Reconceptualising organised (cyber)crime: The case of ransomware

The concept of organised cybercrime has been the subject of much debate over the last decade. Many researchers who have applied scholarly definitions of organised crime to cyber-criminal groups have concluded that such groups are not “organised criminal groups” and do not engage in “organised crime”. This paper adopts a different perspective to argue that certain cyber-criminal groups involved in ransomware can and should be considered organised crime if a more contemporary and flexible framework for conceptualising organised crime is adopted. We make this argument using three primary domains of organised crime first described by von Lampe: criminal activities, offender social structures, and extra-legal governance. We narrow in on the concepts of violence and extra-legal governance in particular as they have been interpreted to hold significant differences for criminal groups operating in physical and digital domains. The paper argues that it is time to move on from criminological debates regarding whether organised cybercrime can exist to focus on the many rich questions that researchers can take from organised crime scholarship and apply to cyber-criminal groups. We put forward a reconceptualisation of organised cybercrime towards this end.


Introduction
Organised crime is a concept that has suffered definitional confusion and controversy for decades (e.g., Varese, 2010).The term has, however, been applied quite broadly by governments and policy makers in relation to a wide range of crime types (see, e.g., Lavorgna, 2019).Scholars have also applied the concept of organised crime to various categories of cybercrime, including ransomware (see, e.g., Wall, 2021).However, there is considerable debate in the criminological literature about the extent to which groups of criminals operating online can be considered "organised cyber-criminal groups" and indeed whether the activities conducted by such groups can be classified as organised crime (e.g., Broadhurst et al., 2014;Lavorgna, 2019;Leukfeldt et al., 2017a).While some have left scope for potential exceptions (Leukfeldt et al., 2019), many researchers who have applied scholarly definitions of organised crime to cyber-criminal groups have concluded that such groups are not "organised criminal groups" and do not engage in organised crime (e.g., Lavorgna, 2016Lavorgna, , 2019;;Lavorgna & Sergi, 2016;Leukfeldt et al., 2017a;Musotto & Wall, 2020).These conclusions are based on varied definitions of organised crime and organised criminal groups, including those that apply a narrow view of organised crime, and one that is most aligned with prototypical "mafia groups".The primary argument as to why cyber-criminal groups cannot be considered organised crime include a perceived absence of extra-legal governance, including the use or threat of violence to coerce others, and meaningful capacities to control markets and territories (e.g., Lusthaus, 2013).
In this paper, inspired in part from others who have sought to question the distinction between offline/online or physical/digital crimes, we argue that certain cyber-criminal groups can and should be considered organised crime if a more contemporary and flexible framework for conceptualising organised crime is adopted.As recent scholarship advancing a "digital criminology" has argued, framing technological and non-technological as distinct from, or oppositional to, each other is no longer helpful or relevant in contemporary society (see Powell et al., 2018).This approach has been applied to a range of crime and justice issues, most notably various forms of technology-facilitated violence (e.g., Henry et al., 2020) but more recently to types of cybercrime (Mackenzie, 2022), cyber security (Dupont & Whelan, 2021), and organised crime (Di Nicola, 2022).Di Nicola (2022) advanced an interpretive framework that reflects the many potential ways in which new technologies may bring about changes in the organisation of criminals and their activities.Using the concept of "digital organised crime", Di Nicola ultimately presents organised crimes in digital society along a continuum, with the extent to which criminal groups leverage new technologies determining where they sit along that continuum.Although we view the idea of a continuum as useful, this approachalong with others who have sought to show the relevance of conceptualisations of organised crime to cybercrime (e.g., Broadhurst et al., 2014;Wall, 2015) does not explicitly address some of the more contentious elements of organised crime definitions (i.e., extralegal governance as a core feature of organised crime).We agree that narrow, inflexible definitional approaches applying "partially obsolete paradigms" (Di Nicola, 2022) to the concept of organised crime have outlived their usefulness.The paper advances scholarship by proposing an approach to organised crime that is appropriate for both traditional organised crime and organised cybercrime.We use the case example of ransomware groups to argue that the concepts of violence and territory, central to existing understandings of extra-legal governance, require reconceptualising to appreciate their physical and digital properties.
