Skip to main content
Emerging ThreatsMalware & Ransomware

Ransomware Ecosystem Evolves Amid Profitability Decline

Darkened underground lair with modern computer equipment and a lone figure hunched over a laptop.

A new analysis finds a paradox at the heart of modern ransomware: the threat is both widespread and increasingly squeezed. In plain terms, ransomware remains a dominant danger across industries and regions even as the business model that fuels it shows signs of strain.

How we arrived here: commoditization and post‑compromise economics

The report, written by Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, and Genevieve Stark, traces a clear arc: beginning around 2018, many financially motivated actors shifted to post‑compromise ransomware deployments. That shift helped turn ransomware into one of the most pervasive threats facing organizations. Two market forces accelerated the spread: commoditization and specialization. Ransomware‑as‑a‑service (RaaS) lowered the barrier to entry by allowing different criminal specialists — code authors, access brokers, negotiators, and leak site operators — to operate within a commercialized ecosystem.

2025 snapshot: disruption, consolidation, and surprising outcomes

Despite the volume of activity, the report identifies multiple indicators that overall profitability for ransomware operations is declining. The authors point to several contributing dynamics: improved cybersecurity practices among defenders, greater organizational ability to recover from incidents, and falling ransom payment amounts and rates. Those factors, taken together, are squeezing the margins of what had been a highly lucrative enterprise.

At the same time, the ransomware ecosystem has been disrupted by both external and internal pressures. Law enforcement operations and internal conflicts among criminal actors have led to the disappearance or significant weakening of previously prolific RaaS groups, including LockBit, ALPHV, Basta, and RansomHub. Where some brands fell away, others rose to fill the vacuum: the report notes the emergence of the Qilin and Akira RaaS brands. Those two groups helped drive a record high number of victims posted to data leak sites (DLS) in 2025, even as the economics of the trade showed signs of decline.

Tactics, techniques, and procedures: what the authors observed

The report offers an overview of the ransomware landscape and the common tactics, techniques, and procedures (TTPs) observed in ransomware incidents that Mandiant Consulting responded to during 2025. In assembling that analysis the authors explicitly excluded activity focused only on data‑theft extortion, concentrating instead on post‑compromise ransomware operations. The combination of commoditized service offerings and specialized underground roles remains a defining feature of how adversaries operate and scale their campaigns.

Why this matters: perspectives for defenders, policymakers, and users

  • For technologists: the shift toward commoditization means defenders are often facing standardized playbooks. That can be an advantage — common patterns are detectable and mitigations can be reused — but it also means rapid reproduction of successful malicious techniques across many operators.
  • For policymakers and law enforcement: the ecosystem is resilient and adapts. Disrupting a prominent brand does not end the threat; it can create friction and reshuffle the field, but new operators can and do emerge to occupy the same market niches. The report’s documentation of both decline in profitability and the concurrent rise of new RaaS brands underscores the need for sustained, adaptable approaches to disruption.
  • For organizations and users: improving cybersecurity practices and incident recovery capabilities matters. According to the authors, such improvements are among the factors contributing to reduced profitability for attackers, signaling that investments in resilience and response can produce measurable effects.

The report paints a nuanced picture: success for defenders and pressure on criminal profits can coexist with a higher number of publicized victims. That apparent contradiction — squeezed economics alongside proliferating disclosures to data leak sites — reflects an ecosystem in transition, not collapse.

As the ransomware market reinvents itself, the central question remains practical and urgent: will continued improvements in defense and coordinated disruption be enough to change the calculus that makes RaaS attractive, or will the marketplace of illicit services simply evolve new ways to extract value? The report leaves that question squarely to policymakers, defenders, and the broader security community to answer.

https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/