Cybersecurity Today: "The Ransomware Ecosystem – An Encore Holiday Episode"
Host: Jim Love
Guest: Tammy Harper, Senior Threat Intelligence and Dark Web Investigator, Flare IO
Date: December 26, 2025
Episode Overview
This special encore episode features a detailed, insider’s tour through the modern ransomware ecosystem, guided by threat intelligence expert Tammy Harper. The discussion covers the evolution, mechanics, business structure, and ongoing innovation of the ransomware underworld, as well as the current threat landscape, key groups, operational techniques, and implications for defenders.
Key Topics & Insights
1. What Is the Ransomware Ecosystem?
[03:56 – 07:22]
- Ransomware is now a multi-billion dollar industry, structured like a business platform.
- Ransomware-as-a-Service (RaaS): Operates as an MLM/pyramid scheme. Developers/admins receive a cut (often 20%) of the ransom; affiliates (attackers) keep the rest. Example: $100,000 ransom → $80,000 affiliate, $20,000 group.
- Initial Access Brokers: Specialists who exploit fresh vulnerabilities, then sell exclusive access to corporate networks, often for $5,000–$10,000.
- Affiliates value brokers because they provide novel, undetected access to high-value targets, rather than recycled leaked credentials that may already be burned.
Quote:
“Ransomware as a service is built as an MLM...Usually the bigger chunk—say $80,000—goes to the affiliate, and 20% to the developers and administrators of the platform.” — Tammy [03:56]
2. Extortion Models & Leak Sites
[08:41 – 11:43]
- Double/Triple/Quadruple Extortion: Now common. Beyond encrypting files, attackers exfiltrate data, threaten DDoS, contact regulators, or harass victims’ clients to pressure payment.
- Dedicated Leak Sites: Public sites (often on Tor) used to shame victims and demonstrate attacker credibility. Monitored by open-source tools such as RansomLook.
- These sites are constantly updated and tracked for new victim postings.
Quote:
“Double extortion is...encryption and then exfiltration. Now we’re seeing triple extortion, quadruple extortion...anything above double extortion.” — Tammy [08:41]
3. A Brief History of Ransomware
[12:53 – 17:48]
- Origins: Early forms date back to the 1989 AIDS Trojan, distributed at an AIDS conference under the guise of AIDS-awareness software.
- 2005–2015: Primitive, easily reversed file-encrypting ransomware (e.g., GPCode).
- 2016 onward: Emergence of the affiliate model (e.g., Satan RaaS), exploit kits, and mass distribution.
- 2017: WannaCry and NotPetya—ransomware worms exploit unpatched systems globally, introducing self-propagation.
- 2018–2023: Groups like REvil, Conti, and LockBit professionalize operations, focusing on affiliates, customer support, and robust encryption; pandemic accelerates attacks.
Quote:
“In 2017, we have to talk about the massive WannaCry attack...this was one of the first wormable ransomware where it spread because of the EternalBlue exploit...there was a kill switch discovered and shut down.” — Tammy [16:23]
4. Business Mechanics of Ransomware Groups
[21:21 – 24:22]
- Conti as a Paradigm: Operational from late 2019–mid-2022; ran as a corporation, with HR, payroll, tech support, and internal structure.
- Internal leaks revealed high professionalism: paying salaries ($2,000+/month), career structure, and support.
- Groups fractured post-leak, spawning multiple splinters still active today.
Quote:
“What’s fascinating is...someone leaked all of their internal communications. This showed they were really structured like a business: HR, payroll, recruitments, tech support, managers.” — Tammy [21:21]
5. Attack Toolkits and Techniques
[27:39 – 32:53]
- Emotet, TrickBot, IcedID: Modular malware used for initial infection, lateral movement, credential dumping, and persistence.
- Modern ransomware attacks are highly orchestrated, with step-by-step toolkits executed by both low- and high-tier affiliates.
- Attack speed has increased significantly: compromise to ransomware detonation now takes days rather than months, partly because improving EDR forces attackers to act before they are detected.
Quote:
“Once you get into the network, you need tools to work. TrickBot allowed them to come in with a toolbelt: dump Mimikatz, hashes, pivot, start working from TrickBot.” — Tammy [29:56]
6. Evolution of Major Groups and Cartels
[33:10 – 42:25]
- Conti’s Demise: Suffered a devastating leak after publicly supporting Russia in the Ukraine conflict, revealing chats, payment structures, and organization.
- Splinter Groups: Black Basta, Karakurt, Royal, Black Suit, Quantum, etc., descend from ex-Conti members and maintain similar techniques.
- LockBit’s Rise: Post-Conti, LockBit became the dominant actor, noted for aggressive marketing, triple extortion, and fast locker technology.
- Affiliates & Subgroups: National Hazard Agency (NHA) and others operated semi-independently under larger umbrellas.
Quote:
“LockBit...had one of the fastest lockers and a really strong affiliate support and slick marketing. They were paying users $1,000 to tattoo themselves with the LockBit logo.” — Tammy [35:59]
7. Ransomware Negotiations
[42:33 – 49:22]
- Negotiations are sophisticated—sometimes involving professional negotiators or lawyers for victims.
- Ransom Chat (open-source project) allows researchers to study chat logs between attackers and victims.
- Conti acted professionally, cultivating a reputation for genuine support and “customer service”; LockBit adopted high-pressure, aggressive, and sometimes chaotic negotiation tactics.
