Valtik Studios
Ransomware | critical | 2026-04-16 | 13 min read

Inside a Ransomware Gang: HR Departments, Salaries, and Bonuses

Ransomware-as-a-Service operations like LockBit, BlackCat, and Cl0p run on affiliate economics. This post traces the business model's evolution from simple ransomware attacks to double extortion, and what that evolution means for incident response and cyber insurance.

Conti leaks: the org chart

In February 2022, a Ukrainian security researcher leaked the internal communications of the Conti ransomware group. Over 60,000 messages from internal chat logs, along with source code, tooling documentation, and operational procedures, were published online. What they revealed was not a shadowy hacking collective. It was a mid-sized software company.

Conti employed over 60 people organized into departments:

  • Developers maintaining the ransomware encryptor, decryptor, and C2 infrastructure
  • Pentesters who conducted the actual intrusions and lateral movement
  • Negotiators who handled victim communications and ransom payment logistics
  • HR who recruited new talent, managed onboarding, and conducted interviews
  • OSINT analysts who researched potential targets and estimated their revenue to calibrate ransom demands

Monthly salaries ranged from $1,800 to $2,500 for most staff, paid in cryptocurrency. Senior developers and team leads earned more. The total monthly operational overhead was $140,000 to $165,000, covering salaries, infrastructure (bulletproof hosting, VPN services, tooling licenses), and operational expenses.

Ransom negotiators worked on commission: 0.5% to 1% of each successful payment. On a $5 million ransom, the negotiator's cut was $25,000 to $50,000. This incentive structure motivated negotiators to close deals efficiently, offering "discounts" of 20 to 40% to victims who paid quickly.

LockBit: 25% of global attacks

LockBit emerged as the dominant ransomware operation in 2023 and 2024, responsible for approximately 25% of all ransomware attacks globally. Their affiliate model was more aggressive than Conti's: LockBit took a 20% cut from affiliates, who kept 80% of each ransom payment.

In February 2024, a coordinated international law enforcement operation called Operation Cronos seized LockBit's infrastructure. The FBI, NCA, Europol, and agencies from 10 countries took down 34 servers, seized cryptocurrency wallets, obtained 1,000 decryption keys, and arrested several affiliates. The LockBit administrator, known as LockBitSupp, was publicly identified as Dmitry Yuryevich Khoroshev, a Russian national.

LockBit appeared dead. It was not.

By September 2025, LockBit had rebuilt its infrastructure and released LockBit 5.0, a rewritten encryptor with improved evasion capabilities and multi-platform support (Windows, Linux, VMware ESXi). The group resumed operations within seven months of the takedown, demonstrating the resilience of decentralized criminal enterprises with strong financial incentives.

February 2026: where things stand

The ransomware ecosystem as of early 2026 includes 54 active ransomware operations tracked by threat intelligence firms. Collectively, these groups claim approximately 680 victims per month based on data leak site postings. The actual number of victims is higher, as many organizations pay quietly and never appear on leak sites.

The major active groups include:

  • LockBit 5.0: rebuilt and operating at reduced but significant volume
  • ALPHV/BlackCat: temporarily disrupted by the FBI in December 2023, resurfaced under new branding
  • Play: targeting managed service providers to access multiple downstream victims
  • 8Base: focusing on small and medium businesses in Latin America and Europe
  • Akira: targeting VMware ESXi environments in healthcare and education

The RaaS model

Modern ransomware operates on a Ransomware-as-a-Service (RaaS) model. The core development team builds and maintains the malware, the C2 infrastructure, the data leak site, and the negotiation platform. Affiliates (independent hackers) pay for access and conduct the actual intrusions.

Entry costs are remarkably low. Some RaaS platforms charge a $500 buy-in for access to the encryptor, builder, and administrative panel. The affiliate handles initial access, lateral movement, privilege escalation, data exfiltration, and ransomware deployment. The RaaS operator handles decryption key management and, in many cases, victim negotiations.

This model has industrialized ransomware. An affiliate does not need to write malware, build infrastructure, or manage cryptocurrency wallets. They need only one skill: getting into corporate networks.

Initial access brokers: the supply chain

A separate criminal ecosystem supplies the initial network access that ransomware affiliates need. Initial Access Brokers (IABs) compromise corporate networks through phishing, credential stuffing, VPN vulnerabilities, and exposed services, then sell that access on dark web forums.

The IAB market generated an estimated $14 million in revenue in 2024 according to threat intelligence firm KELA. Access prices range from $500 for a small company's VPN credentials to $50,000+ for domain admin access to a Fortune 500 network. The median price is around $3,000.

A typical listing reads:

    [SELL] US / Healthcare / Revenue $500M+
    Access type: VPN (Fortinet SSL-VPN)
    Privileges: Domain User, local admin on 3 hosts
    Network size: 8,000+ endpoints
    Price: $12,000

The buyer (a ransomware affiliate) purchases the access, escalates privileges, maps the network, exfiltrates sensitive data, and deploys ransomware. The whole operation, from purchasing access to demanding ransom, can take 3 to 7 days.

The economics of paying

The average ransomware payment in 2025 reached approximately $1 million, up from $258,000 in 2023. The median payment jumped 368% year over year in certain quarters, driven by larger organizations being targeted and by groups increasing their initial demands.

Organizations pay because the alternative is worse. A manufacturing company facing $5 million per day in downtime costs will pay a $2 million ransom. A hospital that cannot access patient records will pay to restore operations. Insurance companies, which cover ransom payments under cyber insurance policies, often advise paying when the business impact exceeds the ransom amount.

This rational economic calculation is exactly what the ransomware operators exploit. They research their victims' revenue, insurance coverage, and backup infrastructure before setting the ransom amount. The number is always calibrated to be less painful than the recovery cost.

Why it keeps growing

The ransomware business model is extraordinarily profitable with minimal personal risk for operators based in Russia and CIS countries. Russian law enforcement does not prosecute ransomware operators who target foreign victims. International law enforcement can disrupt infrastructure (as Operation Cronos demonstrated), but the operators rebuild and resume within months.

The fundamental economic dynamics favor the attackers:

  • Low entry cost: $500 for a RaaS subscription, $3,000 for network access
  • High return: average payment of $1 million
  • Low risk: operators in non-extradition jurisdictions face minimal legal consequences
  • Scalable: RaaS model allows one development team to support hundreds of simultaneous attacks
  • Self-funding: each successful attack funds the next round of operations

Until these economic dynamics change, either through better defense, more aggressive law enforcement, international cooperation, or changes to cyber insurance practices, ransomware will continue to be the most profitable form of cybercrime.

Tags: ransomware, raas, lockbit, incident response, cyber attack, threat intelligence, compliance, research
