Ransomware is extortion software. Attackers infiltrate an organization's network, encrypt its files or systems to make them inaccessible, and demand payment — typically in cryptocurrency — to restore access. Modern ransomware operations also steal data before encrypting it, threatening to publish it if the ransom is not paid. This is called double extortion.
What makes modern ransomware different from earlier cybercrime is its industrialization. It is no longer the work of a single criminal or small team. It is a supply chain — a network of specialized criminal service providers, each contributing a piece of the operation, connected by underground marketplaces and governance systems. Understanding that supply chain is the foundation of effective disruption.
Modern ransomware is not a single threat actor. It is an ecosystem of 15+ specialized criminal service markets, each of which can be targeted independently. Disrupting one node degrades the others.
The Scale of the Problem
Why This Is Hard
Three structural factors make ransomware uniquely difficult to suppress:
- Russian jurisdiction shield. The majority of ransomware core teams operate from Russia or CIS states. Russia does not extradite its citizens for cybercrime against Western targets, and historically tolerates — and in some cases benefits from — ransomware operations. No Russian-based core operator has been successfully extradited and prosecuted.
- Brand resilience. When a ransomware brand is disrupted, its affiliates migrate to another brand within 30-90 days. The infrastructure and relationships persist; only the brand name changes. LockBit affiliates moved to RansomHub within 60 days of Operation Cronos.
- Specialization. No single actor controls the entire chain. Disrupting one service provider creates a temporary gap that competitors fill. This is why layered, sequential disruption (Phase A/B/C) is required — not single-node action.
The 72% non-payment rate in 2025 is the most important recent development in this space — only 28% of victims paid, a record low. This correlates with sustained financial-layer enforcement (mixer and exchange actions) and growing non-payment advocacy. Total payments held at ~$813M even as attack volume rose 50%, meaning the ecosystem is running harder for diminishing returns. Scaling non-payment support further remains the highest-priority action available.
The ransomware ecosystem is organized into nine functional layers. Each layer contains one or more specialized criminal service markets (the 15 EDP modules). The layers are not sequential — they operate simultaneously, with criminal actors purchasing services from multiple layers at once.
Reading the Diagram
Layers are organized bottom-to-top from infrastructure foundation to financial integration. Color coding indicates the primary disruption phase. The Phase A/B/C framework determines the sequence of enforcement action — not because lower layers are attacked first operationally, but because financial disruption (Phase A) degrades the economic incentive to reconstitute when the operational layers (Phase C) are later targeted.
Step-by-Step Walkthrough
Step 1 — The Lure (Module 04)
The attack begins with a lure — typically a phishing email, malicious advertisement, or phone call designed to trick the victim into executing something. Spam operators send thousands of emails per day, and call-center operators staff phone lines that impersonate IT helpdesks. The Scattered Spider group compromised MGM Resorts by calling the IT helpdesk and socially engineering an employee into resetting credentials — no malware was required at this stage.
Step 2 — Delivery and Execution (Modules 02, 03)
If the lure involves a file or link, a loader executes on the victim machine. Before delivery, a crypter has wrapped the malware in obfuscation code to evade antivirus detection. The loader's job is to establish a foothold and download the next-stage payload.
Step 3 — Credential Harvesting (Module 01)
Once inside the network, an infostealer may run to harvest credentials, session tokens, and system information. These are sent back to attacker-controlled infrastructure. Alternatively, an IAB may have already sold access harvested from a previous infection at a different organization.
Step 4 — Access Brokering (Modules 05, 06)
In many operations, the initial access is not performed by the ransomware affiliate at all. An IAB already compromised the target and listed the access on an underground forum. The affiliate bought it. For high-value targets, an exploit broker may have provided a zero-day exploit enabling direct entry without credentials.
Step 5 — Deployment (Module 07)
The ransomware affiliate (operating under a RaaS brand) establishes persistence, escalates privileges, moves laterally across the network, and exfiltrates data before detonating the ransomware payload. This phase can take hours to weeks depending on target size and affiliate sophistication. The affiliate uses RaaS tools provided by the core team.
Step 6 — Extortion (Modules 08, 15)
Encryption is detonated. The victim receives a ransom note with payment instructions. Simultaneously, the stolen data is posted (or threatened to be posted) on the group's data leak site. The core team's negotiation team begins contact with the victim. On the defender side, professional IR firms engage to negotiate and, where possible, avoid payment entirely.
Step 7 — Payment and Obfuscation (Module 11)
If payment occurs, the victim sends cryptocurrency to attacker-controlled wallets. The funds are immediately run through mixing services to break the blockchain traceability chain. Chainalysis and TRM Labs can trace through custodial mixers with significant effort; decentralized mixers are substantially harder to trace.
Step 8 — Cash-Out (Modules 12, 13)
Mixed funds flow to OTC brokers and non-compliant exchanges for conversion to fiat currency. High-volume criminal OTC is concentrated in Russia. SUEX, Chatex, Garantex, and Cryptex have all been designated or seized. The 3-year gap between Garantex's designation (2022) and seizure (2025) demonstrates that designation without enforcement allows continued operation.
Step 9 — Integration (Module 14)
Fiat proceeds are laundered through mule networks into the legitimate economy: real estate purchases, luxury goods, shell company capitalization, and financial instruments. Over 50% of mule-linked funds exit within 1 hour. Recovery at this stage requires real-time intervention capability — post-receipt recovery is essentially impossible without it.
The most important thing to understand about this chain is that it is modular. The affiliate who deploys the ransomware is almost certainly not the same person who compromised the network, wrote the malware, or laundered the proceeds. Each of those functions is a separate specialist. This is why attribution is hard — and why disrupting the ecosystem requires action across multiple nodes simultaneously.
What It Does
Infostealer malware infects endpoints and automatically extracts credentials, browser session tokens, and cryptocurrency keys. The stolen data is packaged into 'logs' and sold on dark web markets (Russian Market, 2easy). These logs are the raw material that Initial Access Brokers use to sell network entry to ransomware groups.
Why It Matters
Without stealers, IABs have no product to sell. The entire credential-based access economy depends on a continuous supply of fresh logs.
Key Actors
- LummaC2
- Vidar
- RedLine
- RisePro
- Meduza
- Russian Market (log marketplace)
- Genesis Market (seized 2023)
Disruption Levers
- Microsoft DCU seized 2,300+ LummaC2 domains (2025)
- Operation Cookie Monster: Genesis Market seized (2023)
- AV/EDR telemetry sharing compresses FUD validity window
One-Line Brief
The factory that produces stolen credentials feeding the entire access economy.
What It Does
Loader malware infiltrates a target system and executes a secondary payload — which could be a stealer, ransomware, or remote access tool. Operators run it as Loader-as-a-Service (LaaS), renting access to their delivery infrastructure for $100-$1,000/month. Delivery vectors include SEO poisoning, malicious Office macros, and USB propagation.
Why It Matters
Without loaders, ransomware groups can't efficiently scale victim volume. Loaders are the bridge between the initial lure and actual malware deployment.
Key Actors
- QakBot (disrupted 2023)
- IcedID / BokBot (disrupted 2024)
- Latrodectus (active, IcedID successor)
- Raspberry Robin
- Bumblebee (disrupted 2024)
- Pikabot
Disruption Levers
- Operation Endgame (2024): IcedID, Bumblebee, SmokeLoader, Pikabot seized simultaneously — largest loader action on record
- Operation Duck Hunt (2023): QakBot C2 seized; 700,000 infected devices identified
One-Line Brief
The delivery mechanism that gets malware from the attacker to the victim's machine.
What It Does
Crypter-as-a-Service (CaaS) wraps malware in obfuscation code that defeats antivirus and EDR detection. The output is called FUD — Fully Undetectable. Services sell through criminal forums and Telegram bots. Detection eventually burns each 'stub', so operators must repurchase regularly. The market is concentrated: 1-3 sellers dominate volume on each major forum.
Why It Matters
Without crypters, commodity malware is detected on delivery and the entire attack chain fails at the entry point.
Key Actors
- Private FUD CaaS providers (primarily unnamed)
- Telegram CaaS bots
- Open-source obfuscation tooling
Disruption Levers
- AV/EDR signature coordination (CISA) burns stubs faster
- No major LE action documented as of 2026 — largest gap in enforcement coverage
One-Line Brief
The disguise service that makes malware invisible to antivirus at the moment of delivery.
What It Does
Social engineering operators use phone calls, emails, and AI-generated voice calls (vishing) to manipulate victims into executing malware or handing over credentials. The BazarCall model sends phishing emails prompting victims to call attacker-run numbers; operators then socially engineer IT staff. MGM Resorts suffered $100M+ in losses from a single vishing call by Scattered Spider.
Why It Matters
Human-layer attacks bypass all technical security controls. They are the lowest-cost, highest-impact initial access vector when targeting enterprises with strong technical defenses.
Key Actors
- Scattered Spider (disrupted 2023-24)
- Black Basta call centers
- BazarCall operators
- PlugValley (AI vishing platform, active)
Disruption Levers
- Scattered Spider prosecutions (UK/US) — demonstrates operators can be identified and arrested
- Out-of-band verification requirements eliminate BazarCall surface without LE action
- AI vishing platform enforcement (PlugValley) would degrade multiple campaigns simultaneously
One-Line Brief
The human con artists who manipulate IT staff into handing over access.
What It Does
Initial Access Brokers compromise networks and sell access rather than exploiting it directly. Two tiers: Bulk IABs use automated scanning tools and sell commodity access at $500-$1,000. Boutique IABs curate high-value targets with documented privileged access (domain admin) and sell at $2,700-$10,000+. Rapid7 found 71.4% of observed listings include privileged access.
Why It Matters
IABs made ransomware a franchise model. RaaS groups no longer need to compromise victims themselves — they buy pre-compromised access at scale.
Key Actors
- High-volume forum IABs on Exploit.in, XSS.is
- Boutique IABs on RAMP, DarkForums
- Raspberry Robin C2 (automated pipeline)
Disruption Levers
- OFAC boutique IAB financial designation
- FBI Raspberry Robin C2 sinkholing
- Forum trust mechanism infiltration raises costs for all IAB tiers
One-Line Brief
The brokers who sell pre-compromised network access to ransomware groups.
What It Does
Exploit brokers acquire software vulnerabilities (zero-days and n-days) and sell exploitation capability to criminal or state actors. Criminal prices routinely exceed vendor bug bounty payments by 10x-100x, creating a structural economic incentive for researchers to sell to criminal markets. CL0p's MOVEit zero-day (2023) enabled $100M+ in extortion across 2,000+ organizations from a single exploit.
Why It Matters
A single quality zero-day enables mass-scale attacks against thousands of organizations simultaneously — this is qualitatively different from any other access method.
Key Actors
- CL0p / TA505 (MOVEit, GoAnywhere)
- Zerodium, Crowdfense (gray market)
- State-adjacent researchers (RU/CN)
Disruption Levers
- Bug bounty price parity: closing the criminal/vendor price gap removes researcher incentive to sell to criminal markets
- Rapid patch deployment (CISA coordination) compresses exploitation windows from weeks to days
One-Line Brief
The arms dealers who sell software vulnerabilities enabling mass-scale attacks.
What It Does
RaaS core teams (5-20 members) develop and maintain ransomware code, negotiation infrastructure, and leak sites. Affiliates (dozens to hundreds per brand) deploy against victims and take 70-80% of proceeds; core teams retain 20-30%. In 2025: 7,500+ victims publicly named on DLS (record); $813M in confirmed payments (Chainalysis). The 72% non-payment rate in 2025 (28% paid, record low) is the strongest available signal that disruption is working; attack volume rose 50% but total payments held flat.
Why It Matters
RaaS groups are the revenue generator for the entire ecosystem. Every other module exists to either supply them (access, infrastructure) or launder their proceeds.
Key Actors
- LockBit 3.0 (disrupted 2024)
- ALPHV/BlackCat (exit scam 2024)
- RansomHub (active, dominant 2024-25)
- Cl0p
- Black Basta
- Akira
- Play
Disruption Levers
- Operation Cronos: LockBit infrastructure seized (2024); 34 servers, 1,000+ decryption keys
- FBI Hive 7-month covert infiltration: $130M in avoided payments
- Non-payment advocacy: 35% decline in 2024 — highest-durability lever requiring no Russian cooperation
- OFAC designation of core operators and key developers
One-Line Brief
The franchise headquarters that owns the ransomware brand and splits proceeds with deploying affiliates.
What It Does
Data Leak Sites (DLS) are the extortion infrastructure of double-extortion ransomware. When victims refuse to pay, operators publish stolen data to coerce payment, notify victims' customers, and signal health to prospective affiliates. 621 victims were posted across DLS platforms in December 2024 — a single-month record. Multi-tenant DLS platforms now host multiple ransomware brands on shared infrastructure.
Why It Matters
The DLS model permanently transformed ransomware by adding publication pressure to encryption pressure. Even organizations with good backups now face regulatory and reputational consequences.
Key Actors
- Hive DLS (seized 2023)
- LockBit DLS (seized 2024)
- RansomHub DLS (active)
- Multi-tenant platform operators
Disruption Levers
- FBI Hive covert infiltration: 7 months of access; $130M in avoided payments; 300+ victims received decryption keys before seizure
- Operation Cronos LockBit DLS seizure: countdown timers reversed for psychological impact
- BPH disruption (Module 09) directly degrades DLS uptime
One-Line Brief
The public shaming infrastructure that pressures victims into paying by threatening to publish their data.
What It Does
Bulletproof Hosting providers offer abuse-resistant infrastructure: they ignore law enforcement requests, provide no logs, and resist legal process — for a significant premium. BPH is the physical foundation upon which all other modules operate: leak sites, C2 servers, loader delivery, and forums all depend on it. Sophos identified a single VM template image underlying 7,000+ ransomware-linked servers in 2025.
Why It Matters
Without BPH, all other criminal infrastructure loses its protection. Disrupting BPH simultaneously degrades every dependent module — it is the only single action that impacts the entire ecosystem at once.
Key Actors
- Zservers (designated 2024)
- Media Land LLC (designated 2024)
- Aeza Group (active)
- BEARHOST (active)
Disruption Levers
- Upstream ISP depeering (McColo model): 75% global spam drop within hours — gold standard; cannot be overcome by server migration
- OFAC/UK OFSI/Australia DFAT joint designation: Zservers and Media Land (2024)
- Sophos VM template fingerprint: proactive detection of 7,000+ ransomware-linked servers — underexploited lever
One-Line Brief
The criminal landlords who provide the untouchable hosting that every other module depends on.
What It Does
Underground forums are the governance layer of the ransomware ecosystem. They provide reputation systems, escrow services, dispute resolution, and recruitment pipelines. Without forums, criminal commerce cannot function: IAB transactions cannot be trusted, affiliates cannot be vetted, and services cannot be advertised. The Conti leak (2022) was more damaging than any server seizure because it destroyed trust in linked forum identities.
Why It Matters
Forums are not just marketplaces — they enforce the trust contracts that make all criminal transactions possible. Destroying trust is more disruptive than destroying servers.
Key Actors
- Exploit.in (active, ~2010-present)
- XSS.is (active)
- RAMP (active)
- DarkForums (active)
- BreachForums (repeatedly seized and reconstituted)
Disruption Levers
- Forum infiltration and trust manipulation: implanting false information degrades reputation systems
- Conti leak model: simultaneous trust destruction across all linked identities
- Administrator prosecution: RaidForums admin arrested (2022); BreachForums admin arrested (2023)
One-Line Brief
The criminal stock exchange that provides trust infrastructure for all ecosystem transactions.
What It Does
Mixing services obscure cryptocurrency origins by pooling funds from multiple sources and returning equivalent amounts minus a 1-3% fee. Custodial mixers (Chipmixer, Blender, Sinbad) take custody of the funds. Decentralized mixers (Tornado Cash, CoinJoin) use smart contracts without a central operator. Chipmixer processed $3B+ in criminal proceeds before seizure in 2023.
Why It Matters
Without mixing, every ransom payment is traceable on the blockchain from victim to criminal wallet. Mixing breaks the chain of traceability that blockchain analytics firms exploit.
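Step 7 and this module both say that pooling "breaks the chain of traceability". The following is an added example, not code from the page or from any blockchain-analytics vendor: it applies the haircut taint rule to a constructed transaction graph to show why one pooled custodial-mixer payout dilutes the taint reaching an exchange deposit below a screening threshold, and why recovering the mixer's own deposit-to-withdrawal ledger (what a server seizure can yield) restores the link. All transaction ids, wallet names and amounts are constructed.

```python
"""Haircut taint tracing across a pooled custodial mixer.

Added illustrative example; not code from the original page or from any
analytics vendor. Every transaction id, wallet name and amount is constructed.

Model: each transaction spends previously created outputs and creates new
ones. The haircut rule gives every output of a transaction the value-weighted
average taint of that transaction's inputs. A custodial mixer that pools many
deposits into one payout transaction therefore dilutes the taint reaching any
single withdrawal, unless the mixer's own records re-link withdrawal to deposit.
"""
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    inputs: list      # ids of outputs being spent
    outputs: dict     # new output id -> amount (inputs - outputs = fee)


def trace_taint(initial_values, tainted_sources, txs, custodial_records=None):
    """Return {output_id: taint fraction in [0, 1]} using the haircut rule.

    initial_values: pre-existing outputs and their amounts.
    tainted_sources: the subset treated as criminal proceeds (taint 1.0).
    txs: transactions in chronological order.
    custodial_records: optional {withdrawal_id: deposit_id} recovered from a
      seized mixer ledger; a listed withdrawal inherits its deposit's taint.
    """
    value = dict(initial_values)
    taint = {oid: (1.0 if oid in tainted_sources else 0.0) for oid in value}
    for tx in txs:
        in_value = sum(value[i] for i in tx.inputs)
        in_taint = sum(value[i] * taint[i] for i in tx.inputs)
        frac = in_taint / in_value if in_value else 0.0
        for oid, amount in tx.outputs.items():
            value[oid] = amount
            taint[oid] = frac
            if custodial_records and oid in custodial_records:
                taint[oid] = taint[custodial_records[oid]]
    return taint


def flagged_deposits(taint, exchange_deposits, threshold=0.25):
    """Exchange-side screening: incoming deposits at or above the taint threshold."""
    return sorted(d for d in exchange_deposits if taint[d] >= threshold)


# ---- constructed scenario ---------------------------------------------------
# A 10-unit ransom is paid. The affiliate's 7-unit share moves directly to
# exchange A; the core team's 3-unit share passes through a custodial mixer
# pooled with nine unrelated users (10 units each, 2% fee) before exchange B.
INITIAL = {"ransom_payment": 10.0}
INITIAL.update({f"user{i}_coins": 10.0 for i in range(9)})

TXS = (
    [
        # direct path: every hop keeps taint 1.0 because all inputs are tainted
        Tx("t1", ["ransom_payment"], {"affiliate_hop1": 7.0, "core_share": 3.0}),
        Tx("t2", ["affiliate_hop1"], {"exchangeA_deposit": 6.99}),
        Tx("t3", ["core_share"], {"mixer_deposit_core": 3.0}),
    ]
    + [Tx(f"d{i}", [f"user{i}_coins"], {f"mixer_deposit_user{i}": 10.0}) for i in range(9)]
    + [
        # single pooled payout: 93 units in, 91.14 out, withdrawals all share taint 3/93
        Tx("mix",
           ["mixer_deposit_core"] + [f"mixer_deposit_user{i}" for i in range(9)],
           {"withdrawal_core": 2.94, **{f"withdrawal_user{i}": 9.8 for i in range(9)}}),
        Tx("t4", ["withdrawal_core"], {"exchangeB_deposit": 2.93}),
    ]
)

# constructed "seized ledger": which deposit each withdrawal actually repaid
RECORDS = {"withdrawal_core": "mixer_deposit_core"}
EXCHANGE_DEPOSITS = ["exchangeA_deposit", "exchangeB_deposit"]


def run_scenario():
    """Compare on-chain-only tracing with tracing assisted by the mixer ledger."""
    on_chain = trace_taint(INITIAL, {"ransom_payment"}, TXS)
    with_ledger = trace_taint(INITIAL, {"ransom_payment"}, TXS, custodial_records=RECORDS)
    return {
        "direct_taint": on_chain["exchangeA_deposit"],               # 1.0
        "mixed_taint": on_chain["exchangeB_deposit"],                # 3/93, about 0.032
        "mixed_taint_with_ledger": with_ledger["exchangeB_deposit"],  # 1.0
        "flagged_on_chain": flagged_deposits(on_chain, EXCHANGE_DEPOSITS),
        "flagged_with_ledger": flagged_deposits(with_ledger, EXCHANGE_DEPOSITS),
    }


if __name__ == "__main__":
    for key, result in run_scenario().items():
        print(f"{key}: {result}")
```

On-chain only, the mixed share arrives at exchange B with about 3% taint and passes a 25% screen; the same deposit is flagged once the ledger re-links the withdrawal, which is the "significant effort" custodial tracing the page refers to.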
Key Actors
- Chipmixer (seized 2023, $3B+ processed)
- Blender.io (designated 2022)
- Tornado Cash (designated 2022)
- Sinbad.io (seized 2023)
- Wasabi Wallet CoinJoin (active, decentralized)
Disruption Levers
- OFAC Tornado Cash designation: first-ever smart contract designation (2022)
- Chipmixer seizure: $3B+ in criminal proceeds; 7 servers (2023)
- ~$813M in 2025 payments (record-low 28% payment rate) correlates with sustained financial-layer enforcement
One-Line Brief
The money laundromat that makes ransomware crypto untraceable before cash-out.
What It Does
OTC brokers provide personalized, large-volume cryptocurrency-to-fiat conversion without KYC requirements. High-volume criminal OTC is concentrated in Russia (Moscow, St. Petersburg). The SUEX-to-Garantex-to-Cryptex sequence (2021-2024) established the OTC enforcement playbook. Critical lesson: Garantex was designated in 2022 and continued processing hundreds of millions in criminal proceeds for 3 years before physical enforcement in 2025.
Why It Matters
OTC brokers are the primary mechanism for converting large ransomware payments into spendable fiat. Without them, criminal proceeds remain locked in crypto.
Key Actors
- SUEX (designated 2021)
- Chatex (designated 2021)
- Garantex (designated 2022, seized 2025)
- Cryptex (designated 2024, $7B+ identified)
Disruption Levers
- SUEX designation (2021): first cryptocurrency exchange designation; established the playbook
- Garantex physical seizure (2025): 3-year gap from designation to enforcement is the critical lesson
- Tether T3 real-time USDT freeze: most underused lever — freeze at identification, not post-enforcement
One-Line Brief
The back-alley currency exchangers who convert criminal crypto to cash in Russia.
What It Does
Non-compliant exchanges process large volumes of criminal proceeds through automated systems, converting crypto to fiat at scale. Unlike OTC brokers, they operate exchange infrastructure with deposit/withdrawal systems. BTC-e ($4B), Bitzlato ($700M+), and Garantex are the documented examples. Coordinated OTC-plus-exchange designation in the same enforcement window is the untested high-value action.
Why It Matters
Exchanges are the scaling mechanism for criminal cash-out. OTC handles the largest individual transactions; exchanges handle volume. Both are required for the proceeds to reach the real economy.
Key Actors
- BTC-e (seized 2017, $4B)
- Bitzlato (seized 2023, $700M+)
- Garantex (designated 2022, seized 2025)
- Cryptex (designated 2024)
Disruption Levers
- Tether T3 real-time USDT freeze upon wallet identification — not post-enforcement
- Coordinated OTC-plus-exchange designation in same window prevents displacement
- Physical enforcement required within 12-18 months of designation or gap allows continued operation
One-Line Brief
The corrupt exchange infrastructure that converts ransomware proceeds to fiat at scale.
What It Does
Mule networks convert cryptocurrency proceeds into untraceable real-world assets through human intermediaries: professional herder operators, semi-witting recruits (tricked through fake job ads), and integration vehicles (real estate, shell companies, luxury goods). TRM Labs (2024) confirmed that 50%+ of mule-linked funds exit within 1 hour of receipt — making post-receipt recovery essentially impossible.
Why It Matters
Without mule networks, criminal proceeds remain in cryptocurrency or trapped in the financial system, where they remain seizable. Mule networks complete the conversion to real-world wealth.
Key Actors
- Professional herder networks (serve ransomware, fraud, and BEC simultaneously)
- Semi-witting money mule recruits
- Shell company and real estate operators
Disruption Levers
- Herder-tier prosecution: cross-ecosystem disruption (same networks serve multiple crime types)
- Integration-stage AML enforcement (real estate, luxury goods): entirely in Western jurisdiction, no Russian cooperation required
- Real-time fund recovery requires pre-negotiated bank-to-bank freeze protocols — 1-hour window is the constraint
One-Line Brief
The human chain that converts criminal crypto into real estate, cash, and luxury goods.
What It Does
Dual-character module. Criminal side: RaaS core teams run dedicated internal negotiation teams. Some rogue recovery firms deceptively accept victim payments while secretly paying the ransom, claiming to have 'decrypted' data. Defender side: legitimate IR firms (Coveware, GuidePoint, CyberSecOp) achieve documented non-payment rates exceeding 70% for professionally managed incidents vs. ~30-40% without professional support.
Why It Matters
The payment decision occurs at this node. Scaling professional negotiation access is the highest-ROI disruption action that requires no access to Russian infrastructure — every percentage point of non-payment growth represents hundreds of millions in avoided payments.
Key Actors
- RaaS internal negotiation teams (criminal)
- Rogue recovery operators (criminal-adjacent)
- Coveware, GuidePoint Security, CyberSecOp (legitimate)
Disruption Levers
- Scaling professional IR access to SMBs and critical infrastructure sectors (CISA/NCSC coordination)
- Rogue recovery operator enforcement (FTC, SEC reporting requirements)
- Non-payment advocacy: 70%+ non-payment rate for professionally managed incidents vs. 35% ecosystem-wide
One-Line Brief
The negotiation layer where the ransom is either paid or avoided — highest-ROI disruption point not requiring Russian access.
Understanding the financial chain is critical because financial disruption is the highest-durability lever available. Unlike operational disruption (which produces 30-90 day brand reconstitution), financial disruption raises the cost of doing business for the entire ecosystem — regardless of which brand carries the flag.
OTC brokers (Module 12) and exchanges (Module 13) are rated CRITICAL and designated Phase A targets because disrupting both simultaneously — not sequentially — prevents displacement of proceeds from one to the other. The Garantex lesson: designation alone without physical enforcement within 12-18 months allows continued operation. The Tether T3 freeze is the highest-impact underused tool at this layer.
The Krysha Model
Krysha (крыша) is Russian criminal slang for "roof" — protection provided by a more powerful party in exchange for a cut or services. In the ransomware context, it describes the relationship between RaaS operators and the Russian state: the FSB is aware of ransomware operations targeting Western victims, does not enforce against them, and in some cases benefits from them through intelligence collection or plausible deniability cover for state operations.
This is not the same as the Russian state directing ransomware attacks. In most cases, it is passive tolerance: operators are left alone as long as they do not target CIS citizens or Russian state infrastructure, and cooperate when the FSB wants access to their systems or personnel.
What Russian State Tolerance Provides
- Operating environment free from domestic prosecution
- Extradition shield — no Russian citizen has been successfully extradited for ransomware
- Ability to reconstitute after Western disruption actions
- Physical infrastructure in Russian jurisdiction (BPH, OTC, exchanges)
- Access to Russian financial system for fiat integration
What Russian State Tolerance Does NOT Provide
- Active operational direction for most groups (different from APT tasking)
- Blanket immunity — REvil members were briefly arrested by the FSB in Jan 2022 under US diplomatic pressure, then released
- Protection for operators arrested outside Russia — Vinnik (BTC-e), Vasinskyi (Kaseya/REvil) caught while traveling
- Protection for financial assets in Western jurisdiction — OFAC designation and seizure work on Western-nexus funds
The Extradition Reality
Russia does not extradite its citizens. This is a constitutional provision (Article 61), not a policy choice. The practical implication: any Russian national who remains inside Russia cannot be prosecuted by Western authorities, regardless of the strength of the evidence. The only viable arrest pathways are:
- Travel arrest. Operators arrested in third countries while traveling. Mikhail Vasinskyi (REvil/Kaseya) was arrested in Poland. Alexander Vinnik (BTC-e) was arrested in Greece. This requires intelligence on travel plans and coordination with transit country authorities.
- FSB-motivated domestic action. The Jan 2022 REvil arrests were politically motivated — the FSB acted after the Colonial Pipeline and Kaseya incidents generated US diplomatic pressure. The arrests were brief; members were released within months. Not a reliable enforcement mechanism.
- Defection / informant. The Conti leaks (2022) came from an embedded researcher — a human intelligence operation, not an LE action. This approach produced more disruption than any technical operation in the period.
What Works Without Russian Cooperation
The following disruption actions are fully executable within Western jurisdiction and require no Russian cooperation:
- OFAC designation of operators, OTC brokers, and exchanges — severs Western financial access
- Upstream ISP depeering of BPH providers — requires only Tier-1 carrier cooperation, not Russian state cooperation
- Tether/Circle real-time USDT freeze — requires cooperation from private stablecoin issuers, not Russia
- Non-payment advocacy and professional negotiation access scaling — operates entirely on the victim side
- Integration-stage AML enforcement (real estate, luxury goods) — entirely in Western jurisdiction
- Forum infiltration and trust manipulation — intelligence operations, not LE action requiring Russian cooperation
Several major RaaS operators have documented connections to Russian intelligence services. Sandworm (GRU) has shared infrastructure with criminal ransomware operators. Conti leaks documented FSB contacts within the organization. This complicates disruption: actions against state-adjacent operators carry different diplomatic implications than actions against purely criminal actors. Intelligence community coordination on attribution confidence is required before high-profile actions against operators in this category.
The Phase A/B/C framework is the operational sequencing logic for ecosystem-level disruption. It is not a chronological roadmap — phases overlap and compound. The sequencing logic is: financial disruption first because it degrades the economic incentive to reconstitute when operational pressure follows.
Phase A — Financial Infrastructure
Phase B — Market Infrastructure
Phase C — Operational Infrastructure
Why Sequence Matters
Disrupting RaaS brands (Phase C) without Phase A/B pressure produces 30-90 day reconstitution. LockBit affiliates migrated to RansomHub within 60 days of Operation Cronos. The financial and market layers reconstitute more slowly — particularly OTC and exchange infrastructure, which is trust-dependent, not just technical. Applying financial pressure first means that when Phase C operational disruption occurs, the economic incentive to rebuild is lower and the cost to reconstitute is higher.
Cross-Cutting Actions (Any Phase)
- Non-payment advocacy. The single highest-durability lever requiring no Russian access. Every percentage point of non-payment rate growth at ecosystem scale represents hundreds of millions in avoided payments. 70%+ non-payment rate for professionally managed incidents vs. 35% ecosystem-wide.
- Professional negotiation access. Scaling IR firm access to SMBs and under-resourced organizations is a force-multiplier for non-payment growth. CISA/NCSC coordination is the mechanism.
- Bug bounty price parity. For exploit brokers (Module 06): when criminal prices exceed vendor bounties by 10x-100x, researchers rationally sell to criminal markets. Closing this gap reduces zero-day supply without LE action.
- Victim-side hardening. Out-of-band verification requirements for helpdesk calls eliminate the BazarCall/vishing attack surface entirely — no LE action required, no Russian cooperation needed.
Critical Statistics (2024-2025)
Key Enforcement Actions
| Operation / Action | Target | Year | Outcome |
|---|---|---|---|
| Operation Endgame | IcedID, Bumblebee, SmokeLoader, Pikabot | 2024 | Largest loader takedown on record. €100M+ enabled damages. Latrodectus reconstituted within months. |
| Operation Cronos | LockBit | 2024 | 34 servers seized, 1,000+ decryption keys, affiliates exposed. RansomHub absorbed affiliates in 60-90 days. |
| FBI Hive Infiltration | Hive RaaS | 2022-23 | 7-month covert access. $130M in avoided payments. 300+ victims received decryption keys. Hive did not reconstitute. |
| Garantex Seizure | Garantex OTC/Exchange | 2025 | 3 years post-designation. Servers seized, admins arrested. Confirms: designation alone is insufficient. |
| Chipmixer Seizure | Chipmixer mixer | 2023 | $3B+ in criminal proceeds. 7 servers seized. Largest single mixer enforcement action. |
| Zservers Designation | Zservers BPH | 2024 | Joint OFAC/UK/Australia action. Most significant BPH enforcement in history. Physical enforcement pending. |
| SUEX Designation | SUEX OTC | 2021 | First crypto exchange designation. Established the OTC enforcement playbook. |
| Genesis Market Seizure | Genesis log market | 2023 | 920,000 victim notifications. Volume shifted to Russian Market and 2easy within weeks. |
| Operation Cookie Monster | Genesis Market | 2023 | Same as above — FBI decryptor distribution to victims alongside seizure. |
| LummaC2 Domain Seizure | LummaC2 stealer | 2025 | Microsoft DCU civil action. 2,300+ domains seized. Largest stealer infrastructure action. |
Active Threat Actors (as of April 2026)
| Group / Service | Module | Status | Notes |
|---|---|---|---|
| RansomHub | 07 — RaaS | Active | Dominant brand post-LockBit. Absorbed majority of displaced LockBit and ALPHV affiliates. |
| Cl0p / TA505 | 07 — RaaS, 06 — Exploit | Active | MOVEit zero-day campaign (2023): 2,000+ orgs. Zero-day expertise distinguishes from other groups. |
| Black Basta | 07 — RaaS | Active | Heavy vishing / BazarCall use. Linked to Conti successor network. |
| Akira | 07 — RaaS | Active | Growing market share post-Cronos. Targeting VMware ESXi environments. |
| LummaC2 | 01 — Stealers | Disrupted (reconstituting) | 2,300+ domains seized May 2025. Operations disrupted; infrastructure adapting. |
| Latrodectus | 02 — Loaders | Active | IcedID successor. Deployed post-Endgame within 3-6 months. |
| Garantex | 12/13 — OTC/Exchange | Seized 2025 | Operated 3 years under OFAC designation before physical enforcement. |
| Aeza / BEARHOST | 09 — BPH | Active | Absorbed Zservers and Media Land clients post-designation. |
| Exploit.in / XSS.is | 10 — Forums | Active | Operating continuously since ~2010-2012. No LE action documented. |
The 5 Most Important Things for New Analysts
- Non-payment is the most powerful lever. 70% of professionally managed incidents end without payment. Every dollar not paid is a dollar that does not flow through the entire ecosystem. Scaling professional IR access is the highest-ROI action available that requires zero Russian cooperation.
- Brand disruptions produce 30-90 day disruptions, not permanent ones. LockBit and ALPHV both reconstituted or had their affiliates absorbed by competing brands; Hive is the exception that did not reconstitute. The ecosystem survives brand takedowns. Phase A/B financial pressure is required to make Phase C operational disruption durable.
- The financial layer is the most important and most underexploited. The 72% victim non-payment rate in 2025 (28% paid, record low) correlates with sustained mixer and exchange enforcement. Coordinated OTC-plus-exchange designation in the same window — which has not yet been executed — remains the untested high-value action.
- Designation without physical enforcement within 12-18 months does not stop operations. Garantex is the proof of concept: designated April 2022, seized March 2025, continued processing hundreds of millions in criminal proceeds for 3 years in between. Every designated entity that remains physically operational is an open gap.
- The target is the ecosystem, not the brand. Asking "who did this attack" is less useful than asking "which nodes of the supply chain enabled this attack, and which of those are actionable." Attribution to a brand that will dissolve and reconstitute in 90 days is less valuable than infrastructure attribution that persists across brand changes.