Notable Quotes:
“Conti would be like: we always keep the terms of the contract. LockBit would be: ‘You think I’m a fool? I have your files, I know how much you have.’” — Tammy [44:43]
“Conti was calm, structured...tried to package everything as a service, and their reputation was everything. LockBit was all about media spectacle.” — Tammy [47:59]
8. The Modern Landscape of Ransomware
[49:32 – 61:32]
- Open-source monitoring (RansomLook): Tracks hundreds of leak sites and ransomware groups in (near) real-time.
- Group Proliferation: Many smaller/new groups emerge then disappear, while dominant players absorb or outcompete them.
- Manufacturing the Next Generation: Manuals and playbooks (e.g., by Bassterlord) circulate and are used for affiliate training; they are sometimes more detailed than mainstream cybersecurity courses.
Quote:
“I have a copy of these manuals...It covered everything...This is better than some SANS courses in some aspects.” — Tammy [40:55]
9. Emerging and Dominant Threat Groups
[53:28 – 66:51]
- Medusa: Known for abusing legitimate remote access tools; emphasizes persistence and stealth.
- Qilin: Dominant RaaS, now recruiting English-speaking teens (Scattered Spider) for social engineering.
- Scattered Spider: Decentralized collective of English-speaking teens exploiting social engineering and SIM-swapping.
- RansomHub: Briefly dominant after the downfall of LockBit and ALPHV/BlackCat; generous affiliate payouts secured top talent, but has since vanished.
- DragonForce: Attempted to “franchise” RaaS with turnkey services, but uptake has lagged.
- Akira: Newer group, leveraging Rust for cross-platform ransomware, with connections to the Conti lineage.
Quote:
“Scattered Spider...thousands of individuals...recruitment happens on clear web social media. Teenagers in the UK, Europe, Canada, the US...mesmerized by the live-large-and-fast lifestyle.” — Tammy [55:41]
10. Initial Access Brokers & Market Dynamics
[66:51 – 71:29]
- Access is bought and sold openly—ads offer RDP/domain admin on US businesses for $5k–$10k.
- Specialist brokers operate like businesses with exclusive “never sold before” access.
- Industry vertical, victim location, and potential payout affect price; some groups avoid healthcare or critical infrastructure, others deliberately target them.
Quote:
“This is an ad...a $5,000 ad. A company based in the US; you have domain admin, local user, root on Unix, access type RDP via HTTPS, Unix reverse shell, 500 computers...You contact the seller and purchase.” — Tammy [67:47]
11. Where Is Ransomware Heading?
[72:02 – 74:37]
- Groups are struggling to attract experienced affiliates, leading to stratification: major groups develop unique tools, escalate AI usage, and build in-house negotiation teams (lawyers, call centers) to increase professionalization.
- Law enforcement disruption works: takedowns (e.g., LockBit) harm group reputation, force rebranding, and fragment the criminal market.
- Still, innovation and reconstitution keep the threat evolving, with new subgroups, playbooks, and tooling driving the ecosystem forward.
Quote:
“I’m really paying attention to the stratification of ransomware...groups trying to attract experienced attackers, creating more in-house tools, diversifying their offerings...I predict more subgroups of bigger groups.” — Tammy [72:02]
Memorable Moments & Quotes
- “At one point, people would hang around networks forever...nowadays, attacks are getting conducted way, way, way faster. They get in, get out—tools and processes have been refined so much.” — Tammy [33:10]
- “Negotiating with these guys sounds like business school. ‘Never split the difference’—these are smart negotiators.” — Jim [46:35]
- “The ransomware chat simulation uses actual chat logs to train AI. You can practice negotiating—with Conti if you want!” — Tammy [49:22]
Final Thoughts
Tammy Harper’s deep dive underscores ransomware as a dynamic, professionalized, and highly resilient criminal business—constantly evolving its tactics, tools, and organizational structures even as law enforcement and defenders improve. Both the social and technical mechanics—from initial access brokers to affiliate training, negotiation psychology to operational security—mirror legitimate industries in complexity and innovation.
Timestamps of Key Segments
- [03:56] – Ransomware as a business/MLM model explained
- [07:37] – What makes initial access brokers special?
- [08:41] – Double/triple/quadruple extortion; leak sites
- [12:53] – History and evolution of ransomware
- [21:21] – Inside Conti: operations and leaks
- [27:39] – Distribution and attack toolkits: Emotet, TrickBot, IcedID
- [33:10] – Attack speed: then and now
- [42:33] – Negotiation strategies and personality differences (Conti vs LockBit)
- [49:32] – Open-source monitoring and threat group fragmentation
- [53:28] – Modern group profiles: Medusa, Qilin, Scattered Spider, RansomHub
- [66:51] – Initial Access Brokers and business practices
- [72:02] – The future: stratification, defense wins, new subgroups
- [73:51] – Law enforcement impact and group rebranding
Resources Mentioned
- RansomLook – Open-source dark web monitoring tool: tracks leak sites and posted victims
- Ransom Chat – Project posting actual negotiation transcripts
- Ransomware Chat Simulation – AI-powered training script using real chat logs
(Links to be provided in the show notes as per guest/host agreement.)
Closing
Key takeaway:
The ransomware ecosystem is no longer just about code—it's about people, organization, negotiation, innovation, and a sophisticated (if illicit) business model. As defenders and law enforcement disrupt the status quo, attackers innovate, fragment, and adapt—and understanding this ecosystem is the first line of defense.
Contact:
Questions for Tammy? Find her on LinkedIn (linked in show notes), or use the TechNewsDay contact form to submit your questions for a future Q&A episode.
