In March 2024, an affiliate of the BlackCat ransomware gang took to a cybercrime forum with a complaint. They’d carried out the attack on Change Healthcare – one of the largest healthcare data breaches in U.S. history – but never got their cut of the $22 million ransom payment. BlackCat’s operators had taken the money and vanished, putting up a fake FBI seizure notice on their leak site to cover the exit.
The grievance reads almost like a contractor dispute. Strip away the criminal element and the apparent double-cross, and what’s left is something any company executive would recognize: a business arrangement complete with supply chains, pricing, competition, and customers who expect their money’s worth. Today’s ransomware runs on exactly this logic.
From the outside, however, you wouldn’t know it. To the untrained eye, an attack looks like a break-in with a ransom note attached: someone gets in, steals and then locks the critical files, leaves a crude demand, and waits for payment. Clear and simple, but almost certainly incomplete. Understandably, the detonation and especially its impact draw the headlines, while everything that fed it stays off camera. But that is only where the operation finally surfaces. Much of what made the attack possible, and successful, happened where no one was looking.
Too cheap to fail
Behind the ransomware ‘storefront’ sits a kind of franchise operation, or perhaps a gig economy, complete with labor and tooling markets, subscription services, suppliers and partners, and something akin to service-level agreements between the parties involved. Collectively, they pave the way for the intrusion long before the ransom note arrives. If your organization views a ransomware incident only as a near-random break-in that came out of nowhere, its defenses will be built accordingly, and they will fail to account for how well-resourced and iterative the threat actually is.
The industry is structured so that each participant only needs to be competent at their own narrow function. The developer who maintains the ransomware platform and the brand never has to touch a victim’s environment to earn their cut. The affiliate pays a fee or a share of the ransom for access obtained with credentials they never harvested themselves. The initial access broker who sells a foothold into a corporate network doesn’t need to know what the buyer plans to do with the logins.
But together, they have applied the logic of the franchise to the ancient ‘art’ of the shakedown, splitting the weight of blame along the way. And whenever an industry structures itself this way, volume follows.
ESET’s detection data shows ransomware rising by 13% in the second half of 2025 compared to the prior six months, following a 30% increase in the first half of 2025. Meanwhile, Verizon’s 2025 Data Breach Investigations Report (DBIR) recorded a jump from 32% to 44% in the share of breaches involving ransomware, while the median ransom payment fell from $150,000 to $115,000. The targets are shifting, too. Mandiant’s analysis shows a move toward smaller organizations with less mature defenses.
More (and softer) targets plus smaller bites equate to a textbook volume play.
Ransomware is hardly random
Ransomware operations are built to scale regardless of whether any individual participant possesses formidable skills. Admittedly, the inner workings of what’s commonly known as ransomware-as-a-service (RaaS) are messier than those of, say, a fast food chain: coordination is loose, and turf wars are real and occasionally public. Still, the underlying logic holds. The ransomware industry lives and dies by trust among its participants and the incentives that bind them. And incentives, as ever, shape outcomes more than anything else.
So much so that the field is crowded accordingly. Competition tends to scale up its own unit of organization: first individuals, then families, then communities, then nations. In the digital world, individual hackers competing for notoriety morphed into organized groups competing for territory, which in turn became an interconnected network of specialists competing for market share. Unencumbered by borders or bureaucracies, cybercriminals compressed an arc that took legitimate industries decades into a couple of years.
Law enforcement doesn’t stand idly by, of course, and targeted disruptions create real uncertainty and impose real costs. But shutting down a firm in a competitive market doesn’t shut down the market. As the incentives stay aligned, the demise of a ransomware group triggers competition among survivors to take its spot. New entrants emerge, others rebrand or team up with peers, customers choose new suppliers, proven playbooks survive. Even the infighting among cybercrime groups amounts to the market purging its weaker players – competition working as advertised.
For example, when LockBit was disrupted by law enforcement and BlackCat collapsed in 2024, their affiliates moved mainly to RansomHub. In 2025, DragonForce – a relatively minor player at the time – defaced the leak sites of several rivals and took down the site of RansomHub, the then-leading operation. When RansomHub went quiet, Akira and Qilin absorbed its market share. The pattern holds because the barrier to entry stays low, the tools are available as a service, and the labor is so disposable that the supply of participants can’t be starved.
The Red Queen’s race
Cybercrime never stands still. The ransomware playbook of yore – lock the files and demand a ransom – has given way to double extortion, where attackers steal corporate data before encrypting it and publish at least samples from the haul on dedicated leak sites. The FBI and CISA now routinely describe ransomware as a “data theft and extortion” problem.

But the specific dangers also change fast. Barely two years ago, ClickFix – a social engineering technique in which a fake error message or CAPTCHA prompt tricks users into pasting and running a malicious command, typically via the Windows Run dialog or a terminal – was on almost nobody’s radar. Now it’s widespread and used by state-backed and cybercrime groups alike.
Then again, this speed of adaptation is hardly surprising once you realize that a version of it has been playing out in nature since, well, forever. Species locked in competition must continuously adapt merely to hold their position. Predators get faster, so prey gets faster. Prey develops camouflage, so predators develop sharper vision. Biology calls this the Red Queen effect, named after a character in Lewis Carroll’s Through the Looking-Glass who must keep running just to stay in place.
Security practitioners will recognize the dynamic, although the more familiar names – such as an arms race and a cat-and-mouse game – may be underselling it. The Red Queen describes something more specific: adaptation that produces no net advantage because the other side adapts almost in parallel.
Its clearest manifestation yet inhabits the space between defenders’ tools and attackers’ anti-tools. Endpoint detection and response (and extended detection and response, or EDR/XDR) products are key to catching the kind of hands-on-keyboard activity that ransomware affiliates conduct inside compromised networks. As the products have improved, criminals have responded by building a clandestine market for tools designed to disable them.
And where there’s a market, there’s a product – typically, lots of it.
ESET researchers track almost 90 EDR killers in active use. Fifty-four exploit the same underlying technique: loading a legitimate but vulnerable driver onto the target machine and using it to gain the kernel-level privileges needed to shut the security product down. Because the driver carries a valid signature, Windows loads it without complaint; it is the flaw inside the driver, typically arbitrary kernel memory access or arbitrary process termination, that the tool then abuses against the security product. The technique is called Bring Your Own Vulnerable Driver (BYOVD), and the vulnerable drivers are a commodity – the same driver appears across unrelated tools, and the same tool migrates between drivers across campaigns.
The EDR killer market mirrors the ransomware economy it serves. These anti-tools come packaged with subscription-based obfuscation services that update regularly to stay ahead of detection. Affiliates, not the ransomware operators, typically choose which killer to deploy – the purchasing decision is made at the franchise level. When the defensive product updates, the obfuscation service follows. Red Queen, again.
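A practical consequence of the above is that a BYOVD driver will pass a signature check, so detection has to key on what the driver is and where it came from rather than whether it is signed. The following is an added example, not ESET’s code or any tool mentioned on this page: it triages driver-load events shaped like Sysmon Event ID 6 (DriverLoad) against a vulnerable-driver blocklist and a path heuristic. The events and the blocklist hashes are constructed placeholders; in practice the blocklist would be populated from the Microsoft Vulnerable Driver Blocklist or the LOLDrivers project.

```python
"""Triage driver-load events for Bring Your Own Vulnerable Driver (BYOVD) activity.

Added example, not code from ESET or from any EDR killer. Events mimic the
field names of Sysmon Event ID 6 (ImageLoaded, Hashes, Signed, SignatureStatus).
The SHA256 values below are constructed placeholders, not real driver hashes.
"""
import re
from dataclasses import dataclass

# Constructed blocklist: SHA256 -> label. Assumption: an operator would export
# this from the Microsoft Vulnerable Driver Blocklist or LOLDrivers instead.
VULNERABLE_DRIVER_SHA256 = {
    "11" * 32: "placeholder-vulnerable-driver-A",
    "22" * 32: "placeholder-vulnerable-driver-B",
}

# A legitimately installed kernel driver should not be loaded from a
# user-writable location; EDR killers typically drop their driver there.
SUSPICIOUS_PATH = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    reason: str
    severity: str


def parse_hashes(field: str) -> dict:
    """Sysmon writes 'SHA256=...,MD5=...'; return {algorithm: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out


def triage(events: list) -> list:
    """Return one Finding per matched indicator across all events."""
    findings = []
    for ev in events:
        image = ev.get("ImageLoaded", "")
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")

        # The BYOVD check proper: a known-vulnerable driver, regardless of signature.
        if sha in VULNERABLE_DRIVER_SHA256:
            findings.append(Finding(image, f"hash matches {VULNERABLE_DRIVER_SHA256[sha]}", "high"))

        # Location heuristic: catches drivers the blocklist does not yet know.
        if SUSPICIOUS_PATH.search(image):
            findings.append(Finding(image, "kernel driver loaded from user-writable path", "medium"))

        # Signature checks still matter for non-BYOVD loaders, but a BYOVD
        # driver is validly signed and will NOT trip this branch.
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus", "") != "Valid":
            findings.append(Finding(image, "driver signature not valid", "high"))
    return findings


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {   # benign, signed driver from the system directory
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\example_ok.sys",
        "Hashes": "SHA256=" + "aa" * 32 + ",MD5=" + "bb" * 16,
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # BYOVD: validly signed, but a known-vulnerable driver dropped under C:\Users
        "ImageLoaded": "C:\\Users\\Public\\drv.sys",
        "Hashes": "SHA256=" + "11" * 32,
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # unsigned driver from ProgramData
        "ImageLoaded": "C:\\ProgramData\\tool.sys",
        "Hashes": "SHA256=" + "33" * 32,
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.image}: {f.reason}")
```

Note that the second sample event is the BYOVD case: it is signed and its signature status is valid, so only the hash match and the path heuristic flag it. Feeding the script a current blocklist is what answers the question of whether the drivers now in circulation would be caught.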
The sheer investment in EDR killers is, somewhat perversely, the clearest measure of how much damage the detection tools inflict on the criminal business model. After all, you don’t build an entire product category around disabling something that isn’t hurting your bottom line.
And the anti-tools may scale further still, as AI is making the market, not to mention the wider cybercrime economy, even easier to join. ESET researchers suspect that AI assisted in the development of some EDR killers – the wares of the Warlock gang are but one example. ESET experts have also spotted the first AI-powered ransomware, albeit not in actual attacks. Separately, other researchers have documented what they call ‘vibeware’: AI-aided malware produced at volume and intended to flood the target environment with disposable code in the hope that some of it gets through. The barrier to producing malware has dropped to the point where the constraint is intent rather than formidable skill – much like what we’ve witnessed on the broader cybercrime scene itself.
Reading the market
Viewing ransomware only as an attack produces defenses built against attacks. But think about ransomware as an industry and additional priorities come into focus.
How is the Red Queen dynamic between defensive products and anti-tools evolving? Which malicious tools, techniques and procedures are doing the rounds now? Can your security stack ward off a BYOVD attack that uses the drivers now in circulation? What happens to your environment if an MSP in your supply chain is compromised? Which ransomware actors are actively targeting your sector, and which EDR killers are they buying?
If you can’t answer these and other pertinent questions, then by the time the industry’s output reaches you, much of the chain has already executed. You can’t predict which group will target you, when, or through which vector. But you can maintain a current map of where the active groups are going – and whether any of those paths could lead to your door.