Bert Zéfat

Security Enthusiast

HackTheBox user

Ethical Hacker

Linux lover

The Kill Chain explained

November 2, 2021 RansomWare, Security

These middlemen hunt for poorly secured companies, flaws in security software or weak passwords, or they send phishing emails in the hope that an employee of the company will click on them. That gives them access to the system: this group provides the initial access.

They do research to make that access valuable: the more they know about an organization and its computer systems, the higher the price. On that basis the broker sells the access to the actual criminal hackers on the dark web. Prices range from a few tens of euros to sometimes several thousand. Companies with a 24×7 service are especially lucrative: they are hit harder, so access to such a company is worth more money.

Next come the so-called ransomware affiliates: the criminals who actually break into your laptop or hack an entire company. They buy the access online first, but they also buy something else: the ransomware itself, the program that ultimately takes all of a company's files hostage, in other words locks them up. They buy that from the third group, the ransomware developers.

The criminal hackers work closely with the ransomware developers, and if you look at the different steps of such a ransomware attack, these are the two groups that direct everything. They depend heavily on each other to make money in the end.

The fourth group, the data managers, structure the data that the hackers got their hands on and prepare it to be put online if necessary. The dark web has numerous sites filled with sensitive company data; that is the work of those data managers.

First they publish a small sample of the data to increase the pressure and make you pay. If you don't pay, they slowly upload all of it, and anyone can download it, you and me included.

The goal is still to extract money. All valuable data is bundled and the blackmail package is ready; they threaten to resell it unless the company is willing to cooperate. A fifth group is called in for that, because none of the criminals from the first four groups do this themselves: this is what the criminal negotiators are for.

Now the negotiations can begin. To make the ransomware kill chain pay off, a hefty amount in bitcoin is demanded, and you can then make a counteroffer.

It is as if you were haggling over a kilo of tomatoes at the market. It is tempting to go along with this, because it often concerns business-critical situations; paying is of course never the advice, but it is understandable. If you do not cooperate, you can expect the sixth criminal group.

Think of them as digital thugs. Essentially they do the same as the negotiators, but they know how to turn up the pressure and they don't care how. They will exploit every weakness they know of you and keep chasing you, for a week, a month or longer if necessary. They want money; otherwise they will publish.

Once the money is received, we are at the end of the chain: the criminals who channel the ransom.

These are the accountants who convert bitcoin into money, making sure the group ends up with currency it can actually spend. These money launderers pass the money through "mixers": it is transferred at breakneck speed through many accounts to create a smokescreen for investigative services.

Ultimately it ends up in the criminals' possession, and they then find a way to turn that digital money into physical cash.