The ransomware ecosystem has fragmented. An area once dominated by big names like LockBit and Conti is now filled with countless smaller, more agile threat actors. While this fragmentation could be seen as a win for defenders, it also poses a new threat: due to their ability to shift tactics, move operations, and quickly rebrand, these smaller groups are harder to target.
Because this trend of fragmentation shows no signs of stopping, cybercrime responses must adapt accordingly.
A fragmented cybercrime and ransomware ecosystem
Cybercrime is booming. The UK’s National Cyber Security Centre (NCSC) dealt with a record number of 204 nationally significant cyberattacks last year, up from 89 in 2024. One of the primary reasons for this growth is that the online criminal ecosystem has matured to a point where it effectively supports malicious operations from start to finish, with specialised expertise distributed across each stage of the attack chain. Tools and services designed for all aspects of cybercrime are widely available, lowering the barrier to entry for aspiring threat actors and proliferating malicious cyber capabilities.
Among these threats, ransomware stands out as particularly pernicious. This is because it’s relatively easy to deploy, hard to recover from, financially devastating, and disruptive beyond IT infrastructure itself. As a result, ransomware groups like LockBit, BlackCat (ALPHV), Conti, Cl0p, RansomHub, and Qilin have become household names within the security community. The ransomware ecosystem is, however, now undergoing a significant – but easily overlooked – transformation.
In the past, ransomware operations were characterised by large, centralised services that underpinned much of the activity. These included major access marketplaces (where cybercriminals trade unauthorised access to digital identities and systems) such as Genesis, cybercriminal forums such as RAMP, and dominant affiliate programmes – involving a main group that allows affiliates to use its ransomware for attacks – most notably LockBit.
Today, that centralisation is giving way to a more dispersed and fragmented landscape. Rather than relying on large marketplaces, access credentials are increasingly traded through peer-to-peer interactions on platforms such as Telegram.
Additionally, in February 2024, the UK’s National Crime Agency (NCA) led the takedown of LockBit, which was the largest ransomware-as-a-service (RaaS) group operating within the ecosystem at the time. No clear market-leading RaaS platform has emerged to replace it and other now-defunct behemoths.
The threat actors operating within the ransomware ecosystem, growing in number and increasingly diverse, are also moving away from the vertically integrated hierarchies of the past towards flatter and more flexible organisational structures.
Lastly, the threat landscape is no longer dominated exclusively by Russian-speaking groups, although they remain significant. Instead, a broader geographical range of actors is emerging. Some also have motivations that extend beyond financial gain, such as Scattered Spider, which appears to prioritise notoriety, media attention, and status as much as, or even more than, direct profit.
Notably, fragmentation in the cybercrime ecosystem that supports and enables ransomware operations does not necessarily translate to fragmentation in other areas of cybercrime, especially those that are less technically sophisticated and require high levels of interpersonal social engineering. For example, frauds such as ‘pig butchering’ scams, where threat actors cultivate fake relationships with victims over a long period, require lots of people and time. Organised crime groups have found that the most efficient way to organise those scams is by setting up compounds, often in Southeast Asia, where many of those involved are, sadly, themselves trafficked and exploited.
What has caused this fragmentation?
There are several schools of thought on why this fragmentation has occurred. One view is that the ecosystem was always likely to fragment and that this represents a natural stage in its development. Another is that the shift was catalysed, or at least accelerated, by events that undermined confidence in the large, centralised platforms used by many threat actors.
The NCA takedown of LockBit served as a clear signal of the risks to threat actors associated with working on highly visible, centralised platforms – attractive targets for law enforcement due to the scale and impact of their operations. The disruption also damaged trust between ransomware operators and the affiliates who relied on the platform to conduct attacks. Affiliates would likely have had less confidence in the main operators’ continued ability to function and significant concerns about their ‘opsec’ and associated risks of exposure.
This erosion of trust isn’t solely the result of law enforcement activity. In March 2024, the BlackCat/ALPHV group, known for ransomware attacks impacting Change Healthcare and MGM Resorts, carried out an exit scam. After reportedly receiving a ransom of around $20 million, the administrators behind the platform staged a fake law enforcement takedown and disappeared, avoiding payment to affiliates and further undermining confidence in large-scale criminal services.
And, just last month, we saw the well-known cybercriminal forum Russian Anonymous Marketplace (RAMP) reportedly taken down by law enforcement. This forum – much like Genesis Market – was widely relied upon by ransomware groups and the disruption of its operations will have a significant impact.
Taken together, these events highlight how fragmentation is driven by both risk and opportunity. Large, centralised services increasingly appear to threat actors as an operational liability. They are vulnerable to law enforcement disruption and to internal failures, including administrators breaking agreements or exploiting affiliates through exit scams. As a result, there is a clear incentive to move towards more decentralised ways of operating, reducing reliance on prominent, shared platforms to run cybercriminal activity.
At the same time, fragmentation creates new opportunities. Threat actors now require fewer people and less technical expertise than in the past, largely due to the widespread availability of cybercrime capabilities. This has led to a greater number of smaller groups. Smaller teams can make decisions more quickly, reconfigure themselves with greater ease, and optimise profits with less internal friction. Operating at this scale also makes it easier to avoid law enforcement attention, while allowing group identities to be abandoned or rebranded if scrutiny does increase.
Rethinking approaches to the ransomware threat
Law enforcement and policymakers must recognise that the threat has changed. With more small threat actors operating within the cybercrime ecosystem, attacks are increasing in volume, groups are more adaptable and resilient to disruption, and there is a greater range in the skill and criminal ‘professionalism’ of ransomware groups than ever before. With these changes come unexpected risks, like ransomware code so broken that even its perpetrators are unable to decrypt its files.
These diversified threats will require an equally varied range of disruptive approaches. Some efforts should still aim to disrupt those fundamental enablers of cybercrime – such as hosting, financial and communication services – that continue to support ransomware operations, albeit in more decentralised forms. Other approaches could include studying law enforcement tactics in arenas that have seen analogous moves from larger groups to wider fragmentation, such as in counterterrorism. This field could be a particularly fruitful source of knowledge, given the decades of research and practice that might be drawn on to combat this adapted ransomware threat.
We must remain wary of the threats that emerge from the vacuum left behind by takedowns of large-scale threat actors. Novel ways of thinking and creative solutions will be key to combatting this new world of ransomware.







