Hacker News

You are assuming far too much competence.

There are certainly criminals who know what they're doing, but there are also plenty of them that don't.

Also, the C&C kind of does need to be online because it needs to hand out keys to paying "customers" instantly. I mean, it doesn't have to be, but not doing it is probably worse for business than losing a couple days' worth of ransom from time to time.

Edit: Also keep in mind that the good people can often get decently paid legit jobs. Ransomware is profitable, but when you consider how many people will be splitting the loot, the need for tech support, the need to launder the money, the higher risk (translating to higher costs) of being a criminal, it's probably not even profitable enough to attract the best. Hiring competent people for security jobs is hard even for legit companies, and being a criminal gang won't make it easier.



It's an arms race. The incompetent criminals are being weeded out while the system lets the apt ones thrive. It's telling that computer fraud has grown while low-hanging fruit is being showcased.

Also, competent engineers are not employed by mafias; they are coerced into it. Money is just an added bonus.



