{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,27]],"date-time":"2026-03-27T09:22:06Z","timestamp":1774603326873,"version":"3.50.1"},"reference-count":191,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:00:00Z","timestamp":1760140800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers & Security"],"published-print":{"date-parts":[[2026,1]]},"DOI":"10.1016\/j.cose.2025.104705","type":"journal-article","created":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T15:11:24Z","timestamp":1760195484000},"page":"104705","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":1,"special_numbering":"C","title":["Inside ransomware groups: An analysis of their origins, structures, and dynamics"],"prefix":"10.1016","volume":"160","author":[{"given":"Andrew","family":"Phipps","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4118-1680","authenticated-orcid":false,"given":"Jason R.C.","family":"Nurse","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2025.104705_bib0001","unstructured":"Abdul G. & Milmo, D. (2024) Hacked London NHS hospitals data allegedly published online. Retrieved August 6, 2025, from The Guardian: https:\/\/www.theguardian.com\/society\/article\/2024\/jun\/21\/hacked-london-nhs-hospitals-data-allegedly-published-online."},{"key":"10.1016\/j.cose.2025.104705_bib0002","unstructured":"Abrams, L. (2021a). Largest U.S. pipeline shuts down operations after ransomware attack. Retrieved August 27, 2024, from Bleeping Computer: https:\/\/www.bleepingcomputer.com\/news\/security\/largest-us-pipeline-shuts-down-operations-after-ransomware-attack\/."},{"key":"10.1016\/j.cose.2025.104705_bib0003","unstructured":"Abrams, L., (2021b). Angry Conti Ransomware Affiliate Leaks Gang...s Attack Playbook. Retrieved August 27, 2024, from Bleeping Computer: https:\/\/www.bleepingcomputer.com\/news\/security\/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook\/."},{"key":"10.1016\/j.cose.2025.104705_bib0004","unstructured":"Abrams, L. (2023). FBI disrupts Blackcat ransomware operation, creates decryption tool. Retrieved August 27, 2024, from Bleeping Computer: https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool\/."},{"key":"10.1016\/j.cose.2025.104705_bib0005","unstructured":"Abrams, L. (2025). M&S confirms social engineering led to massive ransomware attack. Retrieved July 9, 2025, from Bleeping Computer: https:\/\/www.bleepingcomputer.com\/news\/security\/mands-confirms-social-engineering-led-to-massive-ransomware-attack\/."},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0006","doi-asserted-by":"crossref","DOI":"10.1093\/cybsec\/tyy006","article-title":"A taxonomy of cyber-harms: defining the impacts of cyber-attacks and understanding how they propagate","volume":"4","author":"Agrafiotis","year":"2018","journal-title":"J. Cybersecur."},{"key":"10.1016\/j.cose.2025.104705_bib0007","series-title":"Proceedings Title: 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec)","first-page":"323","article-title":"Understanding cyber terrorism: the grounded theory method applied","author":"Ahmad","year":"2012"},{"key":"10.1016\/j.cose.2025.104705_bib0008","unstructured":"Akamai. (n.d.). What is BlackCat Ransomware? Retrieved September 7, 2024, from Akamai: https:\/\/www.akamai.com\/glossary\/what-is-blackcat-ransomware."},{"key":"10.1016\/j.cose.2025.104705_bib0009","unstructured":"Arghire, I. (2024). RansomwareBlackCat ransomware successor Cicada3301 emerges. Retrieved November 7, 2024, from Security Week: https:\/\/www.securityweek.com\/blackcat-ransomware-successor-cicada3301-emerges\/."},{"key":"10.1016\/j.cose.2025.104705_bib0010","unstructured":"Barry, C. (2024). ALPHV-BlackCat ransomware group goes dark. Retrieved August 25, 2024, from Barracuda: https:\/\/blog.barracuda.com\/2024\/03\/06\/alphv-blackcat-ransomware-goes-dark."},{"key":"10.1016\/j.cose.2025.104705_bib0012","unstructured":"BBC. (2022). BA tries to poach rival cabin crew staff with \u00a31000 bonus. Retrieved August 23, 2024, from BBC News: https:\/\/www.bbc.co.uk\/news\/business-61104230."},{"key":"10.1016\/j.cose.2025.104705_bib0013","unstructured":"Benge, A. (2023). BlackCat (ALPHV): what we know about the MGM hack. Retrieved September 7, 2024, from ReversingLabs: https:\/\/www.reversinglabs.com\/blog\/what-we-know-about-blackcat-and-the-mgm-hack."},{"key":"10.1016\/j.cose.2025.104705_bib0014","unstructured":"Bhasin, K. (2011). The 12 most intense marketing wars ever. Retrieved September 7, 2024, from Business Insider: https:\/\/www.businessinsider.com\/epic-marketing-wars-2011-6."},{"key":"10.1016\/j.cose.2025.104705_bib0015","unstructured":"Bing, C. (2022). Russia-based ransomware group Conti issues warning to Kremlin foes. Retrieved September 7, 2024, from Reuters: https:\/\/www.reuters.com\/technology\/russia-based-ransomware-group-conti-issues-warning-kremlin-foes-2022-02-25\/."},{"key":"10.1016\/j.cose.2025.104705_bib0017","unstructured":"Borges, E. (2024). Most popular ransomware groups. Retrieved from Recorded Future: https:\/\/www.recordedfuture.com\/threat-intelligence-101\/cyber-threats\/ransomware-groups."},{"key":"10.1016\/j.cose.2025.104705_bib0018","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1365\/s43439-023-00106-w","article-title":"How does one negotiate with ransomware attackers?","volume":"5","author":"Boticiu","year":"2023","journal-title":"Int. Cybersecur. Law Rev."},{"issue":"3","key":"10.1016\/j.cose.2025.104705_bib0019","first-page":"505","article-title":"Analyzing the ethical implications of research using leaked data","volume":"53","author":"Boustead","year":"2020","journal-title":"PS: Polit. Sci. Polit."},{"issue":"2","key":"10.1016\/j.cose.2025.104705_bib0020","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1191\/1478088706qp063oa","article-title":"Using thematic analysis in psychology","volume":"3","author":"Braun","year":"2006","journal-title":"Qual. Res. Psychol."},{"key":"10.1016\/j.cose.2025.104705_sbref0021","series-title":"APA Handbook of Research Methods in psychology, Vol. 2. Research designs: Quantitative, qualitative, neuropsychological, and Biological","first-page":"57","article-title":"Thematic analysis","author":"Braun","year":"2012"},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0022","first-page":"1","article-title":"An analysis of the nature of groups engaged in cyber crime. An analysis of the nature of groups engaged in cyber crime","volume":"8","author":"Broadhurst","year":"2014","journal-title":"Int. J. Cyber Criminol."},{"key":"10.1016\/j.cose.2025.104705_bib0023","series-title":"Group processes: Dynamics within and Between Groups","author":"Brown","year":"2019"},{"key":"10.1016\/j.cose.2025.104705_bib0024","series-title":"Social Research Methods","author":"Bryman","year":"2016"},{"key":"10.1016\/j.cose.2025.104705_bib0025","unstructured":"Burgess, M. (2022a). The workaday life of the world's most dangerous ransomware gang. Retrieved September 7, 2024, from Wired: https:\/\/www.wired.com\/story\/conti-leaks-ransomware-work-life\/."