The paper proceeds as follows.First, we consider existing approaches to defining and understanding organised crime.We do this not by applying a single or even varying definitions of organised crime but through the application of three primary domains of organised crime as articulated by von Lampe (2015): criminal activities, criminal structures, and extra-legal governance.Indeed, von Lampe (2015) developed this framework in an explicit attempt to move the field out of the quagmire produced by competing and often conflicting definitions of organised crime.Second, we consider how existing research on organised cybercrime has interpreted these definitional properties of organised crime.We suggest that there is a need to apply more nuanced understandings of violence and extra-legal governance within definitions and frameworks of organised crime as they apply to criminal activity that occurs online.Third, we focus on ransomware criminal groups as a case example of organised cyber-criminal groups.It is important to emphasise that we do not aim to provide an empirical analysis of these groups or their activities.Our focus is instead at a conceptual level whereby we seek to examine how: (a) existing concepts and frameworks of organised crime can enrich scholarly understandings of ransomware groups; and (b) what is known about select ransomware criminal groups contributes to emerging criminological research on organised cybercrime.We conclude by reflecting on areas for further research on cyber-criminal groups.

Existing concepts and frameworks of organised crime
Decades of scholarship in the field of organised crime have not produced a universally accepted definition of the term organised crime.Some definitions focus on the criminal activities that characterise organised crime, sometimes including recognition that the activities may be undertaken by a group of actors without specifying any specific characteristics of such groups (e.g., Desroches, 2007, p. 831).Some definitions of organised crime privilege criminal activities such as drug trafficking, but do not mention anything about the organised criminal groups involved (e.g., Hagan, 2006).Other definitions focus only on the structure and characteristics of the groups (e.g., Federal Bureau of Investigation, 2020).Indicative of the problem, von Lampe (2022) has collected over 200 definitions of organised crime from various sources.
Scholars have argued that the heart of these definitional problems is the modifier "organised" (e.g., Bright & Whelan, 2021;Finckenauer, 2005;van Dijk, 2007).Confusingly, the term "organised" is used to refer to the organisation of complex criminal activities (e.g., drug trafficking) and to the social organisation of criminals who conduct such activities (i.e., organised criminal groups).Finckenauer (2005) argued that some types of crime can be committed by an individual acting alone or by two or more individuals coordinating activities (note that most definitions of organised criminal groups require three or more actors).However, as noted by Finckenauer (2005), some crimes are too complex to be committed by lone actors.These include multifaceted activities involving multiple stages and interlocking events requiring a range of skills, knowledge, and roles (e.g., transnational drug trafficking).In this framework, these more complex crimes can be considered those that are organised, requiring collaboration between individuals.Even readers new to the organised crime space should be able to see the significant problems and circuitous reasoning that characterise these concepts and definitions.The substantive problem with the term organised crime relates to the conflation of criminal activities or "crime that is organised" with the social organisation of criminals who undertake such activities (i.e., organised criminal groups).
As with the term organised crime, scholars have critiqued the construct of organised criminal groups.Von Lampe (2015) argued that to be effective at carrying out a range of criminal activities over time, organised criminal groups require at least some type of social structure and a system for issuing orders.Similarly, Finckenauer (2005) suggested that organised criminal groups can fall along a continuum to the extent that they display a range of features including criminal sophistication such as planning of complex activities, diverse knowledge and skills among members, and durability across time; organisational structure including division-oflabour and lines of authority or leadership; self-identification in which actors identify as members of that group; and authority of reputation in which the group can utilise its reputation (e.g., for violence) in lieu of actual action and to facilitate its criminal activities.The idea of a continuum is useful because it recognises that although some classic forms of organised crime (e.g., mafias) may be at the extreme end on all four features, it does not suggest that organised crime and mafia are the same thing.It is also these characteristics that distinguish organised criminal groups from "gangs", with very few gangs meeting the threshold in terms of criminal sophistication, organisational structure, and authority of reputation to be considered "organised crime" (Decker et al., 2022).
In an attempt to overcome definitional issues, von Lampe (2015) suggested that rather than seeking an overarching definition of organised crime, the construct could be analysed across three broad domains: criminal activities, criminal structure, and extra-legal governance.In von Lampe's (2015) view, useful definitions of organised crime will organically emerge from this conceptual work.Criminal activities can lie on a continuum from spontaneous, impulsive events through to criminal activities that require a complex, integrated plan involving multiple stages of interlocking activities, specialised skills over many months.More complex crimes often require collaboration among offenders (see Finckenauer, 2005).To successfully commit such crimes, certain routines, activities, and techniques need to be undertaken, often in a sequential order.To meet the threshold to be considered organised crime, these activities therefore need to be sufficiently complex and of a certain level of seriousness.Criminal structure refers to the social or organisational structures that underpin how criminals connect and interact with each other (including competition and collaboration).Although there are a variety of ways that criminals can interact, and a number of different frameworks for explaining such interactions, there are three primary social structures: market-based interactions, hierarchies, and networks (von Lampe, 2015).Importantly, these three structures are ideal categories, meaning that in reality social structures may be hybrids of two or even all three of these categories.
