
Cybercrime Cartels: The Organized Threat Groups Behind Ransomware-as-a-Service (RaaS)

  • Writer: Minakshi DEBNATH

MINAKSHI DEBNATH | DATE: MAY 7, 2025



In the shadowy underworld of cybercrime, Ransomware-as-a-Service (RaaS) has emerged as a formidable force, transforming the landscape of digital extortion. This model enables cybercriminals to outsource the development and deployment of ransomware, creating a thriving ecosystem that mirrors legitimate software-as-a-service businesses. At the heart of this ecosystem are sophisticated cybercrime cartels like LockBit and BlackCat (also known as ALPHV), whose operations span the globe, leaving a trail of disrupted organizations and hefty ransom payments.


The RaaS Model: A Cybercrime Revolution



RaaS operates on a simple yet effective premise: skilled developers create ransomware tools and lease them to affiliates, who then execute attacks on chosen targets. This division of labour lowers the barrier to entry for cybercriminals, allowing even those with limited technical expertise to participate in lucrative ransomware campaigns.


Affiliates typically gain access to ransomware payloads, payment portals, and even customer support from the RaaS operators. In return, they share a portion of the ransom proceeds, often ranging from 20% to 30%, with the developers. This model not only scales efficiently but also complicates attribution and law enforcement efforts, as the decentralized nature of operations makes it challenging to pinpoint the masterminds behind attacks.


LockBit: The Prolific Ransomware Syndicate


Emerging in 2019, LockBit has rapidly ascended to become one of the most prolific ransomware groups globally. Operating under a RaaS model, LockBit has targeted a diverse array of sectors, including healthcare, education, and critical infrastructure. Their ransomware is known for its speed and efficiency, often encrypting systems within minutes of deployment.


LockBit's affiliate program is particularly notable for its flexibility and appeal to cybercriminals. Affiliates are granted significant autonomy, including control over ransom negotiations and collection of payments, a departure from earlier models in which operators kept tight control over both.


Combined with a low barrier to entry, this has attracted a large and varied affiliate network, which is what gives the brand its reach: affiliates with very different skill levels conduct intrusions with LockBit's tooling and infrastructure, and the operators scale their impact without running every attack themselves.


LockBit's operations have not gone unchecked. In February 2024, a coordinated international effort dubbed Operation Cronos, led by the UK's National Crime Agency together with the FBI and partners in other countries, seized LockBit's servers and leak site, recovered decryption keys, and led to arrests and indictments. In May 2024, the U.S. Department of Justice identified Dmitry Yuryevich Khoroshev as the group's leader, "LockBitSupp", and charged him with multiple counts including conspiracy to commit fraud and extortion. Yet within days of the takedown LockBit had relaunched its leak site on new infrastructure. That rebound, rather than the seizure itself, is what underscores the resilience of the RaaS model: the brand and its affiliate network survive the loss of servers. Organizations must remain vigilant and proactive in their cybersecurity measures to counter such evolving threats.


BlackCat (ALPHV): The Sophisticated Successor



BlackCat, also known as ALPHV, surfaced in late 2021 and quickly garnered attention for its sophisticated operations and for being written in Rust. At the time Rust was unusual for ransomware, which helped the payload slip past signature-based detection, and it also made it straightforward to ship Windows, Linux and VMware ESXi builds from one code base. Like LockBit, BlackCat operates under a RaaS model, offering its ransomware to affiliates who conduct attacks across various sectors.


What sets BlackCat apart is its innovative tactics, including the use of "malvertising" and "SEO poisoning" to distribute malware. By manipulating search engine results, BlackCat lures unsuspecting users to download malicious software disguised as legitimate applications.


Additionally, its affiliates rely on established intrusion techniques such as abusing exposed or weakly authenticated Remote Desktop Protocol (RDP) services for initial access, and using tools like Cobalt Strike for post-exploitation and lateral movement within networks.


BlackCat's operations have been linked to high-profile attacks, including the September 2023 intrusion at MGM Resorts International, carried out by an affiliate tracked as Scattered Spider, and the attack on Caesars Entertainment in the same period, resulting in significant financial losses. The group's connections to previous ransomware entities like DarkSide and BlackMatter suggest a continuity of expertise and tactics, further complicating efforts to dismantle its operations.


The Hierarchy and Profit Models of Cybercrime Cartels


Both LockBit and BlackCat exemplify the structured hierarchy prevalent in modern cybercrime cartels. At the top are the core developers who create and maintain the ransomware tools, the leak site, and the payment and negotiation portals. Below them are the affiliates who carry out the intrusions: gaining access to the target, moving laterally, stealing data, deploying the payload and, in LockBit's case, handling the negotiation with the victim directly.


LockBit's payment flow shows how far that autonomy goes. Rather than the operators collecting the ransom and paying affiliates out of it, the affiliate receives the payment directly from the victim and remits a predetermined share, typically around 20%, to the core LockBit team. The affiliate keeps the larger share and controls the negotiation, which both attracts recruits and keeps the operators out of the most exposed part of each attack. The structure mirrors a legitimate business, with defined roles, revenue-sharing agreements and even performance incentives for productive affiliates.


The profit models employed by these groups vary:


Subscription-Based Model:

Affiliates pay a recurring fee for access to ransomware tools and support.


Commission-Based Model:

Affiliates use the tools for free but share a percentage of each ransom payment with the operators; this is the arrangement LockBit and BlackCat use.


One-Time Fee Model:

Affiliates pay a single fee for lifetime access, with no further obligations.


Tiered Service Levels:

Different packages offer varying features, such as faster encryption, additional platform builds or anonymization techniques.


These models provide flexibility and cater to a wide range of cybercriminals, from novices to seasoned hackers, contributing to the widespread adoption of RaaS.


Global Operations and the Challenge of Dismantling RaaS Groups


The global nature of RaaS operations presents significant challenges for law enforcement. Cybercrime cartels often operate across multiple jurisdictions, exploiting differences in legal frameworks and enforcement capabilities. The decentralized structure of RaaS, with affiliates scattered worldwide, further complicates efforts to identify and apprehend perpetrators.


Despite these obstacles, coordinated international efforts have yielded some successes. Operations like Cronos have disrupted major ransomware groups, seizing infrastructure and arresting key figures. However, these victories are often temporary, as cybercriminals adapt quickly, rebranding and reemerging under new identities.


Moreover, the proliferation of leaked ransomware code and the availability of sophisticated tools on underground forums enable new actors to enter the scene, perpetuating the cycle of cybercrime. The persistent evolution of cyber threats, exemplified by the resilience of groups like LockBit, underscores the critical need for sustained and collaborative efforts to fortify cybersecurity defenses. As cybercriminals adopt increasingly sophisticated tactics, a unified approach involving public and private sectors becomes indispensable.


Strategies to Combat RaaS Threats


Addressing the menace of RaaS requires a multifaceted approach:


Enhanced Endpoint Security:

Deploy Endpoint Detection and Response (EDR) on every workstation and server. EDR continuously records process, file and network activity and can detect and block the behaviours that precede encryption, such as credential dumping, shadow copy deletion and mass file modification, rather than relying on a signature for a payload that affiliates rebuild constantly. Make sure the agent cannot be silently uninstalled with local administrator rights, since disabling security tooling is a routine step for affiliates.


Regular Security Audits:

Conduct comprehensive assessments to identify and remediate vulnerabilities within IT infrastructures, paying particular attention to internet-exposed remote access such as RDP and VPN gateways and to any account that can reach them without multi-factor authentication.


Employee Training:

Educate staff on recognizing phishing attempts and adhering to cybersecurity best practices.


Robust Backup and Recovery Plans:

Keep regular backups offline or on immutable storage that ordinary domain administrator credentials cannot delete, and test restores on a schedule; a backup that has never been restored is not a recovery plan. Backups address the encryption, not the stolen data that these groups also threaten to publish.


Threat Intelligence and Collaboration:

Engage in information sharing with industry peers and government agencies to stay informed about emerging threats and tactics.


By adopting these strategies, organizations can bolster their defenses against RaaS attacks and contribute to the broader effort to dismantle cybercrime cartels.
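To make the endpoint-security item above concrete, here is an added example (not code from the article, and not any EDR vendor's logic) that applies two behavioural heuristics to a constructed batch of endpoint events: process launches whose command line deletes Volume Shadow Copies or disables Windows recovery, and a single process renaming many files to one new extension within a few seconds. The event schema, host name, PIDs and the `.lockedexample` extension are assumptions invented for the illustration; the command-line patterns are generic pre-encryption steps documented in public ransomware advisories, not a claim about any one group's payload.

```python
"""Behavioural ransomware-precursor detection over constructed endpoint telemetry.

Added example: the event schema (type/ts/host/pid/cmdline/old_path/new_path) is an
assumption made for this illustration and does not match any vendor's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-encryption commands widely documented in public ransomware advisories:
# deleting Volume Shadow Copies and disabling Windows automatic recovery.
SUSPICIOUS_CMDLINES = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

RENAME_THRESHOLD = 20                  # renames by one process ...
RENAME_WINDOW = timedelta(seconds=10)  # ... within this sliding window


def _extension(path):
    """Lower-cased final extension of a Windows or POSIX path, or '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Return a list of (rule, host, pid, detail) alerts, at most one per rule per process."""
    alerts = []
    flagged = set()
    renames = defaultdict(list)  # (host, pid) -> [(timestamp, new_extension), ...]

    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_create":
            for pat in SUSPICIOUS_CMDLINES:
                if pat.search(ev["cmdline"]) and ("tamper", key) not in flagged:
                    flagged.add(("tamper", key))
                    alerts.append(("shadow_or_recovery_tamper", *key, ev["cmdline"]))
                    break
        elif ev["type"] == "file_rename":
            renames[key].append((datetime.fromisoformat(ev["ts"]), _extension(ev["new_path"])))

    for key, items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside RENAME_WINDOW.
            while items[end][0] - items[start][0] > RENAME_WINDOW:
                start += 1
            window = items[start:end + 1]
            exts = {ext for _, ext in window}
            # Many files renamed to one identical new extension is the classic
            # encryption footprint; legitimate bulk tools rarely look like this.
            if len(window) >= RENAME_THRESHOLD and len(exts) == 1:
                alerts.append(("mass_rename_single_extension", *key,
                               f"{len(window)} renames to .{exts.pop()} within {RENAME_WINDOW.seconds}s"))
                break
    return alerts


def sample_events():
    """Constructed telemetry, not real logs: one hostile process and two benign ones."""
    base = datetime(2025, 5, 7, 9, 0, 0)
    ev = [
        {"type": "process_create", "ts": base.isoformat(), "host": "ws01", "pid": 4120,
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"type": "process_create", "ts": (base + timedelta(seconds=1)).isoformat(),
         "host": "ws01", "pid": 5000, "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    ]
    # Hostile: 30 documents renamed to one invented extension within about six seconds.
    for i in range(30):
        t = base + timedelta(seconds=2, milliseconds=200 * i)
        ev.append({"type": "file_rename", "ts": t.isoformat(), "host": "ws01", "pid": 4120,
                   "old_path": rf"C:\Users\alice\Documents\report{i}.docx",
                   "new_path": rf"C:\Users\alice\Documents\report{i}.docx.lockedexample"})
    # Benign: a backup job renaming five files to .bak over a minute (below threshold).
    for i in range(5):
        t = base + timedelta(seconds=10 * i)
        ev.append({"type": "file_rename", "ts": t.isoformat(), "host": "ws01", "pid": 6100,
                   "old_path": rf"D:\data\file{i}.csv", "new_path": rf"D:\data\file{i}.csv.bak"})
    return ev


if __name__ == "__main__":
    for rule, host, pid, detail in detect(sample_events()):
        print(f"[{rule}] host={host} pid={pid} {detail}")
```

Run as-is, the script raises two alerts, both against PID 4120, and stays silent on the svchost launch and the slow `.bak` renames. The threshold and window are the tuning knobs: set them from a baseline of your own file servers, and expect to add exclusions for legitimate bulk-rename tools before treating the rename rule as a blocking action rather than an alert.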


Conclusion


The rise of RaaS has revolutionized the cybercrime landscape, enabling organized threat groups like LockBit and BlackCat to operate with unprecedented efficiency and reach. Their structured hierarchies, innovative tactics, and adaptive strategies pose significant challenges to law enforcement and organizations worldwide. Combating this threat demands a concerted effort, combining technological defenses, employee awareness, and international collaboration. Only through such comprehensive measures can we hope to disrupt the operations of these cybercrime cartels and safeguard our digital infrastructure.

 

Citation/References:

  1. Wikipedia contributors. (2025, March 22). BlackCat (cyber gang). Wikipedia. https://en.wikipedia.org/wiki/BlackCat_%28cyber_gang%29

  2. Burgess, M., & Newman, L. H. (2023, January 24). The unrelenting menace of the LockBit ransomware gang. WIRED. https://www.wired.com/story/lockbit-ransomware-attacks

  3. Rosendahl, T. (2024, April 4). The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions. Cisco Talos Blog. https://blog.talosintelligence.com/ransomware-affiliate-model/

  4. (Cyber)Crime Kingpin – Lockbit ransomware Group’s evolution and rise to the top. (n.d.). Cyber Security Agency of Singapore. https://www.csa.gov.sg/resources/publications/-cyber-crime-kingpin---lockbit-ransomware-group-s-evolution-and-rise-to-the-top

  5. Burgess, M. (2024, May 7). The alleged LockBit ransomware mastermind has been identified. WIRED. https://www.wired.com/story/lockbitsupp-lockbit-ransomware/

 

Image Citations

  1. Pti, B. (2023, August 4). Ransomware cyber attacks surge over 2-fold in India in first half of 2023: Report. The Week. https://www.theweek.in/news/biz-tech/2023/08/04/ransomware-cyber-attacks-surge-over-2-fold-in-india-in-first-half-of-2023-report.html

  2. Hackers think in all directions. End-to-end security is the answer. (2025, May 2). [Video]. Cisco. https://www.cisco.com/site/uk/en/learn/topics/security/what-is-cybercrime.html

  3. Kovacs, E. (2023, December 20). BlackCat strikes back: Ransomware gang “Unseizes” website, vows no limits on targets. SecurityWeek. https://www.securityweek.com/blackcat-ransomware-group-responds-to-disruption-caused-by-law-enforcement/

 

 

 

 

 
 
 



© 2024 by AmeriSOURCE | Credit: QBA USA Digital Marketing Team