},{"key":"10.1016\/j.cose.2025.104705_bib0026","unstructured":"Burgess, M. (2022b). Conti's attack against Costa Rica sparks a new ransomware era. Retrieved October 25, 2024, from Wired: https:\/\/www.wired.com\/story\/costa-rica-ransomware-conti\/."},{"key":"10.1016\/j.cose.2025.104705_bib0027","unstructured":"Burgess, M. (2024). A global police operation just took down the notorious LockBit ransomware gang. Retrieved August 25, 2024, from Wired: https:\/\/www.wired.com\/story\/lockbit-ransomware-takedown-website-nca-fbi\/."},{"key":"10.1016\/j.cose.2025.104705_bib0028","series-title":"Profile: ALPHV\/BlackCat Ransomware","year":"2023"},{"key":"10.1016\/j.cose.2025.104705_bib0029","unstructured":"Carlisle, D. (2023). Ransomware & crypto: the growing compliance challenge. Retrieved August 17, 2024, from Reuters: https:\/\/www.reuters.com\/legal\/legalindustry\/ransomware-crypto-growing-compliance-challenge-2023-05-01\/."},{"key":"10.1016\/j.cose.2025.104705_bib0030","unstructured":"Center for Internet Security. (n.d.). Breaking down the BlackCat ransomware operation. Retrieved September 7, 2024, from Center for Internet Security: https:\/\/www.cisecurity.org\/insights\/blog\/breaking-down-the-blackcat-ransomware-operation."},{"key":"10.1016\/j.cose.2025.104705_bib0031","unstructured":"Chainalysis. (2024a). Ransomware payments exceed $1 billion in 2023, hitting record high after 2022 Decline. Retrieved September 9, 2024, from Chainalysis: https:\/\/www.chainalysis.com\/blog\/ransomware-2024\/."},{"key":"10.1016\/j.cose.2025.104705_bib0032","unstructured":"Chainalysis. (2024b). 2024 Crypto crime mid-year update part 1: cybercrime climbs as exchange thieves and ransomware attackers grow bolder. Retrieved September 9, 2024, from Chainalysis: https:\/\/www.chainalysis.com\/blog\/2024-crypto-crime-mid-year-update-part-1\/."},{"key":"10.1016\/j.cose.2025.104705_bib0033","unstructured":"CheckPoint. (2022a). Check point research reveals leaks of Conti Ransomware group. Retrieved September 7, 2024, from Check Point: https:\/\/blog.checkpoint.com\/security\/check-point-research-revels-leaks-of-conti-ransomware-group\/."},{"key":"10.1016\/j.cose.2025.104705_bib0034","unstructured":"CheckPoint. (2022b). Leaks of Conti ransomware group paint picture of a surprisingly normal tech start-up\u2026 sort of. Retrieved August 25, 2024, from Check Point: https:\/\/research.checkpoint.com\/2022\/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of\/."},{"key":"10.1016\/j.cose.2025.104705_bib0035","unstructured":"Cimpanu, C. (2021). Darkside ransomware gang says it lost control of its servers & money a day after Biden threat. Retrieved August 25, 2024, from The Record: https:\/\/therecord.media\/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat."},{"key":"10.1016\/j.cose.2025.104705_bib0036","unstructured":"Cluley, G. (2024). The LockBit ransomware gang rears its ugly head again, after law enforcement takedown. Retrieved June 20, 2025, from Bitdefender: https:\/\/www.bitdefender.com\/en-gb\/blog\/hotforsecurity\/the-lockbit-ransomware-gang-rears-its-ugly-head-again-after-law-enforcement-takedown."},{"key":"10.1016\/j.cose.2025.104705_bib0037","unstructured":"Cluley, G. (2025a). SafePay ransomware: what you need to know. Retrieved July 1, 2025, from Fortra: https:\/\/www.fortra.com\/blog\/safepay-ransomware-what-you-need-know."},{"key":"10.1016\/j.cose.2025.104705_bib0038","unstructured":"Cluley, G. (2025b). AiLock ransomware: what you need to know. Retrieved July 5, 2025, from Fortra: https:\/\/www.fortra.com\/blog\/ailock-ransomware."},{"key":"10.1016\/j.cose.2025.104705_bib0039","unstructured":"Coker, J. (2024). LockBit most prominent ransomware actor in May 2024. Retrieved August 25, 2024, from Infosecurity Magazine: https:\/\/www.infosecurity-magazine.com\/news\/lockbit-prominent-ransomware-may."},{"key":"10.1016\/j.cose.2025.104705_bib0040","unstructured":"Coker, J. (2025). New hellcat ransomware gang employs humiliation tactics. Retrieved January 29, 2025, from Infosecurity Magazine: https:\/\/www.infosecurity-magazine.com\/news\/hellcat-ransomware-humiliation\/."},{"key":"10.1016\/j.cose.2025.104705_bib0041","unstructured":"Collier, K. (2024). Global law enforcement takes down ransomware group that targeted U.S. hospitals and schools. Retrieved August 25, 2024, from NBC News: https:\/\/www.nbcnews.com\/tech\/lockbit-ransomware-arrest-website-bust-rcna139533."},{"key":"10.1016\/j.cose.2025.104705_bib0042","series-title":"IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","first-page":"177","article-title":"Applying neutralisation theory to better understand ransomware offenders","author":"Connolly","year":"2023"},{"key":"10.1016\/j.cose.2025.104705_bib0043","unstructured":"Corera, G. (2024). Lockbit: UK leads disruption of major cyber-criminal gang. Retrieved September 7, 2024, from BBC News: https:\/\/www.bbc.co.uk\/news\/technology-68344987."},{"key":"10.1016\/j.cose.2025.104705_bib0044","unstructured":"Counter Ransomware Initiative (CRI). (2023) Counter ransomware Initiative (CRI). Retrieved October 1, 2024, from CRI: https:\/\/counter-ransomware.org\/aboutus."},{"key":"10.1016\/j.cose.2025.104705_bib0045","unstructured":"Coveware. (2020). Ransomware demands continue to rise as Data Exfiltration becomes common, and Maze subdues. Retrieved October 7, 2024, from Coveware: https:\/\/www.coveware.com\/blog\/q3-2020-ransomware-marketplace-report."},{"key":"10.1016\/j.cose.2025.104705_bib0046","unstructured":"Cyber Monitoring Centre (CMC). (2025). Cyber Monitoring Centre Statement on ransomware incidents in the retail sector \u2013 June 2025. Retrieved August 27, from CMC: https:\/\/cybermonitoringcentre.com\/2025\/06\/20\/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025\/."},{"key":"10.1016\/j.cose.2025.104705_bib0047","unstructured":"Cyberint. (2022). To Be CONTInued? Conti ransomware heavy leaks. Retrieved September 7, 2024, from Cyberint: https:\/\/cyberint.com\/blog\/research\/contileaks\/."},{"key":"10.1016\/j.cose.2025.104705_bib0048","unstructured":"Cybersecurity & Infrastructure Security Agency (CISA). (2023a). #StopRansomware: LockBit 3.0. Retrieved September 7, 2024, from CyberSecurity & Infrastructure Security Agency: https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-075a."},{"key":"10.1016\/j.cose.2025.104705_bib0049","unstructured":"Cybersecurity & Infrastructure Security Agency (CISA). (2023b). Understanding ransomware threat actors: lockBit. Retrieved September 7, 2024, from CyberSecurity & Infrastructure Security Agency: https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-165a."},{"key":"10.1016\/j.cose.2025.104705_bib0050","unstructured":"Cybersecurity & Infrastructure Security Agency (CISA). (2023c). #StopRansomware: Play Ransomware. Retrieved September 7, 2024, from CyberSecurity & Infrastructure Security Agency: https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-352a."