Ransomware Economics in 2026: Why the Market Keeps Growing Despite the Crackdowns
Law enforcement has disrupted more ransomware operations in the last two years than in the entire previous decade. LockBit’s infrastructure was seized and its leadership identified. BlackCat/ALPHV’s servers were taken down. Hive was dismantled. The FBI, Europol, and allied agencies have demonstrated that ransomware groups are not as operationally secure as they believed, and that international cooperation on cybercrime enforcement has reached a level of effectiveness that would have seemed optimistic five years ago.
Ransomware payments set a new record in 2024. The crackdowns are not solving the problem. Understanding why requires looking at the economics rather than the law enforcement scorecard.
The Ransomware-as-a-Service Model Is Resilient by Design
Modern ransomware operates through a franchise model — Ransomware-as-a-Service (RaaS) — that distributes both the capability and the risk. The ransomware developers build and maintain the encryption software, negotiation infrastructure, and cryptocurrency payment processing. Affiliates — independent operators who handle the actual intrusion, lateral movement, and payload deployment — license the tooling and keep 70-80% of ransom payments, with the remainder flowing to the developers.
This structure is resilient to law enforcement disruption in a specific way: taking down the developer operation does not take down the affiliates. When LockBit’s infrastructure was seized, the affiliates — who hold the intrusion capabilities, the victim access credentials, and the operational knowledge — migrated to alternative RaaS providers within weeks. The capability did not disappear. The franchise changed flags.
The Payment Decision
The ransom payment decision for a victim organization is an economic calculation that frequently resolves in favor of paying. The inputs: cost of downtime, cost of data recovery from backups (assuming backups exist and have not been encrypted), cost of breach notification and regulatory compliance, cost of reputational damage from data publication, and probability of successful recovery without payment. Against this: ransom demand, probability that decryption keys work after payment, and secondary risk of being targeted again.
For many organizations, particularly healthcare, manufacturing, and logistics companies where operational downtime has immediate revenue consequences, the math favors payment at ransom demands below a certain threshold. This threshold has been extensively researched by ransomware operators through years of negotiation data. Demands are calibrated to the victim’s apparent financial capacity and operational pain tolerance — not to the attacker’s cost basis.
The median ransom payment in 2025 was approximately $2.5 million for enterprise victims. The median downtime cost for a ransomware event in the same period was approximately $1.85 million per day. An organization facing 10 days of downtime to rebuild from backups is looking at $18.5 million in downtime costs against a $2.5 million ransom payment. The payment is cheaper. The economics persist regardless of law enforcement activity.
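The comparison above can be carried one step further by including the probability that decryption keys work, one of the inputs listed earlier. The following is an added example, not part of the original article: the ransom and daily downtime figures come from the text, while the 3-day decryption recovery time and the 80% key reliability are assumptions chosen for illustration. Notification, reputational, and re-targeting costs are left out. It computes the backup-restore time below which rebuilding becomes the cheaper path.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    ransom: float            # USD demanded (article figure: 2.5M median)
    downtime_per_day: float  # USD lost per day of outage (article figure: 1.85M)
    decrypt_days: float      # ASSUMED: outage length when the purchased keys work
    p_keys_work: float       # ASSUMED: probability the keys work after payment

    def rebuild_cost(self, rebuild_days: float) -> float:
        """Downtime cost of restoring from backups without paying."""
        return rebuild_days * self.downtime_per_day

    def pay_cost(self, rebuild_days: float) -> float:
        """Expected cost of paying. The ransom is spent either way; if the
        keys fail, the organization still has to rebuild from backups."""
        p = self.p_keys_work
        expected_days = p * self.decrypt_days + (1 - p) * rebuild_days
        return self.ransom + expected_days * self.downtime_per_day

    def break_even_rebuild_days(self) -> float:
        """Rebuild time at which both paths cost the same. Below it,
        restoring from backups is cheaper than paying."""
        return self.decrypt_days + self.ransom / (
            self.p_keys_work * self.downtime_per_day
        )

    def cheaper_option(self, rebuild_days: float) -> str:
        if self.pay_cost(rebuild_days) < self.rebuild_cost(rebuild_days):
            return "pay"
        return "rebuild"


# Article figures plus the two labelled assumptions.
SCENARIO = Scenario(
    ransom=2_500_000,
    downtime_per_day=1_850_000,
    decrypt_days=3,
    p_keys_work=0.8,
)

if __name__ == "__main__":
    print(f"break-even rebuild time: {SCENARIO.break_even_rebuild_days():.2f} days")
    for days in (10, 4):  # the article's 10-day rebuild vs. a tested 4-day restore
        print(
            f"{days:>2} days: rebuild ${SCENARIO.rebuild_cost(days):,.0f} "
            f"vs pay ${SCENARIO.pay_cost(days):,.0f} -> {SCENARIO.cheaper_option(days)}"
        )
```

Under these assumptions the lever a defender controls is restore time: an organization that can restore from backups in under roughly 4.7 days is on the side of the threshold where the ransom is the more expensive option.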
Initial Access: The Upstream Market
Ransomware groups do not typically compromise their own victims. They buy access. Initial access brokers — a distinct underground market category — compromise organizations through phishing, credential stuffing, vulnerability exploitation, and insider recruitment, then sell the access on dark web markets for prices ranging from a few hundred dollars for small businesses to tens of thousands for enterprise access with domain admin privileges.
The initial access broker ecosystem is less visible than ransomware operators because it does not interact directly with victims, but it is a critical upstream supplier. Disrupting ransomware operators without disrupting initial access brokers leaves the supply chain intact. Access to compromised enterprise environments is bought and sold as a commodity.
The Cyber Insurance Feedback Loop
Cyber insurance has played a role in the ransomware growth story that the insurance industry is now urgently trying to revise. The availability of cyber insurance coverage for ransomware payments reduced the payment decision friction for corporate victims — an insured organization paying a ransom is effectively transferring the cost to an insurer, which changes the economic calculation. If the ransom is covered, paying is always cheaper than prolonged downtime.
Insurers responded to escalating claims by tightening coverage terms, raising premiums, and introducing security control requirements as conditions of coverage. Organizations must demonstrate MFA deployment, EDR coverage, network segmentation, and backup procedures that meet minimum standards to obtain ransomware coverage at reasonable rates. This has had a genuine positive effect on baseline enterprise security posture — security improvements that regulators could not mandate, insurers have effectively required.
The feedback loop has not been broken. It has been tightened. The residual risk after insurance-mandated controls are in place is still sufficient to generate hundreds of millions in annual ransom payments globally.