Extra-legal governance refers to the exercise of social and political power by organised criminal groups and usually involves actual or threatened violence (e.g., Barker, 2014;Sergi, 2022;Varese, 2017).Extra-legal governance is facilitated by quasi-governmental structures that allow criminals to control other criminals, regulate behaviour, protect contractual and property rights, provide protection against predatory criminals and law enforcement, and offer dispute resolution services.In return for these services and protections, criminal groups providing governance may also tax illegal income generated by other criminals.Extra-legal governance is often discussed with reference to the use or threat of violence to ensure compliance (e.g., Campana & Varese, 2018;von Lampe, 2015) and to monopolise illegal markets (e.g., Abadinsky, 2012).However, not all illegal markets are equally violent, and not all violence is directed against competitors.Some violence occurs within groups to control the behaviour of subordinates or because of factional wars.Violence is often used as a last resort as it tends to be costly in terms of resources and personnel, can attract unwanted attention from law enforcement, and can damage the reputation and business credentials of groups that seek to engender trust in their associates, business partners, and customers (see Reuter, 1985;von Lampe, 2015).Indeed, research on violence in illicit markets suggests that competition over market share accounts for a small proportion of observable violence and most violence occurs within networks and groups (Hopkins et al., 2013;Schlegel, 1987).To demonstrate how these characteristics can be used to examine cyber-criminal groups, we apply these categories to the case example of ransomware groups to explore whether such groups can be incorporated under the umbrella term organised crime.Before we do this, we provide some background on existing scholarship on organised cybercrime.

Revisiting organised cybercrime
Researchers have highlighted concerns regarding the applicability of concepts and definitions of organised crime to cybercrime.For example, McGuire (2012) suggested that as much as 80% of cybercrime could be the result of some form of organised criminal activity.Most criminal groups were described as loosely connected networks, an observation that others have used to describe notions of (dis)organised cybercrime (Broadhurst et al., 2014;Wall, 2015).Others have adopted a more critical position.For example, some have argued that the notion of "cyberorganised crime" may be a case of moral panic (Lavorgna, 2019) and/or represents the conflation of organised crime with "serious crime" in law enforcement and political discourse (Lavorgna & Sergi, 2016).Among other things, researchers have examined the internal dynamics of various dark web forums facilitating illicit transactions, with Lusthaus (2013) making a case for distinguishing between such forums and the individuals or groups behind their operations.Ultimately, Lusthaus (2013) concluded that even if such forums were administered by criminal groups, it is very difficult to consider such groups as organised crime (see also Leukfeldt et al., 2017a).Leukfeldt et al. (2017a) reached a similar conclusion, suggesting that the cybercrimes they analysed would meet only "broader definitions" of organised crime that do not require evidence of corruption, threats of violence, and attempts at market monopolisation.This does not mean, for Leukfeldt et al. (2017a), that cybercrimes are necessarily any less serious than organised crime.Instead, they emphasise the need for better ways of describing and analysing harm, threat, and risk for specific cybercrimes.
We offer three main observations on the literature critiquing the relevance of research on organised crime to the field of cybercrime.First, there has been a subtle, underlying focus on organised crime in a rather narrow form: that is, as conceptualisation of mafia.It is not surprising, we would argue, that cyber-criminal groups would appear as "disorganised" networks (Wall, 2015) that are "more like Amazon than Mafia" (Musotto & Wall, 2020).Mafia groups, in our view, are relatively unique in their accumulation of social and political power and their engagement in extra-legal governance.Non-mafia groups are rarely able to match the same degree of such power, and some are unable to exert it outside their territories.Furthermore, extant research on organised crime has highlighted the extent to which traditional hierarchical groups are best understood through a network lens (e.g., Bouchard, 2020;Bright & Whelan, 2021;Morselli, 2009).Those groups providing "crime-as-a-service" (Paquet-Clouston & Garcia, 2022), which as we will see include groups involved in ransomware, appear mindful of the competitive nature of their business model and therefore the need to offer compelling value and service relative to their competitors in a similar way to legitimate businesses (see also Lusthaus et al., 2022;Paquet-Clouston & Garcia, 2023).We agree that cyber-criminal groups will display different dynamics compared with mafia-type groups; however, like others (e.g., Di Nicola, 2022), we contend that it is not the lack of hierarchical organisation that distinguishes cyber groups from traditional organised crime but rather the different markets in which they operate.We will return to this point below.
