
Why haven't we beaten ransomware yet? The economics of digital extortion

Updated: May 28

Despite increased awareness and significant law enforcement actions over the past 18 months, ransomware remains a persistent and evolving threat. The cybercrime landscape has transformed with fewer but more sophisticated criminal organizations operating like structured enterprises. Recent operations like "Endgame" have disrupted major players such as LockBit, yet the void was quickly filled by more aggressive groups. The financial impact remains staggering, with companies like IKEA losing €20 million from a single attack. So why do we still face this threat despite our collective efforts?


The Insane Economics of Ransomware

Let’s illustrate the problem with three examples of threat actors that have driven the scene over the past 12 months, in Europe in particular: RansomHub, Argonauts, BlackBasta and DragonForce.


RansomHub

RansomHub has emerged as a significant threat, responsible for 12.5% of all ransomware attacks in Italy during the second half of 2024. The group operates with a sophisticated business structure, employing specialized teams for malware development, operations, and negotiations. Their effectiveness stems from strategic use of AI for autonomous victim negotiations, removing human intervention from the extortion process. After the takedown of LockBit, RansomHub quickly expanded to fill the market gap, demonstrating the resilience of the ransomware ecosystem. Their operations have intensified across Europe, particularly targeting financial and manufacturing sectors.


Argonauts

The Argonauts group represents the new generation of ransomware operators who have embraced AI-powered attack methodologies. They've developed sophisticated phishing techniques that leverage legitimate services like Gamma AI to create convincing Microsoft SharePoint login portals. This "living-off-trusted-sites" approach helps bypass email authentication checks like SPF, DKIM, and DMARC. Their multi-stage attack methodology makes detection extremely difficult for conventional security tools. The group has been particularly active in European markets, with a focus on professional services and financial institutions. Their business model includes selling access to compromised networks to other criminal groups.


BlackBasta

BlackBasta has maintained its position as one of the most resilient ransomware groups despite law enforcement pressure. In February 2025, their internal communications were leaked by an unnamed hacker, revealing connections to bulletproof hosting provider Media Land. This leak exposed their operational structure, including their use of malware command and control servers, ransomware infrastructure, phishing kits, and code-signing systems. Despite this setback, BlackBasta continues to operate, demonstrating the difficulty in permanently disrupting these organizations. Their attacks have caused millions in damages across Europe, with a particular focus on manufacturing and healthcare sectors.


DragonForce

DragonForce, also behind the recent attacks on retailers in the UK, has dramatically expanded its operations, quintupling its presence in Italy alone during the second half of 2024. The group gained notoriety after hacking RansomHub's dark web leak site, triggering a migration of affiliates between ransomware groups. This competitive behavior illustrates the business-like nature of modern ransomware operations. DragonForce employs a sophisticated affiliate model, providing ransomware-as-a-service to partners who conduct the actual attacks while sharing profits. Their technical capabilities include advanced encryption methods and data exfiltration techniques. Recent European targets have included critical infrastructure and government entities.


Conclusion

The ransomware ecosystem thrives on asymmetric economics: low-cost operations yielding potentially enormous returns. With Malware-as-a-Service models democratizing access to sophisticated attack tools, the barrier to entry has dramatically decreased. Meanwhile, AI has revolutionized every aspect of the attack chain, from generating convincing phishing emails to automating negotiations. The 2024 Risk Report by Tinexta Cyber shows a 28.3% increase in attacks despite a 5.5% decrease in active gangs, indicating greater efficiency and consolidation. The €20 million IKEA loss in Greece, Cyprus, Romania and Bulgaria last November demonstrates the devastating potential of these attacks. The uncomfortable truth remains: threat actors are adapting faster than organizations.
