CST Replay: The Ransomware Ecosystem with Tammy Harper

Sep 20, 2025

In this engaging discussion, Tammy Harper, a threat intelligence researcher at Flare.io specializing in ransomware, delves into the intricate ransomware ecosystem. She reveals how ransomware has evolved into a business with models like Ransomware as a Service (RaaS) and discusses the roles of initial access brokers. Tammy highlights infamous groups like Conti and LockBit, their double and triple extortion tactics, and the significance of negotiation strategies. This episode is a treasure trove for understanding the mechanisms of the cybercrime underground.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

INSIGHT

Ransomware As A Business Model

Ransomware operates as a business platform with RaaS affiliates taking ~80% of ransoms and developers taking ~20%.
Initial access brokers sell fresh, exclusive corporate access that boosts affiliate ROI and campaign success.

INSIGHT

Double Extortion And Public Shaming

Double extortion pairs encryption with data exfiltration to increase leverage and payments.
Attackers publish victims on leak blogs to shame targets and pressure payment decisions.

INSIGHT

Ransomware History And Inflection Points

Ransomware dates back to the 1989 AIDS Trojan and evolved through weak encryptors in 2005–2010 to modern RaaS.
The WannaCry worm and crypto payments accelerated professionalization and global impact.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Unveiling the Ransomware Ecosystem with Tammy Harper

In this compelling episode, Jim is joined by Tammy Harper from Flair.io to re-air one of their most popular and insightful episodes. Dive into the intricate world of ransomware as Tammy, a seasoned threat intelligence researcher, provides an in-depth introduction to the ransomware ecosystem. Explore the basics and nuances of ransomware, from its origins to its modern-day complexities. Tammy discusses not only the operational structures and notable ransomware groups like Conti, LockBit, and Scattered Spider, but also the impact and evolution of ransomware as a service. She also elaborates on ransomware negotiation tactics and how initial access brokers operate. This episode is packed with invaluable information for anyone looking to understand the cybercrime underground economy. Don’t forget to leave your questions in the comments, and they might be addressed in future episodes!

00:00 Introduction and Episode Re-Run Announcement 00:29 Guest Introduction: Tammy Harper from Flair io 00:41 Exploring the Dark Web and Ransomware 02:21 Tammy Harper's Background and Expertise 03:40 Understanding the Ransomware Ecosystem 04:02 Ransomware Business Models and Initial Access Brokers 07:08 Double and Triple Extortion Tactics 11:23 History of Ransomware: From AIDS Trojan to WannaCry 13:02 The Rise of Ransomware as a Service (RaaS) 19:41 Conti: The Ransomware Giant 26:17 Conti's Tools of the Trade: EMOTET, ICEDID, and TrickBot 32:05 The Conti Leaks and Their Impact 34:04 LockBit and the Ransomware Cartel 37:07 National Hazard Agency: A Subgroup of LockBit 38:17 Release of Volume Two and Its Impact 39:08 Details of the Training Manual 40:52 Ransomware Negotiations 41:28 Ransom Chat Project 42:27 Conti vs. LockBit Negotiation Tactics 43:30 Professionalism in Ransomware Operations 47:07 Ransomware Chat Simulation 48:03 Ransom Look Project 49:11 Current Ransomware Landscape 50:32 Infiltration and Research Methods 51:47 Profiles of Emerging Ransomware Groups 01:05:21 Initial Access Market 01:10:26 Future of Ransomware and Law Enforcement Efforts 01:13:14 Conclusion and Final Thoughts