Second, researchers have pointed out that violence, considered key for the capacity of organised crime groups' regulation and control of markets and territory (Lusthaus, 2013), cannot (yet) function in cyberspace in an equivalent manner to the physical world.We recognise there are significant differences between exerting physical violence resulting in physical harm or death, or the threat of such acts, and engaging in online attacks against rival individuals or groups and their infrastructure (Musotto & Wall, 2020).Yet, we note that new forms of violence are emerging that can exert impacts in the physical world.The tactic of "doxxing" is one example that could be weaponised by actors ascertaining and revealing the identity of rivals in ways that could compromise their physical safety (e.g., de Bruijne et al., 2017).Cryptomarket researchers have suggested that denial of service (DoS) attacks have been launched against those running competitor sites (Moeller et al., 2017;Zhou et al., 2020).If these claims are accurate, they represent examples of cybercrime groups using cyber-attacks against the infrastructure of rival groups in an attempt to monopolise or gain market share within highly profitable online illicit markets.We can add to this "deepfakes"largely thought of as a gendered cybercrime (e.g., Flynn et al., 2022;Henry & Flynn, 2020) which could also be used tactically by organised cyber-criminal groups for the purposes of coercion or control (e.g., Paterson & Hanley, 2020).It is easy to envisage circumstances where these strategies could be used to cause significant psychological and physical harm (e.g., by putting individuals or groups in harm's way of other violent individuals or groups).Doxxing, DoS attacks, and deepfakes are only three examples; there are many ways to inflict significant harm by attacking a rival groups' assets or infrastructure.
Given the rise of digital identities and spaces, the notion that violence committed by organised crime can only be physical is likely to become increasingly problematic.For example, should traditional organised crime groups utilise online methods of violence and coercion over physical ones, one would not expect this to mean that they fall outside of existing frameworks of organised crime.Indeed, as more empirical evidence comes to light, the full spectrum of criminal activities undertaken by cyber-criminal groups should be examined to reveal any intersections with more traditional organised criminal groups (see also Di Nicola, 2022; Leukfeldt et al., 2019).At this point, these questions remain unknown.However, violence brings attention from law enforcement and policy makers that could undermine criminal markets as well as threaten organised crime groups' survival.It is feasible that some groups may opt for more covert forms of "cyber violence" that might be just as effective in achieving their objectives while involving significantly less risk of detection.As such, while we recognise that there are differences, as argued at the outset of the paper, we feel it is time to reassess the extent to which a neat divide between our physical and digital selves continues to hold utility.We suggest, then, that a broader conceptualisation of violence in the context of organised crime and cybercrime is required.In our conceptualisation of violence in the context of organised crime, the key factor is the intent and capability of groups to cause significant harm while coercing others in the furtherance of their criminal objectives (see also Wood (2021) on humantechnology harms).The methods by which these groups can inflict such harm are not fixed.
Third, and relatedly, scholars have argued that cyber-criminal groups do not and cannot engage in extra-legal governance.For example, Lusthaus (2013) considered administrators and moderators of dark web forums' attempts to facilitate a level of governance within the cyber-criminal world, including restricting access and guaranteeing trust, and thereby supplying protection for their users.Lusthaus argued that this is insufficient to classify them as organised crime as such groups do not seek "to control the supply of protection" (Lusthaus, 2013, p. 55), as in attempting to control criminal markets and territory.For example, Lusthaus (2013) noted that a cyber-criminal who has been banned from an online forum or cryptomarket may create a new account that facilitates further access to the site, thereby undermining attempts at extra-legal governance by administrators.We provide two responses to this activity from the perspective of extra-legal governance.First, we note that attempts to regulate behaviour are likely to trigger attempts to sidestep such regulation, just as they are in the offline world.Such attempts to blunt the impact of regulation do not necessarily render such attempts at regulation moot or void.Second, opening a new account necessarily involves losing one's preexisting online reputation.Given that reputation is an essential indicator of trust and is critical to success in various online criminal forums (Przepiorka et al., 2017), creating a new account is a high risk and costly manoeuvre.Furthermore, those who violate site rules have also been known to suffer more serious forms of sanction, including doxxing, which can indeed result in "offline" harm (Morselli et al., 2017).This type of reputational damage, in a context where reputational capital is both expensive and sought after, is a significant punishment meted out by administrators in an attempt to regulate the behaviour of subordinates.In this way, we argue, such activities are akin to extra-legal governance.
