Organized and Criminal, Ransomware Gangs Run Up Profits

  • Teri Robinson--securityboulevard.com
  • published date: 2025-08-29 00:00:00 UTC

<p>Move over, Michael Corleone and Tony Soprano, there’s a new godfather or two — or 200 — in town. Ransomware is up by 49% this year in part because gangs are operating — and successfully so — like organized criminal enterprises, according to new data from NordStellar.</p>
<p>The <a href="https://nordstellar.com/blog/ransomware-statistics-2025-q2/?articleOrCategory=ransomware-statistics-2025-Q2" target="_blank" rel="noopener">research points to</a> more than 200 ransomware groups, with 60 of those still active. Vakaris Noreika, a cybersecurity expert at NordStellar, says that defenders often make a big mistake thinking that ransomware operators are lone wolves. “Ransomware groups are organized crime, and it’s extremely dangerous to underestimate how equipped they are to carry out their attacks. They function like a corporation, with different individuals assigned to specific tasks so that the operation runs smoothly,” Noreika said in a release. “They also train their members, sharing knowledge and ensuring their expertise meets their requirements. Some even have insiders in the company they’re targeting, granting them easy access to sensitive resources.”</p>
<p>And they recruit like HR departments on steroids, with Noreika explaining they’re by and large looking for top cybersecurity talent with “an experienced background in specific fields and a proven track record” and who are put through “a meticulous screening before they can join the group, minimizing the risk of their being compromised.” And they’re part of an exclusive pool of candidates who “can only be invited by already established individuals.”</p>
<p>Ransomware teams, “like every other criminal organization, are businesses. Ransoms are usually paid <a href="https://securityboulevard.com/2021/08/the-role-of-cryptocurrency-in-ransomware-attacks/" target="_blank" rel="noopener">via cryptocurrency</a>, and those values have been back on the rise since Q4 2023,” says Trey Ford, chief strategy and trust officer at Bugcrowd.</p>
<p>Their high degree of organization also accounts for the efficiency of their attacks.</p>
<p>Offering their wares on a ransomware-as-a-service (RaaS) model, these groups lower the barrier to entry and help scale ransomware “even more exponentially.” With more bad actors launching attacks, the ransomware group’s profits are maximized. Some groups, Noreika explains, “even use RaaS themselves” to scale their operations “without the need for additional human resources.”</p>
<p>The cybersecurity industry has “also seen ransomware tactics move away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods,” says Nathaniel Jones, vice president, security and AI strategy, and field CISO at Darktrace.</p>
<p>Rather than relying solely on encrypting a target’s data for ransom, Jones notes, “threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.”</p>
<p>Those trends clearly show that “attackers now have a more widely accessible toolbox that reduces their barriers, leaving more organizations vulnerable to attack,” he says.</p>
<p>Not surprisingly, the data shows the top target is critical infrastructure, and the U.S. is the region assailed most frequently. However, other sectors draw this organized crime element as well.</p>
<p>“Organized cybercrime groups are usual suspects for targeting retail services,” whose high-traffic volume and operational pressures during holidays can be used to increase the negotiating power of cybercriminals, says Fletcher Davis, senior security research manager at BeyondTrust.</p>
<p>Noting how disruptive and disastrous ransomware can be to an organization, Ngoc Bui, a cybersecurity expert at Menlo Security, urges businesses to “prioritize protecting operations and stakeholders.” Those that do suffer a ransomware attack should “use it as a learning opportunity to adjust their security measures and ensure they are using actionable intelligence to do so.”</p>
<p>How do defenders go up against organized criminals and win? Hint: It has nothing to do with teaming with a rival gang, becoming an informant or staging an ambush at a toll plaza (good luck even finding one of those these days). And no horse heads to send a warning. “For IT administrators and practitioners, it is vital to prioritize your vulnerability management program and establish possible attack paths across your estate to prevent unauthorized access,” says Davis, including applying best practices across the business and wider IT teams.</p>
<p>Ford says that “foundational controls still matter,” regardless of the actor behind an attack. “Knowing your total attack surface, testing your environment — with an eye toward efficient remediation is key,” he says. “Enterprise controls, including visibility (logging, EDR) and hardening (privileged account management, careful inventory of service accounts, and multi-factor authentication) for domain admin and remote access, are paramount.”</p>
<p>That firm list of foundational controls that insurance underwriters require for policyholders speaks volumes. “If those controls are not effective, cyber insurance underwriters might have to pay out,” he says. In addition, security pros should “be open with management about which of those controls are effective and lacking — and secure funding to get them online as fast as possible.”</p>
<p>Davis emphasizes the importance of implementing “strict vendor access controls with time-limited permissions and continuous monitoring of third-party activities, establishing robust IT help desk verification processes that require multi-factor authentication (MFA) before password resets or system changes, and creating clear protocols for validating identity through multiple channels before granting access.”</p>
<p>Building layered defenses around the most common attack vectors means “limiting vendor access to only what’s absolutely necessary and making it much harder for attackers to social engineer their way into critical systems through help desk manipulation,” Davis says.</p>
<p>If a ransomware attack slips past defenses, Ngoc Bui, a cybersecurity expert at Menlo Security, says businesses should “use it as a learning opportunity to adjust their security measures and ensure they are using actionable intelligence to do so.”</p>
<p>No doubt, defenders must up their game to spurn these gangsters…or be prepared to kiss the ring and pay the protection to get their data back.</p>