Anatomy of a Ransomware Gang: How Short-Lived Criminal Groups Inflict Massive Damage
The Australian Institute of Criminology has unveiled a comprehensive study exposing the inner workings of ransomware syndicates and their impact on Australia and allied nations. Researchers analyzed 865 attacks recorded between 2020 and 2022 across Australia, Canada, New Zealand, and the United Kingdom. While the total number of incidents dipped slightly in 2022, that year alone accounted for 309 attacks carried out by 42 groups.
The study’s central finding is how short-lived these criminal enterprises are. The average operational period of a ransomware gang was just 1.36 years, with only three groups remaining active for the entire three-year window. Despite their brief existence, the damage they inflicted was severe. Conti led the list with 141 confirmed attacks, operating consistently until its voluntary shutdown in mid-2022. Close behind was LockBit, responsible for 129 attacks under various iterations, showcasing a persistent ability to rebrand and adapt tactics.
A particularly striking revelation was the selectivity of their targets. The industrial sector bore the brunt with 239 incidents, followed by consumer goods at 150 attacks, while real estate, finance, and technology each surpassed 90 cases. In Australia alone, there were 135 attacks over the three years, with the industrial sector consistently the most affected. By 2021–2022, the technology and consumer goods sectors also faced a sharp rise in targeting.
The report highlights the prominence of the Ransomware-as-a-Service (RaaS) model, which separates core developers from their affiliate networks. Developers create the malware and manage ransom payments, while affiliates infiltrate victim networks and conduct negotiations. This structure not only scales attack volume but also extends the lifespan of ransomware groups. Notably, NetWalker, after adopting this model in 2020, executed a record 35 attacks in a single year. Statistics reveal that RaaS operators tend to endure longer and operate at greater scale than their traditional counterparts.
The role of law enforcement interventions is also emphasized. Joint U.S.–Russian operations crippled groups like NetWalker and REvil, in some cases dismantling them entirely. Yet the ecosystem quickly filled the void: as old actors vanished, new ones such as Karakurt, ALPHV (BlackCat), and Black Basta emerged in 2022.
Professor Chad Whelan, who led the study from Deakin University’s Centre for Cybersecurity, stressed that high-risk sectors require tailored defenses. Recommended measures include industry-specific awareness programs, regular audits and penetration tests, and the adoption of advanced threat detection solutions.
Researchers further urged closer collaboration between government agencies and private cybersecurity firms, along with broader data sharing, to craft more effective countermeasures.
The findings underscore a sobering reality: ransomware remains one of the most formidable threats of the digital age. Understanding its internal dynamics offers a crucial opportunity to develop more precise and resilient strategies of defense.