},{"key":"10.1016\/j.cose.2025.104705_bib0051","unstructured":"Cybersecurity and Infrastructure Security Agency (CISA). (2024a). #StopRansomware: ALPHV Blackcat. Retrieved August 25, 2024, from Cybersecurity and Infrastructure Security Agency: https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-353a."},{"key":"10.1016\/j.cose.2025.104705_bib0052","unstructured":"Cybersecurity and Infrastructure Security Agency (CISA). (2024b). #StopRansomware: ransomHub ransomware. Retrieved October 25, 2024, from Cybersecurity and Infrastructure Security Agency: https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-242a."},{"issue":"2\u20133","key":"10.1016\/j.cose.2025.104705_bib0053","doi-asserted-by":"crossref","first-page":"175","DOI":"10.1080\/17440572.2013.801015","article-title":"Reputation in a dark network of online criminals","volume":"14","author":"D\u00e9cary-H\u00e9tu","year":"2013","journal-title":"Glob. Crime"},{"key":"10.1016\/j.cose.2025.104705_bib0054","unstructured":"Department of Justice (DOJ), US. (2021). Department of Justice seizes $2.3 million in cryptocurrency paid to the ransomware extortionists darkside. Retrieved August 21, 2024, from Office of Public Affairs, U.S. Department of Justice: https:\/\/www.justice.gov\/opa\/pr\/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside."},{"key":"10.1016\/j.cose.2025.104705_bib0055","unstructured":"Department of Justice (DOJ), US. (2023). U.S. Department of Justice disrupts hive ransomware variant. Retrieved October 25, 2024, from Office of Public Affairs, U.S. Department of Justice: https:\/\/www.justice.gov\/opa\/pr\/us-department-justice-disrupts-hive-ransomware-variant."},{"key":"10.1016\/j.cose.2025.104705_bib0056","unstructured":"Department of Justice (DOJ), US. (2024). Two foreign nationals plead guilty to participating in LockBit Ransomware Group. Retrieved October 25, 2024, from Office of Public Affairs, U.S. Department of Justice: https:\/\/www.justice.gov\/opa\/pr\/two-foreign-nationals-plead-guilty-participating-lockbit-ransomware-group."},{"key":"10.1016\/j.cose.2025.104705_bib0057","unstructured":"Deslandes, N., & Corvin, A.-M. (2022). Ransomware: the hackers and their marketplace. Retrieved August 25, 2024, from Tech Informed: https:\/\/techinformed.com\/ransomware-the-hackers-and-their-marketplace\/."},{"key":"10.1016\/j.cose.2025.104705_bib0058","unstructured":"DiMaggio, J. (2023a). A behind the scenes look into investigating conti leaks. Retrieved August 25, 2024, from Medium: https:\/\/medium.com\/ @jon.dimaggio\/a-behind-the-scenes-look-into-investigating-conti-leaks-f57064a2afd2."},{"key":"10.1016\/j.cose.2025.104705_bib0059","unstructured":"DiMaggio, J. (2023b). Ransomware Diaries: volume 1. Retrieved August 25, 2024, from Analyst1: https:\/\/analyst1.com\/ransomware-diaries-volume-1\/."},{"key":"10.1016\/j.cose.2025.104705_bib0060","unstructured":"DiMaggio, J. (2023c). Ransomware Diaries: volume 2 \u2013 A Ransomware Hacker Origin Story. Retrieved August 25, 2024, from Analyst1: https:\/\/analyst1.com\/ransomware-diaries-volume-2\/."},{"key":"10.1016\/j.cose.2025.104705_bib0061","unstructured":"Emisoft. (2019). Caution! Ryuk ransomware decryptor damages larger files, even if you pay. https:\/\/www.emsisoft.com\/en\/blog\/35023\/bug-in-latest-ryuk-decryptor-may-cause-data-loss\/."},{"key":"10.1016\/j.cose.2025.104705_bib0062","unstructured":"eSentire. (2022). Conti ransomware gang claims 50+ new victims including oil terminal operator sea-invest disrupting operations at 24 seaports across Europe and Africa. Retrieved September 25, 2024, from eSentire: https:\/\/www.esentire.com\/security-advisories\/conti-ransomware-gang-claims-50-new-victims-including-oil-terminal-operator-sea-invest."},{"key":"10.1016\/j.cose.2025.104705_bib0063","unstructured":"eSentire. (2023a). LockBit ransomware gang attacks an MSP and two manufacturers using RMM tools. Retrieved August 25, 2024, from eSentire: https:\/\/www.esentire.com\/blog\/russia-linked-lockbit-ransomware-gang-attacks-an-msp-and-two-manufacturers."},{"key":"10.1016\/j.cose.2025.104705_bib0064","unstructured":"eSentire. (2023b). The notorious ALPHV\/BlackCat ransomware gang is attacking corporations and public entities using Google ads laced with malware, warns eSentire. Retrieved September 7, 2024, from eSentire: https:\/\/www.esentire.com\/blog\/the-notorious-alphv-blackcat-ransomware-gang-is-attacking-corporations-and-public-entities-using-google-ads-laced-with-malware-warns-esentire."},{"key":"10.1016\/j.cose.2025.104705_bib0065","unstructured":"European Union (EU). (n.d.). Glossary:commonwealth of Independent States (CIS). Retrieved August 9, 2024, from EU: https:\/\/ec.europa.eu\/eurostat\/statistics-explained\/index.php?title=Glossary:Commonwealth_of_Independent_States_(CIS)."},{"key":"10.1016\/j.cose.2025.104705_bib0066","unstructured":"Europol. (2024). Law enforcement disrupt world\u2019s biggest ransomware operation. Retrieved September 7, 2024, from Europol: https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/law-enforcement-disrupt-worlds-biggest-ransomware-operation."},{"key":"10.1016\/j.cose.2025.104705_bib0067","unstructured":"Europol. (2025). Key figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown. Retrieved July 1, 2025, from Europol: https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/key-figures-behind-phobos-and-8base-ransomware-arrested-in-international-cybercrime-crackdown."},{"key":"10.1016\/j.cose.2025.104705_bib206","unstructured":"Edwards, C. (2025). Co-op says cyber-attack cost it \u00a3206m in lost sales. Retrieved August 8, 2025, from BBC: https:\/\/www.bbc.co.uk\/news\/articles\/ckgq9dke4e5o."},{"key":"10.1016\/j.cose.2025.104705_bib0068","unstructured":"Farrell, J. (2024). Change Healthcare blames \u2018Blackcat\u2019 Group for cyber attack that disrupted pharmacies and health systems. Retrieved September 7, 2024, from Forbes: https:\/\/www.forbes.com\/sites\/jamesfarrell\/2024\/02\/29\/change-healthcare-blames-blackcat-group-for-cyber-attack-that-disrupted-pharmacies-and-health-systems\/."},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0069","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1177\/160940690600500107","article-title":"Demonstrating rigor using thematic analysis: a hybrid approach of inductive and deductive coding and theme development","volume":"5","author":"Fereday","year":"2006","journal-title":"Int. J. Qual. Methods"},{"key":"10.1016\/j.cose.2025.104705_bib0070","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103268","article-title":"Cyber expert feedback: experiences, expectations, and opinions about cyber deception","volume":"130","author":"Ferguson-Walter","year":"2023","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2025.104705_bib0071","doi-asserted-by":"crossref","first-page":"1926","DOI":"10.1109\/TIFS.2023.3256706","article-title":"Human and social capital strategies for Mafia network disruption","volume":"18","author":"Ficara","year":"2023","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"10.1016\/j.cose.2025.104705_bib0072","unstructured":"Fier, J. (2021, December 7). Conti ransomware group finds new double extortion avenues. Retrieved September 7, 2024, from DarkTrace: https:\/\/darktrace.com\/blog\/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation."