Kent Academic Repository

Inside ransomware groups: an analysis of their origins, structures, and dynamics

Phipps, Andrew, Nurse, Jason R. C. (2026) Inside ransomware groups: an analysis of their origins, structures, and dynamics. Computers & Security, 160. Article Number 104705. ISSN 0167-4048. (doi:10.1016/j.cose.2025.104705) (KAR id:111891)

Abstract

Ransomware is a major cybersecurity threat facing organisations worldwide and has evolved into a highly lucrative criminal enterprise. Over the past five years, Conti, LockBit, and BlackCat/ALPHV have emerged as three of the most prominent ransomware groups, responsible for major cyberattacks across sectors including healthcare, banking, and critical national infrastructure. While these groups are well-known by name and have been discussed in industry articles, blogs, and government briefs, there remains a notable lack of academic research into the groups themselves, particularly regarding their origins, values, membership, and organisational structures. This paper addresses this research gap and aims to advance academic understanding of these and other ransomware threat actors, contributing to the evidence base through which they may be better understood and disrupted. Drawing on the PRISMA systematic review approach and a critical analysis of over 500 dispersed sources, including ransomware group communications, we examine the origins, structure, organisation, dynamics and nature of Conti, LockBit, and BlackCat/ALPHV. Our findings reveal that, while each group is unique, they share several noteworthy similarities: Russian origins, business-like operations, an emphasis on brand-building, strong leadership structures, a propensity for retaliation, use of ransomware-as-a-service models, and deployment of multi-level extortion tactics. These insights provide an evidence-based understanding of how such groups function and compare, while also offering important leads for wider mitigation strategies. Consequently, we make several actionable recommendations to disrupt the ransomware ecosystem including undermining ransomware group branding, targeting affiliate networks, and publicly exposing key members. 
To our knowledge, this is the first academic study to leverage an understanding of these groups, to synthesise such an extensive body of dispersed material, and to apply robust qualitative methods to derive comparative insights for the security research community. In addition, we leverage our findings to introduce a new conceptual framework through which other ransomware groups can be studied, profiled, and compared in the future.

Item Type: Article
DOI/Identification number: 10.1016/j.cose.2025.104705
Uncontrolled keywords: cybersecurity; information security; ransomware; cybercriminal profiling; conceptual framework; threat actors; social aspects; group dynamics; ransomware gangs; malware; qualitative data analysis; systematic analysis
Subjects: B Philosophy. Psychology. Religion > BF Psychology
H Social Sciences > H Social Sciences (General)
H Social Sciences > HF Commerce > HF5351 Business
H Social Sciences > HM Sociology
K Law
Q Science > Q Science (General)
T Technology
Institutional Unit: Schools > School of Computing
Institutes > Institute of Cyber Security for Society
Former Institutional Unit:
There are no former institutional units.
Funders: University of Kent (https://ror.org/00xkeyj56)
Depositing User: Jason Nurse
Date Deposited: 06 Nov 2025 10:06 UTC
Last Modified: 07 Nov 2025 12:16 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/111891 (The current URI for this page, for reference purposes)
