Inside the World of Ransomware
- Ben Lampere

$57 billion is the annual revenue of Goldman Sachs, but according to Cybersecurity Ventures it is also the annual damage caused by ransomware. Ransomware is a growing threat that has expanded across nearly every industry, with over 2,600 companies reported in 2024, and that number is increasing every year. Despite its scale, most people don't understand the inner workings of these criminal organizations. Ransomware groups operate more like a Fortune 500 company than your local street gang.
While the number of victims is growing, the number of ransomware groups is actually shrinking, not out of weakness, but consolidation. The main groups out there are Qilin, known for hacking London NHS/Synnovis in 2024; Akira, named after the 1988 cyberpunk anime; LockBit, which has resurfaced multiple times despite law enforcement takedowns; and a few others like Clop, DragonForce, and INC Ransom. These groups frequently rebrand under new names to evade detection and shake off reputational damage from law enforcement pressure.

What do McDonald's and ransomware have in common? They both run as franchises. In the world of ransomware, this is officially called Ransomware-as-a-Service (RaaS). The central group offers franchise opportunities on the dark web to cyber criminal organizations that want to make money from ransomware. The advantage of this is that cyber criminals don't have to build their own ransomware but can subscribe to the service and get deployable malware, customer support, and infrastructure. The RaaS provider handles software updates, encryption key management, and victim payments. You may think this sounds exactly like any other SaaS that you buy, and you would be right.
While ransomware groups are run on the black market and by criminals, the actual operations have rules and brand reputation to protect. LockBit has been one of the most famous ransomware groups for the past few years. You would think that these groups are run by criminals who don't have much of a moral or ethical compass. LockBit actually enforced a code of ethics on what the franchises were allowed to ransom. The groups were not allowed to target healthcare facilities, social services, educational institutions, or charity organizations. In fact, one franchise of LockBit ransomed one of the largest children's hospitals in Canada, and LockBit formally apologized and provided the hospital a free decryptor to recover their data, and permanently banned the affiliate from the platform.
To pressure victims into paying, ransomware groups run dark web leak sites that publicly shame companies and count down to the release of their stolen data. The payment tiers on these sites reveal just how calculated the operation is. Victims can pay to suppress the leak entirely, pay a smaller fee to extend the deadline, or in a particularly ruthless twist, a third party can pay to have the data released immediately. For high-profile targets, these transactions reach into the millions of dollars.
On the clear web, LockBit, for example, had an X (formerly Twitter) account that made public announcements and promoted the platform. Affiliates of LockBit were also very active, publicly communicating with other criminals and threat intelligence experts. One affiliate even sold a $10,000 course on how to hack corporate networks. The customer service operation is equally open. Victims receive guided support on how to pay ransoms and purchase cryptocurrency. If a victim goes quiet and appears to be recovering their data without paying, affiliates follow up with cold calls using prepared scripts to create more pressure and fear, the same processes any legitimate business would have.

Most of the ransomware groups are Russian-linked. While not all the groups publicly state their national ties, there are ways researchers determine the Russian association. Russian groups don't attack their own; researchers have reverse engineered the malware and found that it skips former Soviet Union countries. They also operate on Russian time zones and recruit on popular Russian-language underground forums. European and American law enforcement have difficulty, as Russia doesn't have established extradition treaties. This is the reason that groups like LockBit were able to openly taunt agencies like the FBI on X.
LockBit's public confidence ultimately made them a target. In February 2024, Operation Cronos was launched, led by the UK's National Crime Agency and the FBI. Investigators infiltrated LockBit's systems by exploiting a known PHP vulnerability, the same method LockBit itself used against victims. Authorities seized 34 servers across 8 countries, froze 200 cryptocurrency accounts, and identified 14,000 rogue accounts involved in data exfiltration. The entire operation was completed in just 12 hours, and 194 affiliates were identified in the process.

The operation was not without impact. The FBI recovered 7,000 decryption keys and worked directly with victims to restore their data. But LockBit proved harder to kill than anyone anticipated. Just four days after the takedown, they were back online. Within a week they were attacking new victims. The operation cost LockBit millions in seized assets and months of disruption, but produced zero arrests of LockBit leadership. They remain in Russia today, protected by the same lack of extradition treaties. There is, however, a $10 million reward from the US Department of State for anyone with information that would lead to their arrest.
Today the model of ransomware has changed. Since the takedown of LockBit and the mainstreaming of ransomware defense, the criminals have adapted. They realized that encrypting data for ransom had a flaw: with resilient disaster recovery in place, companies were able to restore their data from backups. The real threat is the leaking of data to the public. One of the most prominent groups doing this is ShinyHunters, which has completely ditched encrypting data and instead focuses on stealing it and extorting companies for money. We saw this just a few months ago, in April 2026, when ShinyHunters attacked Canvas, a learning management system used by over 9,000 schools, putting the personal data of students and educators at risk with no encryption involved at all.
Ransomware is a billion-dollar criminal industry, and it has produced an equally large billion-dollar industry built to fight back. Threat intelligence teams monitor the dark web, underground forums, and social media around the clock, working with law enforcement and other companies to build a clearer picture of the current threat landscape. Incident response firms deploy immediately when an attack occurs, focusing on containment and recovery.
Insurance companies have also entered the equation, now offering dedicated cyber insurance policies that cover ransom payments, recovery costs, and loss of business. To qualify, companies must meet a baseline set of security standards, raising the floor of protection across the industry as a whole. Security vendors have built entire platforms and product lines around resilience and protection. The defenders have had to become just as organized and sophisticated as the attackers.
Ransomware is no longer a threat unique to high-value companies; it's a mature, global industry with structure and sophistication that mirror the legitimate businesses it preys upon. The $57 billion in annual damages is not the result of lone hackers, but of franchises, customer service teams, ethics policies, and rebranding strategies. The defense industry has risen to meet that challenge, but the attackers continue to adapt. As long as there is money to be made, ransomware will evolve. Cyber defense will need to keep evolving to keep pace, as these threats aren’t slowing down.