There is no doubt that controlling online territory is a significantly different question to that of offline territory.The notion of "territory" has a qualitatively different meaning in the digital and physical worlds.However, this could indeed be viewed as an advantage for cyber-criminal groups (e.g., one market can be taken down and groups can create another, one group may attract too much attention and then rebrand under a different name).This difference between physical and digital markets and territory may appear to suggest that cyber-criminal groups cannot be understood using existing concepts of extra-legal governance.In contrast, we argue that there is a reason to rethink the role and function of illicit governance in the digital economy and society.Although we recognise that empirical evidence is limited, some cyber-criminal groups are widely believed to engage in corruption and leverage their relationships with states to launder funds and secure safe haven (Martin & Whelan, 2023).We have also seen some groups challenge others for status and recognition, and recently have even seen select groups threaten the governing power of states.In the next section, we use a case example of ransomware to unpack these arguments in the context of three core features of organised crime as theorised by von Lampe (2015) and discussed earlier: criminal activities, criminal structures, and extra-legal governance.

Applying the framework: a case example of ransomware
Ransomware is a form of malware (malicious software) designed to seek out vulnerabilities in computer networks and/or operating systems that allows the perpetrator to extract and/or encrypt data until a unique code (or "key") is used to unlock that data or device.Ransomware attacks can take many forms.Among the most common include requiring a ransom be paid in cryptocurrency before a key is provided to allow the victim to regain access to their device (e.g., Connolly & Wall, 2019).The United Kingdom's National Cyber Strategy refers to ransomware as the most significant cyber threat (Her Majesty's Government, 2022) while Europol's European Cybercrime Centre has identified ransomware as its highest priority, referring to it as "the most dominant threat … within as well as outside of Europe" (Europol, 2020, p. 25).Recent developments include the provision of Ransomware as a Service (RaaS) in which groups facilitate ransomware attacks by selling or licensing malicious code to criminal actors via forums on the dark web, and "big game hunting", where ransomware attacks target large corporations and demand ransoms that can reach into the tens of millions of dollars.Ransomware can therefore be characterised as a complex and sophisticated cybercrime that has evolved significantly in recent years.
Perhaps the most immediately striking aspect of contemporary ransomware is the scale and impact of attacks.Ransomware attacks have disrupted global food and fuel suppliesas with REvil's attacks against JBS Foods (DiMaggio, 2022) and DarkSide's attacks against the Colonial Pipeline (Russon, 2021), both occurring in mid-2021and, as a consequence of a series of attacks in 2022 against government departments in Costa Rica by Conti, caused the world's first national state of emergency in response to cybercrime (Recorded Future, 2022).Such high-profile attacks represent the tip of the iceberg of contemporary ransomware activity, with the majority of attacks targeted towards small to medium-sized enterprises, many of which risk going out of business if they do not pay a ransom (Voce & Morgan, 2021).The vast damage wreaked by ransomware attacks is facilitated by a diverse and rapidly growing ransomware ecosystem, with a variety of groups working in concert with one another to carry out attacks on an industrial scale (Wall, 2021).
We focus in this case example on the most prolific and sophisticated ransomware groups who have engaged in some of the most damaging attacks to date.Groups such as Conti, DarkSide, Evil Corp, Hive, LockBit, and REvil have all been attributed to significant ransomware attacks resulting in substantial economic and social harms.Recent analysis of cryptocurrency transactions has found these groups have extorted between USD25 million and USD180 in identifiable transactions each in 2021 alone (Chainalysis, 2022).The United States (US) has recently declared many of these groups "transnational organised crime groups" (US State Department [DoS], 2021[DoS], , 2022)).Although relatively little empirical data exist about these groups and their criminal histories, we believe that there is sufficient evidence to suggest that examining them from an organised crime perspective has considerable utility.We further argue that the lack of clarity as to whether ransomware criminal groups should be considered organised crime reinforces the need for a reconceptualisation of organised cybercrime.In the remainder of the paper, we identify and examine existing definitions and frameworks of organised crime to reveal elements that require rethinking to incorporate contemporary developments in cybercrime using the activities of ransomware criminal groups as a case in point.

Criminal activities of ransomware groups
Organised crime can include a broad array of criminal activities reaching a certain level of complexity and seriousness.Market-based crimes are those that typically involve the provision of illegal goods or services.Predatory crimes are characterised by harmful interactions between offenders and victims, including financial crimes (e.g., fraud) and exploitation (e.g., human trafficking).Finally, regulatory or governance crimes are characterised by the establishment and enforcement of behavioural norms and adjudicating disputes.