},{"key":"10.1016\/j.cose.2025.104705_bib0073","unstructured":"Flashpoint. (2021). Disgruntled Conti affiliate leaks ransomware training documents. Retrieved August 25, 2024, from Flashpoint: https:\/\/flashpoint.io\/blog\/disgruntled-conti-affiliate-leaks-ransomware-training-documents\/."},{"key":"10.1016\/j.cose.2025.104705_bib0074","unstructured":"Flashpoint. (2022). Conti ransomware: inside one of the world\u2019s most aggressive ransomware groups. Retrieved August 25, 2024, from FlashPoint: https:\/\/flashpoint.io\/blog\/history-of-conti-ransomware\/."},{"key":"10.1016\/j.cose.2025.104705_bib0075","unstructured":"Flashpoint. (2023). LockBit Ransomware: inside the world\u2019s most active ransomware group. Retrieved from Flashpoint: https:\/\/flashpoint.io\/blog\/lockbit\/."},{"key":"10.1016\/j.cose.2025.104705_bib0078","unstructured":"Geary, C. (2023). Lockbit ransomware gang - longevity or downfall? Retrieved September 7, 2024, from ThreatSpike: https:\/\/www.threatspike.com\/blogs\/lockbit-ransomware-gang."},{"key":"10.1016\/j.cose.2025.104705_bib0081","doi-asserted-by":"crossref","unstructured":"Gray, I.W., Cable, J., Brown, B., Cuiujuclu, V., & McCoy, D. (2022). Money over morals: a business analysis of Conti ransomware. 2022 APWG Symposium on Electronic Crime Research (eCrime) (pp. 1\u201312). Boston: IEEE. doi:10.1109\/eCrime57793.2022.10142119.","DOI":"10.1109\/eCrime57793.2022.10142119"},{"key":"10.1016\/j.cose.2025.104705_bib0082","unstructured":"Greig, J. (2024). Europol, DOJ, NCA deny involvement in recent AlphV\/BlackCat \u2018shutdown\u2019. Retrieved August 25, 2024, from The Record: https:\/\/therecord.media\/europol-doj-nca-deny-involvement-in-alphv-blackcat-ransomware-takedown."},{"key":"10.1016\/j.cose.2025.104705_bib0083","unstructured":"Greig, J. (2025a). IT company Ingram Micro says ransomware targeted internal systems. Retrieved June 2, 2024, from https:\/\/therecord.media\/ingram-micro-ransomware-attack."},{"key":"10.1016\/j.cose.2025.104705_bib0084","unstructured":"Greig, J. (2025b). Two Russian nationals arrested in takedown of Phobos ransomware infrastructure. Retrieved April 2, 2024, from The Record: https:\/\/therecord.media\/phobos-ransomware-takedown-arrests-russian-nationals."},{"key":"10.1016\/j.cose.2025.104705_bib0085","unstructured":"Grossman, T., & Smith, T. (2024). 2023 RTF global ransomware incident map: attacks increase by 73%, big game hunting appears to surge. Retrieved from Institute for Security and Technology: https:\/\/securityandtechnology.org\/blog\/2023-rtf-global-ransomware-incident-map\/."},{"key":"10.1016\/j.cose.2025.104705_bib0086","unstructured":"Gutierrez, A. (2025). CBS Evening News cyberattack that crippled Nevada's systems reveals vulnerability of smaller government agencies to hackers. Retrieved August 26, 2025, from CBS News: https:\/\/www.cbsnews.com\/news\/cyberattack-cripples-nevada-state-systems\/."},{"key":"10.1016\/j.cose.2025.104705_bib0088","unstructured":"Harpur, R. (2024). Ransomware focus: lockBit attacks in 2024. Retrieved September 9, 2024, from BlackFog: https:\/\/www.blackfog.com\/lockbit-attacks-2024\/."},{"key":"10.1016\/j.cose.2025.104705_bib0089","unstructured":"Heimdal. (2024). All about Conti ransomware. From $180 million yearly revenue to internal data leakage. Retrieved September 7, 2024, from Heimdal: https:\/\/heimdalsecurity.com\/blog\/what-is-conti-ransomware\/."},{"key":"10.1016\/j.cose.2025.104705_bib0090","unstructured":"Hill, J. (2023). BlackCat Ransomware (ALPHV). Retrieved September 7, 2024, from Varonis: https:\/\/www.varonis.com\/blog\/blackcat-ransomware."},{"key":"10.1016\/j.cose.2025.104705_bib0092","unstructured":"Hostetler, S. & Campbell, S. (2024). Follow-on extortion campaign targeting victims of Akira and royal ransomware. Retrieved July 17, 2024, from Arctic Wolf: https:\/\/arcticwolf.com\/resources\/blog\/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware\/."},{"key":"10.1016\/j.cose.2025.104705_bib0093","unstructured":"Ikeda, S. (2022). Conti Ransomware group voluntarily shuttered, but members expected to splinter off to smaller groups. Retrieved September 7, 2024, from CPO Magazine: https:\/\/www.cpomagazine.com\/cyber-security\/conti-ransomware-group-voluntarily-shuttered-but-members-expected-to-splinter-off-to-smaller-groups\/."},{"key":"10.1016\/j.cose.2025.104705_bib0094","unstructured":"Ikeda, S. (2024). LockBit\u2019s claimed hack on US Federal Reserve turns out to Be a publicity stunt; stolen data came from just one US bank. Retrieved August 25, 2024, from CPO Magazine: https:\/\/www.cpomagazine.com\/cyber-security\/lockbits-claimed-hack-on-us-federal-reserve-turns-out-to-be-a-publicity-stunt-stolen-data-came-from-just-one-us-bank\/."},{"key":"10.1016\/j.cose.2025.104705_bib0095","unstructured":"Ilascu, I. (2024). BlackCat ransomware shuts down in exit scam, blames the \"feds\". Retrieved August 25, 2024, from Bleeping Computer: https:\/\/www.bleepingcomputer.com\/news\/security\/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds."},{"key":"10.1016\/j.cose.2025.104705_bib0096","unstructured":"Imano, S. & Slaughter, J. (2022). Ransomware Roundup \u2013 Play. Retrieved September 20, 2024, from Fortinet: https:\/\/www.fortinet.com\/blog\/threat-research\/ransomware-roundup-play-ransomware."},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0099","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1080\/03071847.2025.2458143","article-title":"Invisible lines, visible impact: how territorial security influences Russian cyber security strategy","volume":"170","author":"Johansmeyer","year":"2025","journal-title":"RUSI J"},{"key":"10.1016\/j.cose.2025.104705_bib0100","unstructured":"Jones, C. (2023). BlackCat ransomware crims threaten to directly extort victim's customers. Retrieved September 7, 2024, from The Register: https:\/\/www.theregister.com\/2023\/12\/05\/alphvblackcat_shakes_up_tactics_again\/."},{"key":"10.1016\/j.cose.2025.104705_bib0101","unstructured":"Kaspersky. (2024a). State of ransomware in 2024. Retrieved August 25, 2024, from SecureList: https:\/\/securelist.com\/state-of-ransomware-2023\/112590\/."},{"key":"10.1016\/j.cose.2025.104705_bib0102","unstructured":"Kaspersky. (2024c). LockBit ransomware What You Need to Know. Retrieved September 7, 2024, from Kaspersky: https:\/\/www.kaspersky.com\/resource-center\/threats\/lockbit-ransomware."},{"key":"10.1016\/j.cose.2025.104705_bib0103","unstructured":"Kaspersky. (2024b). Understanding BlackCat ransomware: Threat overview and protective measures. Retrieved September 7, 2024, from Kaspersky: https:\/\/www.kaspersky.com\/resource-center\/threats\/blackcat-ransomware."