Ransomware Explained: The Business Model Behind the Billion-Dollar Cyber Threat

Ransomware is a billion-dollar industry and a prolific form of attack that is forcing whole countries into a state of emergency. It’s now time we discussed the growing threat of ransomware gangs, or “ransomware cartels”.

What is Ransomware?

Okay, to briefly explain ransomware: it’s one of the most damaging types of malware. If you get targeted by a ransomware attack, it often means losing irreplaceable files and even spending weeks recovering access to computers. But with large entities, governments, and even countries being targeted, it has become a lot more concerning.

An important difference: interactive vs non-interactive

Cybercriminals use various attack vectors, old and new. Surprisingly, an IBM report shows that four of the top five vulnerability exploitation methods used in 2021 were, in fact, brand new. So how does a ransomware attack happen? Speaking hypothetically, you receive an invoice in a Microsoft Word document; you’re rushing to get ready, and without a thought, you click it. Here’s the problem: you’ve unwittingly installed a common ransomware type. Slowly, the ransomware scrambles your files one by one. An ominous display message or text file is now presented on your background, server, or PC, stating a stern ultimatum: pay up and retrieve your files, or lose your files forever.

Now, that’s just one type of ransomware, the interactive kind, usually spread via phishing campaigns or by targeting devices. The bottom line: it takes some involvement on your part for this ransomware to infect your device, such as opening the malicious Microsoft Office files or PDFs in the example here.

Then there’s non-interactive ransomware. The infamous WannaCry virus is a commonly used example of standalone malware. It is a worm that infected a large number of computers and servers in 2017. In this type, no involvement from the victims was needed, yet the result was the same: it still encrypted files and demanded a ransom for the decryption key.

Business Model of Ransomware Gangs

Now, you may be surprised to hear that in 2023, ransomware numbers are still growing. Ransomware more than doubled in 2021 alone. It’s a profitable business for cybercriminals, and that leads us to the complexity of ransomware gangs and how they’ve created an entire business model, with human resources departments and everything.

From the AIDS Trojan to an entire business model, the evolution of ransomware is truly staggering. Ransomware cartel gangs are now offering ransomware as a service and are working with allies to increase their workforce to target organizations of all sizes.

In late 2019, the Maze Cartel attacked the University of Utah, which led to the university being forced to pay a 457k ransom. Even though the university had restored its data from backup, Maze was still threatening to leak students’ personal information. This kind of claim isn’t an empty threat. Some ransomware operators tend to advertise data exfiltrated from a company on the dark web, especially if they haven’t received their payment within a specific window.

How do ransomware gangs operate?

While this is only a glimpse into the catastrophic damage that ransomware gangs cause, it’s worth noting that the most aggressive gangs have upwards of 670 victims on their lists, and the number is still growing.

To talk about their operations, ransomware gangs are now trying to respond to their labor shortage by hiring new members. A few years ago, they would just blatantly put ads on hacker forums looking for affiliates. Today, this isn’t as common due to the focus legal entities now place on ransomware. It can end up being a no-hiring situation.

Breaking down the hierarchy of such nefarious groups usually reveals two major parties: the ransomware operators, who develop the malware, and the collaborators. The collaborators can include any number of people, and usually a very lucrative portion of the earnings is put on the table. In an example where our InfoSec researcher responded to a ransomware gang advertisement on a hacker forum, the ransomware operators were looking to take a mere 20 to 30% for themselves and offer 70% of earnings to the affiliates. To put it into perspective, the group’s biggest payout was supposedly a whopping 18 million, so we’re talking big figures here.

If you are curious about the reasoning behind the so-called pay gap, it is that an affiliate does most of the hard work: initial compromise, hacking the company, and lateral movement. Affiliates work the network, choosing victims by buying access from access brokers, scanning for vulnerabilities, or simply using social engineering or phishing to gain an initial foothold. It takes a lot of hard work, with affiliates scouting and seeing where they can cause the most damage, reputational or otherwise. And they attack when they have a better chance of going unnoticed. After the network has been compromised and data exfiltrated, the ransomware operators provide the locker and the service to extort the money, and that’s a whole other kettle of fish.

Bitcoin tends to be a common form of payment, and they legitimize it in many different ways, often through third parties. You see, the UK, EU, and places like that have strict KYC checks and anti-money laundering policies. If the crypto is not registered in those places, it may bypass these checks, and it is much harder for law enforcement to work out where the money landed.

That leads me to my next question: where’s law enforcement in all this? Well, an IBM report found that ransomware gangs have a lifespan of about 17 months. Despite the growing efforts of law enforcement, ransomware gangs seem to easily relaunch and rename themselves to evade pressure. Just this year alone, Conti, one of the most nefarious gangs, was proclaimed dead, and then Cl0p was brought back to life. That’s where they’ve made a true anchor in the ransomware market. Particular gangs may not last, but business models do.

Newcomers are already joining the market and taking a good hold. Black Basta is a dangerous example, having managed to strike at least 26 victims within its first month.

Changes in the ransomware landscape

Apart from the business model, there are still changes in the ransomware landscape, especially before and during the Ukrainian war. A significant change was members of the Russia-tied ransomware gang REvil (Ransomware Evil) being arrested by Russia’s domestic intelligence service itself. It would seem this is the first time Russia has taken public legal action against such groups, and it is one of the most prolific takedowns to date. The message is clear: no cybercriminal is bulletproof.

Furthermore, the pro-Russia ransomware group Conti, notorious for attacks against more than a thousand organizations in the US and other countries, has itself been targeted by data leaks. A pro-Ukrainian insider, known as Conti Leaks on Twitter, has a clear agenda, posting sensitive data from internal chats and TrickBot sources, and even unmasking some members. This demonstrates a shift in the market, no doubt.


So ransomware and the ransomware market are a complex cyber threat. With new gangs emerging from the woodwork and profit margins still growing, it is clear that ransomware attacks are here to stay. Yet, with law enforcement’s involvement and new sanctions being put in place, the way ransomware gangs operate might not always be as successful as it previously was.