What Makes Ransomware Groups Successful?

Dark Reading

Successful ransomware groups have three key elements in common. Spoiler alert: Indicators of success don't all revolve around artificial intelligence.

November 4, 2025

Ransomware gangs' continued success is well-documented, from reports of substantial payouts and financial fallout to prolonged disruptions. Each year certain groups emerge in the top rankings, and what sets them apart is becoming clearer. Success can be measured by a variety of factors, including financial gains, brand reputation, victim downtime, activity level and, for the ransomware-as-a-service (RaaS) model, the number of affiliates. The steady, alarming numbers recorded over the past five years show how effective the threat is, and it continues to evolve to get past enterprise defenses. Research, however, reveals which elements contribute to the top RaaS groups' success, and those findings can in turn shape security strategies. The biggest hurdle is keeping pace with how quickly attackers evolve.

Recent research from ReliaQuest measures ransomware success by the number of victims posted to a group's data leak site. Threat actors use data leak sites to publicly shame victims into paying a ransom, and that added pressure has paid off for the groups. Based on those parameters, ReliaQuest identified three facets of thriving ransomware groups. ReliaQuest crowned the Qilin ransomware a "market leader" and warned that LockBit 5.0 is gaining traction.
"Ransomware platforms built on automation, customization, and advanced tooling likely attract the most skilled affiliates and appear to create the most successful RaaS groups, judging from data-leak site victim counts," ReliaQuest states in the report.

Automation is the most important component. Researchers found that 80% of the RaaS groups they analyzed include some automation and artificial intelligence (AI) in their platforms. Automation contributes to their effectiveness by ramping up the speed of attacks. The average breakout time is now 18 minutes, leaving defenders with significantly less time to react, the report states.

Other researchers observe a similar trend. While groups increasingly use AI to further attack success, the tactic is still early-stage and unevenly adopted, explains Christiaan Beek, senior director of threat intelligence and analytics at Rapid7. Ransomware crews are experimenting with AI, mostly to speed up reconnaissance, craft more convincing phishing, or automate parts of their operations. But the attackers' mindset is evolving even faster, he says.

"Attackers are starting to think in AI-driven workflows, blending automation and data-driven targeting," Beek tells Dark Reading. "It doesn't make them unstoppable, but it does make them faster, more adaptive, and harder to predict."

Multiple reports have emerged about threat actors' increasing and lucrative use of AI for reconnaissance and social engineering. Ransomware groups also use AI to automate target selection and scale operations faster than before, says Tom Hegel, threat researcher at SentinelOne. AI advances also lower the barrier to entry, allowing less-skilled affiliates to conduct sophisticated campaigns and expanding the ransomware landscape even more.
"While we're not yet seeing fully autonomous ransomware operations [excluding prototypes], AI-driven automation is already shortening breakout times and boosting overall success," Hegel says. "It's another force multiplier in an ecosystem built around speed, scale, and leverage."

Customization is another driver of success, offered by 60% of the RaaS groups ReliaQuest analyzed. Its importance lies in how it can "dynamically change how the ransomware operates during an attack." For example, it gives attackers the ability to prioritize the strength or speed of encryption. Stronger encryption makes it more difficult for organizations to restore data without paying the ransom, while faster encryption can make it harder to contain the threat as the malware spreads to more files.

Advanced tooling came in third because only 50% of the ransomware groups analyzed offer those capabilities on their platforms. But it poses a significant risk to enterprises regardless of the defenses they have deployed. "Top-tier groups typically offer scripts that can bypass and disable EDR [endpoint detection and response] and antivirus tools on a compromised endpoint, as well as tools for deleting an organization's backups during ransomware deployment," the report states.

Weaponized intelligence also fuels RaaS operators' success rates. The most profitable groups use intelligence to harvest victims' cloud data, map finance and insurance postures, and assess sector sensitivities, tailoring their extortion demands, Beek explains. In many instances, Rapid7 researchers observed them forgo the use of a ransomware binary entirely. Instead, they threatened to publicize the victims' stolen data, and that alone was enough to elicit a payment.
"For example, we recently observed Crimson Collective has focused on stealing data from AWS environments for extortion, while Clop has run large data-theft extortion campaigns tied to enterprise application exploits rather than always relying on encrypting binaries," Beek says.

Overall, the RaaS operating model is designed for success. Operators build reliable tooling, leak sites, and payment infrastructure, while affiliates focus on intrusion and extortion, says Hegel, adding that this division of labor scales operations massively. The ecosystem consists of initial access brokers, multi-extortion tactics, strong operational security, and decentralized infrastructure that survives takedowns.

"The result is a repeatable, scalable enterprise with the efficiency of a SaaS [software-as-a-service] company — just on the wrong side of the law," Hegel says.

Good news to come out of the ReliaQuest report is that "fewer than half of the RaaS groups analyzed can provide the complete trifecta of capabilities." While the report highlights the most successful ransomware gangs, the researchers urge enterprises to focus security strategies on the ecosystem as a whole, and on the tactics, techniques, and procedures shared among the groups, rather than on any individual group. Actions to take include implementing automated containment and response plays to keep pace with attackers' increasing speed, enforcing strict network segmentation to limit blast radius, and developing strategies that bolster visibility in the face of advanced attacker tooling.

Arielle Waldman, Features Writer, Dark Reading

Source: This article was originally published on Dark Reading
