Analysing the Structure and Dynamics of Ransomware Criminal Groups
Funding
Analysing the structure and dynamics of ransomware criminal groups | Funder: Cyber Security Research Centre Limited | Grant ID: C25-00285
Pagination: 1-27
Open access: No
Language: eng
Research statement
Background
Ransomware has rapidly evolved into a dominant form of cybercrime, yet scholarly understanding of its organisational structures and operational dynamics remains limited. Existing frameworks often overlook the decentralised, service-based nature of ransomware groups and their adaptive responses to enforcement. This research intervenes in critical debates on cybercrime disruption by examining ransomware through a criminological lens, asking how these distributed offender networks function, innovate, and persist. It challenges linear threat models and repositions ransomware as a complex, evolving ecosystem requiring integrated analytical and policy responses.
Contribution
This commissioned report offers a novel synthesis of criminological theory and cyber threat intelligence to analyse the ransomware ecosystem. It adapts crime script analysis and the MITRE ATT&CK framework, which are typically used separately, as integrated tools to map offender behaviours and network structures across the ransomware lifecycle. The work reconceptualises ransomware as a distributed, service-based ecosystem rather than a coordinated hierarchical enterprise, challenging prevailing enforcement and policy assumptions. Its scale and scope reflect interdisciplinary collaboration across criminology, cybersecurity, and public policy, producing new con
Significance
This report was commissioned by the Cyber Security Research Centre Limited and developed in collaboration with recognised experts in criminology and cybersecurity. The report underwent internal peer review by the commissioning body. The report’s significance lies in its interdisciplinary integration of criminological theory and technical threat analysis, and in its development of a novel analytical framework for understanding the structures and behaviours underpinning ransomware operations. It makes a meaningful contribution to national-level discourse on cybercrime by advancing both con