Ransomware group profits are rising faster than FTSE 350 firms

Sophisticated infrastructure allows servers, leak sites, and negotiation portals to be quickly rebuilt after disruption

Ransomware is still a booming business, according to new research from Rapid7 Labs. So much so that cyber criminal gangs are outperforming major companies.

Analysis from the cybersecurity firm found ransomware groups made an estimated $529.2 million in the first quarter of this year, with total revenues up by 39% year-on-year.

That's a better performance than FTSE 350 companies have managed in the same period, not one of which showed year-on-year revenue growth of over 30% during the quarter.

A number of major cyber crime outfits are profiting from the boom, and it’s been a particularly good year for the Qilin ransomware group. Rapid7 researchers noted the group made an estimated $193 million between July 2025 and March 2026.

The Gentleman group, meanwhile, made an estimated $52 million over the same period.

“Ransomware groups are not the isolated, hooded hacking crews in dark rooms,” said Thom Langford, CTO EMEA at Rapid7. “Instead, many resemble highly efficient businesses generating revenue growth that would make legitimate organizations envious.”

Booming ransomware revenues

One reason for the booming revenues is the rise of initial access brokers, which has lowered the barriers to entry by shifting cyber crime from technically specialized malware development to a mature underground marketplace.

Access, tooling, and full attack services are now commercially available to almost anyone. Modern cyber crime operations involve distributed networks of specialists who handle initial access, malware, and ransom negotiations, and who work together much like legitimate supply chains.

Servers, leak sites, and negotiation portals can be quickly rebuilt after disruption, while law enforcement takedowns take longer to coordinate and execute.

“The problem is they are demonstrating, very publicly, that ransomware can be a successful criminal enterprise, and ironically, in some ways, they’re more resilient than businesses themselves,” said Langford.

“Removing one group, one server, or one piece of infrastructure rarely collapses the wider operation because the ecosystem is designed to keep functioning around the damage.”

Battling continued ransomware threats

Rapid7 said organizations should prioritize identifying and reducing exposed attack surfaces on a continuous basis, focusing on misconfigurations, isolated assets, and internet-facing vulnerabilities.

These are all commonly exploited in initial access brokerage markets, the study noted.

Elsewhere, security teams should leverage threat intelligence more proactively to map adversary behavior patterns, infrastructure, tooling, and access pathways.

Notably, researchers said defenses should shift toward preventing credential and access compromise at source. This includes implementation of stronger identity controls, enforcement of least privilege rules, and monitoring for early indicators of credential resale or misuse in underground ecosystems.

“To give ransomware groups the economic crash they deserve, we need to shift to earlier visibility and earlier action,” said Langford.

“That means businesses understanding exposure, reducing attack surface, tightening identity controls, and using threat intelligence to intervene earlier in the chain before ransomware becomes an outcome rather than a possibility.”

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.