},{"key":"10.1016\/j.cose.2025.104705_bib0104","series-title":"From Prepaid Cards to bitcoin: How did Ransomware Hackers Adopt cryptocurrencies? Journal of Cyber Policy","author":"Katagiri","year":"2023"},{"key":"10.1016\/j.cose.2025.104705_bib0105","first-page":"82","article-title":"Double-extortion ransomware: a technical analysis of maze ransomware","volume":"360","author":"Kerns","year":"2021","journal-title":"Proc. Future Technol. Conf. (FTC)"},{"key":"10.1016\/j.cose.2025.104705_bib0106","first-page":"71","article-title":"A method for decrypting data infected with Hive ransomware","author":"Kim","year":"2022","journal-title":"J. Inf. Secur. Appl"},{"key":"10.1016\/j.cose.2025.104705_bib0108","unstructured":"Kovacs, E. (2022). Conti ransomware operation shut down after brand becomes toxic. Retrieved September 7, 2024, from SecurityWeek: https:\/\/www.securityweek.com\/conti-ransomware-operation-shut-down-after-brand-becomes-toxic\/."},{"key":"10.1016\/j.cose.2025.104705_bib0109","unstructured":"Kovacs, E. (2023). Law enforcement reportedly behind takedown of BlackCat\/Alphv ransomware website. Retrieved September 7, 2024, from SecurityWeek: https:\/\/www.securityweek.com\/law-enforcement-reportedly-behind-takedown-of-blackcat-alphv-ransomware-website\/."},{"key":"10.1016\/j.cose.2025.104705_bib0110","unstructured":"Krebs, B. (2021). Ransomware gangs and the name game distraction. Retrieved August 25, 2024, from KrebsonSecurity: https:\/\/krebsonsecurity.com\/2021\/08\/ransomware-gangs-and-the-name-game-distraction\/."},{"key":"10.1016\/j.cose.2025.104705_bib0111","unstructured":"Krebs, B. (2022). Conti Ransomware Group Diaries, part I to part IV. Retrieved September 7, 2024, from KrebsonSecurity: https:\/\/krebsonsecurity.com\/2022\/03\/conti-ransomware-group-diaries-part-i-evasion\/, https:\/\/krebsonsecurity.com\/2022\/03\/conti-ransomware-group-diaries-part-ii-the-office\/, https:\/\/krebsonsecurity.com\/2022\/03\/conti-ransomware-group-diaries-part-iii-weaponry\/, https:\/\/krebsonsecurity.com\/2022\/03\/conti-ransomware-group-diaries-part-iv-cryptocrime\/."},{"key":"10.1016\/j.cose.2025.104705_bib0112","unstructured":"Krebs, B. (2023). BlackCat ransomware raises ante after FBI disruption. Retrieved September 7, 2024, from KrebsonSecurity: https:\/\/krebsonsecurity.com\/2023\/12\/blackcat-ransomware-raises-ante-after-fbi-disruption\/."},{"key":"10.1016\/j.cose.2025.104705_bib0114","unstructured":"Krebs, B. (2024). Category archives: ransomware. Retrieved August 25, 2024b, from KrebsonSecurity: https:\/\/krebsonsecurity.com\/category\/ransomware\/."},{"key":"10.1016\/j.cose.2025.104705_bib0115","unstructured":"Lakshmanan, R. (2023). Play ransomware goes commercial - now offered as a service to cybercriminals. Retrieved July 21, 2024, from Hacker News: https:\/\/thehackernews.com\/2023\/11\/play-ransomware-goes-commercial-now.html."},{"key":"10.1016\/j.cose.2025.104705_bib0116","unstructured":"Levison, J. (2024). Lockbit ransomware gang's origins, tactics and past targets - and what next after policing breakthrough. Retrieved September 6, 2024, from Sky News: https:\/\/news.sky.com\/story\/lockbit-ransomware-gangs-origins-tactics-and-past-targets-and-what-next-after-policing-breakthrough-13075988."},{"issue":"3","key":"10.1016\/j.cose.2025.104705_bib207","doi-asserted-by":"crossref","first-page":"287","DOI":"10.1007\/s10610-016-9332-z","article-title":"Organised cybercrime or cybercrime that is organised? An assessment of the conceptualisation of financial cybercrime as organised crime","volume":"23","author":"Leukfeldt","year":"2017","journal-title":"Euro. J. Cri. Pol. Res."},{"key":"10.1016\/j.cose.2025.104705_bib0117","unstructured":"Lyngaas, S. (2024). FBI and allies seize dark-web site of world\u2019s most prolific ransomware gang. Retrieved September 7, 2024, from CNN: https:\/\/edition.cnn.com\/2024\/02\/19\/politics\/fbi-ransomware-lockbit-dark-web-site\/index.html."},{"key":"10.1016\/j.cose.2025.104705_bib0118","unstructured":"MalwareHunterTeam. (2023). BlackCat ransomware gang says that they just reported\u2026 retrieved August 22, 2024, from Twitter\/X: https:\/\/x.com\/malwrhunterteam\/status\/1724902112755384487."},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0119","article-title":"Ransomware through the lens of state crime: conceptualizing ransomware groups as cyber proxies, pirates, and privateers","volume":"12","author":"Martin","year":"2023","journal-title":"J. Int. State Crime Initiat."},{"key":"10.1016\/j.cose.2025.104705_bib0120","first-page":"1","article-title":"Ransomware HR: human resources practices and organizational support in the Conti Ransomware group","author":"Martin","year":"2024","journal-title":"Deviant Behav."},{"key":"10.1016\/j.cose.2025.104705_bib0121","unstructured":"Martinez, F. (2022). BlackCat ransomware. Retrieved August 25, 2024, from LevelBlue: https:\/\/cybersecurity.att.com\/blogs\/labs-research\/blackcat-ransomware."},{"key":"10.1016\/j.cose.2025.104705_bib205","first-page":"1","article-title":"Your files have been encrypted: A crime script analysis of ransomware attacks","author":"Matthijsse","year":"2023","journal-title":"Trends Organiz. Crime"},{"key":"10.1016\/j.cose.2025.104705_bib0122","series-title":"Threat Actor Type Inference and Characterization within Cyber Threat Intelligence. 13th International Conference On Cyber Conflict (CyCon)","first-page":"327","author":"Mavroeidis","year":"2021"},{"key":"10.1016\/j.cose.2025.104705_bib0124","article-title":"Ransomware Reloaded: re-examining its trend, research and mitigation in the era of data exfiltration","author":"McIntosh","year":"2024","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.cose.2025.104705_bib0125","unstructured":"Medlock, B. (2023). Conti ransomware: prepare and protect your clients. Retrieved September 7, 2024, from ConnectWise: https:\/\/www.connectwise.com\/blog\/cybersecurity\/what-is-conti-ransomware-how-to-prepare."},{"key":"10.1016\/j.cose.2025.104705_bib0126","unstructured":"Meegan-Vickers, J. (2023). The rise and fall of the Conti ransomware group. Retrieved August 25, 2024, from Global Initiative Against Transnational Organized Crime: https:\/\/globalinitiative.net\/analysis\/conti-ransomware-group-cybercrime\/."},{"key":"10.1016\/j.cose.2025.104705_bib0127","unstructured":"Meegan-Vickers, J. (2024). The LockBit takedown. Retrieved September 7, 2024, from Global Initiative Against Transnational Organized Crime: https:\/\/globalinitiative.net\/analysis\/the-lockbit-takedown-law-enforcement-trolls-ransomware-gang\/."},{"key":"10.1016\/j.cose.2025.104705_bib0128","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2020.101762","article-title":"The ransomware-as-a-service economy within the darknet","volume":"92","author":"Meland","year":"2020","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2025.104705_bib0129","unstructured":"Menn, J., & Sands, L. (2024). 11-nation operation takes down world's 'most harmful' cybercriminal group. Retrieved September 7, 2024, from The Washington Post: https:\/\/www.washingtonpost.com\/business\/2024\/02\/20\/lockbit-ransomware-cronos-nca-fbi\/."},{"key":"10.1016\/j.cose.2025.104705_bib0130","unstructured":"Mersinas, K., Liu, A., & Panteli, N. (2024). Analysing the cultural dimensions of cybercriminal groups - A case study on the Conti ransomware group. Human Factor in Cybercrime (HFC) Conference."