Abstract
Using Social Network Analysis (SNA), our study examines how cybercriminals organize and operate within Ransomware-as-a-Service (RaaS) networks by analyzing connections between 96 cybercriminals and 140 ransomware groups. We compared these online criminal networks to traditional organized crime groups to better understand their structure and operations. Initially, we expected to find RaaS networks operating similarly to traditional criminal organizations—with tight connections, central leadership, and close-knit teams. However, our analysis revealed that RaaS networks are more loosely organized and decentralized, with members being spread out rather than clustered in tight groups. However, similar to traditional organized crime groups, certain individuals play crucial roles as network "hubs" or "brokers" in RaaS networks. These key players maintain connections across different parts of the network and facilitate information sharing. Our statistical analyses, based on Ordinary Least Squares regression models with log-transformed outcomes, showed that individuals with more direct connections tend to be network “brokers”, helping bridge different parts of the network. These findings suggest that while ransomware groups share some similarities with traditional organized crime, they operate in distinct ways. By identifying and targeting key network players who keep ransomware operations running, law enforcement may be more effective in disrupting these criminal networks.