The ransomware landscape has entered a “post-trust ecosystem,” where fragmented and increasingly mistrustful cybercrime groups operate in a climate of heightened law enforcement scrutiny, according to William Lyne of the UK’s National Crime Agency (NCA).
The result is a more unpredictable and potentially more perilous threat environment for organizations worldwide.
In recent years, a series of high-profile law enforcement takedowns has disrupted some of the most notorious ransomware groups. Now the dust is settling and a cybercrime landscape that's more splintered than ever is emerging.
As the Head of Intelligence at the NCA’s National Cyber Crime Unit (NCCU), Lyne was one of the leading figures involved in the takedown of the Evil Corp ransomware syndicate in 2019 and Operation Destabilise, which disrupted a multi-billion-dollar global Russian illicit finance network.
He will join a panel of speakers during the upcoming Infosecurity Europe 2025 conference to discuss the latest ransomware trends and what we can expect to happen in this field over the following months.
The session, titled ‘Ransomware 3.0: How Attackers Are Changing Their Thinking,’ will take place on Tuesday, June 3 at 16.40 BST. Lyne’s fellow speakers include Jeremy Banks, a City of London Police officer who works on the National Police Chiefs Council Cyber Crime Team, Magnus Jelen, the Lead Director of Incident Response for UK and EMEA at Coveware and Jen Ellis, Founder of NextJenSecurity and co-chair of the UK’s Ransomware Task Force.
2024, A Pivotal Year in Ransomware History
For Lyne, 2024 was a pivotal year for the future of ransomware.
“There was a huge range of law enforcement disruptions, but also a number of significant developments within the ecosystem,” he explained.
He specifically mentioned the BlackCat/ALPHV “exit scam” in March 2024 and Operation Cronos, a global law enforcement operation led by the NCA against LockBit in April 2024. These two groups were among the most prolific across the ransomware landscape and their disruptions had a significant impact on the overall activity of financially motivated cybercriminals.
Aside from taking down the ransomware groups’ infrastructure and forcing them to rebuild, those recent operations also impacted their reputation within the broader cybercrime ecosystem, with achievements like:
- The group administrators’ operational security (opsec) failures being exposed
- Their names revealed (e.g. LockBit’s main administrator, LockBitSupp, whose suspected identity has been revealed as Dmitry Yuryevich Khoroshev)
- Ransomware decryptors shared with the victims
Additionally, the latest operations have placed a strong emphasis on the psychological impact of the takedowns, employing innovative tactics to publicize their successes, such as hijacking the ransomware groups' own leak sites to showcase the operations' achievements or even engaging directly with the perpetrators on social media.
“With the LockBit operation, for instance, we were really looking to try to undermine the trust and confidence between the group and other members of the cybercrime ecosystem with innovative approaches,” said Lyne.
Ransomware Enters a Post-Trust Era
These disruptions have left a ransomware landscape entering a new phase which Lyne called the “post-trust ecosystem.”
He explained: “Previously, threats to actors operating within the ransomware ecosystem would have gone to large as-a-service platforms to pull together the different elements that they might require for their cybercriminal business models.” This was the heyday of the Ransomware-as-a-Service (RaaS) model.
However, Lyne said that recently no “market leader” has emerged that would account for an equivalent market share to LockBit’s at its prime.
“Today, the ecosystem is quite fragmented. It feels like some of the trust has drained away from some of those big platforms. We are now seeing many more but smaller, potentially more agile, groups, no longer utilizing big platforms and RaaS affiliate programs but operating in a more peer-to-peer (P2P) way,” Lyne added.
According to the law enforcement officer, this shift can be explained by several factors.
First, the recent wave of law enforcement operations against ransomware gangs led to a decrease in ransomware payments, forcing ransomware affiliates to diversify.
This conclusion was drawn from a Chainalysis report in May 2024 and subsequently confirmed by several studies published in early 2025, including those by BlackFog, Cyble, Comparitech and Rapid7.
Additionally, Lyne argued that some cybercriminals no longer require large syndicates to generate income.
“The online cybercrime ecosystem constantly lowers the barrier of entry to get into cybercrime. With the help of open source projects and, more and more, with AI tools, you no longer necessarily need to be proficient in certain languages – both spoken and programming languages – that used to be key to deploy a cyber-attack. You can cobble together what you need to run a cybercrime scheme nowadays in a way that you perhaps couldn't have in the past,” Lyne said.
“This is what Recorded Future’s Allan Liska calls Franken-ransomware,” he added.
This lower barrier to entry for new ransomware actors is underscored by the rise of encryption-less extortion schemes.
“Getting the encryption payload to work properly is probably the most technically complex aspect of any ransomware operation – and the most expensive,” he explained.
Finally, Lyne believes that ransomware newcomers have also come to understand that the more exposed a ransomware brand is, the more likely it is to be disrupted or even taken down.
“They recognize that being part of those big, branded groups is putting them in the spotlight and alerting law enforcement and the cybersecurity community to activate a strong response. Response,” he said.
Emergence of the Ransomware Cartel Model
One evolution of this fragmentation in the ransomware ecosystem, Lyne argued, is the emergence of ‘ransomware cartels’.
Under this model, white-label services are offered by a ransomware group that allows an affiliated group, rather than affiliated individuals traditionally involved in the RaaS model, to use the group’s tooling while rebranding the ransomware under a different name.
“RaaS was the commoditization of the different elements of the ransomware business model on a single platform for people to buy into. Now, the ransomware cartel model is another natural evolution of RaaS, where people are commoditizing the ransomware service game in its totality,” Lyne said.
DragonForce, one of the first groups to publicly announce its intentions to launch a ransomware cartel model, is believed to have supplied Scattered Spider with the tools used in the cyber-attacks targeting three UK retailers, Marks & Spencer, Co-op, and Harrods, in the Spring of 2025.
Learn More About Ransomware Trends at Infosecurity Europe
The evolution of the ransomware ecosystem will be a primary focus of this edition of Infosecurity Europe. Register here to attend and discover the latest trends from cyber threat intelligence experts.
The full program can be viewed here.
The 2025 event will celebrate the 30th anniversary of Infosecurity Europe, taking place at the London ExCel from June 3-5, 2025.
No tags.