},{"key":"10.1016\/j.cose.2025.104705_bib0131","series-title":"Ransomware: How attacker\u2019s effort, Victim Characteristics and Context Influence Ransom requested, Payment and Financial loss. 2022 APWG Symposium on Electronic Crime Research (eCrime)","first-page":"1","author":"Meurs","year":"2022"},{"key":"10.1016\/j.cose.2025.104705_bib0132","first-page":"128","article-title":"Between a rock and a hard(ening) place: cyber insurance in the ransomware era","author":"Mott","year":"2023","journal-title":"Comput. Secur."},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0133","doi-asserted-by":"crossref","DOI":"10.1093\/cybsec\/tyae013","article-title":"There was a bit of PTSD every time I walked through the office door\u2019: ransomware harms and the factors that influence the victim organization\u2019s experience","volume":"10","author":"Mott","year":"2024","journal-title":"J. Cybersecur."},{"key":"10.1016\/j.cose.2025.104705_bib0134","unstructured":"Muncaster, P. (2023). BlackCat ransomware group reports victim to SEC. Retrieved September 7, 2024, from Infosecurity Magazine: https:\/\/www.infosecurity-magazine.com\/news\/ransomware-group-reports-victim-to\/."},{"key":"10.1016\/j.cose.2025.104705_bib0135","unstructured":"Muncaster, P. (2024). Cicada3301 Ransomware group emerges from the ashes of ALPHV. Retrieved September 2, 2024, from InfoSecurity Magazine: https:\/\/www.infosecurity-magazine.com\/news\/cicada3301-ransomware-group-alphv\/."},{"key":"10.1016\/j.cose.2025.104705_bib0136","unstructured":"National Crime Agency (NCA). (2017). Pathways into cyber crime. Retrieved June 28, 2025, from National Crime Agency: https:\/\/www.nationalcrimeagency.gov.uk\/who-we-are\/publications\/6-pathways-into-cyber-crime-1\/file."},{"key":"10.1016\/j.cose.2025.104705_bib0137","unstructured":"National Crime Agency (NCA). (2024a). International investigation disrupts the world\u2019s most harmful cybercrime group. Retrieved August 25, 2024, from National Crime Agency: https:\/\/www.nationalcrimeagency.gov.uk\/news\/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group."},{"key":"10.1016\/j.cose.2025.104705_bib0138","unstructured":"National Crime Agency (NCA). (2024b). LockBit leader unmasked and sanctioned. Retrieved August 25, 2024, from National Crime Agency: https:\/\/www.nationalcrimeagency.gov.uk\/news\/lockbit-leader-unmasked-and-sanctioned."},{"key":"10.1016\/j.cose.2025.104705_bib0139","unstructured":"National Cyber Security Centre (NCSC). (2024). Ransomware-resistant backups. Retrieved August 25, 2024, from NCSC: https:\/\/www.ncsc.gov.uk\/collection\/ransomware-resistant-backups\/principles-for-ransomware-resistant-cloud-backups."},{"key":"10.1016\/j.cose.2025.104705_bib0140","unstructured":"Nield, D. (2024) Samsung roasts Apple's lack of foldable innovation in new ad \u2013 as a flexible iPhone is tipped for 2027. Retrieved November 25, 2024, from TechRadar: https:\/\/www.techradar.com\/phones\/iphone\/samsung-roasts-apples-lack-of-foldable-innovation-in-new-ad-as-a-flexible-iphone-is-tipped-for-2027."},{"key":"10.1016\/j.cose.2025.104705_bib0141","series-title":"The Oxford handbook of Cyberpsychology","first-page":"691","article-title":"The group element of cybercrime: types, dynamics, and criminal operations","author":"Nurse","year":"2018"},{"key":"10.1016\/j.cose.2025.104705_bib0142","series-title":"Methods of Criminology and Criminal Justice Research","first-page":"47","article-title":"Criminal group dynamics and network methods","author":"Ouellet","year":"2019"},{"key":"10.1016\/j.cose.2025.104705_bib0143","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3514229","article-title":"A survey on ransomware: evolution, taxonomy, and defense solutions","author":"Oz","year":"2022","journal-title":"ACM Comput. Surv. (CSUR)"},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0144","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1186\/s40878-022-00297-x","article-title":"Transnational gangs and criminal remittances: a conceptual framework","volume":"10","author":"Paarlberg","year":"2022","journal-title":"Comp. Migr. Stud"},{"key":"10.1016\/j.cose.2025.104705_bib0145","unstructured":"Paganini, P. (2024). Ukraine Police arrested a hacker who developed a crypter used by Conti and LockBit ransomware operation. Retrieved August 25, 2024, from SecurityAffairs: https:\/\/securityaffairs.com\/164475\/breaking-news\/developer-crypter-conti-lockbit-ransomware.html."},{"key":"10.1016\/j.cose.2025.104705_bib0146","doi-asserted-by":"crossref","unstructured":"Page, M.J. (2021). PRISMA 2020 explanation and elaboration: updated guidance and exemplars for reporting systematic reviews. doi: https:\/\/doi.org\/10.1136\/bmj.n160.","DOI":"10.1136\/bmj.n160"},{"key":"10.1016\/j.cose.2025.104705_bib0147","doi-asserted-by":"crossref","DOI":"10.1093\/cybsec\/tyz003","article-title":"Ransomware payments in the Bitcoin ecosystem","volume":"5","author":"Paquet-Clouston","year":"2019","journal-title":"J. Cybersecur."},{"key":"10.1016\/j.cose.2025.104705_bib0148","doi-asserted-by":"crossref","unstructured":"Paternoster, C., Nazzari, M., Jofre, M., & Uberti, T.E. (2024). Inside the leak: exploring the structure of the Conti ransomware group. CrimRxiv. doi: https:\/\/doi.org\/10.21428\/cb6ab371.75a348ed.","DOI":"10.21428\/cb6ab371.75a348ed"},{"key":"10.1016\/j.cose.2025.104705_bib0149","first-page":"132","article-title":"Learning from cyber security incidents: a systematic review and future research agenda","author":"Patterson","year":"2023","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2025.104705_bib0150","first-page":"139","article-title":"I don't think we're there yet\u201d: the practices and challenges of organisational learning from cyber security incidents","author":"Patterson","year":"2024","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2025.104705_bib0151","first-page":"261","article-title":"It\u2019s more than just money: the real-world harms from ransomware attacks. Human aspects of information security and assurance","volume":"674","author":"Pattnaik","year":"2023","journal-title":"Springer"},{"key":"10.1016\/j.cose.2025.104705_bib0152","unstructured":"Plumb, T. (2022). Lockbit 3.0 and the ransomware business model. Retrieved August 25, 2024, from VentureBeat: https:\/\/venturebeat.com\/security\/lockbit-3-0-and-the-ransomware-business-model\/."},{"key":"10.1016\/j.cose.2025.104705_bib0153","unstructured":"Poireault, K. (2024). LockBit admins tease a new ransomware version. Retrieved December 21, 2024, from Infosecurity: https:\/\/www.infosecurity-magazine.com\/news\/lockbit-admins-tease-a-new\/."},{"key":"10.1016\/j.cose.2025.104705_bib0154","unstructured":"PRISMA. (2020). PRISMA Statement. Retrieved August 25, 2024, from PRISMA Statement: https:\/\/www.prisma-statement.org\/."