Ransomware attacks are highly complex, require an integrated plan, multiple stages of interlocking activities, and require a range of specialised skills (Matthijsse et al., 2023).Ransomware attacks often take many months to complete (Wall, 2021).Ransomware attacks are both market-based crimes (developing and selling ransomware) and predatory crimes (theft and extortion).They are market-based crimes because they involve illicit markets for goods and services that are in demand (i.e., malicious code), and they are predatory crimes because they involve harms inflicted on victims by offenders.
Other activities of ransomware groups are not so straightforward to characterise within an organised crime framework.For example, Conti's attacks against Costa Rica in mid-2022 mentioned above appear to have been more motivated by seeking publicity than financial gain, perhaps also because it was the last attack before the group reportedly fragmented and subsequently relaunched in smaller components (Abrams, 2022).This overt display of power against a state is not dissimilar to the modus operandi of Central and South American drug cartels that frequently use spectacular acts of violence to demonstrate their power, undermine state legitimacy, and further entrench their position in the illicit economy (Trejo & Ley, 2018).The activities of ransomware groups such as Conti, DarkSide, and REvil therefore certainly appear to be analogous with criminal activities of other organised crime groups.As a consequence, we argue that ransomware groups can and should be examined through the lens of organised crime and that such examination will enrich our understanding of such groups.

Offender social structures of ransomware groups
Empirical accounts of the social structures of ransomware criminal groups remain limited and typically published by cybersecurity analysts.We are focused here only on what these insights reveal when considered in the context of current conceptualisations and frameworks applied to organised crime.Much of the extant evidence suggests many ransomware criminal groups discussed so far adopt a market and network-based social structure involving a "core" group and "affiliates" in the periphery of the network (see also Paquet-Clouston & Garcia, 2022).The core appears to comprise a relatively small number of individuals who develop the malware and coordinate the group's operations.Affiliates engage with the core on some form of contractual basis and are often those responsible for carrying out a significant proportion of the ransomware attacks.Available evidence suggests that ransomware groups have a profit-sharing arrangement whereby affiliates receive between 60% and 80% of the revenue from ransomware attacks they conduct (Liska, 2021).Affiliates appear to be in very high demand from ransomware criminal groups, with some engaging with more than one group at a time (DiMaggio, 2022).Furthermore, in early 2022, tens of thousands of internal communications between Conti members were leaked.Although largely in Russian and full of jargon, these leaks revealed a criminal organisation involving between 65 and 100 members (e.g., Forescout, 2022) and much about that group's sophisticated structure and division-of-labour, including coders, testers, administrators, reverse engineers, and hackers (e.g., Krebs, 2022).Like REvil (DiMaggio, 2022), skilled workers were promised sign-on bonuses, high salaries, and attractive work conditions.This form of social structure differs from the hierarchical structures characteristic of stereotypical mafia groups (Musotto & Wall, 2020).Instead, it appears that ransomware groups are structured more like legitimate businesses (Matthijsse et al., 2023), or criminal networks, that are the dominant contemporary structure for organised crime groups (Leukfeldt et al., 2017b(Leukfeldt et al., , 2019)).Indeed, ransomware groups appear to show a primarily networked form, consistent with offline organised crime groups, combined with some hierarchy and division-of-labour, making them more a hybrid form of organised crime group (see, e.g., Bright et al., 2012).The sophisticated division-of-labour characteristic of ransomware groups further suggests that there is not only leadership and some form of hierarchy, but also norms and formal protocols for decisionmaking.There are significant benefits associated with such groups adopting a network structure, such as enhanced security and resilience, efficient communication, and capacity for rapid adaptation (e.g., Bright & Whelan, 2021;Morselli, 2009).As such, there appears to be utility in examining the organisational structures of ransomware criminal groups through an organised crime lens.In particular, we see merit in applying market and network-based perspectives to examining the structure of ransomware criminal groups.

