Abstract:
Ransomware is a major cybersecurity threat facing organisations worldwide and has evolved into a highly lucrative criminal enterprise. Over the past five years, Conti, LockBit, and BlackCat/ALPHV have emerged as three of the most prominent ransomware groups, responsible for major cyberattacks across sectors including healthcare, banking, and critical national infrastructure. While these groups are well known by name and have been discussed in industry articles, blogs, and government briefs, there remains a notable lack of academic research into the groups themselves, particularly regarding their origins, values, membership, and organisational structures. This talk addresses this research gap and aims to advance academic understanding of these and other ransomware threat actors, contributing to the evidence base through which they may be better understood and disrupted. Drawing on the PRISMA systematic review approach and a critical analysis of over 500 dispersed sources, including ransomware group communications, we examine the origins, structure, organisation, dynamics, and nature of Conti, LockBit, and BlackCat/ALPHV. Our findings reveal that, while each group is unique, they share several noteworthy similarities: Russian origins, business-like operations, an emphasis on brand-building, strong leadership structures, a propensity for retaliation, use of ransomware-as-a-service models, and deployment of multi-level extortion tactics. These insights provide an evidence-based understanding of how such groups function and compare, while also offering important leads for wider mitigation strategies. Consequently, we make several actionable recommendations to disrupt the ransomware ecosystem, including undermining ransomware group branding, targeting affiliate networks, and publicly exposing key members.
To our knowledge, this is the first academic study to leverage an understanding of these groups, to synthesise such an extensive body of dispersed material, and to apply robust qualitative methods to derive comparative insights for the security research community. In addition, we leverage our findings to introduce a new conceptual framework through which other ransomware groups can be studied, profiled, and compared in the future.
The talk is based on the following research paper:
Andrew Phipps and Jason Nurse (2026) Inside ransomware groups: An analysis of their origins, structures, and dynamics. Computers & Security, 160:104705, 25 pages. https://doi.org/10.1016/j.cose.2025.104705
Bio:
Dr Jason R.C. Nurse is a Reader in Cyber Security in the Institute of Cyber Security for Society and the School of Computing at the University of Kent. He also holds the roles of Associate Fellow at The Royal United Services Institute (RUSI), Visiting Fellow in Defence and Security at Cranfield University, and Research Member of Wolfson College, University of Oxford. His research interests include human aspects of cyber security, security culture, cyber harms, ransomware, cyber insurance, and corporate communications and cyber security. Dr Nurse has published over 120 peer-reviewed articles in prestigious security journals, and his research has been featured in national and international media including the BBC, Associated Press, The Wall Street Journal, The Washington Post, Newsweek, Wired, The Telegraph, and The Independent. Prior to joining Kent in 2018, Dr Nurse was a Senior Researcher in Cyber Security at the University of Oxford and before that, a Research Fellow in Psychology at the University of Warwick. More about him can be found at https://jasonnurse.github.io/.