Corvus

Market analysis

Analysis

Positioning

Cybercrime is an industry-shaped subject — a criminal market with identifiable supply-side 'firms' (RaaS brands), buyer/affiliate behaviour, competitive rivalry between brands, and substitutes (insurance vs. payment vs. resilience). The competitive exhibit below treats the leading ransomware-as-a-service brands as 'competitors' in the criminal market for ransomware capability, with SWOT and Porter's Five Forces evaluating the dynamics of that market from a defender's analytic perspective.

Competitors

SWOT

Strengths
  • Industrialised supply chain — RaaS, IABs, droppers, mixers each specialise: Division of labor reduces required skill per actor and increases throughput; the supplier layer is resilient even when one brand is taken down.
  • Cryptocurrency-native monetisation: Cross-border value transfer without traditional KYC permits scale that legacy financial-crime channels cannot match.
  • Jurisdictional safe havens: Russia / DPRK / Iran provide insulation from Western law-enforcement reach; 77% of state-sponsored ops trace to four such jurisdictions.
  • AI-enabled tooling advantage in phishing/vishing: Voice cloning and AI-generated pretexts let attackers automate convincing fraud at scale before defender tooling catches up.
Weaknesses
  • Brand fragility — single takedowns collapse confidence and supplier relationships: ALPHV, LockBit and Hydra all suffered measurable affiliate flight after seizure announcements.
  • On-chain traceability erodes operational security: Chainalysis-class blockchain analytics make laundering increasingly difficult and have supported numerous indictments.
  • Decentralisation raises coordination cost: ENISA documents the post-takedown decentralisation explicitly — it preserves capability but raises friction for affiliates choosing partners.
Opportunities
  • Generative AI for phishing/vishing scale: Documented US$25M single-incident deepfake CEO scam case; rapidly falling cost of voice-clone tooling.
  • Edge-device exploit pipeline (Ivanti, Fortinet, Citrix, SonicWall): KEV-tracked edge appliances are repeatedly weaponised by ransomware affiliates as the access stage; 35 Ivanti CVEs on KEV alone.
  • Cross-criminal-state arbitrage: DPRK's hybrid model — crypto-heist proceeds funding state programs — demonstrates a viable new operating model others may replicate.
Threats
  • Coordinated multi-agency law-enforcement disruption: Operation Cronos, Operation Endgame Phases 1 and 3, ALPHV seizure — Western LE has demonstrated repeatable capability to dismantle infrastructure.
  • OFAC sanctions and prosecutions raising affiliate risk: US sanctions against LockBit affiliates and Russian-national indictments raise the personal-risk side of the ledger for individual operators.
  • Crypto-regulator action against mixers and no-KYC exchanges: Tornado Cash sanctions, Bitzlato seizures, growing exchange compliance — monetisation rails are tightening.
  • Insurance-market discipline reducing willingness to pay: Cyber-insurance underwriters increasingly require backups + IR-readiness and may decline ransom-payment coverage; victims with mature backups don't need to pay.

Porter's Five Forces

Threat of New Entry: high

RaaS commoditisation and the existence of affiliate programs explicitly designed for non-technical entrants make entry extremely easy — the supplier layer (droppers, IABs, mixers) supplies all the missing capability. AI-tooling for phishing further lowers entry barriers.

Supplier Power: moderate

Initial-access brokers and dropper-as-a-service operators have meaningful pricing power because they hold rare access; but the supplier layer is wide enough (Endgame Phase 1 named six distinct dropper families) that no single supplier can dictate terms. Crypto-mixer supplier power has fallen as enforcement closed major mixers.

Competitive Rivalry: high

Multiple RaaS brands compete for the same affiliate pool (LockBit, BlackCat, Conti successors, etc.); brand-collapse following takedowns creates rapid market-share churn. The defender side also operates competitively — multiple national agencies racing to claim credit for takedowns.

Buyer Power: moderate

Affiliates can shop between RaaS brands and increasingly demand better cuts; victim buyer power (the ransom payer) has risen as insurance and backup adoption improves and median payments depend more on negotiation — though willingness-to-pay remains the dominant variable.

Threat of Substitution: moderate

For the criminal market, substitution comes from alternative fraud types (BEC, AI-deepfake CEO fraud, crypto-exchange heists) and from victims investing in resilience (backups, EDR, MFA) instead of paying ransoms. ENISA documents ransomware decentralising precisely because affiliates substitute when a brand is taken down.