Inside Ransomware’s Supply Chain: Attribution, Rebrands, and Affiliate Betrayal


In this RSA Conference 2025 special episode, we explore two critical frontiers shaping the future of cybersecurity.

First, Jon DiMaggio (author of The Ransomware Diaries, Analyst1) breaks down the hidden supply chains behind ransomware gangs, including the economics of affiliate betrayal and the challenge of accurate attribution. He walks us through his methodology for identifying ransomware rebrands like BlackCat and RansomHub using evidence-based frameworks designed to eliminate human bias.

Then, we’re joined by Matt Radolec (VP of Incident Response at Varonis), who brings a fresh perspective on talent development in cybersecurity. Drawing from his RSAC keynote “From Gamer to Leader,” Matt argues that gamers possess untapped potential as cybersecurity professionals and it’s time to design leadership pipelines like quest lines.

From ransomware negotiations on underground forums to using AI-enhanced playbooks and transforming threat response teams into RPG-style guilds, this episode blends technical insight with cultural reflection.

Understanding Cybercrime as a Supply Chain

Jon DiMaggio reveals that modern ransomware operations function more like corporations than lone hacker groups. With phishing kits being sold, credentials traded, and affiliate networks operating like franchises, the underground cybercrime economy has evolved into an ecosystem.

“It’s software-as-a-service for fraud. It’s marketplaces for malware and brand kits for hire.”

The case study in this episode focuses on the rebranding of BlackCat (also known as ALPHV), the group behind the infamous MGM breach. After a law enforcement takedown, BlackCat went dark. Soon after, two new groups, RansomHub and Cicada 3301, emerged, both using strikingly similar code and tactics. DiMaggio set out to determine whether these were rebrands or just opportunistic spin-offs.

Attribution: More Art Than Science? Not Anymore

Attribution in cybersecurity is notoriously challenging, often driven by speculation rather than evidence. DiMaggio pushes back against this trend by applying a rigorous attribution framework.

His model includes:

  • Hypothesis development
  • Evidence weighting across vectors (e.g., code, infrastructure, human overlap)
  • Challenge-and-defend sessions to test conclusions
  • Confidence scoring before public release

“There’s a lot of people that will say, ‘This group is such and such’ without providing any evidence. That drives me crazy.”

The result? Medium-confidence links were found between BlackCat and the successor groups, but not enough for a high-confidence rebrand attribution. A key example: RansomHub re-extorted Change Healthcare for $22M after a disgruntled affiliate claimed he wasn’t paid by BlackCat, underscoring the fractured, franchise-style nature of today’s ransomware operations.
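As an added illustration of the framework described above (not DiMaggio’s or Analyst1’s actual tooling or scoring), here is a small Python routine that weights evidence per vector, penalises contradicting evidence, flags vectors that were never challenged, and maps the net score to a confidence band. The vector weights, thresholds, and every observation in `build_sample` are constructed assumptions; the “medium” outcome mirrors the episode’s result by construction, not from real data.

```python
from dataclasses import dataclass, field

# Relative weight per evidence vector: assumed values, not Analyst1's real scheme.
VECTOR_WEIGHTS = {"code": 0.35, "infrastructure": 0.25, "human": 0.30, "tooling": 0.10}

@dataclass
class Evidence:
    vector: str      # key of VECTOR_WEIGHTS
    strength: float  # 0.0 (no overlap) .. 1.0 (unique, hard-to-fake overlap)
    supports: bool   # False means the item contradicts the hypothesis
    note: str = ""

@dataclass
class Hypothesis:
    statement: str
    evidence: list = field(default_factory=list)

    def score(self) -> float:
        """Net support in [-1, 1]: per vector, strongest supporting minus strongest
        contradicting item, times the weight, so correlated weak hits don't stack."""
        total = 0.0
        for vec, weight in VECTOR_WEIGHTS.items():
            items = [e for e in self.evidence if e.vector == vec]
            pro = max((e.strength for e in items if e.supports), default=0.0)
            con = max((e.strength for e in items if not e.supports), default=0.0)
            total += weight * (pro - con)
        return round(total, 3)

    def unchallenged_vectors(self) -> list:
        """Challenge-and-defend check: vectors where no contradicting evidence was sought."""
        return [v for v in VECTOR_WEIGHTS
                if not any(e.vector == v and not e.supports for e in self.evidence)]

def confidence(score: float) -> str:
    # Assumed thresholds: "medium" is a link worth reporting, not a rebrand claim.
    return "high" if score >= 0.7 else "medium" if score >= 0.4 else "low"

def build_sample() -> Hypothesis:
    # Constructed observations for a hypothetical "Group B is a rebrand of Group A";
    # not findings about any real group.
    h = Hypothesis("Group B is a rebrand of Group A")
    h.evidence += [
        Evidence("code", 0.8, True, "identical quirks in a custom encryptor config parser"),
        Evidence("infrastructure", 0.3, True, "same hoster, also used by unrelated groups"),
        Evidence("human", 0.6, True, "known Group A affiliate now recruiting for Group B"),
        Evidence("human", 0.4, False, "forum chatter names a different operator team"),
        Evidence("tooling", 0.9, True, "same widely available post-exploitation kit"),
    ]
    return h
```

Running `build_sample().score()` gives 0.505, a “medium” band, and `unchallenged_vectors()` shows that only the human vector was ever argued against, which is exactly the kind of gap a challenge-and-defend session is meant to surface before publication.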

Inside Cybercrime’s Courtroom: Arbitration Among Thieves

Perhaps one of the most fascinating insights came from a story about RAMP, a Russian-language underground forum. An affiliate known as Naci filed an arbitration claim after being cut out of the original BlackCat ransom payment. Despite providing evidence that the group faked their FBI takedown page to exit without paying him, the moderator ruled in favor of the gang.

“They didn’t care about arbitration because they were closing that persona either way. But these criminals still care about their reputation on forums.”

This glimpse into the structured dispute resolution mechanisms in criminal ecosystems reflects just how sophisticated the ransomware world has become.

Gamers as the Next Generation of Cybersecurity Leaders

Switching gears, Matt Radolec of Varonis makes a bold argument: Gamers are one of the most overlooked sources of cybersecurity talent.

“If you treat gamers like gamers, you can turn them into superheroes.”

Radolec draws parallels between raid leadership in World of Warcraft and incident response. His team actively recruits people with gaming experience and puts them on “quests” to build skills, emphasizing strategy, achievement, and team dynamics.

At Varonis, they’ve built an AI security analyst. New hires are expected to outperform it to keep their analyst role. This challenge-driven environment fuels growth:

“Giving them this mythical sword, the AI tool, turned them into heroes of data.”

Filling the Leadership Void with Side Quests

Radolec argues the real gap in cybersecurity isn’t talent, but leadership.

“The reason we don’t have the skills we need is you – the leaders.”

To solve this, he advocates for:

  • Leader-created “quest lines” to guide junior employees
  • Gamified feedback loops with achievements and progression
  • Allowing time for side quests (like researching Kubernetes log persistence)

These tactics help surface internal experts and encourage long-term skill development without relying on external hiring.

Attribution vs Bias: Lessons for Future Analysts

Both guests emphasize the risks of assumptions. Whether you’re attributing a cybercrime group or mentoring new defenders, the danger lies in rushing conclusions.

“You don’t even realize the bias you have until you’re forced to defend it.”

That’s why both attribution frameworks and talent frameworks need structure, feedback, and rigor—backed by human connection and technological fluency.


That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!