Full Report
Lyne compared the underground landscape to a bar where threat actors can "get everything but a good drink." "It felt like cyber threats were all quite stovepiped. You had hacktivists, you had hostile state actors," Lyne explained, reflecting on his early career. Today, however, those lines have blurred. "Those kind of stovepipes... no longer really exist."
While massive international law enforcement operations have successfully dismantled groups like LockBit and disrupted phishing-as-a-service (PhaaS) platforms, Lyne cautioned that the criminal underground is rapidly adapting.
Addressing the inevitable topic of AI, Lyne dispelled fears of autonomous systems launching end-to-end cyber attacks, but highlighted a pressing new risk for enterprise data privacy. "These guys are generally not innovative," Lyne noted, explaining that they only change their methods if they are "systematically earning less money... or they spy an opportunity to make more money." Having stolen and hoarded petabytes of corporate data over the last decade, data that was rarely deleted even when victims paid the ransom, cyber criminals are now using AI tools to operationalize these massive "treasure troves" and mine historic datasets for new extortion and revenue streams.
Analysis Summary
# Industry News: Ransomware Landscape Shifts Toward Fragmentation and AI Data Mining
## Summary
The global cybercrime ecosystem is undergoing a fundamental transformation, transitioning from monolithic ransomware-as-a-service (RaaS) cartels to a fragmented landscape of volatile splinter groups. Following successful law enforcement operations, threat actors are decentralizing to evade detection while leveraging AI to operationalize a decade’s worth of hoarded corporate data for new extortion streams.
## Key Details
- **Date:** June 4, 2026
- **Companies Involved:** Metropolitan Police Service (UK), Infosecurity Europe, LockBit (disrupted), Scattered Spider
- **Category:** Market Analysis and Predictions / Threat Landscape Trends
## The Story
Speaking at Infosecurity Europe 2026, William Lyne, Head of Economic and Cybercrime at the Metropolitan Police, described an underground market that has become "commoditized." The traditional "stovepipes" of hacktivists, state actors, and criminals have blurred into a "bazaar" where services are easily purchased.
Heavy-handed law enforcement actions against giants like LockBit have inadvertently led to a "post-trust" era. To minimize risk, criminals are abandoning large, centralized brands in favor of independent, smaller cells. These splinter groups are often more aggressive and unpredictable, lacking the "internal moderation" of the old cartels. Furthermore, the barrier to entry has dropped due to the ease of "cashing out" via cryptocurrency, which has replaced complex money-mule networks.
## Business Impact
### For the Companies Involved
- **Law Enforcement:** Agencies must pivot from targeting "central hubs" to a broader, more intelligence-heavy approach to track diverse, transient groups from emerging hubs in Brazil and Türkiye.
### For Competitors (Cybersecurity Providers)
- **Service Evolution:** Security vendors must shift focus from "known entity" signatures to behavior-based detection and data-centric security, as the "who" is becoming harder to identify than the "how."
### For Customers (Enterprise Leaders)
- **Liability Increase:** The risk of "legacy" data breaches is rising. Cybercriminals are using AI to mine petabytes of stolen data from the last decade, meaning a company's past security failures are being weaponized for present-day extortion.
### For the Market
- **Insurance and Risk:** The volatility of splinter groups makes cyber-risk harder to model. Insurers may tighten requirements as attackers move from "spray and pray" to targeted exploitation of specific business vulnerabilities.
## Technical Implications
- **AI-Managed Extortion:** AI is not yet launching end-to-end autonomous attacks, but it is being used to automate the "mining" of unstructured stolen data to find high-value secrets or leverageable information.
- **RaaS Evolution:** The shift to "SystemBC" malware for covert tunneling and lateral movement indicates a technical refinement in how these smaller groups operate to evade EDR (Endpoint Detection and Response) systems.
## Strategic Analysis
- **Market Positioning:** Threat actors are moving from a "Volume/Brand" model to a "Stealth/Niche" model.
- **Competitive Advantage:** For criminals, the lack of a "brand" is now a survival advantage against international takedowns.
- **Challenges:** The primary challenge for businesses is "data debt." Storing old data that should have been deleted provides a permanent revenue stream for hackers via AI-assisted discovery.
## Industry Reactions
- **Met Police Expert Opinion:** Lyne notes that criminals are not "innovative" by nature; they change only when their earnings decrease or a massive new revenue opportunity (like AI) appears.
- **Market Response:** Analysts highlight that more than half of security leaders would still consider paying a ransom, despite the increasing volatility and lack of honor among new splinter groups.
## Future Outlook
- **Predictive Mining:** Expect a surge in "historical extortion" where companies are threatened with the release of data stolen years ago that has finally been parsed by AI.
- **Diversified Hubs:** Watch for increased activity originating from outside traditional Eastern European corridors, specifically Brazil and the English-speaking world.
## For Security Professionals
- **Data Hygiene is Priority One:** If you don't need the data, delete it. The "treasure troves" criminals are currently mining depend entirely on corporate data retention.
- **Expect Aggression:** Dealing with splinter groups is more dangerous than dealing with old-school cartels; negotiation outcomes are less certain, and "double extortion" is becoming the default.
- **Lateral Movement Monitoring:** Focus on detecting "covert tunneling" as groups move away from noisy, automated tools toward more surgical, manual lateral movement within networks.