LmCast :: Stay tuned in

Inside the Playbook of Ransomware's Most Profitable Players

Recorded: Nov. 5, 2025, 4:17 p.m.

Original

What Makes Ransomware Groups Successful?

Inside the Playbook of Ransomware's Most Profitable Players

Successful ransomware groups have three key elements in common. Spoiler alert: indicators of success don't all revolve around artificial intelligence.

Arielle Waldman, Features Writer, Dark Reading
November 4, 2025
5 Min Read
Photo: Ivelin Radkov via Alamy Stock Photo

Ransomware gangs' continued success is well documented, from reports of substantial payouts and financial fallout to prolonged disruptions. Each year, certain groups emerge in the top rankings, and what sets them apart is becoming clearer. Success can be measured by a variety of factors, including financial gains, brand reputation, victim downtime, activity and, for the ransomware-as-a-service (RaaS) model, the number of affiliates.

Because the threat is effective, as the steady, alarming numbers recorded over the past five years show, it continues to evolve to defeat enterprise defenses. However, research has revealed which elements contribute to the top RaaS groups' success, and that in turn can inform security strategies. The biggest hurdle is keeping pace with how quickly attackers evolve.

Automation: A Need for Speed

Recent research from ReliaQuest measured ransomware success by the number of victims posted to a group's data leak site. Threat actors use data leak sites to publicly shame victims into paying a ransom, and the added pressure did pay off for groups. Based on those parameters, ReliaQuest identified three facets of thriving ransomware groups. ReliaQuest crowned the Qilin ransomware a "market leader" and warned that LockBit 5.0 is gaining traction by using the techniques listed below.

"Ransomware platforms built on automation, customization, and advanced tooling likely attract the most skilled affiliates and appear to create the most successful ransomware-as-a-service (RaaS) groups, judging from data-leak site victim counts," ReliaQuest wrote in the report.

Automation was the most important component. Researchers found that 80% of the RaaS groups they analyzed included some automation and artificial intelligence (AI) in their platforms. Automation contributed to effectiveness by ramping up the speed of attacks. The average breakout time is now 18 minutes, leaving defenders with significantly less time to react, the report warned.

How Are Ransomware Groups Using AI?

Other researchers have observed a similar trend. While groups increasingly use AI to further attack success, the tactic is still early-stage and unevenly adopted, explains Christiaan Beek, senior director of threat intelligence and analytics at Rapid7. Ransomware crews are experimenting with AI, mostly to speed up reconnaissance, craft more convincing phishing, or automate parts of their operations. But what's evolving faster is the attackers' mindset, he adds.

"Attackers are starting to think in AI-driven workflows, blending automation and data-driven targeting," Beek tells Dark Reading. "It doesn't make them unstoppable, but it does make them faster, more adaptive, and harder to predict."

Multiple reports have emerged on threat actors' increasing and lucrative use of AI for reconnaissance and social engineering. Ransomware groups also use AI to automate target selection and scale operations faster than before, warns Tom Hegel, threat researcher at SentinelOne. AI advances have also lowered the barrier to entry, allowing less-skilled affiliates to conduct sophisticated campaigns and expanding the ransomware landscape even further.

"While we're not yet seeing fully autonomous ransomware operations (excluding prototypes), AI-driven automation is already shortening breakout times and boosting overall success," Hegel reveals. "It's another force multiplier in an ecosystem built around speed, scale, and leverage."

Beware of EDR Bypass Tactics

Customization was another driver of success, offered by 60% of the RaaS groups ReliaQuest analyzed. Its importance lies in how it can "dynamically change how the ransomware operates during an attack." For example, it gives attackers the ability to prioritize either the strength or the speed of encryption. Stronger encryption makes it more difficult for organizations to restore data without paying the ransom, while faster encryption can make the threat harder to contain as the malware spreads to more files.

Advanced tooling came in at number three because only 50% of the ransomware groups analyzed offered those capabilities on their platform. However, it poses a significant risk to enterprises regardless of the defenses deployed. "Top-tier groups typically offer scripts that can bypass and disable EDR [endpoint detection and response] and antivirus tools on a compromised endpoint, as well as tools for deleting an organization's backups during ransomware deployment," the report stated.

Forget the Ransomware, Altogether

Weaponized intelligence also fuels RaaS operators' success rates. The most profitable groups use intelligence to harvest victims' cloud data, map finance and insurance postures, and assess sector sensitivities, tailoring their extortion demands, explains Beek. In many instances, Rapid7 researchers observed them forgo the use of a ransomware binary entirely. Instead, they threatened to publicize the victims' stolen data, and that was enough to elicit a payment.

