Ransomware actors following a ransomware-as-a-service (or RaaS) model are often described as one cohesive threat actor. But reality - and what we see in actual incidents - is far different.
RaaS powers an ecosystem made up of ransomware operators, affiliates, and initial access brokers (IABs). That structure matters because it means the name on the ransom note or in the encrypted file extension doesn’t reliably explain how an intrusion started or what actions the attacker took (recon, data theft, etc.) in the victim’s environment.
The same ransomware family (whether it’s Akira, Qilin, or LockBit) can show up across very different intrusion chains. One attack may start with phishing or a help-desk scam. Another may begin with exposed RDP, and yet another may come through a rogue remote monitoring and management (RMM) tool. That means defenders cannot assume that one ransomware brand equals one consistent playbook. In many cases, it is the affiliate, and not the ransomware operator, that dictates the tradecraft.
During this month’s Tradecraft Tuesday, Huntress’ Harlan Carvey, Principal Threat Intelligence Analyst, and Lindsey O’Donnell-Welch, Principal Technical Community Engagement Writer, explained how the RaaS economy plays out in attacker tradecraft during on-the-ground incidents.
What is RaaS?
But first, what is RaaS? At a high level, the business model is straightforward. Ransomware operators provide, maintain, and update the variant itself, and manage ransomware infrastructure, including leak sites and post-compromise ransom negotiations. Affiliates handle the “dirty work” across victim environments – including recon, initial access, hands-on-keyboard activity, any data theft, and deploying the file encryptor.
In practice, for example, Qilin operators maintain the ransomware, recruit affiliates, and provide the surrounding business infrastructure, including leak sites, payment portals, and even legal support functions. Meanwhile, Qilin’s range of affiliates shows why attribution gets messy. Its affiliate base is unusually diverse, spanning actors like Scattered Spider, Moonstone Sleet, and Devman. That means one ransomware brand can sit behind very different intrusion styles, skill levels, and operational behaviors.
Figure 1: A breakdown of how the Qilin RaaS model works
Initial access: What we see
One of the clearest realities in ransomware intrusions is that initial access is all over the map. Access may come through social engineering, remote access services, or a pre-existing foothold purchased from an IAB.
Threat actors continue to abuse legitimate tools and pathways because they blend in. We see ransomware affiliates gaining initial access via:
- Remote Desktop Protocol: Threat actors use weak or compromised RDP credentials, and in some cases enable RDP remotely over SMB or through Microsoft SQL Server (MSSQL)
- Vulnerable edge appliances: In 2025, threat actors targeted SonicWall VPNs before deploying Akira ransomware
- Rogue RMMs: Threat actors use RMMs like ScreenConnect, TeamViewer, or Bomgar to get into the victim’s environment
When RMMs are involved in MSP-centric environments, one compromised instance can open the door to many downstream victims at once. That’s what we saw in an incident detected on April 14, when a ransomware campaign hit multiple organizations through a compromised Bomgar remote support environment belonging to a dental software company whose software was installed across dozens of organizations.
Figure 2: In April, threat actors used Bomgar to gain access to multiple organization environments before deploying ransomware.
Ransomware persistence, defense evasion, and exfiltration
Ransomware actors establish persistence through a variety of methods. For example, threat actors will create new users, and some will also take steps to “hide” those accounts from the Welcome Screen visible via Terminal Services/RDP. They may also install RMMs after the initial compromise to retain access, including Chrome Remote Desktop and AnyDesk.
Figure 3: In a March incident, ransomware actors used Chrome Remote Desktop and AnyDesk
These persistence mechanisms may look basic, but they keep the intrusion alive long enough for the threat actor to reach the next phase of their attack, including exfiltration or encryption.
We also see various defense evasion techniques. Some attackers do very little to cover their tracks; others add Defender exclusions. Sometimes, however, threat actors use more aggressive tactics, such as EDR and AV killers or Bring Your Own Vulnerable Driver (BYOVD) activity. While these attempt to fully remove security tools, it’s worth noting that EDR killers are often noisy.
Ransomware actors stage data by consolidating and compressing it into encrypted archives using tools like 7-Zip. For the exfiltration itself, we’ve seen various techniques, including cloud storage tools such as MegaSync and RClone, as well as S5cmd and even finger.exe.
Figure 4: Different types of data staging and exfiltration techniques
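As an added defender-side triage check (example code written for this post, not Huntress tooling or anything recovered from the incidents described), the script below looks on a single Windows host for artifacts matching the persistence, defense evasion, and exfiltration behaviors above: accounts hidden from the logon screen via the Winlogon SpecialAccounts\UserList key, recent account creations, Windows Defender exclusions, and running processes named after the staging and exfiltration tools mentioned. The function names, the 30-day window, and the process-name list are constructed assumptions for this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on the host under investigation; each function returns objects for Format-Table/Export-Csv.

# Accounts hidden from the Welcome/logon screen: a DWORD named after the user, set to 0,
# under the Winlogon SpecialAccounts\UserList key. The key is absent on a default install.
function Find-HiddenLogonAccounts {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (-not (Test-Path $key)) { return }
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notin $meta -and $_.Value -eq 0 } |
        ForEach-Object { [pscustomobject]@{ Finding = 'HiddenAccount'; Detail = $_.Name } }
}

# Local accounts created recently, from Security event 4720 (user account created).
# The 30-day window is an arbitrary choice for this example.
function Find-RecentAccountCreations {
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[0] is the new account's SAM name (TargetUserName) in the 4720 schema.
            [pscustomobject]@{ Finding = 'AccountCreated'; Detail = "$($_.Properties[0].Value) at $($_.TimeCreated)" }
        }
}

# Every Defender exclusion on the host. Path/process/extension exclusions are a common,
# low-effort defense-evasion step; review each against change records or a known baseline.
function Get-DefenderExclusions {
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in $pref.$kind) {
            [pscustomobject]@{ Finding = $kind; Detail = $value }
        }
    }
}

# Running processes whose names match the staging/exfiltration tools named in the post.
# The list is a constructed starting point, not a complete signature set.
function Find-ExfilToolProcesses {
    $names = @('rclone', 'megasync', 's5cmd', 'finger', '7z', '7za')
    Get-Process | Where-Object { $names -contains $_.ProcessName.ToLower() } |
        ForEach-Object { [pscustomobject]@{ Finding = 'ExfilTool'; Detail = "$($_.ProcessName) (PID $($_.Id))" } }
}

# Run all checks and print one table; an empty table means none of these artifacts were found.
@(Find-HiddenLogonAccounts; Find-RecentAccountCreations; Get-DefenderExclusions; Find-ExfilToolProcesses) |
    Format-Table -AutoSize
```

A hit from any check is a lead, not a verdict: legitimate administrators also create accounts and add exclusions, so each finding should be tied back to the access path and timeline rather than to the ransomware brand.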
Rethinking ransomware
The most useful way to think about ransomware is not as a fixed actor, but as a shifting intrusion model. The payload name tells you what was deployed. It does not tell you enough about the access path, the persistence mechanisms, the controls that failed, or the tradecraft that got the attacker to the finish line.
That is why the security fundamentals still matter so much. We recommend defenders take the following steps to protect their organizations:
- Maintain an asset inventory
- Deploy monitoring broadly
- If you’ve already been compromised, investigate the incident without making assumptions based on branding alone
If the real intrusion path is missed, the same foothold can remain available for a return attack later, including under a different ransomware banner entirely.
Like what you just read? Join us every month for Tradecraft Tuesday, our live webinar where we expose hacker techniques and talk nerdy with live demos. Our next episode, "We Need to Talk About Device Code Phishing," will take place on June 9 at 1pm ET. Snag your spot now!