CHAPTER 2
Behind the Scenes in the Ransomware Ecosystem
What has happened in the inner workings of the ransomware ecosystem that led to a rise in attacks on the healthcare industry?
By understanding the evolution and dynamics of ransomware groups, affiliates, and recent disruptions in the landscape, we gain insight into the forces driving ransomware attacks in healthcare.
Meet the Players: 'Dark Unicorns' and Affiliates
What are “Dark Unicorns”?
In business, a unicorn is a company—usually less than ten years old—that reaches a valuation of $1 billion or more, symbolizing rarity and exceptional value. But there are also Dark Unicorns. Once seen as mischievous hackers working from basements, ransomware gangs have grown into highly organized, powerful entities within a multi-billion-dollar cybercrime ecosystem. Their ruthless tactics and extensive reach have transformed ransomware from isolated attacks to a lucrative industry on a global scale. This org chart shows just how sophisticated ransomware businesses can be.
Structure of Ransomware Gangs
Who are the Affiliates?
Affiliates are independent attackers who partner with ransomware operators to carry out attacks in exchange for a share of the ransom. These affiliates are the foot soldiers in the ransomware economy, bringing agility and resilience to ransomware operations by diversifying both the attackers and the targets. A battle for talent has made affiliates some of the most empowered players in the ransomware ecosystem, driving the pace, frequency, and intensity of attacks worldwide. This graph illustrates the fluid network where affiliates freely transition between groups, taking their skills where they find the best fit or opportunity.
Affiliate Transitions Between Ransomware Groups
The Change Healthcare Incident – A Major Inflection Point
Previously, the core ransomware groups held the leverage in the relationship, but the rise of an affiliate-driven market has transformed the landscape. The ransomware attack on Change Healthcare in February 2024 marked a pivotal moment in the shift to the affiliate-centric model. When the affiliate behind the attack was not paid its share of the ransom, distrust spread among affiliates toward the groups they work for. The ripple effects from this event continue to influence the ransomware ecosystem. It prompted affiliates to reevaluate their partnerships and seek arrangements that prioritized their interests, giving affiliates unprecedented bargaining power and fundamentally altering the way ransomware operations were structured. The evolving nature of cybercrime highlights the need for organizations to adopt proactive and adaptive defenses.
Law Enforcement Takedowns and Power Shifts
Law enforcement disruption of two prominent groups, AlphV in December 2023 and LockBit in February 2024, shook the ransomware landscape. Attacks dipped temporarily, but the disruption also opened the door for new groups to emerge and adopt aggressive recruitment tactics. RansomHub, for example, attracted disillusioned affiliates by offering a 90% payout and allowing affiliates to collect ransom payments directly rather than trusting the group to pass on their share.
If we look at the top ransomware groups over time, we see that the majority of the top groups today were not in the top 10 a year ago, if they even existed then.
Unlike their predecessors, these groups operate with fewer restrictions, targeting sectors like healthcare and critical infrastructure without hesitation. The Change Healthcare incident thus stands as a significant inflection point in ransomware history. It not only revealed vulnerabilities within ransomware organizations but also reshaped the landscape, empowering affiliates and encouraging the formation of new groups that are more adaptable, aggressive, and independent.