},{"key":"10.1016\/j.cose.2025.104705_bib0155","unstructured":"PSBE Cyber News Group. (2022). Conti ransomware attack causes State of emergency in Costa Rica! Retrieved September 7, 2024, from PSBE Cyber News Group: https:\/\/www.cybernewsgroup.co.uk\/2022\/05\/11\/conti-ransomware-attack-causes-state-of-emergency-in-costa-rica\/."},{"key":"10.1016\/j.cose.2025.104705_bib0156","unstructured":"Quorum Cyber. (n.d.). ALPHV threat actor profile. Retrieved September 7, 2024, from Quorum Cyber: https:\/\/www.quorumcyber.com\/threat-actors\/alphv-threat-actor-profile\/."},{"key":"10.1016\/j.cose.2025.104705_bib0157","unstructured":"Reddick, J. (2024). Teenage suspect in MGM Resorts hack arrested in Britain. Retrieved October 7, 2024, from The Record: https:\/\/therecord.media\/mgm-hack-teenager-arrest-britain."},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0158","doi-asserted-by":"crossref","first-page":"98","DOI":"10.1186\/s43058-022-00344-9","article-title":"Development of a qualitative data analysis codebook informed by the i-PARIHS framework","volume":"3","author":"Ritchie","year":"2022","journal-title":"Implement. Sci. Commun."},{"key":"10.1016\/j.cose.2025.104705_bib0159","unstructured":"Ro, C. (2024). Why some cyber-attacks hit harder than others. Retrieved October 11, 2024, from The BBC: https:\/\/www.bbc.co.uk\/news\/business-68225892."},{"key":"10.1016\/j.cose.2025.104705_bib0160","unstructured":"Rosendahl, T., & Burton, H. (2024). The LockBit story: why the ransomware affiliate model can turn takedowns into disruptions. Retrieved September 7, 2024, from Cisco Talos Blog: https:\/\/blog.talosintelligence.com\/ransomware-affiliate-model\/."},{"issue":"16","key":"10.1016\/j.cose.2025.104705_bib0161","article-title":"Conti Inc.: understanding the internal discussions of a large ransomware-as-a-service operator with machine learning","volume":"13","author":"Ruellan","year":"2024","journal-title":"Crime Sci"},{"key":"10.1016\/j.cose.2025.104705_bib0162","unstructured":"Sangfor. (2022). Conti ransomware attack throws Costa Rica into a national State of emergency. Retrieved August 25, 2024, from Sangfor: https:\/\/www.sangfor.com\/blog\/cybersecurity\/conti-ransomware-attack-throws-costa-rica-national-state-emergency."},{"key":"10.1016\/j.cose.2025.104705_bib0163","unstructured":"Sangfor. (2024). LockBit group resurfaces after its recent takedown by US and UK law enforcers. Retrieved September 7, 2024, from Sangfor: https:\/\/www.sangfor.com\/blog\/cybersecurity\/lockbit-ransomware-group-taken-down-us-and-uk-enforcers-announce."},{"key":"10.1016\/j.cose.2025.104705_bib0164","unstructured":"SC Media. (2023). Hacker group files SEC complaint against its own victim. Retrieved September 7, 2024, from SC Media: https:\/\/www.scworld.com\/news\/hacker-group-files-sec-complaint-against-its-own-victim."},{"key":"10.1016\/j.cose.2025.104705_bib0165","unstructured":"Scroxton, A. (2024). Royal ransomware crew puts on a BlackSuit in rebrand. Retrieved August 25, 2024, from Computer Weekly: https:\/\/www.computerweekly.com\/news\/366602360\/Royal-ransomware-crew-puts-on-a-BlackSuit-in-rebrand."},{"key":"10.1016\/j.cose.2025.104705_bib0166","unstructured":"Seals, T. (2024). LockBit ransomware takedown strikes deep into brand's viability. Retrieved August 25, 2024, from Dark Reading: https:\/\/www.darkreading.com\/threat-intelligence\/lockbit-ransomware-takedown-strikes-brand-viability."},{"key":"10.1016\/j.cose.2025.104705_bib0167","unstructured":"Secureworks. (2023). Law enforcement takes action against ALPHV\/BlackCat ransomware. Retrieved August 25, 2024, from Secureworks: https:\/\/www.secureworks.com\/blog\/law-enforcement-takes-action-against-alphv-blackcat-ransomware."},{"key":"10.1016\/j.cose.2025.104705_bib0168","unstructured":"Securin. (2022). All about Conti ransomware. Retrieved August 25, 2024, from Securin: https:\/\/www.securin.io\/articles\/all-about-conti-ransomware\/."},{"key":"10.1016\/j.cose.2025.104705_bib0169","unstructured":"Securin. (2023). All about LockBit ransomware. Retrieved August 25, 2024, from Securin: https:\/\/www.securin.io\/articles\/all-about-lockbit-ransomware\/."},{"key":"10.1016\/j.cose.2025.104705_bib0170","doi-asserted-by":"crossref","first-page":"137","DOI":"10.1007\/s12117-021-09415-0","article-title":"Shaping space. A conceptual framework on the connections between organised crime groups and territories: an introduction to the special issue on \u2018Spaces of Organised Crime","volume":"24","author":"Sergi","year":"2021","journal-title":"Trends Organ. Crime"},{"key":"10.1016\/j.cose.2025.104705_bib0171","unstructured":"Sharma. (2024). LockBit lied: stolen data is from a bank, not US Federal Reserve. Retrieved July 22, 2024, from BleepingComputer: https:\/\/www.bleepingcomputer.com\/news\/security\/lockbit-lied-stolen-data-is-from-a-bank-not-us-federal-reserve\/."},{"key":"10.1016\/j.cose.2025.104705_bib0172","unstructured":"SOCRadar. (2022). Dark Web Profile: blackCat (ALPHV). Retrieved September 7, 2024, from SOCRadar: https:\/\/socradar.io\/dark-web-profile-blackcat-alphv\/."},{"key":"10.1016\/j.cose.2025.104705_bib0173","unstructured":"SOCRadar. (2023). Dark web profile: lockBit 3.0 ransomware. Retrieved September 7, 2024, from SOCRadar: https:\/\/socradar.io\/dark-web-profile-lockbit-3-0-ransomware\/."},{"key":"10.1016\/j.cose.2025.104705_bib0175","unstructured":"Sophos. (2025). The State of Ransomware 2025. https:\/\/www.sophos.com\/en-us\/content\/state-of-ransomware."},{"key":"10.1016\/j.cose.2025.104705_bib0176","unstructured":"Symantec. (2022). Noberus ransomware: darkside and BlackMatter successor continues to evolve its tactics. Retrieved August 25, 2024, from https:\/\/symantec-enterprise-blogs.security.com\/threat-intelligence\/noberus-blackcat-ransomware-ttps."},{"key":"10.1016\/j.cose.2025.104705_bib0177","article-title":"Threat assessment: blackCat ransomware","volume":"42","author":"Tanner","year":"2022","journal-title":"Unit"},{"key":"10.1016\/j.cose.2025.104705_bib0178","unstructured":"Tata Communications. (2024). Unmasking the black cat ransomware: a deep dive into the threat. Retrieved September 7, 2024, from Tata Communications: https:\/\/www.tatacommunications.com\/knowledge-base\/guide-to-blackcat-ransomware-attacks\/."},{"key":"10.1016\/j.cose.2025.104705_bib0179","unstructured":"Temple-Raston, D., & Powers, S. (2024). Exclusive: after LockBit\u2019s takedown, its purported leader vows to hack on. Retrieved August 25, 2024, from The Record: https:\/\/therecord.media\/after-lockbit-takedown-its-purported-leader-vows-to-hack-on."},{"key":"10.1016\/j.cose.2025.104705_bib0180","unstructured":"Temple-Raston, D., Powers, S., & Abdul-Malik, J. (2024). In interview, LockbitSupp says authorities outed the wrong guy. Retrieved August 25, 2024, from The Record: https:\/\/therecord.media\/lockbitsupp-interview-ransomware-cybercrime-lockbit."},{"key":"10.1016\/j.cose.2025.104705_bib0181","unstructured":"The British Library. (2024). Learning lessons from the cyber-attack. Retrieved July 7, 2025, from The British Library: https:\/\/blogs.bl.uk\/living-knowledge\/2024\/03\/learning-lessons-from-the-cyber-attack.html."