All articles
RESEARCH · 8 min read

Ransomware Affiliate Tradecraft in 2026

Leaked affiliate manuals and chat logs from the last 18 months give us an unusually clear view of how ransomware crews actually operate. The patterns are remarkably consistent.

Initial access is bought, not earned

IABs sell footholds — VPN creds, exposed RDP, web-shell on a forgotten box. Most affiliates never touch a phishing kit.

Dwell time is shrinking

Median time-to-encrypt dropped under 24 hours for top crews. They live off the land, abuse RMM tools and avoid custom malware entirely.

  • AnyDesk / Atera / ScreenConnect abuse
  • Rclone for staging exfil
  • Veeam and backup deletion before encryption

Double extortion is the norm

Exfil first, encrypt second. The leak site is the leverage, not the encryption.

Tools mentioned

VelociraptorGRRVolatilityRcloneAnyDeskATT&CK
⟩ takeaway

Defend the access brokers' entry points and detect RMM abuse. You'll catch most affiliates before the encryptor runs.

⟩ keep reading

Related articles