Extra-legal governance by ransomware groups
There are four main types of extra-legal governance activities observed within territories or markets (see von Lampe, 2015).The first is regulation such as the control of who operates in a given territory or market, what activities criminals are permitted to undertake, and how the activities are undertaken.The second is conflict resolution, including interpersonal or contractual disputes.The third is protection against external threats, including protection from law enforcement through corruption.The fourth is taxation whereby a criminal group extracts a share of illicit profits from "the illegal enterprises under its control" (von Lampe, 2015, p. 204).There is some controversy over the nature of such taxation.For example, Schelling (1976) characterised such taxation as extortion, while according to Gambetta (1993), individuals and groups pay willingly because they receive critical services in return.Furthermore, in the context of the current paper, it is important to distinguish illegal governance from extortion.Although extortion rarely has benefits for victims, extra-legal governance provides benefits for criminal subordinates by reducing risks and uncertainty.Some organised criminal groups have been known to engage in all four types of governance and therefore represent an ideal form of illicit governance (e.g., Jacobs, 2020;von Lampe, 2015).For example, Cosa Nostra families seek to establish control over their territories or illicit markets using coercion.Only illegal entrepreneurs with the imprimatur of Cosa Nostra members are allowed to operate within the territories or markets under their control.In addition, Cosa Nostra offers dispute resolution services for a fee and regulates certain criminal activities, particularly those seen to be morally corrupt (Reuter, 1983).In these cases, the Cosa Nostra operates akin to an extra-legal government (Abadinsky, 2012;von Lampe, 2015).Illegal entrepreneurs who operate without the approval of Cosa Nostra members, or who violate the rules of the territory or market under Cosa Nostra control, may be targeted with violence and other means of coercion or punishment (Lombardo, 1994;Rudolph, 1995).By contrast, some organised criminal groups will engage in more limited forms of governance.For example, Outlaw Motorcycle Gangs have been known to attempt to regulate who operates within certain territories often using actual violence, will provide conflict resolution services, and engage corrupt facilitators such as lawyers and real estate agents in order to further their interests and protect against external threats (e.g., Lauchs et al., 2015).In another example, Bright andcolleagues (2012, 2019) studied a sophisticated methamphetamine trafficking group in Australia.They found no evidence that the group engaged in activities akin to regulation, conflict resolution, or taxation but did bribe police officers who tampered with potentially incriminating evidence.
As noted at the outset of this paper, it is largely the absence of regulationthe control of markets and territoriesthat scholars have used to conclude that cybercrime is incompatible with organised crime (e.g., Lusthaus, 2013).As previously discussed, the argument is that cyberspace offers limited capacities to threaten and/or inflict actual violence and to effectively control territory.We argue that this position needs to be reconsidered and that a more nuanced conceptualisation of extra-legal governance is required for a digital age.We recognise that there are qualitative differences between physical and digital territories but argue this alone should not be considered a sufficient feature prohibiting cyber-criminal groups from being viewed as organised crime.We argue that this interpretation needs to evolve in response to forms of criminal activity and groups that were largely unimaginable over the period in which most organised crime scholarship was conducted.In the case of ransomware groups, the scale and sophistication of attacks and the immediate threats that their victims experience are inherently violent.If such activities were to be replicated in the physical worldfor example, if it were otherwise possible for a group to hold a corporation, hospital or even a national government to ransom, or if the data stolen were physical datawe could not foresee a reluctance to view such groups as organised criminals engaged in predatory, harmful crime characterised by the exertion of social power and influence.
Moving on from regulation, it is entirely possible for cyber-criminal groups to engage in the other three forms of governanceconflict resolution, protection against external threats, and taxationin online settings.Importantly, these services are provided by ransomware groups for other cyber-criminals both within and outside their discrete group.For example, analysts have observed underworld forms of arbitration emerging to resolve disputes within and between criminal groups.One such example concerns a case brought forward by an affiliate of REvil against the core group for a claim of USD14 million.According to DiMaggio (2022), who gained access to the internal discussions between members of REvil, the affiliate alleged that REvil opened a backchannel with a company that the affiliate was in negotiations with regarding a ransom payment and offered to provide them with the decryption key for a significantly reduced amount.This ransom payment would likely have still resulted in a higher amount going to the core due to not having to share profits with the affiliate.Other rival ransomware groupsin this case, LockBitreportedly supported the claim of the affiliate while the arbitrator ultimately determined that there was insufficient evidence to support the claim in the absence of a proof of payment.Four days later, REvil purportedly deposited USD1 million in bitcoin to the forum where the arbitration took place (DiMaggio, 2022).
