Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress
ID: 91c05e7c-ef90-5298-8686-a081afa7f0bb
STIX ID: report--91c05e7c-ef90-5298-8686-a081afa7f0bb
Feed Name: Huntress Blog
Ransomware-as-a-service (RaaS) operates as an ecosystem of operators, affiliates, and initial access brokers. This report explains that the same ransomware family can appear across diverse intrusion chains. It reviews observed initial access methods (RDP, vulnerable edge appliances, rogue RMMs), persistence and defense-evasion tactics (new user accounts, RMM installs, EDR/AV killers, BYOVD), and data staging/exfiltration approaches (7-Zip, MegaSync, RClone, S5cmd, finger.exe). It cites incidents such as a Bomgar compromise affecting many downstream victims, and recommends security fundamentals such as asset inventory, attack-surface reduction, and broad monitoring.
