Cybersecurity Today — CST Replay: The Ransomware Ecosystem with Tammy Harper
Host: Jim Love
Guest: Tammy Harper, Senior Threat Intelligence Researcher at Flare I.O.
Date: September 20, 2025
Episode Overview
This replay episode features a deep dive into the ransomware ecosystem, drawing on the extensive expertise of guest Tammy Harper. Jim Love and Tammy explore how ransomware has evolved, the criminal business models that fuel its proliferation, notable ransomware groups and their tactics, the dark web’s role, negotiation processes, and how the ecosystem has shifted in recent years. The conversation is both accessible and detailed, making complex cybercriminal operations understandable for cybersecurity professionals and interested business leaders alike.
Key Topics & Insights
1. Introduction to the Ransomware Ecosystem
[02:20]
- Tammy Harper introduces her background: senior threat intelligence researcher and certified dark web investigator at Flare.
- Defines the “ransomware ecosystem” as a business platform, largely structured as an affiliate model—often described as an MLM or pyramid.
- “Ransomware as a service is built as an MLM. So it’s like a bit like a pyramid scheme.” — Tammy [02:35]
- Explains the economic breakdown:
- Affiliates typically get 80% of ransoms; platform providers retain 20%.
- “Initial access brokers” are specialists who guarantee unique, fresh access into targeted environments.
2. Key Terminology & Business Model
[05:05]
- Initial Access Brokers (IABs): Provide exclusive, high-value access not typically obtained from mass-leaked credentials.
- “Initial access brokers can almost guarantee that the access is fresh and has never been sold to anyone.” — Tammy [06:01]
- Double and Triple Extortion:
- Double extortion pairs encryption (locking systems) with exfiltration (stealing data and threatening to leak it); triple extortion adds further pressure such as DDoS or regulatory threats.
- Leak Sites:
- Public shaming platforms on the dark web (“Happy Blog,” etc.) where groups post victims and count down to leaks.
- “With the pseudo-anonymity of ransomware, you need to have that calling card and ransom note because it builds legitimacy...” — Tammy [08:54]
- Tools: builders that generate encryptor/decryptor pairs; victims face countdown timers to increase pressure.
3. Dark Web Monitoring & Public Awareness
[10:21]
- Open-source tools (“Ransom Look” etc.) scrape and monitor leak sites, enabling real-time tracking of attacks.
- “We’re currently tracking like 473 groups across 2,000 unique onions.” — Tammy [10:21]
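The leak-site monitoring described in sections 2 and 3 (scrapers watching leak sites and their countdowns) in working form, as an added example that is not Flare's tooling and not RansomLook's code. It assumes a scraper hands you one record per onion mirror with hypothetical field names (group, onion, victim, victim_url, posted, deadline); the groups, victims and onions in the sample feed are constructed. The monitor collapses the same listing seen on several mirrors of one group (the reason a few hundred groups can span thousands of onions), normalizes company names so that "Contoso Ltd." and "CONTOSO LIMITED" match, and raises alerts for your own domains and for suppliers, with the hours left on the group's countdown.

```python
"""Leak-site watchlist monitor (added example; constructed data, not a real feed)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample feed. Field names are an assumption, not any real
# scraper's schema. Two mirrors of "alphaleaks" repost the same victim.
SAMPLE_POSTS = [
    {"group": "alphaleaks", "onion": "alpha1xyz.onion", "victim": "Contoso Ltd.",
     "victim_url": "https://www.contoso.example/", "posted": "2025-09-18T09:00:00Z",
     "deadline": "2025-09-25T09:00:00Z"},
    {"group": "alphaleaks", "onion": "alpha2abc.onion", "victim": "CONTOSO LIMITED",
     "victim_url": "https://contoso.example", "posted": "2025-09-18T09:30:00Z",
     "deadline": "2025-09-25T09:00:00Z"},
    {"group": "betablog", "onion": "beta1def.onion", "victim": "Fabrikam Logistics Inc",
     "victim_url": None, "posted": "2025-09-19T14:00:00Z", "deadline": None},
    {"group": "betablog", "onion": "beta1def.onion", "victim": "Northwind Traders",
     "victim_url": "https://northwind.example", "posted": "2025-09-17T08:00:00Z",
     "deadline": "2025-09-20T08:00:00Z"},
]

# Your own domains plus suppliers whose breach would expose your data too.
WATCHLIST = {"contoso.example": "self", "fabrikam logistics": "supplier"}

# Fixed "now" so the countdown arithmetic is reproducible.
SAMPLE_NOW = datetime(2025, 9, 20, 9, 0, tzinfo=timezone.utc)

_SUFFIXES = re.compile(r"\b(ltd|limited|inc|incorporated|llc|corp|corporation|co|plc|gmbh|sa|ag)\b")


@dataclass(frozen=True)
class Post:
    group: str
    victim_key: str          # normalized name used for dedup and matching
    victim_name: str         # name as posted on the leak site
    domain: str | None
    posted: datetime
    deadline: datetime | None
    mirrors: tuple[str, ...]  # onions this listing was seen on


def normalize_name(name: str) -> str:
    """Lowercase, drop punctuation and corporate suffixes: 'Contoso Ltd.' -> 'contoso'."""
    s = re.sub(r"[^a-z0-9 ]+", " ", name.lower())
    return " ".join(_SUFFIXES.sub(" ", s).split())


def domain_of(url: str | None) -> str | None:
    if not url:
        return None
    host = urlparse(url).hostname or ""
    host = host[4:] if host.startswith("www.") else host
    return host or None


def parse_ts(s: str | None) -> datetime | None:
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so rewrite it.
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None


def parse_posts(raw: list[dict]) -> list[Post]:
    return [Post(group=r["group"].lower(), victim_key=normalize_name(r["victim"]),
                 victim_name=r["victim"], domain=domain_of(r.get("victim_url")),
                 posted=parse_ts(r["posted"]), deadline=parse_ts(r.get("deadline")),
                 mirrors=(r["onion"],)) for r in raw]


def dedupe(posts: list[Post]) -> list[Post]:
    """Merge the same (group, victim) seen on several mirrors: earliest sighting wins,
    mirrors are unioned, and a deadline/domain missing on one copy is taken from another."""
    merged: dict[tuple[str, str], Post] = {}
    for p in posts:
        key = (p.group, p.victim_key)
        q = merged.get(key)
        if q is None:
            merged[key] = p
            continue
        first = p if p.posted < q.posted else q
        merged[key] = Post(group=first.group, victim_key=first.victim_key,
                           victim_name=first.victim_name,
                           domain=first.domain or p.domain or q.domain,
                           posted=first.posted,
                           deadline=first.deadline or p.deadline or q.deadline,
                           mirrors=tuple(sorted(set(q.mirrors + p.mirrors))))
    return sorted(merged.values(), key=lambda x: x.posted)


def match_watchlist(posts: list[Post], watchlist: dict[str, str], now: datetime) -> list[dict]:
    """Alert on listings whose domain or normalized name hits the watchlist."""
    alerts = []
    for p in posts:
        label = None
        for entry, lbl in watchlist.items():
            e = entry.lower()
            domain_hit = p.domain is not None and (p.domain == e or p.domain.endswith("." + e))
            if domain_hit or normalize_name(entry) == p.victim_key:
                label = lbl
                break
        if label is None:
            continue
        hours_left = round((p.deadline - now).total_seconds() / 3600, 1) if p.deadline else None
        alerts.append({"group": p.group, "victim": p.victim_name, "label": label,
                       "mirrors": p.mirrors, "hours_to_leak": hours_left})
    return alerts


def group_activity(posts: list[Post]) -> dict[str, int]:
    """Unique victims per group, busiest first (what a tracker's group table shows)."""
    counts: dict[str, int] = {}
    for p in posts:
        counts[p.group] = counts.get(p.group, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def run(raw=SAMPLE_POSTS, watchlist=WATCHLIST, now=None):
    now = now or datetime.now(timezone.utc)
    posts = dedupe(parse_posts(raw))
    return posts, match_watchlist(posts, watchlist, now), group_activity(posts)


if __name__ == "__main__":
    posts, alerts, activity = run(now=SAMPLE_NOW)
    print(f"{len(posts)} unique listings from {sum(len(p.mirrors) for p in posts)} mirror sightings")
    for a in alerts:
        print(a)
    print(activity)
```

Name matching is deliberately loose (corporate suffixes stripped, subdomains folded into the parent domain), so a human should review a hit before anyone is paged; in production the feed comes from your own scraper or a vendor API rather than the embedded sample.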
4. A Brief History of Ransomware
[11:17]
- From the AIDS Trojan in 1989 to early file lockers in the 2000s, ransomware evolved as encryption methods improved.
- The affiliate model began around 2016; by 2017, web-based control panels (like Satan RaaS) professionalized operations.
- Activity exploded after 2020, especially during the pandemic, enabled by pseudo-anonymous crypto payments.
- “The ability to receive crypto payments is what really started to change everything.” — Tammy [16:12]
- Double extortion was pioneered by Maze (first seen in late 2019), followed by increasingly sophisticated, business-like groups.
5. Structure of Major Groups: The Case of Conti
[19:45]
- Conti’s corporate structure: included HR, payroll, technical support, managers.
- “They had helpdesks, recruiters, even HR—literally a business just like any large IT company.” — Jim [20:43]
- Conti’s 2022 leaks exposed internal chats, salaries, and operating procedures.
- Motivation for joining: lucrative payouts in regions with limited legitimate opportunities.
- “In these parts of the world, sometimes this is the only choice you have.” — Tammy [21:06]
6. Technical Anatomy of an Attack
[26:03]
- The "attack kit”:
- Emotet: Polymorphic dropper/loader with worm-like spreading; evades signature-based detection.
- IcedID (BokBot): Banking trojan turned loader; used for lateral movement within Active Directory.
- TrickBot: Post-exploitation toolkit; credential dumping, network mapping, and persistence.
- Modern shift: Cobalt Strike and custom tools now prevalent.
- Speed and sophistication increased:
- “Now, people can attack and leave within a week.” — Tammy [31:33]
7. Ransomware Group Fragmentation and Evolution
[32:00+]
- Conti’s disintegration: Fractured into many subgroups (Black Basta, Royal, Quantum, Black Suit, Chaos).
- Affiliates share tools, knowledge, and sometimes personnel.
- Lockbit: Known for fast lockers and aggressive affiliate recruitment; slick marketing tactics.
- Paid users for Lockbit tattoos (!) and encouraged forum engagement.
- “Lockbit always tried to push the victims into panic, while Conti used a soft clock... law firm on retainer.” — Tammy [45:19]
- Collateral projects: National Hazard Agency and the massive “ransomware manual” for $10,000.
8. Ransom Negotiation Processes
[41:22]
- Ransom Chat: Publicly available logs of real ransomware negotiations, showing both the pressure tactics and professional demeanor.
- Distinct negotiation flavors:
- Conti: “Calm, structured, businesslike; reputation meant everything.”
- Lockbit: “Manipulative, aggressive, spectacle-driven, inconsistent.”
- “Conti would say, ‘We always keep the terms of the contract’... Lockbit: ‘You think I’m a fool. I have your files.’” — Tammy [43:07]
- On professional negotiators: Follow insurance and legal advice; sometimes policies include authorized negotiators.
- “Whatever your insurance tells you to do, that’s what you should do.” — Tammy [46:00]
9. The Modern Landscape: New Groups & Trends
[47:56]
- Constantly shifting field: Tracking tools (e.g., Ransom Look) reveal rapid turnover as law enforcement pressures increase.
- Notable current groups:
- Medusa: Uses spear phishing and legitimate remote-access tools (AnyDesk, etc.) to live off the land.
- Qilin: Now collaborates with English-speaking social engineers (“Scattered Spider”).
- RansomHub: Opportunistically absorbed Lockbit and Black Cat/ALPHV affiliates, then abruptly disappeared (possible exit scam).
- Dragonforce: Tries to “white-label” ransomware operations, offering turn-key platforms and infrastructure rentals.
- Akira: Uses Rust for stealth and cross-platform reach, targets public-facing services, and buys credentials from infostealer logs.
10. Scattered Spider Phenomenon
[60:48]
- Not a single group but a network of English-speaking, often young “criminal influencers” skilled at social engineering and SIM swapping.
- “Recruitment happens on clear web... It’s about the lifestyle: money, cars, drugs, notoriety.” — Tammy [54:04]
- Sometimes absorbed into larger groups (e.g., Qilin, Dragonforce).
- Part of a new wave of adversaries blending technical know-how with psychological manipulation.
11. Initial Access Markets: The Bedrock of Attacks
[65:21]
- Detailed dark web ads for “made-to-order” access to enterprise networks (listing price, privilege level, and even the industry vertical).
- Some groups (e.g., Broker) became major initial access suppliers, often providing targeted, never-before-seen access.
12. The Ecosystem as a Business
[49:40, 50:12]
- Host and guest acknowledge the criminal ecosystem’s efficiency and persistence.
- “You can’t underestimate them… These are successful businesses.” — Jim [50:12]
- Constant innovation to attract affiliates: offering in-house toolkits, call centers, even in-house lawyers.
13. Future Outlook & Law Enforcement Response
[70:26]
- Tammy’s prediction: Greater “stratification” with subgroups under big names, as affiliates play a larger role in innovation.
- Law enforcement takedowns are disrupting brands and creating reputational risk for associating with known groups (e.g., Lockbit’s implosion).
- “Nobody wants to publicly affiliate with Lockbit anymore.” — Tammy [72:15]
- But the field is hypercompetitive, with constant rebranding and new talent pipelines.
Notable Quotes & Moments
- “Ransomware as a service is built as an MLM... someone who offers the platform, they'll take usually an 80/20 cut...” — Tammy [02:35]
- “Initial access brokers… can almost guarantee that the access is fresh.” — Tammy [06:01]
- “With the pseudo-anonymity... you need that calling card and ransom note because it builds legitimacy.” — Tammy [08:54]
- “The ability to receive crypto payments is what really started to change everything… crypto is just a vessel.” — Tammy [16:12]
- “They had HR, payroll, tech support, managers... really, really well structured.” — Tammy on Conti [20:43]
- “Now... attacks are getting conducted way, way faster. ...they get into a network in a week and by the end of the week, they’re done.” — Tammy [31:33]
- “Conti was calm, structured... their reputation was everything. Lockbit was all about media spectacle.” — Tammy [47:56]
- “Recruitment for Scattered Spider happens on clear web platforms… a lot of the teens get absorbed in this lifestyle.” — Tammy [54:04]
- “The disruptions are working. Absolutely. The biggest example is Lockbit… destroyed the reputation.” — Tammy [72:15]
Timestamps for Critical Segments
- [02:20] – Ransomware ecosystem overview, affiliate model
- [05:05] – Initial access brokers explained
- [10:21] – Dark web monitoring and leak tracking
- [11:17] – Ransomware’s historical evolution
- [19:45] – Conti’s structure and the corporateization of ransomware
- [26:03] – Technical breakdown of attack stages
- [31:33] – Shift in attack speed; response to improved EDRs
- [32:00+] – Fragmentation and evolution after Conti
- [41:22] – Ransom negotiation processes and behavioral differences
- [47:56] – Modern group landscape and group fluidity
- [54:04] – The social engineering surge—Scattered Spider
- [65:21] – Anatomy of initial access markets
- [70:26] – The future: stratification and law enforcement response
- [72:15] – The real-world impact of law enforcement disruption
Summary
This episode serves as a masterclass on the ransomware ecosystem, exploring its business dynamics, technical methods, historical roots, and the psychological/social underpinnings driving its operators.
Tammy Harper’s firsthand research and insider stories reveal ransomware as an ever-shifting, hyper-professionalized criminal industry—one blending technical sophistication, dark web commerce, and real-world economic pressures. Listeners come away with a nuanced, current understanding of both the threats businesses now face and the organizational ingenuity of cybercriminals behind those threats.
Links & Further Reading (as mentioned):
- Ransom Look
- Ransom Chat (Negotiation logs)
- Tammy Harper’s LinkedIn (for research and further contact)
Listeners are encouraged to send their follow-up questions for possible inclusion in a future Q&A episode.