},{"key":"10.1016\/j.cose.2025.104705_bib0182","unstructured":"The Guardian. (2021). Colonial Pipeline confirms it paid $4.4m ransom to hacker gang after attack. Retrieved August 25, 2024, from The Guardian: https:\/\/www.theguardian.com\/technology\/2021\/may\/19\/colonial-pipeline-cyber-attack-ransom."},{"key":"10.1016\/j.cose.2025.104705_bib0183","series-title":"Proceedings of the 2017 Internet Measurement Conference","first-page":"445","article-title":"Ethical issues in research using datasets of illicit origin","author":"Thomas","year":"2017"},{"key":"10.1016\/j.cose.2025.104705_bib0184","unstructured":"Tidy, J. (2023). Ransomware hackers 'wreaking havoc' arrested in Ukraine. Retrieved October 22, 2024, from BBC: https:\/\/www.bbc.co.uk\/news\/technology-67556607."},{"key":"10.1016\/j.cose.2025.104705_bib0185","unstructured":"Tologonov, J., & Fokker, J. (2024). The LockBit\u2019s attempt to stay relevant, its imposters and new opportunistic ransomware groups. Retrieved September 7, 2024, from Trellix: https:\/\/www.trellix.com\/blogs\/research\/the-lockbits-attempt-to-stay-relevant-its-imposters-and-new-opportunistic-ransomware-groups\/."},{"key":"10.1016\/j.cose.2025.104705_bib0186","unstructured":"Toulas, B. (2024). Russian ransomware gangs account for 69% of all ransom proceeds. Retrieved October 7, 2024, from Bleeping Computer: https:\/\/www.bleepingcomputer.com\/news\/security\/russian-ransomware-gangs-account-for-69-percent-of-all-ransom-proceeds\/."},{"key":"10.1016\/j.cose.2025.104705_bib0187","unstructured":"TrendMicro. (2022a). LockBit, Conti, and BlackCat lead pack amid rise in active RaaS and extortion groups. Retrieved from Trend Micro: https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-by-the-numbers\/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022."},{"key":"10.1016\/j.cose.2025.104705_bib0188","unstructured":"TrendMicro. (2022b). Research: ransomware spotlight: blackCat. Retrieved September 7, 2024, from TrendMicro: https:\/\/www.trendmicro.com\/vinfo\/gb\/security\/news\/ransomware-spotlight\/ransomware-spotlight-blackcat."},{"key":"10.1016\/j.cose.2025.104705_bib0189","unstructured":"TrendMicro. (2024). LockBit attempts to stay afloat with a new version. Retrieved September 7, 2024, from TrendMicro: https:\/\/www.trendmicro.com\/en_gb\/research\/24\/b\/lockbit-attempts-to-stay-afloat-with-a-new-version.html."},{"key":"10.1016\/j.cose.2025.104705_bib0191","unstructured":"TRM. (2022). TRM analysis corroborates suspected ties between Conti and Ryuk ransomware groups and wizard spider. Retrieved September 7, 2024, from TRM: https:\/\/www.trmlabs.com\/post\/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider."},{"key":"10.1016\/j.cose.2025.104705_bib0192","unstructured":"Tsipershtein, M. & Ananin, E. (2025). Ransomware gangs collapse as Qilin seizes control. Retrieved 2025, from Cybereason: https:\/\/www.cybereason.com\/blog\/threat-alert-qilin-seizes-control."},{"key":"10.1016\/j.cose.2025.104705_bib0193","series-title":"Criminal profiling: An introduction to Behavioral Evidence Analysis","author":"Turvey","year":"2011"},{"key":"10.1016\/j.cose.2025.104705_bib0194","unstructured":"UK Government. (2023). No place to hide: serious and organised crime strategy 2023 to 2028. Retrieved 2024, from GOV.UK: https:\/\/www.gov.uk\/government\/publications\/serious-and-organised-crime-strategy-2023-to-2028\/no-place-to-hide-serious-and-organised-crime-strategy-2023-to-2028-accessible-version#chapter-2-executive-summary."},{"key":"10.1016\/j.cose.2025.104705_bib0195","unstructured":"UK Government. (2025). Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting. Retrieved June 27, 2025 from GOV.UK: https:\/\/www.gov.uk\/government\/consultations\/ransomware-proposals-to-increase-incident-reporting-and-reduce-payments-to-criminals\/ransomware-legislative-proposals-reducing-payments-to-cyber-criminals-and-increasing-incident-reporting-accessible."},{"key":"10.1016\/j.cose.2025.104705_bib0196","unstructured":"Unit 42. (2024). Jumpy Pisces engages in play ransomware. Retrieved June 10, 2025 from Unit 42: https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-group-play-ransomware\/."},{"key":"10.1016\/j.cose.2025.104705_bib0197","unstructured":"Vicens, A. (2022). Conti ransomware group announces support of Russia, threatens retaliatory attacks. Retrieved September 7, 2024, from CyberScoop: https:\/\/cyberscoop.com\/conti-ransomware-russia-ukraine-critical-infrastructure\/."},{"key":"10.1016\/j.cose.2025.104705_bib0198","unstructured":"Wadhwani, S. (2023). LockBit apologizes for ransomware attack on hospital, releases free decryptor. Retrieved September 7, 2024, from SpiceWorks: https:\/\/www.spiceworks.com\/it-security\/security-general\/news\/lockbit-ransomware-apologizes-sickkids-decryptor\/."},{"key":"10.1016\/j.cose.2025.104705_bib0199","first-page":"80","volume":"16","author":"Wang","year":"2018"},{"key":"10.1016\/j.cose.2025.104705_bib0200","unstructured":"Warminsky, J. (2022). Notorious cybercrime gang Conti 'shuts down,' but its influence and talent are still out there. Retrieved August 7, 2024, from The Record: https:\/\/therecord.media\/conti-ransomware-gang-digital-infrastructure-shut-down."},{"issue":"1","key":"10.1016\/j.cose.2025.104705_bib0202","doi-asserted-by":"crossref","first-page":"45","DOI":"10.1177\/26338076231199793","article-title":"Reconceptualising organised (cyber)crime: the case of ransomware","volume":"57","author":"Whelan","year":"2024","journal-title":"J. Criminol."},{"key":"10.1016\/j.cose.2025.104705_bib0203","unstructured":"Winder, D. (2024). Ransomware hackers fail to produce \u2018stolen\u2019 Donald Trump court files. Retrieved from Forbes: https:\/\/www.forbes.com\/sites\/daveywinder\/2024\/02\/29\/stolen-donald-trump-court-files-will-be-published-february-29-hackers-say\/."},{"key":"10.1016\/j.cose.2025.104705_bib0204","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1007\/s41125-019-00039-8","article-title":"On the economic impact of crypto-ransomware attacks: the State of the art on enterprise systems","volume":"4","author":"Zimba","year":"2019","journal-title":"Eur. J. Secur. Res."}],"container-title":["Computers & Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404825003943?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404825003943?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,11,25]],"date-time":"2025-11-25T14:19:26Z","timestamp":1764080366000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404825003943"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1]]},"references-count":191,"alternative-id":["S0167404825003943"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2025.104705","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,1]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Inside ransomware groups: An analysis of their origins, structures, and dynamics","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2025.104705","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2025 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"104705"}}