
The Industrialisation of Extortion & Mapping the True Scale of the Ransomware Economy

Published: 5th June 2026

For deeper insights into ransomware threat intelligence, listen to the full podcast episode with Tom Exelby, Head of Cyber Security at Red Helix, and Ross Asquith from Halcyon: https://open.spotify.com/episode/710RHYz5Oq4VvEYxULEGbM

Ransomware has officially moved past the point of being an operational headache for IT departments. It is now a genuine macroeconomic threat to the UK, to the extent that recent figures show it is actively dragging down the country’s Gross Domestic Product. For any CISO or business leader, it is undisputedly the most pressing risk on the horizon. 

From a £150 Cheque to Multi-Million Pound Campaigns 

It is easy to forget just how rudimentary this threat was when it first emerged. The timeline of modern digital extortion effectively started in 1989 with the “PC Cyborg Attack.” Orchestrated by an evolutionary biologist named Dr Joseph Popp, the attack targeted attendees of a WHO AIDS conference. He managed to get hold of their postal addresses and sent them all 5.25-inch floppy disks. The ransom demand was a grand total of $189, which victims were asked to post via a physical cheque to a PO Box in Panama. 

By 2017, the threat had completely transformed with the arrival of WannaCry. This was a self-propagating worm that ripped through unpatched, legacy Windows systems globally. It famously crippled substantial parts of the NHS, costing the health service an estimated £92 million and causing billions of pounds in damages worldwide. It proved that extortion could be scaled up to cause mass societal disruption. 

Today, we are looking at a highly commercialised Ransomware-as-a-Service (RaaS) era. Attacks are no longer random, automated blitzes. Instead, they are hands-on corporate campaigns run by organised syndicates that employ their own marketing teams, technical developers, and front-line helpdesks to negotiate payouts. 

The Mechanics of the Underground Economy 

The modern cybercrime ecosystem mirrors a legitimate software industry, built entirely on specialisation. The groups building the malware rarely deploy it themselves. Instead, they rely on a distinct supply chain of criminals to get the job done. 

First, Initial Access Brokers do the heavy lifting of breaking into a corporate network. They do this by exploiting unpatched firewalls, or by using social engineering and voice phishing to trick employees into resetting passwords. Once they have a stable foothold in a company’s system, they sell that access to the highest bidder on the dark web. 

Next come the RaaS Operators. These are the major brands like Qilin or Akira that develop the encryption engines and run the leak sites where stolen data is published. They license their software to “affiliates”, the tactical executioners who buy the access from the brokers and carry out the raid inside the victim’s network. The final ransom payout is then split between the affiliate and the operator.

Velocity and Volatility 

The efficiency of this business model has allowed syndicates to scale up their operations dramatically over the last two years. According to data tracked on dark web leak sites, the sheer volume of successful breaches across top-tier threat groups has surged since 2024: 

Qilin: Rose from around 180 recorded victims in 2024 to well over 1,000. 

LockBit: Maintained high volumes despite international law enforcement sanctions, pushing past 1,000 victims. 

Akira: Scaled up its operations from roughly 300 targets to around 750. 

While these massive enterprise breaches dominate the news cycle, mid-market companies and SMEs are taking the brunt of the damage. Payout demands for smaller businesses usually sit around the £80,000 mark. This is entirely deliberate. The attackers will actively audit a company’s financial records and insurance policies while hiding in the system, calculating a figure that causes maximum financial pain without forcing the business straight into bankruptcy. Even with this calculated approach, roughly 67% of SMEs that suffer an attack report falling into severe financial distress due to immediate cash flow collapse.

Weaponising Compliance and Public Markets 

The tactics used to force a payout have evolved far beyond locking up servers. Because companies have poured money into robust backup systems, criminals have developed multi-layered extortion methods to bypass traditional recovery strategies.

If a company refuses to pay to decrypt their systems, the attackers pivot to double extortion, threatening to dump sensitive corporate data onto public shame sites. If that fails, they move to triple extortion by contacting the company’s clients, suppliers, or patients directly, warning them that their personal information is about to be leaked unless individual micro-ransoms are paid. 

More recently, we have seen the rise of quadruple extortion, where criminals weaponise the regulatory state. Attackers have started reporting their own victims to the Information Commissioner’s Office (ICO) for data protection failures to trigger massive fines.  

Even more sophisticated is the practice of short selling a victim’s stock on the public market just before publicising the hack, allowing the syndicate to profit from the company’s falling share price regardless of whether the ransom is paid. 

Bypassing the Primary Line of Defence 

The most alarming takeaway from recent threat intelligence is how easily these syndicates render standard security tools useless. 

Almost every high-profile victim hit recently had an Endpoint Detection and Response (EDR) platform running. The reality is that attackers know exactly how to neutralise them. For a few thousand pounds on the dark web, affiliates can buy turn-key tools that can blind standard EDR agents. 

Once that primary line of defence is down, the attackers “live off the land.” They stop using obvious malicious software and instead hijack the legitimate, built-in administrative tools already present in Windows. To a monitoring team or automated platform, it simply looks like standard network maintenance, right up until the moment the systems go dark. 

Relying on a single defensive layer is a strategy that is no longer fit for purpose. Survival requires continuous, behavioural monitoring across the entire network, air-gapped recovery systems that criminals cannot reach, and a security posture that treats even routine internal administrative tasks with a healthy dose of suspicion. 
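To make the behavioural-monitoring point concrete, here is an added example (not code from Red Helix, Halcyon or the podcast) that runs two detections over constructed Sysmon-style process-creation records: an attempt to stop the EDR sensor service, and a burst of several distinct built-in Windows admin tools on one host inside a short window, which is what “living off the land” looks like in telemetry when each tool on its own is routine. The EDR service name and every log record are assumptions invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows administrative tools that affiliates repurpose once the EDR
# agent is blinded. Any one of them is routine; several on one host in a short
# window, from a service account, is the behaviour worth investigating.
NATIVE_ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "vssadmin.exe", "bcdedit.exe",
                      "sc.exe", "net.exe", "schtasks.exe", "reg.exe"}
# Hypothetical sensor service name; substitute your EDR vendor's real service name.
EDR_SERVICE = "ExampleSensorSvc"

# Constructed Sysmon-style process-creation records (not real telemetry):
# (timestamp, host, user, image, command line).
SAMPLE_EVENTS = [
    ("2026-06-01T09:00:05", "WS-07", "alice", "outlook.exe", "outlook.exe"),
    ("2026-06-01T09:01:10", "WS-07", "alice", "powershell.exe", "powershell.exe -File backup.ps1"),
    ("2026-06-01T02:14:00", "SRV-DB1", "svc_backup", "sc.exe", f"sc.exe stop {EDR_SERVICE}"),
    ("2026-06-01T02:14:30", "SRV-DB1", "svc_backup", "vssadmin.exe", "vssadmin.exe list shadows"),
    ("2026-06-01T02:15:02", "SRV-DB1", "svc_backup", "wmic.exe", "wmic.exe shadowcopy list"),
    ("2026-06-01T02:16:40", "SRV-DB1", "svc_backup", "bcdedit.exe", "bcdedit.exe /enum"),
]


def detect(events, window=timedelta(minutes=10), min_distinct_tools=3):
    """Return (rule, host, user, detail) alerts for two behaviours:
    'edr_tamper'       - sc.exe used to stop the EDR sensor service;
    'admin_tool_burst' - min_distinct_tools different native admin tools
                         run on one host within `window` (alerted once per host).
    """
    alerts, recent_by_host, burst_alerted = [], defaultdict(list), set()
    for ts, host, user, image, cmdline in sorted(events):
        t, image, words = datetime.fromisoformat(ts), image.lower(), cmdline.lower().split()
        if image == "sc.exe" and "stop" in words and EDR_SERVICE.lower() in words:
            alerts.append(("edr_tamper", host, user, cmdline))
        if image not in NATIVE_ADMIN_TOOLS:
            continue
        # Sliding window: keep only this host's admin-tool launches inside `window`.
        recent = [e for e in recent_by_host[host] if t - e[0] <= window] + [(t, image)]
        recent_by_host[host] = recent
        distinct = sorted({img for _, img in recent})
        if len(distinct) >= min_distinct_tools and host not in burst_alerted:
            burst_alerted.add(host)
            alerts.append(("admin_tool_burst", host, user, distinct))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The workstation's single scripted PowerShell launch produces no alert, while the server that stops the sensor and then walks through three native tools in two minutes produces both, which is the difference a behavioural baseline adds over per-tool signatures.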
