliates |
| KillAV | Various vulnerable drivers | Scattered across groups |
| GhostEngine / REF4578 | Uses multiple vulnerable drivers in sequence | Emerging toolset |

Legitimate Tools Abused

RMM and IT administration tools are heavily abused because they blend with legitimate enterprise software and are often whitelisted:

  • AnyDesk, TeamViewer -- Remote access persistence
  • ConnectWise ScreenConnect -- Remote access (CVE-2024-1709 widely exploited)
  • Atera, Splashtop -- RMM tools for persistent access
  • PsExec -- Remote execution and lateral movement
  • Rclone -- Data exfiltration to cloud
  • WinSCP, FileZilla -- SFTP-based exfiltration
  • Advanced IP Scanner, SoftPerfect -- Network reconnaissance
  • 7-Zip -- Data compression before exfiltration

Notable Campaigns & Operations

| Campaign / Incident | Date | Actor | Impact | Details |
| --- | --- | --- | --- | --- |
| WannaCry | May 2017 | Lazarus Group (DPRK) | 200K+ systems in 150 countries; $4B+ est. damage | EternalBlue worm; NHS UK severely impacted; inadvertent kill switch discovered |
| NotPetya | Jun 2017 | Sandworm (Russia GRU) | $10B+ est. damage | Disguised as ransomware; actually destructive wiper; M.E.Doc supply chain |
| Colonial Pipeline | May 2021 | DarkSide | Largest US fuel pipeline shut down 6 days | $4.4M ransom paid (DOJ recovered $2.3M); triggered national emergency; drove US executive order on cybersecurity |
| JBS Foods | Jun 2021 | REvil | World's largest meat processor shut down | $11M ransom paid; highlighted food supply chain vulnerability |
| Kaseya VSA | Jul 2021 | REvil | 1,500+ businesses via MSP supply chain | Demanded $70M; exploited zero-day in Kaseya VSA; FBI obtained decryption key |
| Costa Rica Government | Apr--May 2022 | Conti | National emergency declared; government systems offline for weeks | First ransomware attack to trigger national emergency; $20M demand; motivated by Conti's support of Russia |
| Medibank (Australia) | Oct 2022 | REvil-linked | 9.7M customer health records stolen | Data published after refusal to pay; drove Australian regulatory changes |
| Royal Mail UK | Jan 2023 | LockBit | International mail services disrupted for weeks | $80M demand; highlighted critical infrastructure vulnerability |
| MOVEit | May--Jun 2023 | Cl0p | 2,700+ organizations; 90M+ individuals affected | Zero-day in Progress MOVEit Transfer (CVE-2023-34362); mass exploitation; no encryption deployed |
| British Library | Oct 2023 | Rhysida | Major cultural institution; systems offline for months | Demonstrated devastating impact on underfunded public sector organizations |
| MGM Resorts | Sep 2023 | Scattered Spider (ALPHV affiliate) | $100M+ estimated losses; casino/hotel operations disrupted 10 days | Social engineering of IT help desk; MFA fatigue attack; highlighted identity security gaps |
| Caesars Entertainment | Sep 2023 | Scattered Spider (ALPHV affiliate) | $15M ransom paid | Social engineering attack; paid to prevent customer data leak |
| Change Healthcare | Feb 2024 | ALPHV/BlackCat | Largest US healthcare disruption; $22M paid; claims processing halted nationwide | ALPHV exit-scammed; affiliate "Notchy" may have been paid separately; exposed single-point-of-failure in US healthcare payments |
| CDK Global | Jun 2024 | BlackSuit | 15,000+ US auto dealerships disrupted for 2+ weeks | Highlighted software supply chain risk in automotive retail |
| Cleo (Harmony, VLTrader) | Dec 2024--Jan 2025 | Cl0p | Hundreds of organizations via zero-day (CVE-2024-50623, CVE-2024-55956) | Repeated Cl0p's MOVEit playbook against another file transfer product |
| NHS Synnovis (UK) | Jun 2024 | Qilin | London hospital pathology services disrupted; 10,000+ appointments cancelled | Highlighted healthcare sector vulnerability; patient data leaked |

Healthcare Under Siege

Ransomware actors have increasingly targeted healthcare despite early pandemic-era pledges to avoid hospitals. In 2024, healthcare was the single most impacted sector by ransomware. The Change Healthcare attack alone demonstrated how a single compromise can cascade across an entire national healthcare system. Multiple hospital systems reported delayed patient care and diverted ambulances during active ransomware incidents.

Law Enforcement & Disruption

Takedown Timeline

| Operation | Date | Target | Outcome |
| --- | --- | --- | --- |
| Emotet Takedown | Jan 2021 | Emotet botnet | Multinational operation; infrastructure seized; botnet later partially reconstituted |
| REvil Arrests | Jan 2022 | REvil / Sodinokibi | Russian FSB arrested 14 members; infrastructure seized; group did not reconstitute |
| Hive Takedown | Jan 2023 | Hive ransomware | FBI infiltrated infrastructure for 7 months, provided 300+ decryption keys saving $130M+ in potential payments; servers seized in multinational op |
| Genesis Market Seizure | Apr 2023 | Genesis Market (credential marketplace) | 119 arrests across 17 countries; disrupted major infostealer log marketplace feeding IABs |
| QakBot Disruption | Aug 2023 | QakBot / Qbot | Operation Duck Hunt; FBI pushed uninstall commands to 700K+ infected machines; $8.6M in crypto seized |
| ALPHV/BlackCat Seizure | Dec 2023 | ALPHV/BlackCat infrastructure | FBI seized Tor sites; ALPHV "unseized" them hours later in tug-of-war; group continued operating until exit scam in Mar 2024 |
| LockBit Operation Cronos | Feb 2024 | LockBit infrastructure | NCA-led multinational operation; infrastructure seized; LockBitSupp identified as Dmitry Khoroshev (sanctioned); 7K+ decryption keys recovered; group resurfaced Sep 2025 |
| Phobos/8Base Arrests | 2024--2025 | Phobos operators; 8Base infrastructure | Multiple arrests; 8Base infrastructure seized early 2025 |

Assessment: The Hydra Effect in Practice

Why Takedowns Haven't Reduced Volume

Every major takedown has been followed by affiliate migration, not retirement. The pattern is consistent:

  1. Group A is disrupted
  2. Affiliates (who possess the intrusion skills) migrate to Groups B, C, D
  3. Competing groups actively recruit displaced affiliates
  4. Total attack volume remains stable or increases
  5. New groups emerge to fill market gaps

This dynamic means that law enforcement operations are necessary but insufficient. They impose costs, recover some funds, and provide decryption keys to victims -- but they do not reduce the total addressable threat. Sustained pressure on the financial infrastructure (cryptocurrency mixers, exchanges) and safe havens (Russia, CIS countries) remains critical.

Defensive Implications

Ransomware defense requires a layered strategy addressing each phase of the kill chain. The following maps defensive priorities to the TTPs documented above.

Priority 1: Prevent Initial Access

| Control | Rationale |
| --- | --- |
| Patch edge devices aggressively | VPN/firewall exploitation (Fortinet, Cisco, Citrix, Ivanti, Palo Alto) is the #1 initial access vector for ransomware affiliates. Patch within 24--48 hours of advisory. |
| MFA on all remote access | Eliminates credential-based access via stolen/purchased credentials. Phishing-resistant MFA (FIDO2) preferred. |
| Email security with URL sandboxing | Blocks phishing and callback phishing campaigns. |
| Vulnerability management for edge devices | Continuous scanning of internet-facing infrastructure; prioritize CISA KEV catalog entries. |
| IAB monitoring | Dark web monitoring for organizational credentials and access listings. |

Priority 2: Detect & Contain Intrusions

| Control | Rationale |
| --- | --- |
| EDR/XDR with behavioral detection | Must detect BYOVD attempts, credential dumping, lateral movement patterns. Signature-only tools are insufficient. |
| Identity threat detection (ITDR) | Credential abuse (Mimikatz, Kerberoasting, DCSync) is the primary method for privilege escalation and lateral movement. |
| Network segmentation | Limits blast radius; prevents domain-wide encryption from a single compromised endpoint. |
| RMM tool allowlisting | Block unauthorized remote management tools; alert on new RMM installations. |
| SOC monitoring / MDR | 24/7 detection and response capability; ransomware deployment often occurs outside business hours (weekends, holidays). |
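To make the behavioral-detection and RMM-alerting controls above concrete, the following added example (not code from this page or any vendor) runs rules keyed to the ATT&CK IDs in the TTP tables over constructed Sysmon-like process and driver-load events, then triages hosts so that any recovery-inhibition (T1490, T1562.009) or BYOVD (T1068) hit is escalated to critical. The event shape, the regexes, the driver list and the severity thresholds are assumptions.

```python
import re

# Detection rules keyed by the ATT&CK IDs used in this page's TTP tables.
# Patterns are matched case-insensitively against "image path + command line".
PROCESS_RULES = [
    ("T1490", "Shadow copy deletion", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("T1490", "Backup catalog deletion", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("T1490", "Recovery environment disabled",
     r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("T1562.009", "Safe mode boot configured", r"bcdedit.*\bsafeboot\b"),
    ("T1003.001", "LSASS memory dump", r"procdump.*lsass|comsvcs(\.dll)?.*minidump"),
    ("T1046", "Network scanner", r"advanced_ip_scanner|\bnetscan(\.exe)?\b|softperfect"),
    ("T1219", "RMM tool execution",
     r"\b(anydesk|teamviewer|atera|splashtop|screenconnect)\b"),
    ("T1567.002", "Rclone to cloud storage", r"\brclone\b.*\b(mega|pcloud)\b"),
    ("T1048", "SFTP client exfiltration", r"\b(winscp|filezilla)\b"),
]
COMPILED = [(tid, name, re.compile(pat, re.IGNORECASE)) for tid, name, pat in PROCESS_RULES]

# Driver name taken from the BYOVD table above; in production this set would be
# fed from a maintained vulnerable-driver list (assumption for this example).
KNOWN_VULNERABLE_DRIVERS = {"rtcore64.sys"}

# Techniques that mean encryption is imminent or EDR is being blinded.
IMMINENT = {"T1490", "T1562.009", "T1068"}


def match_event(event):
    """Return [(technique_id, rule_name)] for one (type, host, user, image, detail) record."""
    etype, _host, _user, image, detail = event
    if etype == "driver":
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        return [("T1068", "BYOVD vulnerable driver load")] if name in KNOWN_VULNERABLE_DRIVERS else []
    if etype != "process":
        return []
    text = f"{image} {detail}"
    return [(tid, name) for tid, name, rx in COMPILED if rx.search(text)]


def detect(events):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for event in events:
        _etype, host, user, _image, detail = event
        for tid, name in match_event(event):
            findings.append({"host": host, "user": user, "technique": tid,
                             "rule": name, "evidence": detail})
    return findings


def triage_hosts(findings):
    """Per-host severity: any IMMINENT technique is critical (isolate now);
    two or more distinct techniques is high; a single hit is medium."""
    techniques_by_host = {}
    for finding in findings:
        techniques_by_host.setdefault(finding["host"], set()).add(finding["technique"])
    triage = {}
    for host, tids in techniques_by_host.items():
        if tids & IMMINENT:
            severity = "critical"
        elif len(tids) >= 2:
            severity = "high"
        else:
            severity = "medium"
        triage[host] = {"techniques": sorted(tids), "severity": severity}
    return triage


# Constructed sample events in a simplified Sysmon-like shape:
# (event_type, host, user, image_path, command_line_or_driver_name)
SAMPLE_EVENTS = [
    ("process", "WS01", "CORP\\jdoe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin delete shadows /all /quiet"),
    ("process", "WS01", "CORP\\jdoe", r"C:\Windows\System32\wbadmin.exe",
     "wbadmin delete catalog -quiet"),
    ("process", "WS01", "CORP\\jdoe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled no"),
    ("process", "SRV02", "CORP\\svc_backup", r"C:\Tools\rclone.exe",
     "rclone copy D:\\Finance mega:dump --transfers 32"),
    ("driver", "SRV02", "SYSTEM", r"C:\Windows\Temp\RTCore64.sys", "RTCore64.sys"),
    ("process", "SRV02", "CORP\\svc_backup", r"C:\Users\Public\AnyDesk.exe",
     "AnyDesk.exe --install"),
    ("process", "WS07", "CORP\\asmith",
     r"C:\Users\asmith\AppData\Local\Temp\Advanced_IP_Scanner.exe",
     "Advanced_IP_Scanner.exe /portable"),
    ("process", "WS09", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs"),  # benign: no rule should fire
]

if __name__ == "__main__":
    for host, summary in triage_hosts(detect(SAMPLE_EVENTS)).items():
        print(host, summary)
```

The WS01 sequence (shadow copies, backup catalog, recovery environment) is the pre-encryption pattern the Impact table describes, and is the point at which containment, not investigation, is the right response.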

Priority 3: Survive & Recover

| Control | Rationale |
| --- | --- |
| Immutable, offline backups | 3-2-1 backup rule with at least one air-gapped or immutable copy. Test restoration regularly. |
| Backup infrastructure hardening | Ransomware actors specifically target backup systems (Veeam, Commvault). Segregate backup admin credentials. |
| Ransomware-specific IR playbooks | Pre-established procedures for containment, negotiation, legal/regulatory notification, recovery. |
| Incident response retainer | Pre-negotiated retainer with IR firm for rapid engagement. |
| Cyber insurance | Coverage for business interruption, IR costs, potential ransom payment (if elected). Review exclusions carefully. |

Priority 4: Reduce Exposure

| Control | Rationale |
| --- | --- |
| Least privilege / tiered admin model | Limit domain admin accounts; implement admin tiering to prevent single-hop to domain controller. |
| Disable legacy protocols | SMBv1, NTLM where possible; reduce lateral movement attack surface. |
| Data classification and access controls | Reduce volume of sensitive data accessible from a single compromised account. |
| ESXi hardening | Restrict management access, enable lockdown mode, dedicated management VLAN. |

Market Impact

Ransomware is the single largest driver of cybersecurity spending across virtually every segment. It is the threat that boards of directors understand and the risk that justifies budget increases.

Segment-Level Demand Impact

| Segment | Ransomware-Driven Demand | Key Vendors |
| --- | --- | --- |
| Endpoint Security (EDR/XDR) | Primary detection/prevention layer; BYOVD evasion drives continuous innovation; behavioral detection is table stakes | CrowdStrike, SentinelOne, Microsoft, Palo Alto, Sophos |
| MDR / MSSP | 24/7 monitoring critical since ransomware deploys off-hours; SMBs lack in-house SOC capability | CrowdStrike, Arctic Wolf, Sophos, Huntress, Expel |
| Backup & Recovery | Immutable backup is last line of defense; ransomware-specific recovery features (clean room, orchestrated recovery) | Rubrik, Cohesity, Veeam, Commvault, Druva |
| Identity Security | Credential abuse is the primary lateral movement method; ITDR is the fastest-growing sub-segment | CrowdStrike, SentinelOne, Microsoft, Silverfort, Semperis |
| Email Security | Phishing remains a top initial access vector; callback phishing requires behavioral analysis | Proofpoint, Mimecast, Abnormal Security, Microsoft |
| SIEM / SOAR | Correlation of signals across kill chain; automated response playbooks for ransomware containment | Splunk (Cisco), Microsoft Sentinel, CrowdStrike LogScale, Palo Alto XSIAM |
| Network Security | Segmentation limits blast radius; edge device patching/hardening is critical | Palo Alto, Fortinet, Cisco, Zscaler, Illumio (microsegmentation) |
| Vulnerability Management | Edge device vulnerabilities are #1 initial access vector; CISA KEV prioritization | Tenable, Rapid7, Qualys, CrowdStrike Falcon Exposure Management |
| Incident Response | Ransomware drives majority of IR engagement volume; retainers are standard for enterprises | CrowdStrike, Mandiant (Google), Unit 42 (Palo Alto), Secureworks, Kroll |
| Cyber Insurance | Ransomware is the dominant claims driver; premium and underwriting directly tied to ransomware risk | Coalition, Corvus, At-Bay, Beazley, AXA XL |
| Cloud Security | Ransomware targeting cloud workloads and ESXi; data exfiltration from SaaS/cloud storage | Wiz, Orca, Palo Alto Prisma, Lacework |

Vendor Differentiation on Ransomware

Vendors increasingly market ransomware-specific capabilities as competitive differentiators:

  • CrowdStrike -- Ransomware prevention warranty (up to $1M); Identity Threat Detection; Falcon Complete managed service
  • SentinelOne -- Ransomware warranty ($1M+); Singularity Identity; automated rollback capability
  • Sophos -- Managed Detection and Response with ransomware focus; Active Adversary report series
  • Rubrik -- "Ransomware Recovery Guarantee" ($5M); immutable backup architecture; anomaly detection on backup data
  • Cohesity -- DataHawk threat scanning on backup data; FortKnox SaaS vault; clean room recovery
  • Veeam -- Inline malware detection; immutable repositories; hardened Linux repository for backup
  • Illumio -- Microsegmentation to contain lateral movement; "ransomware containment" positioning
  • Semperis -- Active Directory-specific protection; ITDR for AD tier-zero assets; post-breach AD recovery
  • Halcyon -- Purpose-built anti-ransomware platform; capture-and-decrypt approach; emerging vendor

Insurance Market Dynamics

The cyber insurance market is deeply entangled with the ransomware economy:

  • Premium trajectory: Rates increased 50--100%+ in 2021--2023 as ransomware claims surged; stabilized somewhat in 2024--2025 as underwriting matured
  • Minimum security requirements: Most insurers now mandate MFA, EDR, offline backups, patch management as preconditions for coverage
  • Payment controversy: Ongoing debate about whether insurance-funded payments sustain the ransomware economy; some jurisdictions considering bans on ransom payments
  • Loss ratios: Ransomware accounts for 60--75% of cyber insurance claims by value (source: Coalition, Corvus reports)

Recent Activity (2024--2026)

Q1 2025: Record-Breaking Quarter

Q1 2025 saw a 126% YoY increase in ransomware activity, driven by: RansomHub's rapid growth absorbing ALPHV affiliates, Cl0p's Cleo exploitation campaign, continued exploitation of edge device vulnerabilities, and proliferation of new smaller groups. This represents the highest single-quarter volume on record.

RansomHub Ascendancy (2024--2025)

Following ALPHV/BlackCat's exit scam in March 2024, RansomHub emerged as the dominant RaaS operation by mid-2024. Its competitive affiliate terms (reported 90/10 split) and willingness to accept experienced affiliates from disrupted groups fueled rapid growth. By Q4 2024, RansomHub consistently posted the highest monthly victim counts.

LockBit Resurgence (Sep 2025)

Despite Operation Cronos (Feb 2024) seizing infrastructure and identifying operator Dmitry Khoroshev, LockBit resurfaced in September 2025 with updated infrastructure. The resurgence underscored the difficulty of permanently dismantling RaaS operations when the operator remains at liberty in a non-extraditing jurisdiction.

Knowledge Gap

Details on LockBit's post-resurgence operational tempo, affiliate count, and infrastructure changes are still emerging. The degree to which the resurfaced operation matches its pre-Cronos scale is uncertain.

Cl0p's Continued Zero-Day Exploitation (2024--2025)

Cl0p continued its pattern of mass-exploiting zero-days in file transfer appliances, targeting Cleo Harmony and VLTrader (CVE-2024-50623, CVE-2024-55956) in late 2024/early 2025. This follows the same playbook used against Accellion (2021), GoAnywhere (2023), and MOVEit (2023). Cl0p's approach is distinctive: mass exploitation, data exfiltration, extortion -- with no encryption deployed.

BianLian's Shift to Exfiltration-Only (2024)

BianLian abandoned encryption entirely in 2024, relying solely on data theft and extortion. This trend is notable because it removes the "smoking gun" of encrypted files, potentially delaying detection and complicating insurance claims that may have encryption-specific triggers.
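
Because exfiltration-only extortion, as practised by Cl0p and BianLian above, produces no encryption event to alert on, detection has to key on the data movement itself. The following Python script is an added example, not code from this page or from any vendor named on it. It aggregates constructed flow-log records (timestamp, source, destination, port, bytes out; all values are made up) per internal host, discards internal-to-internal traffic, and flags hosts that push more than a threshold of data to external addresses, rating the alert higher when the transfer happens off-hours or goes to a destination no other host contacts. The 1 GiB threshold, the 22:00 to 06:00 UTC off-hours window and the RFC 1918 definition of "internal" are assumptions to tune per environment.

```python
"""Added example: flag hosts whose outbound volume to external addresses looks
like bulk exfiltration. Thresholds, the off-hours window and the sample flow
records are constructed assumptions, not figures from the page."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample flow records: timestamp  src  dst  dst_port  bytes_out
# (addresses use RFC 1918 and RFC 5737 documentation ranges; values are made up)
SAMPLE_FLOWS = """\
2025-01-14T02:11:03Z 10.20.4.17 203.0.113.45 443 9400000000
2025-01-14T02:13:44Z 10.20.4.17 203.0.113.45 443 8100000000
2025-01-14T02:20:10Z 10.20.4.17 198.51.100.9 22 3200000000
2025-01-14T09:05:00Z 10.20.4.22 203.0.113.80 443 120000
2025-01-14T09:06:12Z 10.20.4.22 203.0.113.80 443 98000
2025-01-14T09:10:00Z 10.20.4.31 10.20.9.5 445 500000000
2025-01-14T10:00:00Z 10.20.4.40 203.0.113.45 443 2500000000
"""

# Assumption: "internal" means RFC 1918 space; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GIB = 1024 ** 3


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def off_hours(ts: datetime, start_hour: int = 22, end_hour: int = 6) -> bool:
    """Assumed quiet window 22:00-06:00 UTC; ransomware crews favour off-hours."""
    return ts.hour >= start_hour or ts.hour < end_hour


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return flows


def score_hosts(flows: list, threshold_bytes: int = GIB) -> list:
    """Return alerts (largest outbound volume first) for hosts over the threshold."""
    per_host = defaultdict(lambda: {"bytes": 0, "off_hours_bytes": 0, "dests": set()})
    fan_in = defaultdict(set)  # external dst -> internal hosts that talked to it
    for f in flows:
        if is_internal(f["dst"]):      # lateral traffic is out of scope for this check
            continue
        stats = per_host[f["src"]]
        stats["bytes"] += f["bytes"]
        stats["dests"].add(f["dst"])
        if off_hours(f["ts"]):
            stats["off_hours_bytes"] += f["bytes"]
        fan_in[f["dst"]].add(f["src"])

    alerts = []
    for host, stats in per_host.items():
        if stats["bytes"] < threshold_bytes:
            continue
        # A destination that only this host talks to is a stronger exfil indicator
        rare = sorted(d for d in stats["dests"] if len(fan_in[d]) == 1)
        severity = "high" if stats["off_hours_bytes"] >= threshold_bytes or rare else "medium"
        alerts.append({"host": host, "bytes": stats["bytes"],
                       "off_hours_bytes": stats["off_hours_bytes"],
                       "rare_destinations": rare, "severity": severity})
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in score_hosts(parse_flows(SAMPLE_FLOWS)):
        print(f'{alert["severity"]:6} {alert["host"]:12} {alert["bytes"] / GIB:6.1f} GiB '
              f'off-hours={alert["off_hours_bytes"] / GIB:.1f} GiB '
              f'rare={alert["rare_destinations"]}')
```

Run against the constructed records, the host that moved roughly 20 GB to two external addresses at 02:00 is rated high (off-hours volume plus a destination nobody else contacts), while the daytime 2.5 GB transfer to a shared destination is rated medium and the SMB copy to an internal server is ignored. In production the same aggregation belongs in the SIEM over real NetFlow/VPC flow data, with baselines per host rather than a single static threshold.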
ESXi Targeting Proliferation

Nearly every major group now maintains Linux/ESXi variants of their encryptor. Targeting VMware ESXi hypervisors allows encryption of entire virtual machine fleets simultaneously, maximizing disruption from a single execution.

Continued Healthcare Targeting

Despite periodic pledges by some groups to avoid healthcare, the sector remained the most targeted in 2024--2025. The Change Healthcare attack ($22M payment, nationwide disruption) demonstrated catastrophic cascading effects.

BYOVD Becomes Standard

Bring Your Own Vulnerable Driver attacks for EDR evasion transitioned from a novel technique to a standard component of the ransomware playbook by 2025. Multiple commercial and custom tools (Terminator, AuKill, Backstab) are widely available.

Edge Device Exploitation Dominance

Exploitation of internet-facing VPN, firewall, and remote access appliances overtook phishing as the leading initial access vector for ransomware in 2024--2025. Fortinet, Citrix, Ivanti, Cisco, and Palo Alto products were all impacted by critical vulnerabilities actively exploited by ransomware affiliates.
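
One way to put the "CISA KEV prioritization" named in the segment table above into practice for the edge-device exposures this section describes, as an added example that is not code from this page or from any vendor it lists: join an asset inventory against the CISA Known Exploited Vulnerabilities feed and rank findings by KEV membership, the feed's knownRansomwareCampaignUse flag, internet exposure, and whether the KEV due date has passed. The feed's JSON field names are the real ones; the three KEV entries (two carry the Cleo CVE IDs cited above, with placeholder dates), the asset inventory, the CVE-0000-… placeholder IDs, and the weights are all constructed.

```python
"""Added example: rank open CVEs on an asset inventory by CISA KEV membership,
known ransomware use, internet exposure and overdue remediation. KEV field names
match the real feed; entries, assets, dates and weights are constructed."""
import json
from datetime import date

# Constructed subset in the layout of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The two Cleo CVE IDs are the ones cited on the page; the dates are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-50623", "vendorProject": "Cleo", "product": "Multiple Products",
     "dateAdded": "2024-12-13", "dueDate": "2025-01-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-55956", "vendorProject": "Cleo", "product": "Multiple Products",
     "dateAdded": "2024-12-17", "dueDate": "2025-01-07", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge VPN (placeholder)",
     "dateAdded": "2025-01-20", "dueDate": "2025-03-01", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: name, exposure, and open CVEs from a scanner export
ASSETS = [
    {"name": "cleo-ftp-01",  "internet_facing": True,  "cves": ["CVE-2024-50623", "CVE-2024-55956"]},
    {"name": "vpn-edge-01",  "internet_facing": True,  "cves": ["CVE-0000-0001"]},
    {"name": "db-03",        "internet_facing": False, "cves": ["CVE-0000-0001"]},
    {"name": "build-srv-07", "internet_facing": False, "cves": ["CVE-0000-0002"]},
]

# Assumed weights: KEV listing dominates, ransomware use and exposure add, overdue bumps
WEIGHTS = {"in_kev": 40, "ransomware_use": 30, "internet_facing": 20, "overdue": 10}


def load_kev(text: str) -> dict:
    """Index KEV entries by CVE ID from the feed's JSON text."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(assets: list, kev: dict, as_of: date) -> list:
    """Score every (asset, CVE) pair and return findings highest priority first."""
    findings = []
    for asset in assets:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            reasons = []
            if entry is not None:
                reasons.append("in_kev")
                if entry.get("knownRansomwareCampaignUse") == "Known":
                    reasons.append("ransomware_use")
                # BOD 22-01 style due date: past due means the clock has already run out
                if date.fromisoformat(entry["dueDate"]) < as_of:
                    reasons.append("overdue")
            if asset["internet_facing"]:
                reasons.append("internet_facing")
            score = sum(WEIGHTS[r] for r in reasons)
            findings.append({"asset": asset["name"], "cve": cve,
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["asset"], f["cve"]))
    return findings


if __name__ == "__main__":
    # Fixed evaluation date so the ranking is reproducible (placeholder, not "today")
    for f in prioritize(ASSETS, load_kev(KEV_SAMPLE), as_of=date(2025, 2, 1)):
        print(f'{f["score"]:3} {f["asset"]:13} {f["cve"]:15} {", ".join(f["reasons"])}')
```

With the constructed data the internet-facing Cleo host with two KEV entries flagged for ransomware use and past their due dates lands at the top, the edge VPN with a KEV-listed but not-yet-due CVE comes next, the same CVE on an internal database server ranks below it, and the non-KEV finding falls to the bottom. Swapping KEV_SAMPLE for the live feed and ASSETS for a scanner export turns this into a daily patch queue that reflects what ransomware affiliates actually exploit.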

Sources & Further Reading

Ongoing Reports

  • Chainalysis Crypto Crime Report -- Annual cryptocurrency-based ransomware payment analysis
  • Coveware Quarterly Ransomware Reports -- Payment trends, demand sizes, payment rates, attack vectors
  • Sophos State of Ransomware -- Annual survey of ransomware impact on organizations
  • Mandiant M-Trends -- Annual threat landscape report with ransomware statistics
  • CrowdStrike Global Threat Report -- Annual threat intelligence including ransomware ecosystem analysis
  • Unit 42 Ransomware and Extortion Report -- Palo Alto Networks' annual ransomware analysis
  • CISA #StopRansomware Advisories -- Joint advisories on specific ransomware groups with IOCs and TTPs
  • Recorded Future Insikt Group -- Ongoing ransomware tracking and analysis
  • Dragos OT Cybersecurity Year in Review -- Ransomware impact on industrial/OT environments

Key References

  • Chainalysis (2025). Ransomware Revenue Down as More Victims Refuse to Pay. chainalysis.com
  • Coveware (2025). Quarterly Ransomware Trends. coveware.com
  • FBI IC3 (2024). Internet Crime Report. ic3.gov
  • CISA (2023--2025). #StopRansomware Joint Advisories. cisa.gov
  • Europol (2024). Operation Cronos. europol.europa.eu
  • DOJ (2024). LockBit Disruption. justice.gov
  • Sophos (2024). State of Ransomware 2024. sophos.com

Disclaimer

Revenue estimates, payment figures, and attribution in this document are drawn from publicly available sources including blockchain analysis firms, incident response companies, and law enforcement announcements. Actual figures are likely significantly higher due to unreported incidents. Group attributions are based on best available intelligence and are subject to revision. This document reflects information available as of early 2026.

Glossary

This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.

A

Term Definition
ACL Access Control List — rules determining which users/systems can access resources
APT Advanced Persistent Threat — a prolonged, targeted cyberattack where an intruder gains and maintains unauthorized access
ASM Attack Surface Management — continuous discovery, inventory, and risk assessment of an organization's external-facing assets
ASPM Application Security Posture Management — unified visibility and risk management across the application lifecycle
AV Antivirus — software designed to detect, prevent, and remove malware

B

Term Definition
BAS Breach and Attack Simulation — automated tools that simulate real-world attacks to test security controls
BEC Business Email Compromise — a social-engineering attack targeting employees with access to company finances or data

C

Term Definition
C2 Command and Control — infrastructure used by attackers to communicate with compromised systems
CASB Cloud Access Security Broker — a security policy enforcement point between cloud consumers and providers
CCPA California Consumer Privacy Act — California state law granting consumers rights over their personal data
CIAM Customer Identity and Access Management — managing and securing external customer identities and authentication
CIEM Cloud Infrastructure Entitlement Management — managing identities and privileges in cloud environments
CTEM Continuous Threat Exposure Management — a program for continuously assessing and prioritizing threat exposures
CNAPP Cloud-Native Application Protection Platform — integrated security for cloud-native applications across the full lifecycle
CSPM Cloud Security Posture Management — continuous monitoring of cloud infrastructure for misconfigurations and compliance risks
CWPP Cloud Workload Protection Platform — security for workloads running in cloud environments (VMs, containers, serverless)
CVE Common Vulnerabilities and Exposures — a standardized identifier for publicly known cybersecurity vulnerabilities

D

Term Definition
DAST Dynamic Application Security Testing — testing a running application for vulnerabilities by simulating attacks
DCS Distributed Control System — a control system for managing industrial processes across multiple locations
DLP Data Loss Prevention — tools and processes to prevent unauthorized data exfiltration or leakage
DORA Digital Operational Resilience Act — EU regulation on ICT risk management for financial entities
DSPM Data Security Posture Management — discovering, classifying, and protecting sensitive data across cloud environments

E

Term Definition
EASM External Attack Surface Management — discovering and monitoring internet-facing assets for exposures
EDR Endpoint Detection and Response — tools that monitor endpoints for threats and provide investigation and response capabilities
EPP Endpoint Protection Platform — integrated endpoint security combining prevention, detection, and response

F/G

Term Definition
FAIR Factor Analysis of Information Risk — a quantitative model for understanding, analyzing, and measuring information risk
GRC Governance, Risk, and Compliance — integrated framework for aligning IT with business goals, managing risk, and meeting regulations
GDPR General Data Protection Regulation — EU regulation on data protection and privacy for individuals

H

Term Definition
HIPAA Health Insurance Portability and Accountability Act — US law governing the privacy and security of health information

I

Term Definition
IAB Initial Access Broker — specialized cybercriminals who compromise networks and sell access to ransomware operators and other buyers
IAM Identity and Access Management — framework for managing digital identities and controlling access to resources
ICS Industrial Control System — control systems used in industrial production and critical infrastructure
IDS Intrusion Detection System — a system that monitors network traffic for suspicious activity and alerts
ITDR Identity Threat Detection and Response — detecting and responding to identity-based attacks and compromises
IoT Internet of Things — network of physical devices embedded with sensors, software, and connectivity
IPS Intrusion Prevention System — a system that monitors and actively blocks detected threats in network traffic

L

Term Definition
LOTL Living Off the Land — attack technique using legitimate, pre-installed system tools and binaries rather than custom malware to evade detection

M

Term Definition
MaaS Malware-as-a-Service — cybercrime business model where malware developers sell or rent their tools to other criminals
MDR Managed Detection and Response — outsourced security service providing 24/7 threat monitoring, detection, and response
MITRE ATT&CK MITRE Adversarial Tactics, Techniques, and Common Knowledge — a knowledge base of adversary behaviors and techniques
MSSP Managed Security Service Provider — a third-party provider offering outsourced monitoring and management of security devices
MFA Multi-Factor Authentication — requiring two or more verification factors to gain access to a resource

N

Term Definition
NDR Network Detection and Response — detecting and responding to threats by analyzing network traffic patterns
NERC CIP North American Electric Reliability Corporation Critical Infrastructure Protection — security standards for the electric grid
NGAV Next-Generation Antivirus — advanced antivirus using behavioral analysis, AI, and machine learning beyond signature-based detection
NIS2 Network and Information Systems Directive 2 — updated EU directive on cybersecurity for essential and important entities
NIST CSF National Institute of Standards and Technology Cybersecurity Framework — a voluntary framework for managing cybersecurity risk

O

Term Definition
OT Operational Technology — hardware and software that monitors and controls physical devices and processes
OWASP Open Worldwide Application Security Project — a nonprofit focused on improving software security through open-source projects and guidance

P

Term Definition
PAM Privileged Access Management — securing, managing, and monitoring privileged accounts and access
PCI DSS Payment Card Industry Data Security Standard — security standards for organizations that handle credit card data
PII Personally Identifiable Information — any data that could identify a specific individual
PLC Programmable Logic Controller — an industrial computer used to control manufacturing processes

R

Term Definition
RaaS Ransomware-as-a-Service — cybercrime business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks, splitting profits
RGB Reconnaissance General Bureau — North Korea's primary intelligence agency responsible for clandestine operations including cyber operations

S

Term Definition
SASE Secure Access Service Edge — converged network and security-as-a-service architecture delivered from the cloud
SAST Static Application Security Testing — analyzing source code for vulnerabilities without executing the application
SBOM Software Bill of Materials — a formal inventory of components, libraries, and dependencies in a software product
SCA Software Composition Analysis — identifying open-source components and known vulnerabilities in a codebase
SCADA Supervisory Control and Data Acquisition — a system for monitoring and controlling industrial processes remotely
SD-WAN Software-Defined Wide Area Network — a virtual WAN architecture that simplifies branch networking and optimizes traffic
SEG Secure Email Gateway — a solution that filters inbound and outbound email to block threats and enforce policies
SIEM Security Information and Event Management — aggregating and analyzing log data for threat detection and compliance
SOAR Security Orchestration, Automation, and Response — tools that automate and coordinate security operations workflows
SOC Security Operations Center — a centralized team and facility for monitoring, detecting, and responding to security incidents
SOX Sarbanes-Oxley Act — US law mandating financial reporting and internal control requirements for public companies
SSE Security Service Edge — the security component of SASE, delivering SWG, CASB, and ZTNA as cloud services
SWG Secure Web Gateway — a solution that filters web traffic to enforce security policies and block threats

T

Term Definition
TAM Total Addressable Market — the total revenue opportunity available for a product or service
TCO Total Cost of Ownership — the complete cost of acquiring, deploying, and operating a solution over its lifetime
TIP Threat Intelligence Platform — a system for aggregating, correlating, and operationalizing threat intelligence data
TLS Transport Layer Security — a cryptographic protocol that provides secure communication over a network
TTP Tactics, Techniques, and Procedures — the patterns of behavior and methods used by threat actors to conduct cyber operations

V

Term Definition
VM Vulnerability Management — the ongoing process of identifying, evaluating, treating, and reporting security vulnerabilities

X

Term Definition
XDR Extended Detection and Response — unified threat detection and response across endpoints, network, cloud, and email

Z

Term Definition
ZTNA Zero Trust Network Access — a security model that grants access based on identity verification and least-privilege principles