{"id":"https://openalex.org/W4415076502","doi":"https://doi.org/10.1016/j.cose.2025.104705","title":"Inside ransomware groups: An analysis of their origins, structures, and dynamics","display_name":"Inside ransomware groups: An analysis of their origins, structures, and dynamics","publication_year":2025,"publication_date":"2025-10-11","ids":{"openalex":"https://openalex.org/W4415076502","doi":"https://doi.org/10.1016/j.cose.2025.104705"},"language":"en","primary_location":{"id":"doi:10.1016/j.cose.2025.104705","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.cose.2025.104705","pdf_url":null,"source":{"id":"https://openalex.org/S12529635","display_name":"Computers & Security","issn_l":"0167-4048","issn":["0167-4048","1872-6208"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers &amp; Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1016/j.cose.2025.104705","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5119954964","display_name":"Andrew Phipps","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Andrew Phipps","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5075453550","display_name":"Jason R. C. Nurse","orcid":"https://orcid.org/0000-0003-4118-1680"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jason R.C. Nurse","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5119954964"],"corresponding_institution_ids":[],"apc_list":{"value":3190,"currency":"USD","value_usd":3190},"apc_paid":{"value":3190,"currency":"USD","value_usd":3190},"fwci":3.2836,"has_fulltext":true,"cited_by_count":1,"citation_normalized_percentile":{"value":0.94082891,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":"160","issue":null,"first_page":"104705","last_page":"104705"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.996999979019165,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.996999979019165,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9940999746322632,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9930999875068665,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/ransomware","display_name":"Ransomware","score":0.9574999809265137},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.5925999879837036},{"id":"https://openalex.org/keywords/extortion","display_name":"Extortion","score":0.5809999704360962},{"id":"https://openalex.org/keywords/government","display_name":"Government (linguistics)","score":0.5074999928474426},{"id":"https://openalex.org/keywords/function","display_name":"Function (biology)","score":0.4027000069618225},{"id":"https://openalex.org/keywords/outsourcing","display_name":"Outsourcing","score":0.3580000102519989}],"concepts":[{"id":"https://openalex.org/C2777667771","wikidata":"https://www.wikidata.org/wiki/Q926331","display_name":"Ransomware","level":3,"score":0.9574999809265137},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.5925999879837036},{"id":"https://openalex.org/C2779066997","wikidata":"https://www.wikidata.org/wiki/Q6452087","display_name":"Extortion","level":2,"score":0.5809999704360962},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.5575000047683716},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5379999876022339},{"id":"https://openalex.org/C2778137410","wikidata":"https://www.wikidata.org/wiki/Q2732820","display_name":"Government (linguistics)","level":2,"score":0.5074999928474426},{"id":"https://openalex.org/C14036430","wikidata":"https://www.wikidata.org/wiki/Q3736076","display_name":"Function (biology)","level":2,"score":0.4027000069618225},{"id":"https://openalex.org/C46934059","wikidata":"https://www.wikidata.org/wiki/Q61515","display_name":"Outsourcing","level":2,"score":0.3580000102519989},{"id":"https://openalex.org/C2777212580","wikidata":"https://www.wikidata.org/wiki/Q2475641","display_name":"Megaproject","level":2,"score":0.34779998660087585},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.3334999978542328},{"id":"https://openalex.org/C83860907","wikidata":"https://www.wikidata.org/wiki/Q135005","display_name":"Phishing","level":3,"score":0.32690000534057617},{"id":"https://openalex.org/C29852176","wikidata":"https://www.wikidata.org/wiki/Q373338","display_name":"Critical infrastructure","level":2,"score":0.31209999322891235},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.31119999289512634},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.28859999775886536},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.2728999853134155},{"id":"https://openalex.org/C171769113","wikidata":"https://www.wikidata.org/wiki/Q849340","display_name":"Cyberwarfare","level":2,"score":0.2590999901294708}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1016/j.cose.2025.104705","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.cose.2025.104705","pdf_url":null,"source":{"id":"https://openalex.org/S12529635","display_name":"Computers & Security","issn_l":"0167-4048","issn":["0167-4048","1872-6208"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers &amp; Security","raw_type":"journal-article"},{"id":"pmh:oai:kar.kent.ac.uk:111891","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.cose.2025.104705>)","pdf_url":"https://kar.kent.ac.uk/111891/1/COSE-Nurse-2026-ransomware.pdf","source":{"id":"https://openalex.org/S4377196264","display_name":"Kent Academic Repository (University of Kent)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I20581793","host_organization_name":"University of Kent","host_organization_lineage":["https://openalex.org/I20581793"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"PeerReviewed"}],"best_oa_location":{"id":"doi:10.1016/j.cose.2025.104705","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.cose.2025.104705","pdf_url":null,"source":{"id":"https://openalex.org/S12529635","display_name":"Computers & Security","issn_l":"0167-4048","issn":["0167-4048","1872-6208"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers &amp; Security","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":41,"referenced_works":["https://openalex.org/W1971604028","https://openalex.org/W1979290264","https://openalex.org/W2054963893","https://openalex.org/W2116985963","https://openalex.org/W2133674686","https://openalex.org/W2140564944","https://openalex.org/W2475524498","https://openalex.org/W2896921551","https://openalex.org/W2912527882","https://openalex.org/W2913409763","https://openalex.org/W2947987298","https://openalex.org/W2963604227","https://openalex.org/W3009492331","https://openalex.org/W3041647388","https://openalex.org/W3123893780","https://openalex.org/W3132588576","https://openalex.org/W3145494921","https://openalex.org/W3202962123","https://openalex.org/W3205163562","https://openalex.org/W3209947356","https://openalex.org/W3217043955","https://openalex.org/W4235741769","https://openalex.org/W4281848652","https://openalex.org/W4282581096","https://openalex.org/W4295700858","https://openalex.org/W4311029901","https://openalex.org/W4322505540","https://openalex.org/W4324116378","https://openalex.org/W4366777291","https://openalex.org/W4378594123","https://openalex.org/W4378905504","https://openalex.org/W4379528889","https://openalex.org/W4387059119","https://openalex.org/W4389392882","https://openalex.org/W4390869558","https://openalex.org/W4399574931","https://openalex.org/W4401108144","https://openalex.org/W4402056280","https://openalex.org/W4403252764","https://openalex.org/W4404144706","https://openalex.org/W4407749746"],"related_works":[],"abstract_inverted_index":{"Ransomware":[0],"is":[1,163,245],"a":[2,13,70,130,181,289],"major":[3,39],"cybersecurity":[4],"threat":[5,106],"facing":[6],"organisations":[7],"worldwide":[8],"and":[9,25,46,57,65,86,95,103,120,129,149,154,189,206,236,266,302],"has":[10],"evolved":[11],"into":[12,76],"highly":[14],"lucrative":[15],"criminal":[16],"enterprise.":[17],"Over":[18],"the":[19,32,77,110,124,144,225,246,277,305],"past":[20],"five":[21],"years,":[22],"Conti,":[23,152],"LockBit,":[24,153],"BlackCat/ALPHV":[26],"have":[27,58],"emerged":[28],"as":[29],"three":[30],"of":[31,73,101,133,151,186,191,201,254,263],"most":[33],"prominent":[34],"ransomware":[35,105,139,226,230,296],"groups,":[36,256],"responsible":[37],"for":[38,183,213,276],"cyberattacks":[40],"across":[41],"sectors":[42],"including":[43,138,228],"healthcare,":[44],"banking,":[45],"critical":[47,131],"national":[48],"infrastructure.":[49],"While":[50],"these":[51,102,255],"groups":[52,78,204,297],"are":[53],"well-known":[54],"by":[55],"name":[56],"been":[59],"discussed":[60],"in":[61,304],"industry":[62],"articles,":[63],"blogs,":[64],"government":[66],"briefs,":[67],"there":[68],"remains":[69],"notable":[71],"lack":[72],"academic":[74,99,248],"research":[75,93,279],"themselves,":[79],"particularly":[80],"regarding":[81],"their":[82],"origins,":[83,145,171],"values,":[84],"membership,":[85],"organisational":[87],"structures.":[88],"This":[89],"paper":[90],"addresses":[91],"this":[92,244],"gap":[94],"aims":[96],"to":[97,109,223,250,257,267,272,287],"advance":[98],"understanding":[100,200,253],"other":[104,295],"actors,":[107],"contributing":[108],"evidence":[111],"base":[112],"through":[113,293],"which":[114,294],"they":[115,165],"may":[116],"be":[117,299],"better":[118],"understood":[119],"disrupted.":[121],"Drawing":[122],"on":[123,176],"PRISMA":[125],"systematic":[126],"review":[127],"approach":[128],"analysis":[132],"over":[134],"500":[135],"dispersed":[136,264],"sources,":[137],"group":[140,162,231],"communications,":[141],"we":[142,218,283],"examine":[143],"structure,":[146],"organisation,":[147],"dynamics":[148],"nature":[150],"BlackCat/ALPHV.":[155],"Our":[156],"findings":[157,286],"reveal":[158],"that,":[159],"while":[160,208],"each":[161],"unique,":[164],"share":[166],"several":[167,220],"noteworthy":[168],"similarities:":[169],"Russian":[170],"business-like":[172],"operations,":[173],"an":[174,198,252,260],"emphasis":[175],"brand-building,":[177],"strong":[178],"leadership":[179],"structures,":[180],"propensity":[182],"retaliation,":[184],"use":[185],"ransomware-as-a-service":[187],"models,":[188],"deployment":[190],"multi-level":[192],"extortion":[193],"tactics.":[194],"These":[195],"insights":[196,275],"provide":[197],"evidence-based":[199],"how":[202],"such":[203,259],"function":[205],"compare,":[207],"also":[209],"offering":[210],"important":[211],"leads":[212],"wider":[214],"mitigation":[215],"strategies.":[216],"Consequently,":[217],"make":[219],"actionable":[221],"recommendations":[222],"disrupt":[224],"ecosystem":[227],"undermining":[229],"branding,":[232],"targeting":[233],"affiliate":[234],"networks,":[235],"publicly":[237],"exposing":[238],"key":[239],"members.":[240],"To":[241],"our":[242,285],"knowledge,":[243],"first":[247],"study":[249],"leverage":[251,284],"synthesise":[258],"extensive":[261],"body":[262],"material,":[265],"apply":[268],"robust":[269],"qualitative":[270],"methods":[271],"derive":[273],"comparative":[274],"security":[278],"community.":[280],"In":[281],"addition,":[282],"introduce":[288],"new":[290],"conceptual":[291],"framework":[292],"can":[298],"studied,":[300],"profiled,":[301],"compared":[303],"future.":[306]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-03-27T14:29:43.386196","created_date":"2025-10-12T00:00:00"}