Ransomware is one of the most prolific and economically damaging cybercrime threats of the contemporary era. This exploratory study aims to enhance knowledge about ransomware criminal groups, principally using crime script analysis. Our focus is on ransomware criminal groups that targeted organisations in Australia, Canada, New Zealand and the United Kingdom between 2020 and 2022. The project examines the evolution, lifespan and methods of ransomware criminal groups. Results reveal the most active ransomware criminal groups, the median range of their careers and the most targeted victim organisations by country and sector type. By combining crime script approaches with existing cybersecurity frameworks, the study advances understanding of the criminal processes used by ransomware criminal groups over time.