Examining the activities and careers of ransomware criminal groups

Abstract

Ransomware is one of the most prolific and economically damaging cybercrime threats of the contemporary era. This exploratory study aims to enhance knowledge about ransomware criminal groups. Our focus is on ransomware criminal groups that targeted organisations in Australia, Canada, New Zealand and the United Kingdom between 2020 and 2022. The paper examines the evolution and activities of ransomware criminal groups. Results reveal the most active ransomware criminal groups, the median range of their careers and the most targeted victim organisations by country and sector type. 