"For example, we recently observed Crimson Collective has focused on stealing data from AWS environments for extortion, while Clop has run large data-theft extortion campaigns tied to enterprise application exploits rather than always relying on encrypting binaries," Beek says.

Overall, the RaaS operating model was designed for success. Operators build reliable tooling, leak sites, and payment infrastructure, while affiliates focus on intrusion and extortion, says Hegel, adding that the division of labor scales operations massively. The ecosystem consists of initial access brokers, multi-extortion tactics, strong operational security, and decentralized infrastructure built to survive takedowns.

"The result is a repeatable, scalable enterprise with the efficiency of a SaaS [software-as-a-service] company - just on the wrong side of the law," Hegel says.

Not a Triple Threat. Yet.

The good news from the ReliaQuest report is that "fewer than half of the RaaS groups analyzed can provide the complete trifecta of capabilities." While the report highlighted the most successful ransomware gangs, the researchers urged enterprises to focus security strategies on the ecosystem as a whole and on the tactics, techniques, and procedures shared among groups rather than on any individual group. Actions to take include implementing automated containment and response plays to keep pace with attackers' increasing speed, enforcing strict network segmentation to limit blast radius, and developing strategies that improve visibility in the face of advanced attacker tooling.

Summarized

Ransomware groups’ sustained success is a complex phenomenon, driven by more than just sophisticated encryption. Research from ReliaQuest, as outlined in a Dark Reading report, identifies three key elements that distinguish the most profitable and effective ransomware-as-a-service (RaaS) operations. These aren’t simply about utilizing advanced technology, but rather a confluence of operational strategies and a deliberate ecosystem configuration. The primary drivers of success, according to the report, can be categorized as automation, customization, and weaponized intelligence.

Automation is a critical component, particularly evident in the dramatically reduced “breakout times” – the period between initial intrusion and data exfiltration – which have plummeted to just 18 minutes. This acceleration is achieved through extensive automation, allowing groups to rapidly deploy ransomware across multiple targets. The report highlights that roughly 80% of the RaaS groups analyzed incorporate automation and artificial intelligence (AI) into their platforms. This automation encompasses various aspects, including reconnaissance, targeting, and even the scaling of attacks. The rapid deployment capabilities directly impact the efficiency and effectiveness of the groups.

However, automation alone isn’t enough; customization is equally important. Approximately 60% of the identified RaaS groups employ customization strategies, allowing them to dynamically adjust their attack methodologies based on the target’s specific vulnerabilities and defenses. This adaptation can manifest as alterations to the encryption process, prioritizing speed over strength, or tailoring the attack to exploit specific software weaknesses. This dynamic approach significantly increases the chances of successful data acquisition and, consequently, a successful ransom payment.

Weaponized intelligence represents a third key element. The most successful RaaS groups don't simply employ ransomware; they actively leverage intelligence to target victims' cloud environments, map their financial processes, and assess sector sensitivities. Critically, many of these groups forgo deploying ransomware binaries entirely. Instead, they focus on stealing data and then threatening to publicly disclose that information, significantly increasing the likelihood of a payout. Examples cited in the report include Crimson Collective’s focus on AWS environments and Clop’s exploitation of enterprise application vulnerabilities.

The RaaS model itself is a central component of this success. The model’s success lies in the division of labor – initial access brokers scouting targets, affiliates conducting the intrusions and deploying ransomware, and operators providing the platform and infrastructure. This decentralized structure allows for rapid scaling, redundancy, and operational security, which makes it incredibly difficult for security teams to fully eradicate a group. It operates similarly to a SaaS (Software as a Service) company – efficient, scalable, and built for continuous operation.

Despite the seemingly straightforward factors at play, the landscape is constantly evolving. The report emphasizes that fewer than half of the analyzed RaaS groups can provide this “trifecta” of capabilities – automation, customization, and weaponized intelligence simultaneously. This highlights the importance of a holistic security strategy and ongoing monitoring to adapt to the evolving tactics of these groups. Furthermore, the report recommends proactive measures such as automated containment and response plays, network segmentation, and improved visibility to mitigate the risks posed by increasingly sophisticated attacks. The continuous adaptation displayed by these groups necessitates vigilance from organizations across all sectors.