Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

Is ransomware really organised crime?

Max Smeets 25 November 2024
Share On:
Without the need for monopolies, territory, or violence, ransomware groups have more similarities to tech start-ups than the mafia
Main Top Image
Image created using DALL-E 2 and Chat GPT-4o

Is ransomware a form of organised crime? At first glance, the question seems almost stupid, the answer self-evident. Ransomware groups like REvil, Clop, and LockBit operate with a high level of structure, mirroring corporate organisations – complete with departments, specialised roles, and multi-step processes. These groups carefully plan each phase of their attacks: gaining access, stealing data, encrypting files, starting negotiations, processing payments, and reinvesting the earnings. In ‘Ransom War: How Cyber Crime Became a Threat to National Security,’ to be published in February 2025, I discuss the inner workings of Conti, the most prominent ransomware group in 2021. Leaks of private conversations between members show that Conti leaders even debated remote versus in-office productivity and implemented a bonus and penalty system to reward and discipline employees. 

But does this mean ransomware groups are ‘organised crime’ in the traditional sense? Not exactly. Nobel Prize-winning economist Thomas Schelling’s seminal work ‘What is the Business of Organized Crime?’ dives into its dynamics. He argues that organised crime is not just crime that is organised; it is crime that establishes control over territories or markets, often through violence or coercion, to monopolise a specific illicit service. Think of the mafia’s control over gambling rings or loan sharking within a defined area. These activities do not just happen to be organised – they are intentionally organised to dominate a certain market, using force if necessary. This territorial monopolising is not something ransomware groups do.

Monopolising illicit behaviour

For Schelling, the essence of organised crime lies in monopolistic control – having an extortionist grip on a specific industry or territory. Organised crime groups are not just organised in their operations; they aim to be the only game in town. Take gambling rings, for example. Organised crime syndicates do not merely provide opportunities for gambling; they often dominate it in their area, preventing rivals from entering the scene. Burglars, by contrast, do not bother with such monopolisation. They focus on their own thefts and do not compete for control of neighbourhoods or seek to push other burglars out. But if a group of burglars did begin policing their area, forcing other burglars to fall in line or leave and making deals with local authorities to secure their operations, they would enter the realm of organised crime.

Schelling notes that monopolisation is only viable for certain illicit activities, where exclusivity can be enforced. Bank robbers or pickpockets, for instance, might occasionally cross paths, but they do not need exclusive control. Two robbers targeting the same bank at the same time may compete briefly, but this is not the norm. Their work does not require them to establish territorial dominance or monopolise ‘clients’.

Global targeting without territory

Ransomware groups do not need to monopolise their target pool either. They have a vast range of potential victims to choose from, and occasional overlap is tolerated. A SophosLabs report illustrates this with the case of a Canadian healthcare provider attacked simultaneously by Conti and another group, Karma. Both gained access through the same Microsoft Exchange server vulnerability. Karma breached the network first, stealing data without encrypting the files, apparently due to moral concerns about encrypting healthcare data. Conti, however, had no such qualms: they stole 10.7 gigabytes of data, encrypted the systems, and left a ransom note.

Such double targeting is not common practice, but it demonstrates how ransomware groups operate in a virtually unlimited market. They do not need to secure exclusive ‘rights’ over targets or territories to thrive. Russia-based ransomware groups, for instance, typically avoid companies based in Russia and allied countries but have no other geographic restrictions. They are free to choose from hundreds of thousands of global organisations, each offering a potential ransom payout.

This open market also allows ransomware groups to coexist. Two major ransomware groups can work from the same city, even the same street or building, without conflict. Leaks like those from Conti, which expose private conversations between members, contain no talk of violence against affiliates or rival groups. The groups operate without the coercive, territorial dominance that characterises traditional organised crime.

Where competition is most fierce

Competition between ransomware groups can arise, however, in the recruitment of talent. Ransomware operators require a basic set of technical skills, and many groups enforce entry barriers by mandating exams or vetting processes for newcomers. While it has become easier in recent years to enter the field, the supply of skilled operators is still limited. Since the 2022 invasion of Ukraine, Russia-based ransomware groups have also become more cautious in recruiting beyond their borders, although Ukrainian talent remains active in some largely Russian-run groups.

Ransomware groups often poach from rivals and employ innovative strategies to attract talent. For example, Conti actively sought recruits from former competitors, like REvil. In a memorable stunt, REvil once deposited about $1 million of Bitcoin in a visible crypto wallet on a hacker forum as part of a recruitment effort, showing that they were a serious player. This prompted a flurry of discussion in the forum, which Conti’s human resources department took advantage of by collecting contacts and spamming the list with job offers.

Yet individual ransomware operators enjoy a degree of freedom and choice not found in traditional criminal enterprises. As Jonathan Lusthaus also notes in the ‘Industry of Anonymity’ and other research, cybercriminals can only enforce compliance through limited measures. Without the physical presence or coercive power to hold affiliates captive, cyber-criminal groups rely on declining future collaboration as a primary deterrent. Though they may resort to virtual threats, they lack the violent control that is so central to organised crime.

More like a Silicon Valley startup than organised crime?

Ransomware groups resemble Silicon Valley startups more than traditional organised crime as defined by Schelling. They compete for talent, innovate rapidly, and expertly adapt to ever changing global circumstances. Unlike traditional organised crime, they have no need to control territories or monopolise markets. Instead, ransomware groups thrive in a digital ‘open market’. The result is a globally dispersed ecosystem that challenges conventional understandings of organised crime.

avatar
Max Smeets

Related

Featured image
Binding Edge
Responsible AI principles in an ‘apolitical’ industry
Cat Easdon 29 October 2024
Read more arrow
Featured image
Binding Edge
The EU’s Human Rights Sanction Regime could target malicious spyware vendors
Mailyn Fidler 12 July 2024
Read more arrow
Featured image
Binding Edge
‘Safety by design’ could prevent domestic abuse through smart devices
Andi Brown 28 February 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.