Cybersecurity Today
Episode: Exploring the Ransomware Ecosystem with Tammy Harper
Host: Jim Love
Guest: Tammy Harper, Senior Threat Intelligence Researcher, Flare IO
Date: August 16, 2025
Overview
This episode offers a deep dive into the ransomware ecosystem—its history, structure, threat actors, business models, technical evolution, and real-world negotiation tactics. Guest Tammy Harper, a renowned threat intelligence researcher and certified dark web investigator, provides a detailed walkthrough of how ransomware operations work, how attacker groups function, and the shifting landscape of cybercrime. The episode promises not just technical insight, but also a nuanced discussion of the motivations and challenges faced by attackers and defenders alike.
Key Discussion Points & Insights
1. What Is the Ransomware Ecosystem? (01:51–05:17)
- Definition & Structure:
- Ransomware as a Service (RaaS) is compared to a multi-level marketing (MLM) scheme.
- Main operators provide the platform, taking ~20% of ransom proceeds; affiliates get 80%.
- Affiliates must launder money and pay others in the supply chain, such as initial access brokers.
- Role of Initial Access Brokers:
- Specialists who provide fresh and exclusive access to victim organizations, often through zero-day exploits rather than just harvesting leaked credentials.
Quote:
"Ransomware as a service is built as an MLM... where you have someone who offers the platform, they'll take usually an 80/20 cut of the total ransom."
— Tammy Harper [02:35]
2. Ransomware Extortion Models & Public "Leak Sites" (06:36–10:46)
- Double/Triple Extortion:
- Double extortion = encryption + data exfiltration; triple adds tactics like DDoS or contacting regulators.
- Public Shaming:
- Groups maintain public leak sites (blogs) on the dark web to threaten and pressure victims.
- Tools like Ransomlook monitor these sites—tracking over 473 groups—to notify researchers and even the public about new victims.
- TOR & Onion Services:
- Used for anonymity and to host these leak sites.
Quote:
"Most models today feature around double extortion... encryption and then exfiltration. And now we're seeing triple and quadruple extortion."
— Tammy Harper [06:36]
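The leak-site monitoring described in this section, shown as an added defender-side example (this is not code from the episode, from Ransomlook, or from Flare; the feed format, `Posting` fields and `LeakSiteWatcher` name are assumptions constructed for illustration). A tracker like the one discussed polls group blogs and produces a stream of victim postings; the useful check for a defender is diffing each poll against what was already seen and alerting only on new postings that match the organisation's own or its suppliers' domains. The example also handles two edge cases the summary hints at: the same victim reposted under a different group's name (a distinct event, since it can mean a new actor now holds the data), and domain spelling variants (`www.`, mixed case).

```python
"""Leak-site watcher: diff new victim postings against a watch list.

Added example for this episode summary. The feed format below is
constructed for illustration; no real tracker API is assumed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Dict, Set, Tuple


@dataclass(frozen=True)
class Posting:
    group: str       # leak site the posting appeared on (assumed field)
    victim: str      # victim name as written by the group
    domain: str      # victim domain as written by the group
    posted_at: str   # date the posting was first seen (ISO format)


# Constructed sample feed: what two successive polls of a tracker might return.
POLL_1 = [
    Posting("group-a", "Example Corp", "www.Example.com", "2025-08-10"),
    Posting("group-b", "Acme Hospital", "acme-health.org", "2025-08-11"),
]
POLL_2 = POLL_1 + [
    # Same victim reposted by another group: a new event, not a duplicate.
    Posting("group-c", "Example Corp", "example.com", "2025-08-12"),
    # Supplier hit, written in upper case with a multi-label TLD.
    Posting("group-d", "Parts Supplier Ltd", "PARTS-SUPPLIER.co.uk", "2025-08-13"),
]


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.' so variants compare equal."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


class LeakSiteWatcher:
    """Tracks (group, domain) pairs already seen and alerts on new watch-list hits."""

    def __init__(self, watchlist: Iterable[str]):
        self.watch: Set[str] = {normalize_domain(d) for d in watchlist}
        self.seen: Set[Tuple[str, str]] = set()

    def _matches(self, domain: str) -> str:
        """Return the watch-list entry that matches, or '' if none does.
        A subdomain of a watched domain (vpn.example.com) counts as a hit."""
        for watched in self.watch:
            if domain == watched or domain.endswith("." + watched):
                return watched
        return ""

    def poll(self, feed: Iterable[Posting]) -> List[Dict[str, str]]:
        """Process one poll of the feed; return alerts for postings not seen before."""
        alerts: List[Dict[str, str]] = []
        for p in feed:
            key = (p.group, normalize_domain(p.domain))
            if key in self.seen:
                continue            # already reported on an earlier poll
            self.seen.add(key)
            hit = self._matches(key[1])
            if hit:
                alerts.append({
                    "group": p.group,
                    "victim": p.victim,
                    "matched": hit,
                    "posted_at": p.posted_at,
                })
        return alerts


if __name__ == "__main__":
    watcher = LeakSiteWatcher(["example.com", "parts-supplier.co.uk"])
    for n, feed in enumerate((POLL_1, POLL_2, POLL_2), start=1):
        for alert in watcher.poll(feed):
            print(f"poll {n}: {alert['group']} posted {alert['victim']} "
                  f"(matches {alert['matched']}) on {alert['posted_at']}")
```

The watch list should contain the organisation's own domains plus key suppliers, since a supplier posting is often the first visible sign of a supply-chain incident. Keying the seen-set on `(group, domain)` rather than on domain alone is deliberate: the same victim appearing on a second group's site is worth a fresh alert.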
3. Brief History of Ransomware (10:48–19:15)
- Early Cases:
- AIDS Trojan (1989): generally regarded as the first ransomware
- 2005–2006: Early, weakly encrypted file lockers (GPCode, Archiveus)
- Commercialization and Affiliates:
- 2013–2015: Emergence of RaaS platforms; affiliate models begin.
- 2017: WannaCry—global wormable ransomware outbreak.
- 2018–2019: Conti, Ryuk, REvil become prominent; infrastructure and affiliate models professionalized.
- Crypto Fuels Ransomware:
- Bitcoin enables anonymous, cross-border ransom payments, fueling RaaS growth.
- Recent Shifts:
- COVID-19 pandemic accelerates attacks.
- Law enforcement disrupts major groups (Lockbit) in 2024; field decentralizes and source code leaks lead to proliferation.
Quote:
"The ability to receive crypto payments is what really started to change everything."
— Tammy Harper [15:43]
4. Deep Dive: The Conti Group & Ransomware Corporate Structure (19:16–24:40)
- Conti as an Archetype:
- Operated like a business: HR, payroll, support, management.
- Leaked internal communications revealed strict structure and professionalization.
- Responsible for over 1,000 global attacks; made at least $150 million.
- Post-leak: Split into multiple major groups (Royal, Black Basta, Quantum, etc.)
Memorable Moment:
"A friend of mine got hit... His comment was, 'I wish my help desk was as efficient.'" — Jim Love [20:14]
5. Technical Tools of the Trade (26:00–31:21)
- Attack Supply Chain:
- Initial access: Emotet (spammed trojan), Trickbot, IcedID/BokBot
- Post-exploitation: Trickbot, Mimikatz, Cobalt Strike, and now modular Trojans like Kylo Ren
- Attack Lifecycle:
- 2019–2022: Attacks often took 1–2 months.
- Now: Attacks executed within a week due to improved tooling and urgency (EDRs make long persistence risky).
Quote:
"They're not hanging around networks forever... attacks are getting conducted way, way, way faster."
— Tammy Harper [31:04]
6. Group Evolution: Cartels, Affiliates, and Fragmentation (31:21–39:05)
- Conti Leaks (2022):
- Triggered a "diaspora" of threat actors—birth of new groups like Black Basta, Royal, Quantum.
- Lockbit:
- Innovative with marketing (tattoos, bug bounties), brutal & chaotic compared to Conti's professionalism.
- Pioneered triple extortion and aggressive harassment of victims.
- Subgroups like National Hazard Agency (NHA) emerged; notable playbooks & manuals distributed (sometimes sold for thousands).
- Proliferation of Groups:
- Entry barriers drop as more code and tools leak, decentralizing the ransomware landscape.
7. Ransom Negotiation Tactics & Psychological Warfare (40:28–47:27)
- Negotiation Dynamics:
- Professional negotiators (lawyers, law enforcement) sometimes represent victims.
- Conti: business-like, structured, with room for negotiation.
- Lockbit: aggressive, manipulative, unpredictable.
- Pressure Tactics:
- Conti sets business day countdowns, references contracts.
- Lockbit sets harsh timers, relentless pressure, public humiliation.
- Training and Simulation:
- Tools like Ransom Chat allow defenders to practice real negotiation scenarios.
Quote:
"Conti imposes business day countdowns... Lockbit just reference[s] the timer and nobody's going to wait for you." — Tammy Harper [44:50]
8. Trends in Modern Ransomware Groups (47:27–54:34)
- Shrinking and Absorbing:
- Many smaller or defunct groups (El Dorado, Lynx, Archus, etc.).
- Mergers, absorptions, and continuous brand changes mimic tech industry dynamics.
- Notable Groups:
- Medusa: Uses living-off-the-land attack techniques, spear phishes for credentials, maintains persistence with remote tools.
- Qilin: Now collaborates heavily with the English-speaking "Scattered Spider" community for social engineering access.
- RansomHub: Stepped in after the ALPHV and Lockbit disruptions, attracting affiliates with favorable ransom splits.
Quote:
"A lot of this still seems like the tech industry... dominant players that absorb people."
— Jim Love [49:11]
9. Scattered Spider & The Youth Angle (54:34–63:00)
- Loose, Decentralized Community:
- Composed mostly of young, English-speaking social engineers (often 19–22 years old).
- Specialize in advanced social engineering (SIM swapping, IT desk impersonation).
- Motivated by thrills, fast money, and sometimes get "trapped" in the life.
- Collaboration and Escalation:
- These attackers become key partners for pro gangs, fueling high-profile breaches (e.g., MGM Resorts).
10. Technical Trends: Language, Tools, and Businessization (63:00–65:42)
- Attack Techniques:
- Shift toward Rust-based payloads (cross-platform, stealthy).
- Exploiting public-facing infrastructure (VPNs, RDP, backup software) and leveraging mass-acquired credentials.
- Marketplace:
- Sophisticated, advertisement-driven initial access markets.
- Sales tailored by geography, industry, access type; exclusive "one-hand" sales.
Quote:
"This is a $5,000 ad... domain admin, local user admin, root access... 500 computers, all Windows OS and the price is $5,000."
— Tammy Harper [65:42]
11. Market Dynamics, Law Enforcement, and Future Directions (69:57–73:10)
- Stratification & Subgrouping:
- Groups compete to attract top-tier attackers, offering in-house tools, AI-assisted negotiations, legal support, call centers.
- Law Enforcement Impact:
- Law enforcement’s recent seizures (e.g., Lockbit) are working—reputational damage can fracture major groups.
- The field is now more competitive; main groups are investing in training and operational support for next-gen attackers.
- Trend Watching:
- Expect more subgroups, more specialized offerings, increased use of AI and automation, and continued shifting alliances.
Quote:
"The disruptions are working, absolutely. The biggest example is Lockbit... their reputation destroyed, affiliates gone."
— Tammy Harper [71:46]
Notable Quotes & Memorable Moments
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:35 | Tammy | "Ransomware as a service is built as an MLM... 80/20 cut..." |
| 06:36 | Tammy | "...double extortion is... encryption and then exfiltration." |
| 15:43 | Tammy | "The ability to receive crypto payments is what really started to change everything." |
| 20:14 | Jim | A CIO: "I wish my help desk was as efficient." |
| 31:04 | Tammy | "They're not hanging around networks forever... attacks are... way, way faster." |
| 39:56 | Tammy | "[Ransomware manuals] are still very, very dangerous even today because of the lag in patching and upgrading infrastructure." |
| 44:50 | Tammy | "Conti imposes business day countdowns... Lockbit just reference[s] the timer..." |
| 49:11 | Jim | "A lot of this still seems like the tech industry... dominant players that absorb people." |
| 71:46 | Tammy | "The disruptions are working, absolutely. The biggest example is Lockbit..." |
Resource References
- Ransomlook: Open source ransomware leak site tracker
- Ransom Chat: Repository of real negotiation transcripts
- Ransomware simulation tools: AI-powered chat training utilities
- Manuals & Playbooks: E.g., Basterlord's ransomware instruction manual (available via Tammy on LinkedIn)
- LinkedIn: Tammy Harper posts research and resources
Conclusion: Trends & Key Takeaways
- The ransomware ecosystem is more professionalized and complex than ever: a true business with operators, affiliates, tool suppliers, negotiators, and even HR-like structures.
- Law enforcement actions matter but attackers adapt by fragmenting, decentralizing, and innovating.
- Collaboration between tech-savvy youth (“Scattered Spider”) and traditional criminal organizations is a growing trend, blending advanced social engineering and technical exploits.
- The attack lifecycle is now hyper-efficient—often measured in days, not months—and constantly enabled by leaks and toolkits.
- The future: More specialization, more AI, more subgroups, and a cybersecurity "arms race" between attackers and defenders.
For Links & More Resources:
- Check the episode show notes for direct links to tools, platforms and further reading curated by Tammy Harper.
If you have questions for Tammy or want extra insights, you can connect via LinkedIn or submit questions to TechNewsday for a possible future Q&A episode!
