Seeing is Believing: A Visual and Analytical Map of Russian-affiliated Ransomware Groups

Daniel Schwalbe | Jon DiMaggio

This talk presents original research by DomainTools, Scylla Intel, and Analyst1 on the evolving Russian ransomware ecosystem, which has been significantly disrupted by the Ukraine war, leaks from groups like Conti and Black Basta, and increased global law enforcement actions. Using OSINT, infrastructure analysis, and proprietary data, the study maps personnel, infrastructure, and code overlaps among ransomware groups, highlighting fragmentation, shifting alliances, and the affiliate model’s role in group adaptability. Through a “spider-out” investigative method starting with known actors, the research uncovers hidden connections and delivers a detailed relationship map and analytical report, offering valuable insights for defenders navigating a rapidly changing threat landscape.