RESEARCH · 8 min read
Ransomware Affiliate Tradecraft in 2026
Leaked affiliate manuals and chat logs from the last 18 months give us an unusually clear view of how ransomware crews actually operate. The patterns are remarkably consistent.
Initial access is bought, not earned
IABs sell footholds — VPN creds, exposed RDP, web-shell on a forgotten box. Most affiliates never touch a phishing kit.
Dwell time is shrinking
Median time-to-encrypt dropped under 24 hours for top crews. They live off the land, abuse RMM tools and avoid custom malware entirely.
- AnyDesk / Atera / ScreenConnect abuse
- Rclone for staging exfil
- Veeam and backup deletion before encryption
Double extortion is the norm
Exfil first, encrypt second. The leak site is the leverage, not the encryption.
Tools mentioned
VelociraptorGRRVolatilityRcloneAnyDeskATT&CK
⟩ takeaway
Defend the access brokers' entry points and detect RMM abuse. You'll catch most affiliates before the encryptor runs.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.