Ransomware’s business model reshapes costs as cybercrime hits USD $10.5 trillion
Trustwave has highlighted the role of ransomware as a central driver in the global cybercrime economy, outlining how its shift from isolated disruption to profit-driven operations is reshaping organisational risks and costs worldwide.
The rise of economic logic
Recent analysis points to ransomware's evolution into a financially calculated enterprise, which now mirrors aspects of legitimate business models. Modern ransomware operations are facilitated by structured, professional networks, giving rise to a mature ecosystem.
Ransomware-as-a-Service (RaaS) offers affiliates pre-packaged toolkits, access dashboards, and even customer support, lowering the technical barrier for would-be attackers and creating a stable revenue flow through subscription fees and commissions.
Craig Searle, Director, Consulting and Professional Services (Pacific) and Global Leader of Cyber Advisory at Trustwave, explained, "The economic logic of ransomware is clear: extract maximum payment at the lowest possible cost."
"Attackers no longer rely solely on encryption. Double and triple extortion techniques add new revenue streams by threatening to leak stolen data or target an organisation's supply chain if payments are not made. These tactics increase pressure on victims, boosting the likelihood of payment while minimising the need for repeat compromise. The result is a scalable model where each compromise offers multiple opportunities for monetisation."
According to data from the World Economic Forum, the global cost of cybercrime is forecast to reach USD $10.5 trillion by 2025, placing the scale of cybercriminal operations on par with some of the world's largest economies.
Australian exposure and impact
Searle highlighted Australia's exposure to this model, citing its relative wealth, high internet penetration and rapid digital adoption, and pointed to the recent high-profile Medibank and Latitude Financial incidents as examples of the broader costs of cyber extortion.
"Australia is particularly exposed to this model due to its relative wealth, high internet penetration, and rapid digital adoption. Local organisations from Medibank to Latitude Financial have experienced the consequences of ransomware's economic efficiency."
"These attacks revealed how cyber extortion both damages immediate business operations and generates long-term costs through reputational harm, regulatory scrutiny, and customer attrition. These same factors strengthen negotiating leverage for attackers, as victims weigh the financial burden of payment against uncertain recovery costs."
Role of cryptocurrency
The extortion cycle is further fuelled by cryptocurrency. Pseudonymity and ease of international transfer allow cybercriminals to move funds beyond the reach of traditional oversight mechanisms. Attackers frequently route payments through mixing services or stablecoins, complicating efforts by authorities to trace transactions and disrupt criminal revenue streams.
This cycle of ransomware payments, as Trustwave notes, encourages continuous reinvestment and technological advancement within the cybercriminal economy.
Governmental response
In response to the challenge, governments are introducing regulations aimed at shifting the financial equation. New rules in Australia, for instance, now require organisations with annual turnover above AUD $3 million, as well as critical infrastructure operators, to report ransomware and cyber extortion payments to the relevant agencies within 72 hours, including payment details and communications with attackers.
Searle stated, "Governments are responding by reshaping the financial dynamics of ransomware through mandatory reporting regimes. Mandatory ransomware and cyber extortion payment reporting came into effect on 30 May 2025 for Australian organisations with an annual turnover above $3 million, as well as critical infrastructure operators, who must now report ransomware or cyber extortion payments within 72 hours. These reports must include details of the payment, method, and communications with attackers, providing government agencies with intelligence to disrupt the business model. Similar frameworks in the United States and United Kingdom demonstrate an international shift towards discouraging ransom payments and constraining the profitability of cyber extortion.
"This regulatory shift highlights a critical economic principle: ransomware thrives because victims pay. Governments aim to reduce the incentive structure that makes cyber extortion lucrative by mandating transparency. The idea is that the cost-benefit equation begins to tilt if attackers believe that payments will be reported, traced, or even blocked. This could erode the financial foundations of ransomware over time, though success depends on consistent global enforcement and the willingness of organisations to resist making payments."
Evolving cyber risks
While reporting regimes and regulatory changes seek to dampen the profitability of ransomware, the secondary market for ransomware kits, stolen data, and exploit tools remains robust, often facilitated in dark web forums. State-sponsored actors have also adopted similar tactics, complicating distinctions between financial and political motivations, and broadening potential security impacts for businesses and governments alike.
Searle identified high net worth businesses, celebrities, and political figures as particularly attractive targets in this cybercrime ecosystem. "Businesses that are primarily the domain of high net worth (HNW) can often be targeted as this provides criminals with access to credentials for people that are more likely to have the means to pay. There is also a higher chance of these businesses having credentials of a celebrity or politician. From the attacker's perspective, this increases the value of the credentials on the basis that they use them themselves to launch further attacks, or sell the credential sets on the black market."
Defensive strategies
Trustwave's analysis suggests that combating ransomware requires understanding its economic motivations as much as its technical aspects. Searle advised reframing security spending as an economic countermeasure, not just a technical safeguard.
"Understanding ransomware as an economic system, rather than a technical nuisance, is essential for modern businesses. Security investment should be framed as a way to alter the financial calculus of attackers, not just as a critical defensive measure. Stronger cyber hygiene, multi-factor authentication (MFA), and supply chain risk management reduce the likelihood of compromise, while clear incident response strategies minimise the power criminals can exert. Each measure increases the cost of attack, lowering expected returns for adversaries and weakening the overall market."
Shifting dynamics
Ransomware's success as a business model is sustained by continual profit and reinvestment. Defensive tactics, including the new reporting obligations, are focused on undermining the profitability that enables such scale within the ransomware industry.
Searle concluded, "Ransomware economics will continue to evolve if left unchecked. However, organisations and policymakers can begin to erode its profitability by recognising ransomware as a business and responding accordingly. Reducing cybercrime ROI is the only way to disrupt the cycle and weaken the financial model that has made ransomware one of the most pervasive threats of the digital age."