Ransomware in 2025 is not malware — it is a business model. What the industry calls Ransomware-as-a-Service (RaaS) is, in operational terms, a franchise operation with developer teams, affiliate programs, negotiation specialists, and dedicated infrastructure for victim management. Understanding the ecosystem at the operational level — the way PRODAFT, Mandiant, and national CERTs map it — is the prerequisite for defending against it.

This write-up dissects the RaaS machine: how affiliates gain access, how operators manage infrastructure, what the kill chain looks like from the inside, and where defenders can break it.

The RaaS Business Model

Organizational Structure

Modern RaaS operations follow a consistent organizational pattern, regardless of the brand (LockBit, BlackCat/ALPHV, Akira, Play, RansomHub):

  • Core developers. A small team (typically 3–8 individuals) that maintains the encryptor, the decryptor, the victim portal, and the negotiation backend. They do not conduct intrusions.
  • Affiliates. Independent operators who purchase or earn access to the RaaS platform. They handle initial access, lateral movement, data exfiltration, and deployment. Revenue split is typically 70–80% to the affiliate, 20–30% to the core team.
  • Initial Access Brokers (IABs). A separate supply chain: actors who specialize in compromising networks and selling access (VPN credentials, RDP sessions, web shells) to affiliates. Prices range from $500 for a small company to $50,000+ for a Fortune 500 foothold.
  • Negotiation operators. Dedicated personnel who manage victim communications via Tor-based chat portals. Some operations employ native English speakers specifically for negotiation leverage.

The Affiliate Panel

PRODAFT’s infiltrations of RaaS panels (notably LockBit and BlackCat) revealed sophisticated affiliate dashboards:

  • Build generator. Affiliates configure encryptor payloads: target OS (Windows, Linux, ESXi), encryption mode (full, intermittent, header-only), excluded directories, ransom note customization, and embedded attacker public key.
  • Victim management. Each victim gets a unique ID. The panel tracks encryption status, exfiltrated data volume, negotiation timeline, and payment status.
  • Leak site integration. A one-click publish mechanism for the data-leak blog. Countdown timers create urgency; partial data previews demonstrate authenticity.
  • Affiliate analytics. Revenue dashboards showing earnings per victim, conversion rates (victims who pay vs. don’t), and comparative performance against other affiliates.

This is not amateur tooling. It is product management applied to extortion.

The Kill Chain: A Stage-by-Stage Technical Breakdown

Stage 1 — Initial Access

The entry point has shifted. Phishing still works, but the dominant vectors in 2025 are:

Exploiting edge devices. VPN appliances (Fortinet, Ivanti, Cisco), firewalls, and file-transfer platforms (MOVEit, GoAnywhere) are the primary targets. These devices sit at the network perimeter, often run with high privileges, and are frequently unpatched. CVE-2024-21887 (Ivanti Connect Secure), CVE-2023-34362 (MOVEit), and CVE-2024-3400 (Palo Alto PAN-OS) were all weaponized by ransomware affiliates within days of disclosure.

Stolen credentials. Infostealer malware (Raccoon, Lumma, RedLine) harvests credentials from developer workstations. These credentials — often including VPN, SSO, and cloud console access — are sold in bulk on Russian-language forums and Telegram channels. An affiliate buys a $10 log containing a valid Citrix session cookie, and the intrusion begins without a single exploit.

Initial Access Brokers. Purpose-built operations that maintain persistent access to hundreds of networks and sell it on demand. Some IABs specialize by sector (healthcare, manufacturing) or geography.
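A defender-side check for the stolen-credential vector, as an added example that is not part of the original write-up: the detection table later on this page lists impossible-travel on VPN logins as the opportunity against T1078, and the script below implements that check over a few constructed VPN log lines. The key=value log format, the sample IPs and coordinates, and the 900 km/h threshold are assumptions made for this example, not any vendor's format or tuning.

```python
"""Impossible-travel detection over VPN login records (added example).

Two accepted logins for the same account whose implied ground speed exceeds
what an airliner manages point to a reused credential or session, which is
how a purchased infostealer log is used. The log format, sample values and
speed threshold are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed

# Constructed log lines in an invented key=value format, one VPN login attempt each.
VPN_LOG = """\
2025-03-14T09:00:00Z user=alice src=203.0.113.10 geo=50.11,8.68 result=accept
2025-03-14T09:00:00Z user=bob src=203.0.113.11 geo=50.11,8.68 result=accept
2025-03-14T09:45:00Z user=alice src=198.51.100.7 geo=41.88,-87.63 result=accept
2025-03-14T10:10:00Z user=carol src=198.51.100.8 geo=41.88,-87.63 result=reject
2025-03-14T12:00:00Z user=bob src=203.0.113.12 geo=52.52,13.40 result=accept
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<lat>-?\d+\.?\d*),(?P<lon>-?\d+\.?\d*) result=(?P<result>\S+)$"
)


def parse_logins(text):
    """Yield one dict per accepted login; rejected or malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "accept":
            continue
        yield {
            "time": datetime.strptime(m["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"],
            "lat": float(m["lat"]), "lon": float(m["lon"]),
        }


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive login pair of the same user whose
    implied speed exceeds max_kmh. Two logins from different places at the
    same timestamp count as infinite speed."""
    by_user = defaultdict(list)
    for login in logins:
        by_user[login["user"]].append(login)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if hours == 0:
                kmh = float("inf") if km > 0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                alerts.append({"user": user, "from": prev["src"], "to": cur["src"],
                               "km": round(km), "kmh": round(kmh)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_logins(VPN_LOG)):
        print(alert)
```

In the constructed data alice logs in from Frankfurt and 45 minutes later from Chicago, which implies roughly 9,000 km/h and is flagged; bob's Frankfurt-to-Berlin pair three hours apart is well under the threshold. A real deployment would feed this from the VPN concentrator's accept events with a GeoIP lookup on the source address, and would suppress known corporate egress ranges and VPN-on-VPN cases that produce false positives.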

Stage 2 — Reconnaissance and Credential Harvesting

Once inside, the clock starts. Modern affiliates aim to move from initial foothold to domain dominance within 24–72 hours. The reconnaissance phase is methodical:

Active Directory enumeration. Tools like BloodHound/SharpHound map the AD environment: trust relationships, group memberships, delegation paths, ACL misconfigurations, and the shortest path to Domain Admin. This is not manual exploration — it is automated graph analysis.

SharpHound.exe --CollectionMethods All --Domain corp.local

Credential harvesting. The affiliate needs domain credentials. The progression:

  1. LSASS memory dump. Not with Mimikatz (too signatured) — via comsvcs.dll MiniDump, nanodump, or a custom tool that calls MiniDumpWriteDump directly:

     rundll32.exe comsvcs.dll, MiniDump <lsass_pid> C:\temp\out.dmp full

  2. Kerberoasting. Request TGS tickets for service accounts with SPNs, then crack offline. Service accounts with weak passwords are endemic:

     Rubeus.exe kerberoast /format:hashcat /outfile:hashes.txt
     hashcat -m 13100 hashes.txt rockyou.txt

  3. DCSync. Once Domain Admin is achieved, replicate all password hashes from the domain controller without touching its disk:

     mimikatz # lsadump::dcsync /domain:corp.local /all /csv

  4. DPAPI secrets. Decrypt saved browser passwords, RDP credentials, and Wi-Fi keys from compromised workstations using the domain backup key.

Stage 3 — Lateral Movement and Persistence

RDP tunneling. Affiliates prefer RDP for interactive access because it blends with legitimate admin behavior. SSH tunnels or chisel provide network pivoting when direct RDP is not available.

PsExec and WMI. For mass deployment, affiliates use PsExec (or custom implementations like PAExec) to push the encryptor to every reachable host. WMI (wmic process call create) provides an alternative that avoids service creation events.

Group Policy deployment. The most devastating method: modify a GPO to execute the ransomware payload at next logon or as a scheduled task. This reaches every domain-joined machine without any lateral network scanning — the policy infrastructure does the distribution.

Persistence mechanisms:

  • Scheduled tasks with randomized names
  • WMI event subscriptions (filter + consumer pairs) that survive reboots
  • Service creation with sc.exe using legitimate-sounding names
  • Registry run keys as a fallback

Stage 4 — Defense Evasion

Modern affiliates invest significant effort in neutralizing security tools before encryption:

EDR killing. Tools like Terminator, Backstab, and custom BYOVD (Bring Your Own Vulnerable Driver) exploits load a signed but vulnerable kernel driver, then use it to terminate EDR processes from kernel mode. The target: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Carbon Black.

The BYOVD technique typically uses drivers like:

  • procexp.sys (Process Explorer — signed by Microsoft)
  • gdrv.sys (Gigabyte driver — known vulnerable)
  • dbutil_2_3.sys (Dell BIOS utility)

Disabling Windows Defender. Via PowerShell (if not monitored) or registry modifications:

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -ExclusionPath "C:\"

Volume Shadow Copy deletion. Prevents recovery from Windows snapshots:

vssadmin delete shadows /all /quiet
wmic shadowcopy delete

Log clearing. Wiping Windows Event Logs to hinder forensic analysis:

wevtutil cl Security
wevtutil cl System
wevtutil cl Application

Stage 5 — Exfiltration

Data theft occurs before encryption — this is the leverage for double extortion. The exfiltration tooling:

  • Rclone configured to sync to attacker-controlled Mega.nz, Backblaze, or custom S3 buckets. HTTPS traffic blends with normal cloud activity.
  • FileZilla or WinSCP for large-volume transfers over SFTP.
  • Custom exfil tools that compress and chunk data, often using legitimate cloud APIs (OneDrive, Google Drive) to evade DLP.

Affiliates typically target:

  • Financial records, contracts, and tax documents
  • Employee PII (SSN, payroll, health records)
  • Customer databases
  • Intellectual property and source code
  • Email archives (PST/OST files) of executives

Stage 6 — Encryption and Extortion

Deployment timing. Encryption is launched during off-hours — typically Friday night or a holiday weekend — to maximize the window before detection and response.

Intermittent encryption. Encrypting every Nth byte (typically every 16th) instead of the full file. This is dramatically faster (a 1TB file system in minutes) and reduces the CPU signature that some EDR products use to detect mass-encryption behavior, while still rendering files completely unusable.

ESXi targeting. Many operations include a Linux variant that specifically targets VMware ESXi hypervisors. Encrypting the VMDK files of running VMs takes down the entire virtualized infrastructure in a single action — far more efficient than encrypting individual guest OS filesystems.

The extortion flow:

  1. Ransom note dropped on every encrypted machine with a unique victim ID and a Tor .onion link.
  2. Victim connects to the negotiation portal. Initial demand is typically 2–5% of annual revenue (researched beforehand using public financial data).
  3. Countdown timer (usually 72 hours) before data publication begins.
  4. Negotiation phase — discounts of 30–60% are common. Some operations accept cryptocurrency only; others have adopted Monero for improved anonymity.
  5. If no payment: staged data publication on the leak site. Notifications sent to the victim’s customers, partners, and regulators.

Tracking the Ecosystem: Intelligence Indicators

Infrastructure Patterns

RaaS operations maintain consistent infrastructure patterns that enable tracking:

  • C2 servers on bulletproof hosting providers (Yalishanda, ELITETEAM) or compromised legitimate servers.
  • Tor hidden services for victim portals and leak sites, often with clearnet mirrors for SEO.
  • Cryptocurrency wallets that follow predictable tumbling and cash-out patterns — blockchain analysis firms (Chainalysis, Elliptic) track these flows.
  • Affiliate communication via TOX, Session, or dedicated XMPP servers with OTR encryption.

Behavioral TTPs for Detection

Kill Chain Stage   | MITRE ATT&CK          | Detection Opportunity
-------------------|-----------------------|---------------------------------------------------------------------
Initial Access     | T1190, T1078          | Edge device exploit alerts; impossible-travel on VPN logins
Recon              | T1087, T1069          | BloodHound/SharpHound LDAP query volume anomaly
Credential Access  | T1003.001, T1558.003  | LSASS access by non-system process; RC4 TGS requests (Kerberoasting)
Lateral Movement   | T1021.001, T1047      | Anomalous RDP from server tier; WMI process creation from remote host
Defense Evasion    | T1562.001, T1211      | Vulnerable driver load event; Defender exclusion modification
Exfiltration       | T1567.002             | Rclone/cloud-sync binary execution; large outbound HTTPS transfers
Impact             | T1486, T1490          | VSS deletion; mass file rename with new extensions; ESXi SSH activity
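As an added example (not the page's or any vendor's code), the following Python turns several rows of this table into concrete rules over constructed endpoint telemetry: process-creation command lines for the shadow-copy, log-clearing, Defender-tampering and comsvcs.dll commands quoted in Stages 2 and 4 plus the Rclone execution from Stage 5, driver loads of the BYOVD drivers named in Stage 4, LSASS access by a process outside an allowlist, and RC4 TGS requests aggregated per requesting user for Kerberoasting. Field names follow Sysmon events 1, 6 and 10 (CommandLine, ImageLoaded, SourceImage, TargetImage) and Windows Security event 4769 (ServiceName, TicketEncryptionType); the events themselves, the LSASS allowlist, the Kerberoast threshold and the T1070.001 label for log clearing (not in the table) are assumptions for the example.

```python
"""Rule-based detection for the ransomware TTPs in the table above (added example).

Events are constructed dicts shaped like Sysmon events 1 (process create),
6 (driver load), 10 (process access) and Windows Security event 4769
(Kerberos TGS request); they are not captured data.
"""
import re
from collections import defaultdict

# Drivers the page names as BYOVD candidates (lower-case file names).
VULNERABLE_DRIVERS = {"procexp.sys", "gdrv.sys", "dbutil_2_3.sys"}

# Processes expected to open LSASS (assumption for this example; an estate
# tunes this from its own AV/EDR and OS components).
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsass.exe"}

# Command-line signatures for the commands quoted on this page. ATT&CK IDs
# follow the table; T1070.001 (clear Windows event logs) is added here.
CMDLINE_RULES = [
    ("T1490 shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1070.001 event log clearing", re.compile(r"wevtutil(\.exe)?\s+cl\s+\w+", re.I)),
    ("T1562.001 Defender tampering",
     re.compile(r"Set-MpPreference\s+-(DisableRealtimeMonitoring|ExclusionPath)", re.I)),
    ("T1003.001 LSASS dump via comsvcs.dll", re.compile(r"comsvcs\.dll\s*,\s*MiniDump", re.I)),
    ("T1567.002 rclone execution", re.compile(r"(^|[\\\s\"])rclone(\.exe)?\b", re.I)),
]

EVENTS = [  # constructed sample telemetry
    {"event_id": 1, "host": "WS-042", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"event_id": 1, "host": "WS-042",
     "CommandLine": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"event_id": 1, "host": "WS-042", "CommandLine": "wevtutil cl Security"},
    {"event_id": 1, "host": "SRV-FS01",
     "CommandLine": r"C:\Tools\rclone.exe sync D:\Shares\Finance remote:drop --transfers 32"},
    {"event_id": 1, "host": "SRV-DB01",
     "CommandLine": r"rundll32.exe comsvcs.dll, MiniDump 652 C:\temp\out.dmp full"},
    {"event_id": 1, "host": "WS-042", "CommandLine": "svchost.exe -k netsvcs"},   # benign
    {"event_id": 6, "host": "SRV-DB01", "ImageLoaded": r"C:\Users\Public\gdrv.sys"},
    {"event_id": 10, "host": "SRV-DB01", "SourceImage": r"C:\Users\Public\nd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"event_id": 10, "host": "SRV-DB01",                                          # benign
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"event_id": 4769, "host": "DC01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"event_id": 4769, "host": "DC01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"event_id": 4769, "host": "DC01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"event_id": 4769, "host": "DC01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},                    # AES256, normal
]


def _basename(path):
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, kerberoast_threshold=3):
    """Return a list of {"rule", "where", "detail"} alerts for suspicious events."""
    alerts = []
    rc4_tgs_by_user = defaultdict(set)      # requester -> SPN accounts requested with RC4
    for ev in events:
        eid = ev["event_id"]
        if eid == 1:                                    # process creation
            for name, pattern in CMDLINE_RULES:
                if pattern.search(ev["CommandLine"]):
                    alerts.append({"rule": name, "where": ev["host"], "detail": ev["CommandLine"]})
        elif eid == 6:                                  # driver load
            if _basename(ev["ImageLoaded"]) in VULNERABLE_DRIVERS:
                alerts.append({"rule": "T1211 vulnerable driver load (BYOVD)",
                               "where": ev["host"], "detail": ev["ImageLoaded"]})
        elif eid == 10:                                 # process access
            if (_basename(ev["TargetImage"]) == "lsass.exe"
                    and _basename(ev["SourceImage"]) not in LSASS_ACCESS_ALLOWLIST):
                alerts.append({"rule": "T1003.001 LSASS access by unexpected process",
                               "where": ev["host"], "detail": ev["SourceImage"]})
        elif eid == 4769:                               # Kerberos TGS request
            # 0x17 = RC4-HMAC. RC4 tickets for user service accounts (not krbtgt, not
            # a computer account ending in $) are the Kerberoasting fingerprint; one
            # request is a weak signal, so count distinct SPN accounts per requester.
            svc = ev["ServiceName"]
            if (ev["TicketEncryptionType"].lower() == "0x17"
                    and svc.lower() != "krbtgt" and not svc.endswith("$")):
                rc4_tgs_by_user[ev["TargetUserName"]].add(svc)
    for user, services in rc4_tgs_by_user.items():
        if len(services) >= kerberoast_threshold:
            alerts.append({"rule": "T1558.003 Kerberoasting (RC4 TGS burst)",
                           "where": user, "detail": sorted(services)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["rule"], "|", alert["where"], "|", alert["detail"])
```

On the constructed data the two benign events (svchost process creation, Defender's own LSASS access) produce nothing, while each of the seven table rows it covers fires once; raising the Kerberoast threshold to four drops that alert, which is the kind of baselining a real estate needs since some legitimate applications still request RC4 tickets. In production these rules belong in the SIEM or EDR as Sigma-style detections rather than a script, but the logic is the same.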

Defensive Architecture

Pre-compromise

  • Patch edge devices within 48 hours of critical CVE disclosure. VPN and firewall appliances are the #1 entry point.
  • Enforce MFA everywhere — VPN, RDP, cloud consoles, email. Phishing-resistant MFA (FIDO2/WebAuthn) where possible.
  • Deploy infostealer detection — monitor for credential dumps on dark-web marketplaces containing your domain.
  • Reduce AD attack surface — audit SPNs, enforce AES Kerberos, tier administrative accounts, remove unnecessary delegation.
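One way to act on the "audit SPNs, enforce AES Kerberos" item, as an added example that is not the page's own code: the script below audits an exported list of account attributes for Kerberoasting exposure, flagging SPN-bearing accounts that still permit RC4 or DES, lack an AES encryption type, or have an old password. The rows are constructed; the bit values are those of msDS-SupportedEncryptionTypes (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256); the 365-day password-age threshold and the treatment of an unset attribute as RC4-capable are assumptions for this example.

```python
"""Kerberoasting-exposure audit over exported AD account attributes (added example).

Rows are constructed to look like an LDAP or Get-ADUser export. The bit values
are those of msDS-SupportedEncryptionTypes; an unset attribute is treated as
RC4-capable here (assumption: confirm against the domain's KDC policy).
"""
from datetime import datetime

DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
MAX_PASSWORD_AGE_DAYS = 365          # assumption: this example's policy threshold

ACCOUNTS = [  # constructed sample rows
    {"sam": "svc_sql", "spns": ["MSSQLSvc/db01.corp.local:1433"], "enc_types": 0x4, "pwd_last_set": "2019-06-01"},
    {"sam": "svc_backup", "spns": ["backup/bk01.corp.local"], "enc_types": None, "pwd_last_set": "2024-11-20"},
    {"sam": "svc_web", "spns": ["HTTP/web01.corp.local"], "enc_types": 0x18, "pwd_last_set": "2025-01-15"},
    {"sam": "jdoe", "spns": [], "enc_types": None, "pwd_last_set": "2018-01-01"},
    {"sam": "svc_legacy", "spns": ["ldap/old01.corp.local"], "enc_types": 0x7, "pwd_last_set": "2020-02-02"},
]


def describe(enc_types):
    """Names of the encryption types whose bits are set in msDS-SupportedEncryptionTypes."""
    names = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5",
             RC4_HMAC: "RC4-HMAC", AES128: "AES128", AES256: "AES256"}
    return [name for bit, name in names.items() if enc_types & bit]


def audit(accounts, today=datetime(2025, 3, 14)):
    """Return findings for accounts that carry an SPN and are roastable or stale.

    Only accounts with at least one SPN matter: without an SPN no TGS can be
    requested for them, so there is nothing to crack offline."""
    findings = []
    for acct in accounts:
        if not acct["spns"]:
            continue
        issues = []
        enc = acct["enc_types"]
        if enc is None:
            issues.append("msDS-SupportedEncryptionTypes unset; treated as RC4-capable")
        else:
            if enc & (DES_CBC_CRC | DES_CBC_MD5):
                issues.append("DES allowed")
            if enc & RC4_HMAC:
                issues.append("RC4 allowed")
            if not enc & (AES128 | AES256):
                issues.append("no AES etype")
        age_days = (today - datetime.strptime(acct["pwd_last_set"], "%Y-%m-%d")).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password {age_days} days old")
        if issues:
            findings.append({"sam": acct["sam"], "spns": acct["spns"],
                             "etypes": describe(enc) if enc is not None else [],
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding["sam"], finding["etypes"], "; ".join(finding["issues"]))
```

In the constructed data svc_web (AES128 and AES256 only, recent password) passes, jdoe is skipped because it has no SPN, and the other three service accounts are reported. The remediation for a flagged account is the one the list item states: set the account to AES only, rotate the password to a long random value (or move the service to a group Managed Service Account so rotation is automatic), and remove SPNs that no longer serve anything.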

During compromise (assume breach)

  • Credential Guard on all endpoints to protect LSASS.
  • BYOVD mitigation — maintain a blocklist of known-vulnerable drivers via WDAC/HVCI.
  • Canary files in high-value shares — tripwire documents that alert on access.
  • Network segmentation with east-west monitoring — detect lateral movement between server and workstation tiers.

Impact containment

  • Immutable, air-gapped backups. If the backup server is domain-joined, assume it will be encrypted. 3-2-1 rule: 3 copies, 2 media types, 1 offsite/offline.
  • Incident response retainer — have a contract in place before you need it. The first 4 hours determine the outcome.
  • Rehearse recovery. A backup that has never been tested is not a backup — it is a hope.

Conclusion

The ransomware ecosystem in 2025 is a mature, industrialized operation. It has specialization, supply chains, customer service, and product iteration cycles. Treating it as “just malware” is a category error that leads to inadequate defense.

The organizations that survive are the ones that understand the machine well enough to break it at multiple points — not just at the encryption stage, where it is already too late, but at the credential boundary, the lateral movement path, and the initial access vector where the chain begins.

References

  • PRODAFT. Threat Intelligence Reports — LockBit, BlackCat, Akira affiliate infrastructure analysis. prodaft.com
  • CISA. #StopRansomware Joint Advisories. cisa.gov
  • Mandiant. M-Trends 2025 — ransomware affiliate behavioral analysis. mandiant.com
  • MITRE ATT&CK. Ransomware technique mapping. attack.mitre.org
  • Chainalysis. Crypto Crime Report 2025 — ransomware payment flow analysis. chainalysis.com
  • Sophos. Active Adversary Report 2025 — dwell time and TTP trends. sophos.com
  • SpecterOps. BloodHound Enterprise — AD attack path analysis. specterops.io