Ransomware Ecosystem — Analyst Primer

New Analyst Onboarding Guide  |  v1.0  |  Based on EDP Framework  |  April 2026  |  INTERAGENCY
Section 01
What Is Ransomware?
A plain-language foundation for analysts new to this ecosystem.

Ransomware is extortion software. Attackers infiltrate an organization's network, encrypt its files or systems to make them inaccessible, and demand payment — typically in cryptocurrency — to restore access. Modern ransomware operations also steal data before encrypting it, threatening to publish it if the ransom is not paid. This is called double extortion.

What makes modern ransomware different from earlier cybercrime is its industrialization. It is no longer the work of a single criminal or small team. It is a supply chain — a network of specialized criminal service providers, each contributing a piece of the operation, connected by underground marketplaces and governance systems. Understanding that supply chain is the foundation of effective disruption.

Key Concept

Modern ransomware is not a single threat actor. It is an ecosystem of 15+ specialized criminal service markets, each of which can be targeted independently. Disrupting one node degrades the others.

The Scale of the Problem

$813M
Confirmed ransomware payments in 2025 (Chainalysis) — down ~35% from 2024 peak estimates
7,500+
Victims publicly named on data leak sites in 2024 — a record
72%
Victim non-payment rate in 2025 — record high (only 28% of victims paid)
70%+
Non-payment rate when victims receive professional incident response support
$130M
In victim payments avoided by FBI's 7-month covert Hive operation

Why This Is Hard

Three structural factors make ransomware uniquely difficult to suppress:

  • Russian jurisdiction shield. The majority of ransomware core teams operate from Russia or CIS states. Russia does not extradite its citizens for cybercrime against Western targets, and historically tolerates — and in some cases benefits from — ransomware operations. No Russian-based core operator has been successfully extradited and prosecuted.
  • Brand resilience. When a ransomware brand is disrupted, its affiliates migrate to another brand within 30-90 days. The infrastructure and relationships persist; only the brand name changes. LockBit affiliates moved to RansomHub within 60 days of Operation Cronos.
  • Specialization. No single actor controls the entire chain. Disrupting one service provider creates a temporary gap that competitors fill. This is why layered, sequential disruption (Phase A/B/C) is required — not single-node action.
Analyst Note

The 72% non-payment rate in 2025 is the most important recent development in this space — only 28% of victims paid, a record low. This correlates with sustained financial-layer enforcement (mixer and exchange actions) and growing non-payment advocacy. Total payments held at ~$813M even as attack volume rose 50%, meaning the ecosystem is running harder for diminishing returns. Scaling non-payment support further remains the highest-priority action available.

Section 02
The 9-Layer Ecosystem
How the ransomware supply chain is structured — and which layers are targeted in which disruption phase.
[Diagram: The 9-Layer Ransomware Ecosystem. Layers 0 (Infrastructure Foundation) through 8 (Fiat Integration) are stacked bottom-to-top, each colour-coded by its primary disruption phase (A, B, C or Cross-Cut); the same layer, module and phase data is given in the table below.]

The ransomware ecosystem is organized into nine functional layers. Each layer contains one or more specialized criminal service markets (the 15 EDP modules). The layers are not sequential — they operate simultaneously, with criminal actors purchasing services from multiple layers at once.

Reading the Diagram

Layers are organized bottom-to-top from infrastructure foundation to financial integration. Color coding indicates the primary disruption phase. The Phase A/B/C framework determines the sequence of enforcement action — not because lower layers are attacked first operationally, but because financial disruption (Phase A) degrades the economic incentive to reconstitute when the operational layers (Phase C) are later targeted.

Layer | Function | Modules (EDP module number) | Primary disruption phase
8 | Fiat Integration | Money Launderers (13) · Mule Networks (14) | Phase A
7 | Cash-Out | OTC Brokers (12) | Phase A
6 | Financial Obfuscation | Crypto Mixers (11) | Phase B
5 | Extortion | Leak Site Ops (8) · Negotiation Services (15) | Phase C
4 | Core Operations | RaaS Groups (7), the central revenue generator | Phase C
3 | Access Markets | IABs (5) · Exploit Brokers (6) · Underground Forums (10) | Phase B
2 | Access Generation | Stealers (1) · Loaders (2) | Phase B
1 | Enablement | Crypters (3) · Callers / Spammers (4) | Cross-Cut
0 | Infrastructure Foundation | Bulletproof Hosting (9), which everything else depends on | Phase A
Section 03
How an Attack Works End-to-End
Following a ransomware operation from initial lure to laundered proceeds — with the responsible module at each step.
Attack chain, left to right: LURE (Callers / Spammers, Module 04) → LOAD (Loaders / Crypters, Modules 02-03) → HARVEST (Stealers / Log Markets, Module 01) → ACCESS (IAB / Exploit Broker, Modules 05-06) → DEPLOY (RaaS Groups, Module 07) → EXTORT (Leak Sites / Negotiators, Modules 08 and 15) → OBFUSCATE (Crypto Mixers, Module 11) → CASH OUT (OTC / Exchanges, Modules 12-13) → INTEGRATE (Mule Networks, Module 14)

Step-by-Step Walkthrough

Step 1 — The Lure (Module 04)

The attack begins with a lure — typically a phishing email, malicious advertisement, or phone call designed to trick the victim into executing something. Caller and spammer operators send thousands of emails per day or staff call centers that impersonate IT helpdesks. The Scattered Spider group compromised MGM Resorts by calling the IT helpdesk and socially engineering an employee into resetting credentials — no malware required at this stage.

Step 2 — Delivery and Execution (Modules 02, 03)

If the lure involves a file or link, a loader executes on the victim machine. Before delivery, a crypter has wrapped the malware in obfuscation code to evade antivirus detection. The loader's job is to establish a foothold and download the next-stage payload.

Step 3 — Credential Harvesting (Module 01)

Once inside the network, an infostealer may run to harvest credentials, session tokens, and system information. These are sent back to attacker-controlled infrastructure. Alternatively, an IAB may have already sold access harvested from a previous infection at a different organization.

Step 4 — Access Brokering (Modules 05, 06)

In many operations, the initial access is not performed by the ransomware affiliate at all. An IAB already compromised the target and listed the access on an underground forum. The affiliate bought it. For high-value targets, an exploit broker may have provided a zero-day exploit enabling direct entry without credentials.

Step 5 — Deployment (Module 07)

The ransomware affiliate (operating under a RaaS brand) establishes persistence, escalates privileges, moves laterally across the network, and exfiltrates data before detonating the ransomware payload. This phase can take hours to weeks depending on target size and affiliate sophistication. The affiliate uses RaaS tools provided by the core team.

Step 6 — Extortion (Modules 08, 15)

The encryption payload is detonated. The victim receives a ransom note with payment instructions. Simultaneously, the stolen data is posted (or threatened to be posted) on the group's data leak site. The core team's negotiation team begins contact with the victim. On the defender side, professional IR firms engage to negotiate and, where possible, avoid payment entirely.

Step 7 — Payment and Obfuscation (Module 11)

If payment occurs, the victim sends cryptocurrency to attacker-controlled wallets. The funds are immediately run through mixing services to break the blockchain traceability chain. Chainalysis and TRM Labs can trace through custodial mixers with significant effort; decentralized mixers are substantially harder to trace.

Step 8 — Cash-Out (Modules 12, 13)

Mixed funds flow to OTC brokers and non-compliant exchanges for conversion to fiat currency. High-volume criminal OTC is concentrated in Russia. SUEX, Chatex, Garantex, and Cryptex have all been designated or seized. The 3-year gap between Garantex's designation (2022) and seizure (2025) demonstrates that designation without enforcement allows continued operation.

Step 9 — Integration (Module 14)

Fiat proceeds are laundered through mule networks into the legitimate economy: real estate purchases, luxury goods, shell company capitalization, and financial instruments. Over 50% of mule-linked funds exit within 1 hour. Recovery at this stage requires real-time intervention capability — post-receipt recovery is essentially impossible without it.

Teaching Note

The most important thing to understand about this chain is that it is modular. The affiliate who deploys the ransomware is almost certainly not the same person who compromised the network, wrote the malware, or laundered the proceeds. Each of those functions is a separate specialist. This is why attribution is hard — and why disrupting the ecosystem requires action across multiple nodes simultaneously.

Section 04
The 15 Building Blocks
Each criminal service market that makes up the ransomware ecosystem — explained plainly, with disruption levers.
01
Stealers
Infostealer Malware and Log Markets
Phase B HIGH
Think of stealers as digital pickpockets that work at industrial scale — they grab your keys, passwords, and wallet contents and sell them to the next criminal in line.
What It Does

Infostealer malware infects endpoints and automatically extracts credentials, browser session tokens, and cryptocurrency keys. The stolen data is packaged into 'logs' and sold on dark web markets (Russian Market, 2easy). These logs are the raw material that Initial Access Brokers use to sell network entry to ransomware groups.

Why It Matters

Without stealers, IABs have no product to sell. The entire credential-based access economy depends on a continuous supply of fresh logs.

Key Actors
  • LummaC2
  • Vidar
  • RedLine
  • RisePro
  • Meduza
  • Russian Market (log marketplace)
  • Genesis Market (seized 2023)
Disruption Levers
  • Microsoft DCU seized 2,300+ LummaC2 domains (2025)
  • Operation Cookie Monster: Genesis Market seized (2023)
  • AV/EDR telemetry sharing compresses FUD validity window
One-Line Brief

The factory that produces stolen credentials feeding the entire access economy.

02
Loaders
Loader Malware and Delivery Platforms
Phase B HIGH
Loaders are the delivery trucks. They don't carry the ransomware themselves — they open the door and unload whatever the operator wants to deploy next.
What It Does

Loader malware infiltrates a target system and executes a secondary payload — which could be a stealer, ransomware, or remote access tool. Loaders are sold as Loader-as-a-Service (LaaS), with operators renting access to their delivery infrastructure for $100-$1,000/month. Delivery vectors include SEO poisoning, malicious Office macros, and USB propagation.

Why It Matters

Without loaders, ransomware groups can't efficiently scale victim volume. Loaders are the bridge between the initial lure and actual malware deployment.

Key Actors
  • QakBot (disrupted 2023)
  • IcedID / BokBot (disrupted 2024)
  • Latrodectus (active, IcedID successor)
  • Raspberry Robin
  • Bumblebee (disrupted 2024)
  • Pikabot
Disruption Levers
  • Operation Endgame (2024): IcedID, Bumblebee, SmokeLoader, Pikabot seized simultaneously — largest loader action on record
  • Operation Duck Hunt (2023): QakBot C2 seized; 700,000 infected devices identified
One-Line Brief

The delivery mechanism that gets malware from the attacker to the victim's machine.

03
Crypters
Obfuscation-as-a-Service
Cross-Cutting MEDIUM
Crypters are the disguise kit. They make malware unrecognizable to antivirus scanners — like putting a wolf in a business suit so it walks past security.
What It Does

Crypter-as-a-Service (CaaS) wraps malware in obfuscation code that defeats antivirus and EDR detection. The output is called FUD — Fully Undetectable. Services sell through criminal forums and Telegram bots. Detection eventually burns each 'stub', so operators must repurchase regularly. The market is concentrated: 1-3 sellers dominate volume on each major forum.

Why It Matters

Without crypters, commodity malware is detected on delivery and the entire attack chain fails at the entry point.

Key Actors
  • Private FUD CaaS providers (primarily unnamed)
  • Telegram CaaS bots
  • Open-source obfuscation tooling
Disruption Levers
  • AV/EDR signature coordination (CISA) burns stubs faster
  • No major LE action documented as of 2026 — largest gap in enforcement coverage
One-Line Brief

The disguise service that makes malware invisible to antivirus at the moment of delivery.

04
Callers / Spammers
Social Engineering and Human-Layer Access
Cross-Cutting MEDIUM
Callers are the con artists. They don't hack computers — they hack humans, convincing IT staff to hand over access directly.
What It Does

Social engineering operators use phone calls, emails, and AI-generated voice calls (vishing) to manipulate victims into executing malware or handing over credentials. The BazarCall model sends phishing emails prompting victims to call attacker-run numbers; operators then socially engineer IT staff. MGM Resorts suffered $100M+ in losses from a single vishing call by Scattered Spider.

Why It Matters

Human-layer attacks bypass all technical security controls. They are the lowest-cost, highest-impact initial access vector when targeting enterprises with strong technical defenses.

Key Actors
  • Scattered Spider (disrupted 2023-24)
  • Black Basta call centers
  • BazarCall operators
  • PlugValley (AI vishing platform, active)
Disruption Levers
  • Scattered Spider prosecutions (UK/US) — demonstrates operators can be identified and arrested
  • Out-of-band verification requirements eliminate BazarCall surface without LE action
  • AI vishing platform enforcement (PlugValley) would degrade multiple campaigns simultaneously
One-Line Brief

The human con artists who manipulate IT staff into handing over access.

05
IABs
Initial Access Broker Markets
Phase B HIGH
IABs are the real estate agents of cybercrime — they don't live in the house, they just get the key and sell it to whoever pays most.
What It Does

Initial Access Brokers compromise networks and sell access rather than exploiting it directly. Two tiers: Bulk IABs use automated scanning tools and sell commodity access at $500-$1,000. Boutique IABs curate high-value targets with documented privileged access (domain admin) and sell at $2,700-$10,000+. Rapid7 found 71.4% of observed listings include privileged access.

Why It Matters

IABs made ransomware a franchise model. RaaS groups no longer need to compromise victims themselves — they buy pre-compromised access at scale.

Key Actors
  • High-volume forum IABs on Exploit.in, XSS.is
  • Boutique IABs on RAMP, DarkForums
  • Raspberry Robin C2 (automated pipeline)
Disruption Levers
  • OFAC boutique IAB financial designation
  • FBI Raspberry Robin C2 sinkholing
  • Forum trust mechanism infiltration raises costs for all IAB tiers
One-Line Brief

The brokers who sell pre-compromised network access to ransomware groups.

06
Exploit Brokers
Vulnerability and Exploit Markets
Phase B CRITICAL
Exploit brokers are arms dealers for software vulnerabilities — they find the unlocked doors in enterprise software and sell the key to whoever pays.
What It Does

Exploit brokers acquire software vulnerabilities (zero-days and n-days) and sell exploitation capability to criminal or state actors. Criminal prices routinely exceed vendor bug bounty payments by 10x-100x, creating a structural economic incentive for researchers to sell to criminal markets. CL0p's MOVEit zero-day (2023) enabled $100M+ in extortion across 2,000+ organizations from a single exploit.

Why It Matters

A single quality zero-day enables mass-scale attacks against thousands of organizations simultaneously — this is qualitatively different from any other access method.

Key Actors
  • CL0p / TA505 (MOVEit, GoAnywhere)
  • Zerodium, Crowdfense (gray market)
  • State-adjacent researchers (RU/CN)
Disruption Levers
  • Bug bounty price parity: closing the criminal/vendor price gap removes researcher incentive to sell to criminal markets
  • Rapid patch deployment (CISA coordination) compresses exploitation windows from weeks to days
One-Line Brief

The arms dealers who sell software vulnerabilities enabling mass-scale attacks.

07
RaaS Groups
Ransomware-as-a-Service Operators
Phase C CRITICAL
RaaS groups are the franchise headquarters. They own the brand, the tools, and the infrastructure. Affiliates are the franchisees — they do the actual work and take most of the money.
What It Does

RaaS core teams (5-20 members) develop and maintain ransomware code, negotiation infrastructure, and leak sites. Affiliates (dozens to hundreds per brand) deploy against victims and take 70-80% of proceeds; core teams retain 20-30%. In 2025: 7,500+ victims publicly named on DLS (record); $813M in confirmed payments (Chainalysis). The 72% non-payment rate in 2025 (28% paid, record low) is the strongest available signal that disruption is working; attack volume rose 50% but total payments held flat.

Why It Matters

RaaS groups are the revenue generator for the entire ecosystem. Every other module exists to either supply them (access, infrastructure) or launder their proceeds.

Key Actors
  • LockBit 3.0 (disrupted 2024)
  • ALPHV/BlackCat (exit scam 2024)
  • RansomHub (active, dominant 2024-25)
  • Cl0p
  • Black Basta
  • Akira
  • Play
Disruption Levers
  • Operation Cronos: LockBit infrastructure seized (2024); 34 servers, 1,000+ decryption keys
  • FBI Hive 7-month covert infiltration: $130M in avoided payments
  • Non-payment advocacy: 35% decline in 2024 — highest-durability lever requiring no Russian cooperation
  • OFAC designation of core operators and key developers
One-Line Brief

The franchise headquarters that owns the ransomware brand and splits proceeds with deploying affiliates.

08
Leak Site Ops
Data Leak Site Operations
Phase C HIGH
Leak sites are the public shaming board. If you don't pay, your customers' data goes on the board for everyone to see — including your regulators.
What It Does

Data Leak Sites (DLS) are the extortion infrastructure of double-extortion ransomware. When victims refuse to pay, operators publish stolen data to coerce payment, notify victims' customers, and signal operational health to prospective affiliates. 621 victims were posted across DLS platforms in December 2024 — a single-month record. Multi-tenant DLS platforms now host multiple ransomware brands on shared infrastructure.

Why It Matters

The DLS model permanently transformed ransomware by adding publication pressure to encryption pressure. Even organizations with good backups now face regulatory and reputational consequences.

Key Actors
  • Hive DLS (seized 2023)
  • LockBit DLS (seized 2024)
  • RansomHub DLS (active)
  • Multi-tenant platform operators
Disruption Levers
  • FBI Hive covert infiltration: 7 months of access; $130M in avoided payments; 300+ victims received decryption keys before seizure
  • Operation Cronos LockBit DLS seizure: countdown timers reversed for psychological impact
  • BPH disruption (Module 09) directly degrades DLS uptime
One-Line Brief

The public shaming infrastructure that pressures victims into paying by threatening to publish their data.

09
BPH
Bulletproof Hosting Providers
Phase A CRITICAL
BPH providers are the landlords who rent apartments to criminals knowing exactly what they're doing — and actively protect their tenants from police.
What It Does

Bulletproof Hosting providers offer abuse-resistant infrastructure: they ignore law enforcement requests, provide no logs, and resist legal process — for a significant premium. BPH is the physical foundation upon which all other modules operate: leak sites, C2 servers, loader delivery, and forums all depend on it. Sophos identified a single VM template image underlying 7,000+ ransomware-linked servers in 2025.

Why It Matters

Without BPH, all other criminal infrastructure loses its protection. Disrupting BPH simultaneously degrades every dependent module — it is the only single action that impacts the entire ecosystem at once.

Key Actors
  • Zservers (designated 2024)
  • Media Land LLC (designated 2024)
  • Aeza Group (active)
  • BEARHOST (active)
Disruption Levers
  • Upstream ISP depeering (McColo model): 75% global spam drop within hours — gold standard; cannot be overcome by server migration
  • OFAC/UK OFSI/Australia DFAT joint designation: Zservers and Media Land (2024)
  • Sophos VM template fingerprint: proactive detection of 7,000+ ransomware-linked servers — underexploited lever
One-Line Brief

The criminal landlords who provide the untouchable hosting that every other module depends on.

10
Underground Forums
Criminal Markets and Trust Infrastructure
Phase B HIGH
Underground forums are the criminal stock exchange — not just a place to trade, but the institution that enforces contracts, protects reputations, and keeps the market honest.
What It Does

Underground forums are the governance layer of the ransomware ecosystem. They provide reputation systems, escrow services, dispute resolution, and recruitment pipelines. Without forums, criminal commerce cannot function: IAB transactions cannot be trusted, affiliates cannot be vetted, and services cannot be advertised. The Conti leak (2022) was more damaging than any server seizure because it destroyed trust in linked forum identities.

Why It Matters

Forums are not just marketplaces — they enforce the trust contracts that make all criminal transactions possible. Destroying trust is more disruptive than destroying servers.

Key Actors
  • Exploit.in (active, ~2010-present)
  • XSS.is (active)
  • RAMP (active)
  • DarkForums (active)
  • BreachForums (repeatedly seized and reconstituted)
Disruption Levers
  • Forum infiltration and trust manipulation: implanting false information degrades reputation systems
  • Conti leak model: simultaneous trust destruction across all linked identities
  • Administrator prosecution: RaidForums admin arrested (2022); BreachForums admin arrested (2023)
One-Line Brief

The criminal stock exchange that provides trust infrastructure for all ecosystem transactions.

11
Crypto Mixers
Cryptocurrency Mixing and Tumbling
Phase B HIGH
Mixers are the money laundromat — you put in dirty crypto from one side, it gets shuffled with everyone else's money, and clean crypto comes out the other side.
What It Does

Mixing services obscure cryptocurrency origins by pooling funds from multiple sources and returning equivalent amounts minus a 1-3% fee. Custodial mixers (Chipmixer, Blender, Sinbad) take physical possession of funds. Decentralized mixers (Tornado Cash, CoinJoin) use smart contracts without a central operator. Chipmixer processed $3B+ in criminal proceeds before seizure in 2023.

Why It Matters

Without mixing, every ransom payment is traceable on the blockchain from victim to criminal wallet. Mixing breaks the chain of traceability that blockchain analytics firms exploit.

Key Actors
  • Chipmixer (seized 2023, $3B+ processed)
  • Blender.io (designated 2022)
  • Tornado Cash (designated 2022)
  • Sinbad.io (seized 2023)
  • Wasabi Wallet CoinJoin (active, decentralized)
Disruption Levers
  • OFAC Tornado Cash designation: first-ever smart contract designation (2022)
  • Chipmixer seizure: $3B+ in criminal proceeds; 7 servers (2023)
  • ~$813M in 2025 payments (record-low 28% payment rate) correlates with sustained financial-layer enforcement
One-Line Brief

The money laundromat that makes ransomware crypto untraceable before cash-out.

12
OTC Brokers
Over-the-Counter Cryptocurrency Brokers
Phase A CRITICAL
OTC brokers are the back-alley currency exchangers — they convert your crypto to cash in person, no questions asked, for the right fee.
What It Does

OTC brokers provide personalized, large-volume cryptocurrency-to-fiat conversion without KYC requirements. High-volume criminal OTC is concentrated in Russia (Moscow, St. Petersburg). The SUEX-to-Garantex-to-Cryptex sequence (2021-2024) established the OTC enforcement playbook. Critical lesson: Garantex was designated in 2022 and continued processing hundreds of millions in criminal proceeds for 3 years before physical enforcement in 2025.

Why It Matters

OTC brokers are the primary mechanism for converting large ransomware payments into spendable fiat. Without them, criminal proceeds remain locked in crypto.

Key Actors
  • SUEX (designated 2021)
  • Chatex (designated 2021)
  • Garantex (designated 2022, seized 2025)
  • Cryptex (designated 2024, $7B+ identified)
Disruption Levers
  • SUEX designation (2021): first cryptocurrency exchange designation; established the playbook
  • Garantex physical seizure (2025): 3-year gap from designation to enforcement is the critical lesson
  • Tether T3 real-time USDT freeze: most underused lever — freeze at identification, not post-enforcement
One-Line Brief

The back-alley currency exchangers who convert criminal crypto to cash in Russia.

13
Exchanges / Launderers
High-Risk Cryptocurrency Exchanges
Phase A CRITICAL
Criminal exchanges are the corrupt banks — they accept deposits they know are stolen and help convert them to legitimate-looking funds.
What It Does

Non-compliant exchanges process large volumes of criminal proceeds through automated systems, converting crypto to fiat at scale. Unlike OTC brokers, they operate exchange infrastructure with deposit/withdrawal systems. BTC-e ($4B), Bitzlato ($700M+), and Garantex are the documented examples. Coordinated OTC-plus-exchange designation in the same enforcement window is the untested high-value action.

Why It Matters

Exchanges are the scaling mechanism for criminal cash-out. OTC handles the largest individual transactions; exchanges handle volume. Both are required for the proceeds to reach the real economy.

Key Actors
  • BTC-e (seized 2017, $4B)
  • Bitzlato (seized 2023, $700M+)
  • Garantex (designated 2022, seized 2025)
  • Cryptex (designated 2024)
Disruption Levers
  • Tether T3 real-time USDT freeze upon wallet identification — not post-enforcement
  • Coordinated OTC-plus-exchange designation in same window prevents displacement
  • Physical enforcement required within 12-18 months of designation or gap allows continued operation
One-Line Brief

The corrupt exchange infrastructure that converts ransomware proceeds to fiat at scale.

14
Mule Networks
Fiat Layering and Integration
Phase C MEDIUM
Mule networks are the chain of intermediaries who turn drug money into a house purchase — each link in the chain knows less than the one before.
What It Does

Mule networks convert cryptocurrency proceeds into untraceable real-world assets through human intermediaries: professional herder operators, semi-witting recruits (tricked through fake job ads), and integration vehicles (real estate, shell companies, luxury goods). TRM Labs (2024) confirmed that 50%+ of mule-linked funds exit within 1 hour of receipt — making post-receipt recovery essentially impossible.

Why It Matters

Without mule networks, criminal proceeds stay in cryptocurrency or trapped in the financial system, where they remain seizable. Mule networks complete the conversion to real-world wealth.

Key Actors
  • Professional herder networks (serve ransomware, fraud, and BEC simultaneously)
  • Semi-witting money mule recruits
  • Shell company and real estate operators
Disruption Levers
  • Herder-tier prosecution: cross-ecosystem disruption (same networks serve multiple crime types)
  • Integration-stage AML enforcement (real estate, luxury goods): entirely in Western jurisdiction, no Russian cooperation required
  • Real-time fund recovery requires pre-negotiated bank-to-bank freeze protocols — 1-hour window is the constraint
One-Line Brief

The human chain that converts criminal crypto into real estate, cash, and luxury goods.

15
Negotiation Services
Criminal and Defender-Side Negotiation
Cross-Cutting MEDIUM
This module has two sides: the criminal negotiators are the hostage-takers setting ransom terms; the professional IR firms are the hostage negotiators working to get the victim out without paying.
What It Does

Dual-character module. Criminal side: RaaS core teams run dedicated internal negotiation teams. Some rogue recovery firms deceptively accept victim payments while secretly paying the ransom, claiming to have 'decrypted' data. Defender side: legitimate IR firms (Coveware, GuidePoint, CyberSecOp) achieve documented non-payment rates exceeding 70% for professionally managed incidents vs. ~30-40% without professional support.

Why It Matters

The payment decision occurs at this node. Scaling professional negotiation access is the highest-ROI disruption action that requires no access to Russian infrastructure — every percentage point of non-payment growth represents hundreds of millions in avoided payments.

Key Actors
  • RaaS internal negotiation teams (criminal)
  • Rogue recovery operators (criminal-adjacent)
  • Coveware, GuidePoint Security, CyberSecOp (legitimate)
Disruption Levers
  • Scaling professional IR access to SMBs and critical infrastructure sectors (CISA/NCSC coordination)
  • Rogue recovery operator enforcement (FTC, SEC reporting requirements)
  • Non-payment advocacy: 70%+ non-payment rate for professionally managed incidents vs. 35% ecosystem-wide
One-Line Brief

The negotiation layer where the ransom is either paid or avoided — highest-ROI disruption point not requiring Russian access.
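
The layering in Section 02 and the "Why It Matters" statements on the module cards above together describe a dependency graph: stealers feed IABs, crypters gate loaders, BPH hosts leak sites and forums, mixers process RaaS payments, and so on. The following script is an added example, not part of the primer or the EDP framework: it encodes those stated dependencies (edges marked "assumed" are this editor's reading of the card prose) and computes the transitive set of modules degraded by disrupting any single node, grouped by the phase in which the primer targets them. Run stand-alone it ranks all fifteen modules by blast radius.

```python
"""Dependency model of the 15 EDP modules described in this primer.

Added example (not the primer's or the EDP framework's own code). Module
numbers, names and phase labels are taken from the cards; DEPENDS_ON edges
are taken from the "Why It Matters" / "What It Does" text, with the ones
marked [assumed] being an interpretation rather than a direct statement.
"""
from collections import deque

# Module number -> (name, primary disruption phase), as printed on the cards.
MODULES = {
    1: ("Stealers", "B"),
    2: ("Loaders", "B"),
    3: ("Crypters", "Cross-Cut"),
    4: ("Callers / Spammers", "Cross-Cut"),
    5: ("IABs", "B"),
    6: ("Exploit Brokers", "B"),
    7: ("RaaS Groups", "C"),
    8: ("Leak Site Ops", "C"),
    9: ("BPH", "A"),
    10: ("Underground Forums", "B"),
    11: ("Crypto Mixers", "B"),
    12: ("OTC Brokers", "A"),
    13: ("Exchanges / Launderers", "A"),
    14: ("Mule Networks", "C"),
    15: ("Negotiation Services", "Cross-Cut"),
}

# DEPENDS_ON[consumer] = set of supplier modules the consumer cannot operate without.
DEPENDS_ON = {
    1: {3, 10},           # stealers need crypters to land and markets to sell logs [assumed]
    2: {3, 9},            # loaders need crypters (card 03) and hosting for delivery (card 09)
    5: {1, 10},           # IABs need stealer logs (card 01) and forum trust/escrow (card 10)
    7: {2, 5, 6, 9, 10},  # RaaS buys access (05/06), scales via loaders (02), C2 on BPH (09), vets on forums (10)
    8: {7, 9},            # leak sites are run by RaaS core teams (card 08) on BPH (card 09)
    10: {9},              # forums are hosted on BPH (card 09)
    11: {7},              # mixers exist to launder RaaS payments (card 11) [assumed: no payments, nothing to mix]
    12: {11},             # OTC brokers convert mixed funds (Section 05, step 4)
    13: {11},             # exchanges convert mixed funds (Section 05, step 5)
    14: {12, 13},         # mule networks layer fiat coming out of OTC/exchanges (card 14)
    15: {7},              # criminal-side negotiation teams are RaaS core staff (card 15)
}


def _dependents() -> dict:
    """Invert DEPENDS_ON: supplier -> set of modules that consume it."""
    inv = {m: set() for m in MODULES}
    for consumer, suppliers in DEPENDS_ON.items():
        for supplier in suppliers:
            inv[supplier].add(consumer)
    return inv


def degraded_by(disrupted: int) -> set:
    """Transitive set of modules that lose a supplier when `disrupted` goes down.

    Breadth-first walk over the inverted graph; the disrupted node itself is excluded.
    """
    inv = _dependents()
    seen, queue = set(), deque([disrupted])
    while queue:
        node = queue.popleft()
        for consumer in inv[node]:
            if consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    seen.discard(disrupted)
    return seen


def blast_radius_by_phase(disrupted: int) -> dict:
    """Group the degraded modules by the phase in which the primer targets them."""
    out = {}
    for m in sorted(degraded_by(disrupted)):
        name, phase = MODULES[m]
        out.setdefault(phase, []).append(f"{m:02d} {name}")
    return out


def rank_single_actions() -> list:
    """All modules as (number, name, count degraded), most far-reaching first."""
    rows = [(m, MODULES[m][0], len(degraded_by(m))) for m in MODULES]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for num, name, count in rank_single_actions():
        print(f"{num:02d} {name:<24} degrades {count:2d} other module(s)")
    print("Disrupting mixers (11) reaches:", blast_radius_by_phase(11))
```

Under these edges BPH tops the ranking, in line with the card's claim that it is the one node touching the whole ecosystem, and crypters come second, which is consistent with the primer flagging them as the largest enforcement gap.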

Section 05
Follow the Money
How ransom payments move from victim payment to real-world assets — and where the disruption opportunities are.

Understanding the financial chain is critical because financial disruption is the highest-durability lever available. Unlike operational disruption (which produces 30-90 day brand reconstitution), financial disruption raises the cost of doing business for the entire ecosystem — regardless of which brand carries the flag.

1. Victim Payment [$813M total 2025]
Victim sends Bitcoin or USDT to an attacker-controlled wallet. Average payment 2025: ~$2.7M for large organizations. 72% of victims declined to pay in 2025 (record non-payment rate; 28% paid).

2. Affiliate Split [70-80% to affiliate]
RaaS core team immediately splits the payment: 70-80% to the deploying affiliate, 20-30% retained by the core team. Happens within minutes of payment confirmation.

3. Crypto Mixing (Module 11) [1-3% mixer fee]
Funds are sent to a mixer to break blockchain traceability. Custodial mixers (Chipmixer: $3B+ seized 2023) are being replaced by decentralized alternatives (CoinJoin, cross-chain bridges) that are harder to seize.

4. OTC Broker (Module 12) [1-5% OTC fee]
Large positions are converted through OTC brokers in Moscow/St. Petersburg. No KYC, bilateral settlement. SUEX, Garantex, Cryptex designated/seized 2021-2025. Designation without physical enforcement is insufficient — Garantex operated 3 years post-designation.

5. Non-Compliant Exchange (Module 13) [exchange spread fee]
Volume conversion through high-risk exchanges. BTC-e ($4B seized 2017), Bitzlato ($700M seized 2023), Garantex (seized 2025). The Tether T3 real-time USDT freeze is the underused lever at this stage.

6. Mule Network (Module 14) [50%+ exit in <1hr]
Fiat is layered through mule account chains. 50%+ of funds exit within 1 hour. Herder-tier operators run the same mule networks for ransomware, fraud, and BEC simultaneously — disruption has cross-ecosystem value.

7. Real Economy Integration [real assets]
Proceeds are integrated through real estate, luxury goods, shell companies, and financial instruments. The Conti leaks documented Wizard Spider's property and shell company network explicitly. Integration-stage action is entirely within Western jurisdiction — no Russian cooperation required.

Phase A Priority Rationale

OTC brokers (Module 12) and exchanges (Module 13) are rated CRITICAL and designated Phase A targets because disrupting both simultaneously — not sequentially — prevents displacement of proceeds from one to the other. The Garantex lesson: designation alone without physical enforcement within 12-18 months allows continued operation. The Tether T3 freeze is the highest-impact underused tool at this layer.

Section 06
The Russian Factor
Why Russian jurisdiction matters, how state protection works, and what Western actors can and cannot do about it.

The Krysha Model

Krysha (крыша) is Russian criminal slang for "roof" — protection provided by a more powerful party in exchange for a cut or services. In the ransomware context, it describes the relationship between RaaS operators and the Russian state: the FSB is aware of ransomware operations targeting Western victims, does not enforce against them, and in some cases benefits from them through intelligence collection or plausible deniability cover for state operations.

This is not the same as the Russian state directing ransomware attacks. In most cases, it is passive tolerance: operators are left alone as long as they do not target CIS citizens or Russian state infrastructure, and cooperate when the FSB wants access to their systems or personnel.

What Russian State Tolerance Provides

  • Operating environment free from domestic prosecution
  • Extradition shield — no Russian citizen has been successfully extradited for ransomware
  • Ability to reconstitute after Western disruption actions
  • Physical infrastructure in Russian jurisdiction (BPH, OTC, exchanges)
  • Access to Russian financial system for fiat integration

What Russian State Tolerance Does NOT Provide

  • Active operational direction for most groups (different from APT tasking)
  • Blanket immunity — REvil members were briefly arrested by the FSB in Jan 2022 under US diplomatic pressure, then released
  • Protection for operators arrested outside Russia — Vinnik (BTC-e), Vasinskyi (Kaseya/REvil) caught while traveling
  • Protection for financial assets in Western jurisdiction — OFAC designation and seizure work on Western-nexus funds

The Extradition Reality

Russia does not extradite its citizens. This is a constitutional provision (Article 61), not a policy choice. The practical implication: any Russian national who remains inside Russia cannot be prosecuted by Western authorities, regardless of the strength of the evidence. The only viable arrest pathways are:

  • Travel arrest. Operators arrested in third countries while traveling. Mikhail Vasinskyi (REvil/Kaseya) was arrested in Poland. Alexander Vinnik (BTC-e) was arrested in Greece. This requires intelligence on travel plans and coordination with transit country authorities.
  • FSB-motivated domestic action. The Jan 2022 REvil arrests were politically motivated — the FSB acted after the Colonial Pipeline and Kaseya incidents generated US diplomatic pressure. The arrests were brief; members were released within months. Not a reliable enforcement mechanism.
  • Defection / informant. The Conti leaks (2022) came from an embedded researcher — a human intelligence operation, not an LE action. This approach produced more disruption than any technical operation in the period.

What Works Without Russian Cooperation

The following disruption actions are fully executable within Western jurisdiction and require no Russian cooperation:

  • OFAC designation of operators, OTC brokers, and exchanges — severs Western financial access
  • Upstream ISP depeering of BPH providers — requires only Tier-1 carrier cooperation, not Russian state cooperation
  • Tether/Circle real-time USDT freeze — requires cooperation from private stablecoin issuers, not Russia
  • Non-payment advocacy and professional negotiation access scaling — operates entirely on the victim side
  • Integration-stage AML enforcement (real estate, luxury goods) — entirely in Western jurisdiction
  • Forum infiltration and trust manipulation — intelligence operations, not LE action requiring Russian cooperation

Analyst Note — The FSB Nexus

Several major RaaS operators have documented connections to Russian intelligence services. Sandworm (GRU) has shared infrastructure with criminal ransomware operators. Conti leaks documented FSB contacts within the organization. This complicates disruption: actions against state-adjacent operators carry different diplomatic implications than actions against purely criminal actors. Intelligence community coordination on attribution confidence is required before high-profile actions against operators in this category.

Section 07
The Disruption Framework
Phase A, B, and C — what each phase targets, why the sequence matters, and the key actions in each phase.

PHASE A — FINANCIAL DISRUPTION
Targets: Nodes 01, 02, 03
  • OTC Brokers (12)
  • Exchanges / Launderers (13)
  • Bulletproof Hosting (9)
WHY FIRST: Severs the financial rails before disrupting operations. Raises reconstitution cost.

PHASE B — MARKET DISRUPTION
Targets: Nodes 04, 07, 08
  • IAB Markets (5)
  • Underground Forums (10)
  • Crypto Mixers (11)
WHY SECOND: Degrades recruitment and trust infrastructure while financial pressure is applied.

PHASE C — OPERATIONAL DISRUPTION
Targets: Nodes 05, 06, 09
  • RaaS Core Teams (7)
  • Leak Sites (8)
  • Loaders / Stealers (1, 2)
WHY LAST: Direct operator action is most durable when financial and market layers are degraded.

The Phase A/B/C framework is the operational sequencing logic for ecosystem-level disruption. It is not a chronological roadmap — phases overlap and compound. The sequencing logic is: financial disruption first because it degrades the economic incentive to reconstitute when operational pressure follows.

Phase A — Financial Infrastructure

  • OTC Brokers (Module 12): SUEX-to-Garantex-to-Cryptex designation sequence. Physical enforcement within 12-18 months. Tether T3 freeze.
  • Exchanges / Launderers (Module 13): Coordinated with OTC action in the same enforcement window. Bitzlato, Garantex models.
  • Bulletproof Hosting (Module 09): Upstream ISP depeering. Joint designation (Zservers/Media Land 2024).

Phase B — Market Infrastructure

  • IAB Markets (Module 05): Financial designation of boutique IABs. Raspberry Robin sinkholing. Trust mechanism infiltration.
  • Underground Forums (Module 10): Admin prosecution. Trust manipulation. Infiltration — more durable than seizure.
  • Crypto Mixers (Module 11): OFAC designation. Server seizure. Blockchain analytics tracing compounds.

Phase C — Operational Infrastructure

  • RaaS Core Teams (Module 07): Infrastructure seizure + affiliate exposure. Non-payment advocacy. Covert DLS access (Hive model).
  • Leak Sites (Module 08): Covert access before seizure — $130M avoided (Hive). Multi-tenant > single-brand targeting.
  • Loaders / Stealers (Modules 02, 01): Operation Endgame model: simultaneous multi-family action. Microsoft DCU civil actions.

Why Sequence Matters

Disrupting RaaS brands (Phase C) without Phase A/B pressure produces 30-90 day reconstitution. LockBit affiliates migrated to RansomHub within 60 days of Operation Cronos. The financial and market layers reconstitute more slowly — particularly OTC and exchange infrastructure, which is trust-dependent, not just technical. Applying financial pressure first means that when Phase C operational disruption occurs, the economic incentive to rebuild is lower and the cost to reconstitute is higher.

Cross-Cutting Actions (Any Phase)

  • Non-payment advocacy. The single highest-durability lever requiring no Russian access. Every percentage point of non-payment rate growth at ecosystem scale represents hundreds of millions in avoided payments. 70%+ non-payment rate for professionally managed incidents vs. 35% ecosystem-wide.
  • Professional negotiation access. Scaling IR firm access to SMBs and under-resourced organizations is a force-multiplier for non-payment growth. CISA/NCSC coordination is the mechanism.
  • Bug bounty price parity. For exploit brokers (Module 06): when criminal prices exceed vendor bounties by 10x-100x, researchers rationally sell to criminal markets. Closing this gap reduces zero-day supply without LE action.
  • Victim-side hardening. Out-of-band verification requirements for helpdesk calls eliminate the BazarCall/vishing attack surface entirely — no LE action required, no Russian cooperation needed.

Section 08
Glossary
Key terms for new analysts. Refer back as needed.
RaaS
Ransomware-as-a-Service. A franchise model where core developers license ransomware to affiliates who deploy it and split the proceeds.
Affiliate
A criminal operator who rents RaaS tools, deploys ransomware against victims, and typically receives 70-80% of ransom payments.
IAB
Initial Access Broker. An operator who compromises networks and sells the access rather than exploiting it directly.
BPH
Bulletproof Hosting. Infrastructure providers who guarantee no cooperation with law enforcement and no response to abuse complaints.
OTC Broker
Over-the-Counter broker. Converts large cryptocurrency holdings to fiat currency without KYC requirements.
MaaS
Malware-as-a-Service. Any malware sold or rented to operators as a service product (stealers, loaders, etc.).
Double Extortion
The model (introduced by Maze in 2019) where attackers both encrypt data AND steal it, threatening publication to increase payment pressure.
DLS
Data Leak Site. Dark web infrastructure where ransomware groups post stolen victim data as extortion pressure.
Krysha
Russian term meaning 'roof' — the protection model where Russian state actors (FSB) are aware of criminal operations and provide implicit protection through non-enforcement.
Log
A package of stolen data from an infostealer infection — typically containing credentials, session tokens, and system information — sold on dark web markets.
FUD
Fully Undetectable. Malware that has been obfuscated to evade antivirus and EDR detection at the time of delivery.
OFAC
Office of Foreign Assets Control. The US Treasury division that administers sanctions; its cryptocurrency designations are the primary financial enforcement tool against ransomware.
Mule
A person (witting or unwitting) who moves criminal proceeds through their bank accounts as part of a money laundering chain.
Vishing
Voice phishing. Using phone calls (increasingly AI-generated) to socially engineer victims into providing credentials or installing malware.
Depeering
Upstream internet provider action to disconnect a downstream provider from the internet by refusing to route their traffic — the most powerful infrastructure disruption tool available.
Non-payment Rate
The percentage of ransomware victims who decline to pay the ransom. 72% ecosystem-wide in 2025 (record; 28% paid); 80%+ for professionally managed incidents.
Phase A/B/C
The three-phase disruption framework: Phase A (financial infrastructure), Phase B (market infrastructure), Phase C (operational infrastructure). Sequence matters.
CaaS
Crypter-as-a-Service. Obfuscation services sold to malware operators to make their payloads evade antivirus detection.
Escrow
The forum-based mechanism where a trusted third party holds funds during a criminal transaction until both parties confirm delivery — the trust backbone of criminal markets.
VASP
Virtual Asset Service Provider. Regulatory term for cryptocurrency exchanges and similar services, used in AML/CFT compliance frameworks.

Section 09
Quick Reference
Essential facts, key actions, and critical statistics for rapid briefing.

Critical Statistics (2024-2025)

$813M
Confirmed 2025 ransom payments (Chainalysis)
72%
Non-payment rate 2025 — record high (28% paid)
7,500+
Victims named on DLS platforms in 2024
70%+
Non-payment rate with professional IR support
30-90d
RaaS brand reconstitution after takedown
$3B+
Criminal proceeds processed by Chipmixer (seized 2023)

Key Enforcement Actions

Operation / Action | Target | Year | Outcome
Operation Endgame | IcedID, Bumblebee, SmokeLoader, Pikabot | 2024 | Largest loader takedown on record. €100M+ in enabled damages. Latrodectus reconstituted within months.
Operation Cronos | LockBit | 2024 | 34 servers seized, 1,000+ decryption keys, affiliates exposed. RansomHub absorbed affiliates in 60-90 days.
FBI Hive Infiltration | Hive RaaS | 2022-23 | 7-month covert access. $130M in avoided payments. 300+ victims received decryption keys. Hive did not reconstitute.
Garantex Seizure | Garantex OTC/Exchange | 2025 | 3 years post-designation. Servers seized, admins arrested. Confirms: designation alone is insufficient.
Chipmixer Seizure | Chipmixer mixer | 2023 | $3B+ in criminal proceeds. 7 servers seized. Largest single mixer enforcement action.
Zservers Designation | Zservers BPH | 2024 | Joint OFAC/UK/Australia action. Most significant BPH enforcement in history. Physical enforcement pending.
SUEX Designation | SUEX OTC | 2021 | First crypto exchange designation. Established the OTC enforcement playbook.
Genesis Market Seizure | Genesis log market | 2023 | 920,000 victim notifications. Volume shifted to Russian Market and 2easy within weeks.
Operation Cookie Monster | Genesis Market | 2023 | Same as above — FBI decryptor distribution to victims alongside seizure.
LummaC2 Domain Seizure | LummaC2 stealer | 2025 | Microsoft DCU civil action. 2,300+ domains seized. Largest stealer infrastructure action.

Active Threat Actors (as of April 2026)

Group / Service | Module | Status | Notes
RansomHub | 07 — RaaS | Active | Dominant brand post-LockBit. Absorbed the majority of displaced LockBit and ALPHV affiliates.
Cl0p / TA505 | 07 — RaaS, 06 — Exploit | Active | MOVEit zero-day campaign (2023): 2,000+ orgs. Zero-day expertise distinguishes it from other groups.
Black Basta | 07 — RaaS | Active | Heavy vishing / BazarCall use. Linked to Conti successor network.
Akira | 07 — RaaS | Active | Growing market share post-Cronos. Targeting VMware ESXi environments.
LummaC2 | 01 — Stealers | Disrupted (reconstituting) | 2,300+ domains seized May 2025. Operations disrupted; infrastructure adapting.
Latrodectus | 02 — Loaders | Active | IcedID successor. Deployed post-Endgame within 3-6 months.
Garantex | 12/13 — OTC/Exchange | Seized 2025 | Operated 3 years under OFAC designation before physical enforcement.
Aeza / BEARHOST | 09 — BPH | Active | Absorbed Zservers and Media Land clients post-designation.
Exploit.in / XSS.is | 10 — Forums | Active | Operating continuously since ~2010-2012. No LE action documented.

The 5 Most Important Things for New Analysts

  • Non-payment is the most powerful lever. 70% of professionally managed incidents end without payment. Every dollar not paid is a dollar that does not flow through the entire ecosystem. Scaling professional IR access is the highest-ROI action available that requires zero Russian cooperation.
  • Brand takedowns produce 30-90 day disruptions, not permanent ones. LockBit and ALPHV both reconstituted or had their affiliates absorbed by competing brands; Hive is the exception. The ecosystem survives brand takedowns. Phase A/B financial pressure is required to make Phase C operational disruption durable.
  • The financial layer is the most important and most underexploited. The 72% victim non-payment rate in 2025 (28% paid, record low) correlates with sustained mixer and exchange enforcement. Coordinated OTC-plus-exchange designation in the same window — which has not yet been executed — remains the untested high-value action.
  • Designation without physical enforcement within 12-18 months does not stop operations. Garantex is the proof of concept: designated April 2022, seized March 2025, continued processing hundreds of millions in criminal proceeds for 3 years in between. Every designated entity that remains physically operational is an open gap.
  • The target is the ecosystem, not the brand. Asking "who did this attack" is less useful than asking "which nodes of the supply chain enabled this attack, and which of those are actionable." Attribution to a brand that will dissolve and reconstitute in 90 days is less valuable than infrastructure attribution that persists across brand changes.