Three Factors Determine Whether a Ransomware Group is Successful
Ransomware success depends on automation, customization and advanced tooling. By analyzing RaaS recruitment posts on the dark web, researchers found that platforms offering these capabilities attract more skilled affiliates and produce more effective attacks. Automation speeds up attacks, customization adds flexibility, and advanced tooling further strengthens attack capability. Experts advise organizations to adopt a layered security strategy and a zero-trust architecture to counter the threat. 2025-10-27 10:04:13 Author: securityboulevard.com

Ever wonder what makes ransomware groups successful? You're in good, and maybe bad, company. Like everyone else in this industry, you probably have some thoughts. Now ReliaQuest has identified a trio of factors that distinguish the gangs that enjoy success.

After analyzing Ransomware-as-a-Service (RaaS) recruitment posts on the dark web, the security firm came up with a three-factor model based on workflow automation, advanced tooling and attack customization. Platforms that include these capabilities draw the most elite bad actors and lead to attacks that are more effective and likely more profitable, the researchers revealed in a report, Threat Spotlight: How Automation, Customization, and Tooling Signal Next Ransomware.


“In the competitive ransomware-as-a-service (RaaS) ecosystem, a group’s success—defined here as victim count on its data-leak site—depends on the sophistication of its platform and its unique offerings,” the report said. “Such bespoke platforms attract the most skilled affiliates, who can often bypass stronger defenses to compromise higher-revenue organizations, increasing the likelihood of a successful extortion payment.”

Just like their counterparts in legitimate business, bad actors are keen on automating. Automation brings the speed adversaries need to build and launch ransomware attacks: 80% of the RaaS groups ReliaQuest analyzed offer automation, or AI, on their platforms, including automatic detection of EDR and antivirus products. They also offer the ability to automatically kill that software before it can stop an affiliate from executing the ransomware.
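The defender-side counterpart of that automation is detecting it. The following is an added example, not code from the article or from ReliaQuest: a small detector that scans constructed Windows event records (Service Control Manager event 7036 "entered the stopped state" and Sysmon event 1 process creation carrying the command line) and raises an alert when two or more distinct security services on one host are stopped, killed or disabled within a short window, which is the signature of a scripted "kill EDR/AV" step rather than a single administrator action. The log format, the host names and the "ExampleEDR" service are assumptions invented for the example; "WinDefend" is the real service name of Microsoft Defender Antivirus.

```python
"""Detect burst termination of security services (added example, constructed data)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Services and processes whose stop or kill is suspicious, keyed by the names
# that appear in logs (service short name, display name, or image name).
# "WinDefend" is Microsoft Defender Antivirus; "ExampleEDR" is a hypothetical
# third-party agent used only for this example.
PROTECTED = {
    "windefend": "WinDefend",
    "windows defender antivirus service": "WinDefend",
    "exampleedr": "ExampleEDR",
    "exampleedr.exe": "ExampleEDR",
    "example edr agent": "ExampleEDR",
}

# Command lines typical of scripted defense evasion: sc/net stop, taskkill /IM,
# and disabling Defender real-time protection via PowerShell.
STOP_CMD = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)
KILL_CMD = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([^\s\"]+)", re.I)
DEFENDER_OFF = re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)
SVC_STOPPED = re.compile(r"^The (.+?) service entered the stopped state", re.I)

# Constructed sample records (not from the article): "timestamp|host|event_id|message".
SAMPLE_LOGS = [
    "2025-10-27T10:04:01Z|WS-042|1|CommandLine: sc stop WinDefend",
    "2025-10-27T10:04:03Z|WS-042|7036|The Windows Defender Antivirus Service service entered the stopped state.",
    "2025-10-27T10:04:05Z|WS-042|1|CommandLine: taskkill /F /IM ExampleEDR.exe",
    "2025-10-27T10:04:07Z|WS-042|1|CommandLine: powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    # Benign: one agent restarted during patching, and an unrelated service stop.
    "2025-10-27T09:15:00Z|SRV-007|7036|The Example EDR Agent service entered the stopped state.",
    "2025-10-27T11:30:00Z|SRV-007|7036|The Print Spooler service entered the stopped state.",
]


def parse_line(line: str):
    """Split one record into (timestamp, host, event_id, message)."""
    ts, host, event_id, msg = line.split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, int(event_id), msg


def targeted_service(event_id: int, msg: str):
    """Return the protected service a single event stops/kills/disables, or None."""
    if event_id == 7036:  # Service Control Manager state change
        m = SVC_STOPPED.match(msg)
        return PROTECTED.get(m.group(1).lower()) if m else None
    if event_id == 1:  # Sysmon process creation; message carries the command line
        if DEFENDER_OFF.search(msg):
            return "WinDefend"
        for pat in (STOP_CMD, KILL_CMD):
            m = pat.search(msg)
            if m:
                return PROTECTED.get(m.group(1).lower())
    return None


def detect_defense_kill_bursts(lines, window=timedelta(seconds=60), min_services=2):
    """Alert per host when >= min_services distinct protected services are hit within `window`."""
    hits: Dict[str, List[tuple]] = {}
    for line in lines:
        ts, host, eid, msg = parse_line(line)
        svc = targeted_service(eid, msg)
        if svc:
            hits.setdefault(host, []).append((ts, svc))

    alerts = []
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each event; distinct services, not event count,
            # so repeated stops of one service during maintenance do not fire.
            distinct = {s for t, s in events[i:] if t - start <= window}
            if len(distinct) >= min_services:
                alerts.append({"host": host, "start": start, "services": sorted(distinct)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_defense_kill_bursts(SAMPLE_LOGS):
        print(f"{alert['host']}: {', '.join(alert['services'])} stopped from {alert['start']:%H:%M:%S}")
```

In production the same logic would read from the SIEM rather than a list, and the `PROTECTED` map should be generated from the actual agent inventory so that a renamed or newly deployed agent is covered; the window and threshold are starting points to tune against the host's normal patch activity.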

Customization, another business goal, has also crept into the ransomware landscape, with 60% of RaaS groups offering it. Customization lets affiliates change how the ransomware behaves during an attack; one option is prioritizing encryption strength over speed. “The speed of attacks has dramatically increased — average breakout time is now just 18 minutes — and defenders have significantly less time to react,” the ReliaQuest report notes.

The most successful RaaS groups — those with the most victims listed on their data-leak sites — also offer their affiliates access to advanced tools and features, but only 50% of the groups currently provide these capabilities. 

“The persistence of Cybercrime-as-a-Service (CaaS) models, particularly ransomware-as-a-service (RaaS) and malware-as-a-service (MaaS), is growing rapidly as less experienced threat actors gain access to new tools to carry out disruptive attacks,” says Nathaniel Jones, vice president, security & AI strategy, and field CISO, Darktrace.  

Attackers can find everything in the CaaS ecosystem from “pre-made malware to templates for phishing emails, payment processing systems and even helplines” that will give even bad actors with limited technical knowledge the tools they need to succeed, says Jones, who cites Darktrace’s 2024 Annual Threat Report that found “the use of MaaS tools rose 17% in the latter half of 2024, from 40% in the first six months to 57% of campaign activity.”

Jones says the growth of these RaaS marketplaces “places greater opportunity on the side of threat actors who no longer must extract ransom payments to see profit, as they can use subscription models to return revenue for their ransomware development and deployment.”

And ransomware tactics have moved away “from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods,” where “rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.” 

Researchers at ReliaQuest believe that, based on the factors outlined in their report, “emerging ransomware groups ‘The Gentlemen’ and ‘DragonForce’ are likely poised for success by offering the advanced features that market leaders like ‘Qilin’ advertise.” 

But regardless of the ransomware actor involved, “the foundational controls still matter,” says Trey Ford, chief strategy and trust officer at Bugcrowd. Knowing your total attack surface and testing your environment, with an eye toward efficient remediation, is key. Enterprise controls, including visibility (logging, EDR), hardening (privileged account management, a careful inventory of service accounts), and MFA for domain admin and remote access, are paramount. There is a strong correlational reason why cyber insurance underwriters ask about those key controls and coverage in the application process.

To counter the current surge in RaaS, “organizations must embrace a layered security strategy” that includes implementing a zero-trust security architecture to ensure “continuous verification of all network access,” says Darren Guccione, CEO and Co-founder at Keeper Security. Regular vulnerability patching, combined with Privileged Access Management (PAM) and robust password management policies enforcing Multi-Factor Authentication (MFA), all help to close common attack vectors. Strong data backups, ongoing training for employees and clear incident response plans are vital to minimizing impact and recovery time.

Even with aggressive defense and countermeasures, defenders, of course, won’t be able to shut down every ransomware adversary. “We are likely to continue to see larger, more successful ransomware groups enjoy heightened international attention from law enforcement organizations,” says Balazs Greksa, director, threat response, Ontinue. “With the increasing number of successful takedowns, extraditions, and arrests, some groups are expected to further fragment and rebrand themselves; however, only a small percentage might be deterred from continuing their cybercrime activities.”  

Source: https://securityboulevard.com/2025/10/three-factors-determine-whether-a-ransomware-group-is-successful/