We used to talk about cybercrime as the “cost of doing business.” But that thinking is obsolete. As the LockBits, RansomHubs, Plays, and Akiras of the world evolve — this is now the cost of delay.
From American fast food empires to oil giants, from universities to semiconductor suppliers, an evolving cast of cybercriminal groups has turned ransomware into a billion-dollar business model — scalable, relentless, and increasingly hard to stop.
If ransomware had a logo, it might belong to LockBit. Omnipresent, aggressively marketed, and disturbingly efficient.
LockBit’s encryptor, written in C/C++, uses hybrid AES and RSA encryption, resolves Windows APIs by hash rather than by name (so its import table tells static analysis very little), and can spread itself across a network. In January 2024, LockBit claimed it had breached Subway’s systems and siphoned off sensitive financial data. A year earlier, in January 2023, the gang forced Royal Mail to suspend international deliveries for roughly six weeks; its ransom demand of £65.7 million was later lowered to £33 million, and Royal Mail refused to pay. It was one of the most disruptive cyberattacks on UK infrastructure ever recorded.
TSMC, the world's leading chipmaker, was also caught up in a LockBit extortion attempt: in 2023 the gang demanded $70 million to walk away, claiming to hold TSMC data obtained by breaching one of the chipmaker's hardware suppliers (TSMC said its own systems were not compromised). LockBit operates everywhere: North America, Europe, and APAC. Since 2020, it has racked up over 1,700 U.S. victims and pulled in roughly $91 million in ransom payments.
BlackBasta didn’t emerge from nowhere — it carries the fingerprints of ransomware veterans. Cybersecurity analysts widely believe the group’s founding members were once part of the notorious Conti gang, which disbanded in 2022.
The resemblance is hard to ignore: from the structure of their leak sites to their negotiation tactics and malware behavior, BlackBasta feels like Conti 2.0 — more refined, just as ruthless.
But that’s only half the story. Investigators have also linked BlackBasta to FIN7, a financially driven threat group with a long history of targeting businesses worldwide. The connection? Both groups appear to share infrastructure, including overlapping command-and-control servers, and deploy similar custom tools to evade endpoint detection.
While LockBit may be the old guard, RansomHub has become the new syndicate on the rise. First spotted in early 2024, the group exploded onto the scene after recruiting talent from defunct gangs like ALPHV and Conti.
Their model? Double extortion: steal the data first, then encrypt, and threaten to leak what was taken if the ransom goes unpaid.
In August 2024, they hit Halliburton, one of the world’s biggest energy services companies, forcing internal systems offline; Halliburton later put the cost of the incident at roughly $35 million.
Their encryptor, written in a blend of Go and C++, is heavily obfuscated, including manipulation of the code at the abstract-syntax-tree (AST) level, the sort of trickery more common in espionage tooling than in ransomware. Their attack chain runs from voice phishing (vishing) calls and compromised VPN accounts to PowerShell scripts and PsExec for lateral movement, all stitched together with chilling precision.
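Two links in that chain, PsExec for lateral movement and PowerShell launched with an encoded command, leave traces in Windows event logs. The following is an added example of detection logic run over constructed event records; it is not RansomHub's tooling nor any vendor's rule set, and the field names, host names and pattern list are assumptions chosen for illustration.

```python
"""Detection logic for two links in the chain above: PsExec service installs
and encoded PowerShell commands. Added example, not RansomHub's or any
vendor's code; the event records are constructed for illustration."""
import base64
import re

# Constructed sample events. Field names loosely follow Windows logs:
# EventID 7045 = a new service was installed, 4688 = process creation.
ENCODED = base64.b64encode(
    "vssadmin delete shadows /all /quiet".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Host": "FS01", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"EventID": 4688, "Host": "WS17",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED},
    {"EventID": 4688, "Host": "WS17",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Patterns a decoded PowerShell payload should not contain on a file server (assumed list).
SUSPICIOUS_PS = [
    r"vssadmin\s+delete\s+shadows",               # shadow-copy deletion before encryption
    r"Invoke-WebRequest|DownloadString|\bIEX\b",  # download-and-execute
    r"Set-MpPreference\s+-Disable",               # tampering with Defender
]

# Longest flag spelling first so "-EncodedCommand" is not cut off at "-e".
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand/-enc, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect(events):
    """Return (rule, host, detail) alerts for PsExec installs and risky encoded PowerShell."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7045:
            # Match on both the service name and the image path: PsExec can be renamed,
            # but the default service it drops is PSEXESVC.
            svc = ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")
            if "PSEXESVC" in svc.upper():
                alerts.append(("psexec_service", ev["Host"], ev["ImagePath"]))
        elif ev["EventID"] == 4688 and "powershell" in ev.get("CommandLine", "").lower():
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded and any(re.search(p, decoded, re.I) for p in SUSPICIOUS_PS):
                alerts.append(("encoded_powershell", ev["Host"], decoded))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The decode step matters: an encoded command is opaque to a plain string match on the command line, so the rule decodes the base64/UTF-16LE payload before looking for shadow-copy deletion or download-and-execute patterns, while ordinary script invocations produce no alert.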
Play emerged in mid-2022, and they’ve become a textbook case of how ransomware groups can borrow tactics from intelligence agencies. They don’t run a big affiliate program. They keep their circle tight. That gives them stealth. That gives them control.
They’ve deployed their ransomware in over 300 cases — quietly and effectively. In 2024, they targeted Microchip Technology, an American semiconductor firm, adding the company to their leak site and disrupting key business systems.
Behind the scenes, Play has exploited everything from Fortinet SSL VPN flaws to Microsoft Exchange bugs. Its encryption is intermittent: rather than encrypting every byte, the encryptor scrambles only portions of each file. That is enough to make the files unusable, but it finishes faster and keeps whole-file entropy and disk I/O below what simple anti-ransomware heuristics look for.
In a chilling twist, Play was recently linked to North Korea’s APT45 (also tracked as Andariel), signaling that a state-sponsored unit and a criminal crew can work the same intrusion.
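Intermittent encryption and the detection gap it exploits, as an added example that is not Play's code: a constructed document is encrypted one chunk in three with a seeded XOR keystream standing in for the real cipher, and a whole-file entropy check is compared with a per-chunk one. The chunk size, thresholds and sample text are assumptions.

```python
"""Intermittent (partial) encryption, and why a whole-file entropy check
misses it while a per-chunk check does not. Added example, not Play's
code: the 'file' is a constructed byte buffer and the seeded XOR keystream
is a stand-in for the real cipher."""
import math
import random
from collections import Counter

CHUNK = 4096  # assumed block size the encryptor walks the file in

# Constructed low-entropy "document": one sentence repeated a few thousand times.
PLAINTEXT = b"Quarterly revenue by region, see attached spreadsheet.\n" * 3000

def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def intermittent_encrypt(data, key_seed, every=3):
    """Encrypt the first CHUNK of every `every` chunks and skip the rest.
    With every=3, roughly one third of the bytes change, yet the document
    no longer opens cleanly because every CHUNK*every span has a scrambled block.
    Applying it twice with the same seed restores the original."""
    ks = random.Random(key_seed).randbytes(len(data))  # stand-in keystream
    out = bytearray(data)
    for start in range(0, len(data), CHUNK * every):
        for i in range(start, min(start + CHUNK, len(data))):
            out[i] ^= ks[i]
    return bytes(out)

def chunk_entropies(data):
    return [entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]

def whole_file_check(data, threshold=7.5):
    """Naive heuristic: flag only if the entire file looks random."""
    return entropy(data) > threshold

def chunk_check(data, threshold=7.5, min_fraction=0.2):
    """Flag if a meaningful share of CHUNK-sized blocks are individually random-looking."""
    ents = chunk_entropies(data)
    high = sum(1 for e in ents if e > threshold)
    return high / len(ents) >= min_fraction

def encrypted_fraction(original, modified):
    """Share of bytes that actually changed."""
    changed = sum(1 for a, b in zip(original, modified) if a != b)
    return changed / len(original)

if __name__ == "__main__":
    enc = intermittent_encrypt(PLAINTEXT, key_seed=1234)
    print("bytes changed:", round(encrypted_fraction(PLAINTEXT, enc), 2))
    print("whole-file check:", whole_file_check(enc))
    print("per-chunk check:", chunk_check(enc))
```

With a third of the bytes scrambled, the file as a whole averages out to moderate entropy and the naive check stays silent, while the per-chunk check sees that a third of the 4 KiB blocks are individually random-looking and fires. Real detectors combine this with I/O-rate and file-rename telemetry, since an encryptor can shrink the encrypted share further.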
Akira may sound soft — but its attacks are anything but. Another group likely born from the ashes of the Conti Group, Akira now operates independently, fine-tuning its attacks on healthcare, education, and manufacturing sectors across the U.S., EU, and Australia.
Akira uses a hybrid scheme: the ChaCha20 stream cipher for file contents, with each file’s key wrapped under an RSA public key so that only the operators, who hold the private key, can unwrap it. They love SonicWall VPN vulnerabilities. They even built a Rust-based variant to go after Linux hosts and VMware ESXi hypervisors, a move that screams technical maturity.
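The hybrid scheme that both LockBit and Akira rely on, a fast symmetric cipher for the file contents plus an RSA public key that wraps each file's key, as an added example in Python. It is not the code of either group; the toy RSA parameters (two Mersenne primes, no padding) and the SHA-256 counter-mode keystream are stand-ins for a properly generated RSA key and for AES or ChaCha20.

```python
"""Hybrid ransomware-style encryption: a fresh symmetric key per file,
wrapped under the operator's RSA public key so only the private key,
which never leaves the operator, can unwrap it. Added example, not
LockBit's or Akira's code. Toy parameters: the RSA modulus is the product
of two Mersenne primes, the wrap is unpadded textbook RSA, and the stream
cipher is SHA-256 in counter mode standing in for AES or ChaCha20."""
import hashlib
import os

# Operator key pair. Toy: p = 2^61-1 and q = 2^89-1 are known primes;
# real deployments use randomly generated ~1024-bit primes and OAEP padding.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; never shipped to the victim

PUBLIC_KEY = (N, E)    # embedded in the encryptor binary
PRIVATE_KEY = (N, D)   # held by the operators

def keystream(key, length):
    """SHA-256 counter-mode keystream (stand-in for a real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def stream_xor(data, key):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def encrypt_file(plaintext, pub=PUBLIC_KEY):
    """Victim side: random 16-byte file key, wrapped with the public key.
    Returns (ciphertext, wrapped_key); the plaintext file key is discarded,
    so the only copy of it on disk is the RSA-wrapped integer."""
    n, e = pub
    file_key = os.urandom(16)               # 128-bit value, well below n
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return stream_xor(plaintext, file_key), wrapped

def decrypt_file(ciphertext, wrapped, priv=PRIVATE_KEY):
    """Operator side (or the victim after paying): unwrap with d, then decrypt."""
    n, d = priv
    file_key = pow(wrapped, d, n).to_bytes(16, "big")
    return stream_xor(ciphertext, file_key)

if __name__ == "__main__":
    sample = b"Q3 payroll export\n" * 50      # constructed file contents
    ct, wrapped = encrypt_file(sample)
    print("wrapped key:", hex(wrapped))
    print("roundtrip ok:", decrypt_file(ct, wrapped) == sample)
```

The point for responders: everything left on the victim's disk (ciphertext, the wrapped key, the public key inside the binary) is useless without the private exponent, which is why recovery depends on either a leaked master key, a flaw in the encryptor's key handling, or backups, and why each file carrying its own random key means cracking one file does not unlock the next.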
By early 2024, Akira had hit more than 300 organizations, pulling in $50 million in ransom payments.