The Conti leaks also show evidence of dispute resolution between members, with some requesting certain members be expelled from the group for targeting hospitals when there was apparently an agreement that hospitals were to be off limits (Forescout, 2022).Furthermore, in relation to protection, there is limited evidence of any corruption, including in the Conti chat leaks, but scholars (e.g., Jensen et al., 2021;Martin & Whelan, 2023) and cybersecurity analysts (e.g., Recorded Future, 2021) have both speculated that many such groups have invested in varying forms of protection based on their proximity to state actors.Finally, it is possible to view members of the core "taxing" affiliates via their profit-sharing arrangements even though we recognise most affiliates may be happy to pay provided that they are satisfied with the level of service they receive in return.It is worth emphasising again that affiliates are not only paying for access to ransomware tools and infrastructure; they are also paying for the group's authority of reputation in much the same way that individual mafia members benefit from the reputation of their organisation.For all of these reasons, we believe that there are sufficient grounds for ransomware criminal groups to be viewed as engaging in extra-legal governance commensurate with traditional forms organised crime.

Conclusion
Scholars have raised many legitimate criticisms suggesting that existing frameworks and conceptualisations of organised crime are not useful for understanding the structure and operation of cyber-criminal groups (e.g., Lavorgna, 2016Lavorgna, , 2019;;Lavorgna & Sergi, 2016;Leukfeldt et al., 2017a).Some scholars have argued that organised crime and cybercrime are fundamentally distinct (e.g., Lusthaus, 2013).Others have argued, not unlike us, that cyber-criminal groups have more in common with legitimate businesses than mafias (e.g., Lusthaus, 2018;Musotto & Wall, 2020).Recent work by Di Nicola (2022) has added the prefix "digital" to organised crime as one approach to integrating concepts drawn from scholarship on organised crime and cybercrime.The notion of digital organised crime essentially refers to groups of individuals (and/or technologies) collaborating in any type of social structure to commit complex criminal activities over time in physical, digital, or hybrid forms.Although this framework provides a step forward in terms of extending existing conceptions of organised crime, the absence of one of the core features of organised crimeextra-legal governanceleaves scope for further work on definitions, interpretations, and theories of organised crime in digital society.
Our approach in this paper has sought to integrate these differing perspectives by incorporating the criminal activities and criminal organisation elements (see Di Nicola, 2022;von Lampe, 2015) in addition to the key concept of extra-legal governance (see Leukfeldt et al., 2017a;Varese, 2017).Thus, rather than existing definitions, we have advocated the use of core characteristics of organised crime as an optimal starting point for conceptualising organised (cyber)crime.We employed three such characteristics elucidated in a framework developed by von Lampe (2015).This framework addresses criminal structures and activities, which can clearly involve physical and digital forms (Broadhurst et al., 2014;Di Nicola, 2022;Wall, 2015), while recognising that extra-legal governance is a core feature of organised crime (Varese, 2010) and, as such, distinguishes organised crime from crime that is organised (Finckenauer, 2005).We have argued that the key concepts of violence and territory, which have been interpreted to hold qualitatively different meanings when comparing organised crime operating in physical and digital domains, require rethinking in the contemporary digital economy and society.Whereas traditional organised crime groups may seek to control markets and territories through physical violenceincluding the physical destruction of propertyransomware criminal groups can cause at least as much harm as most traditional groups via attacking data, systems, and networks.We have put forward a broader interpretation of violence that is based on the intent to inflict significant harm (including political, financial, and reputational harms) rather than only physical harm.We have also argued that extra-legal governanceparticularly in relation to the notion of territoryrequires a more nuanced approach in digital contexts.There are many ways that cyber-criminal groups can control and influence behaviour, including through fear, without needing to enact physical violence, much like many organised criminal groups who use reputational capital to govern and regulate illicit markets in physical domains.Following this approach, we have argued that many contemporary ransomware criminal groups can and should be analysed and understood through the lens of organised crime.
In conclusion, we have argued that criminological research should focus more on the similarities than on the differences between emerging cyber-criminal groups and more traditional organised criminal groups.Using our conceptual and theoretical approach, cybercrime (or cyber-criminal groups) can be considered organised crime (or organised criminal groups) where such activities and groups show evidence of the three core characteristics of organised crime.That is, where criminal activities and social structures are commensurate with contemporary understandings of organised crime, and where there are attempts to engage in illicit governance in physical and/or digital forms.Criminologists will no doubt continue scholarly debates concerning the concept of "organised crime".Alongside such debates, and to inform them, researchers should also focus on the range of rich questions that can be posited and explored by applying the advances made in organised crime scholarship to emerging cybercriminal groups.Empirical analyses using these frameworks will advance understanding about the extent to which select cyber-criminal groups should be viewed as contemporary examples of organised cybercrime and, in Di Nicola's (2022) words, where they sit along the digital organised crime continuum.As empirical data come to light, future research should examine the ways in which ransomware criminal groups organise their activities, are internally structured, and engage in extra-legal governance within the context of existing organised crime scholarship.