Ep. 15: The Economics of Ransomware in 2025
Ransomware is a business. I sat down with a former FBI cyber agent and a professional ransomware negotiator to understand the economics — how much gangs make, why companies pay, and what actually stops attacks.
Full Transcript
Today I have two guests with unique perspectives on ransomware. Special Agent Reeves spent 15 years in the FBI's cyber division, including leading investigations into major ransomware operations. And Nick — who goes by his first name only — is a professional ransomware negotiator who has handled over 200 incidents.
Thanks Alex. Ransomware is the single biggest cybercrime problem we face, and it's important to understand the economics driving it.
I'm on the other side of the table from the FBI, in a sense. I negotiate with the gangs on behalf of victims. The economics are fascinating and terrifying in equal measure.
Agent Reeves, how much money are we talking about? What do these operations actually make?
The top-tier operations — LockBit, BlackCat before the takedown, now groups like RansomHub — we estimate revenues in the $100 to $200 million range annually. And that's just what we can trace. The ransomware-as-a-service model has industrialized the whole thing. The core gang provides the malware and infrastructure, affiliates do the actual attacks, and they split the payment 20-80 or 30-70.
From my side, the average demand I see is about $2.5 million. We typically negotiate that down to 30 to 40 percent of the initial ask. But the volume is staggering — I've handled over 200 cases in 4 years, and that's just one negotiator. There are dozens of us.
Should companies pay? That's the question everyone asks.
It's more nuanced than the headlines suggest. If you have robust, tested, offline backups, paying is rarely necessary. But I've seen hospitals where patient data is encrypted and the backup strategy failed. I've seen manufacturers where every production line is down and they're losing $5 million a day. In those situations, the ethical calculus changes.
The FBI's official position is that we don't recommend paying. Payment funds criminal enterprises and creates incentive for more attacks. But I understand the reality that Nick describes. The best defense is making sure you never face the decision — incident response plans, tested backups, network segmentation.
What's changed about ransomware economics in 2025 compared to a few years ago?
Double and triple extortion have become standard. It's not just encryption anymore. They exfiltrate data first, then encrypt, then threaten to publish. Some groups also DDoS the victim or contact their customers directly. The business model has become incredibly sophisticated.
The professionalism is what strikes me. These groups have customer service portals, SLAs for decryption key delivery, and even satisfaction surveys. They're running it like a legitimate business, which makes it both easier to negotiate with them and more disturbing.
What's the single most effective defense against ransomware?
Offline backups that are regularly tested. Full stop. Everything else — EDR, network segmentation, email filtering — is important but secondary. If you can restore from backup, the ransomware loses its leverage entirely.
I'd add that incident response planning is equally critical. The companies that handle ransomware best aren't the ones with the most expensive tools. They're the ones that practiced their response before the incident happened.
Agent Reeves, Nick — thank you for pulling back the curtain on ransomware economics. This is the kind of honest conversation the industry needs.