Ransomware Inc. and the startup approach to cybercrime

COMMENTARY: Q1 2025 brought forth a record-breaking 1,961 ransomware and digital extortion incidents. Fast forward to now: the number of incidents has decreased, but they still resulted in an increase year-over-year from 2024 and 2023.

This data shows us that ransomware operations are far from slowing down. In fact, many would say that these operators are thriving, having adapted and evolved their playbooks for success.

But in creating a mental picture of those gangs, don’t fall for the idea of a powerful (cyber) overlord commanding the forces of darkness from a high tower surrounded by black clouds and lightning bolts. In truth, ransomware gangs behave more like dysfunctional tech startups than they do evil masterminds.

If you want to protect your data and applications, knowing your enemy begins with understanding how they operate.

The numbers can make it seem like ransomware gangs hold all the cards. But by shedding light on their methods of operation, we can gain a new perspective on — and better understanding of — these gangs.

Ransomware gangs operate like startups, just without ethics

In many ways, cybercriminals mimic the organizational structures, workflows, talent acquisition strategies, and growing pains of new tech companies. This includes co-founder dynamics similar to those in startups, their approaches to product innovation, and even how internal friction within the group can result in some members breaking off to form competing gangs.

Related reading:

Ransomware gangs likely start with co-founders, a new malware tool, and a vision for the operation, and from there, like with startups, the gang tends to work fast. They experiment with people and tactics, pivot quickly to new approaches, and, in their own way, compete for market share.

Ransomware ops have a model similar to that of agile development shops, which constantly churn out new versions of applications, fix bugs, and roll out new features. But while DevOps teams focus on customer service, ransomware ops groups are thinking about new targets and techniques.

CISOs need to expect that kind of start-up level agility from ransomware gangs and other threat actors. They can’t rely on static defenses; instead, they must strive to protect their networks at the same speed. Detection, response, and threat intelligence cycles must be equally agile, which requires awareness of new versions and tools that threat actors are developing. Knowing when a 2.0 variant appears can give defenders a strategic advantage.

Personalities come into play

Cybercriminals are people too, complete with a full set of human failings. Egos, greed, and burnout tear gangs apart as often as law enforcement does — and sometimes more quickly. Leadership clashes can break apart an organization, spawning new ransomware “brands.” Disgruntled developers can splinter off, taking code and talent with them, fracturing the gang’s ecosystem.

In the dark web ecosystem, we’re consistently seeing new groups emerge from established gangs. For example, Chaos, a newer ransomware-as-a-service group, just emerged following the crackdown of BlackSuit. But recall, BlackSuit was a spin-off of Royal ransomware, which was claimed to have been founded by former Conti members. Groups rebrand, evolve, spin off, and merge (like ShinyHunters, Scattered Spider, and LAPSUS$) similarly to startups.

Watchful CISOs and other cyber defenders can use behavioral intelligence to detect signs of instability before a group collapses. Keep an eye out for affiliate dissatisfaction and reputation hits, which often precede code leaks or arrests. Gang infighting can have the same impact as corporate restructuring, creating divisions that expose vulnerabilities and new intelligence windows that defenders can exploit to help protect their own networks.

Follow the org chart, not just the money

Ransomware gangs are mostly in it for the money, and the flow of cryptocurrency payments can indicate their profits. But understanding the social dynamics within gangs — including who leads, who builds, and who carries out attacks — can show where the power resides and where future fissures could occur.

Viewing ransomware operations as you would an evolving organization can help defenders align defenses to their best advantage. Using organizational mapping and “people analytics” can help CISOs forecast which groups are ascendant and which are ripe for disruption.

Understanding these gangs may offer only a slight edge in the fight against ransomware, but considering the advantages gangs already have, every little bit helps.