How Do Ransomware Gangs Work?

Summary: In this episode of Exploring Information Security, we dive deep into the dark, complex world of ransomware gangs with returning guest Kyle Andrus. Drawing on leaked chat logs, real-world cases, and extensive incident response experience, Kyle helps us understand the internal operations, motivations, and evolution of these cybercriminal organizations. We explore how ransomware gangs are structured like modern corporations—with developers, access brokers, negotiators, HR, and even customer support. Kyle also shares insights into how these gangs are adapting to legal pressure, sanctions, and the cybersecurity community’s defensive advancements. Topics covered: The organizational structure of ransomware gangs Ransomware-as-a-Service (RaaS) models and profit sharing Affiliate programs, access brokers, and laundering tactics The impact of geopolitics on ransomware operations Creative pressure tactics, including triple extortion and SEC complaints The role of insider threats and chat log leaks (e.g., Conti) Use of AI by defenders and attackers The evolving response of law enforcement and regulation