January 15th. Toronto got hit with 22cm of snow at Pearson. Some spots in Scarborough saw over 50cm. Schools shut down. DVP was done. The city called it a Major Snowstorm Condition. Might have been the snowiest January 15th in Toronto history. The old record was from 1863.

DC416 relaunched anyway.

We'd been quiet for a year. The room was packed. People chose a hacker meetup over their couch during a blizzard. That told us everything we needed to know.

Tammy Harper from Flare kicked things off with Syndicate: Inside the Life of a Ransomware Operator. Not your usual "ransomware is scary" presentation. She pulled from leaked internal docs from Conti and Black Basta, years of threat intel work, and actual conversations between criminals. This was the real thing.

The Underground Economy

Tammy started with the Soviet concept of nalevo, "on the side." Back in the Soviet Union, there were shortages everywhere. If your tractor broke and you needed a part, you didn't go through the government. You called your buddy who worked at the factory that made the part. That was the underground economy. Everyone had one.

Cybercrime works the same way now. Forums. Telegram groups. Invite-only chats. A whole parallel world running on stolen data, cracked tools, and trust built in ways you wouldn't expect.

Act 1: The Skids

This is where everybody starts. Your bedroom. Pirating games. Typing "how to hack" into Google. Running random scripts from forums you probably shouldn't be on. That's a skid. Short for script kiddie.

And they screw up all the time. Tammy's team found hackers running their own malware on their own computers by accident. Leaking their own passwords onto the dark web. Getting caught because of their own tools. You can't make this stuff up.

Why do people end up here? There's this old concept called Strain Theory from 1938. Basically, when you can't get out of a bad situation through normal means, something breaks. You try it once, you get away with it, and that little voice that says "don't do that" gets quieter each time.

There's also this idea that criminals teach other criminals. Like literally. On Telegram, in forums, everywhere. The old guys who made millions are retiring now, but they trained the next wave. And they didn't just teach the technical stuff. They taught people how to be okay with it. How to stop feeling bad about it.

And then there's the paranoia. Tammy brought up Waifu, a hacker from Ontario who hit Snowflake. This guy kept messaging threat intel researchers asking if they knew his real identity. Over and over. The paranoia spiral got so bad his security fell apart and he made mistakes. That paranoia is something we can actually use against them as defenders.

Act 2: The Affiliates

Once you're past the skid phase you're on forums trying to make money off this. You've done a few hacks. Maybe you've got some savings. Now you want to turn it into a real thing.

And get this. Ransomware groups are making actual commercials now. Like polished marketing videos. To recruit people into their criminal operations. Van Helsing did it. Global did it. Both are shut down now, but they were out there running ads like they were selling SaaS products.

$20,000+: what it costs to start a Ransomware as a Service operation from zero

The paranoia here is different though. When a victim pays a ransom, the money goes into a wallet that the ransomware group controls. Then they're supposed to send you your cut. Key word: supposed to. Sometimes they just don't.

That's exactly what happened with Change Healthcare. $22 million ransom. The affiliate who pulled it off, a guy called Notchy (you can literally trace his journey from skid to big-time operator through his forum posts), never got paid by ALPHV. So he went public. Told everyone. Moved the data to a different group. Told the victim to pay again. Wild.

The Money Isn't What It Used To Be

This is where it gets really interesting if you're on the defense side.

1 in 20: attacks that actually pay something decent (six figures) right now

Insurance companies and negotiation firms share data on how much these groups actually settle for. That tanks the whole market. New affiliates come in taking $10k or $50k ransoms. And suddenly when the experienced guys ask for $200k or $300k, the victim says "nah, last time we dealt with your group we got an 80% discount."

Chaos, which is basically Black Basta rebranded, now won't touch anything under $200k because anything less doesn't cover costs. That's useful info if you ever have to negotiate with them.

Act 3: The Syndicate

This is the top. These operations run like actual companies. Offices. Managers. HR. Payroll. Developers on salary. The whole corporate setup, just for crime.

Tramp

Tammy told us about a guy called Tramp. Real person. Started with Conti. When the Russia-Ukraine war kicked off in 2022, Conti publicly backed Russia. Their Ukrainian team didn't like that one bit. They leaked everything. Chat logs, source code, the whole internal operation.

Conti split into three groups. Tramp was one of the people running the TrickBot side of things. In 2025 the German police (BKA) put his real name out there. He's in Ukraine. They raided some properties but didn't catch him.

Black Basta: A Whole Company

The Black Basta leaks cover September 2023 to September 2024 and Tammy's team used them to map out how the entire thing was structured. They had three groups working together.

The internal team built the malware and got the initial access into networks using tools like TrickBot, IcedID, and later PikaBot. They ran everything through Matrix chat.

The external affiliates were basically contractors. They got handed access to a network and did the actual hacking. Privilege escalation, stealing data, dropping the ransomware. Then they went home.

Then there was the social engineering crew. This is where it gets crazy. They were hiring people off Fiverr. One guy named Arslan from Pakistan was getting paid $20 a week in crypto to sit there 8 to 10 hours a day going through spreadsheets, confirming phone numbers and emails. They used that info later for Microsoft Teams social engineering attacks. Arslan thought he was doing telemarketing for some Russian company.

When Arslan messed up a spreadsheet one day, a manager said he was done. Arslan sent back this long message begging to keep his job. $20 a week. He had zero idea he was helping run one of the biggest ransomware operations on the planet.

When It Gets Real

Black Basta hit Ascension, a huge healthcare system. The people who actually did the attack freaked out. The victim's negotiators told them straight up: you're killing people. The affiliates went to their managers and said never give me a target like that again. They did not want that on them.

Evil Corp

Evil Corp is literally a family business. One of them, Maxim, hit an Australian healthcare system so hard that Australia straight up banned ransom payments after that. These people are sanctioned individually. If they attack you, you legally can't pay even if you wanted to. And a bunch of them were running attacks through LockBit on the side, which makes figuring out who is who really important.

Tammy showed a photo she snuck at Munich airport. Wanted posters of these hackers at passport control. She got in trouble for taking the picture. But that's the reality. These guys can't leave Russia. They pay off local law enforcement to keep operating. As long as they don't hit Russian targets, nobody there cares.

What's Coming Next

Tammy ended with a question. What happens when these threat actors stop trusting the whole ransomware as a service model?

It's already happening.

There's a new group called Deadlock that moved everything off onion sites. They don't trust them anymore. Even bulletproof hosting isn't good enough. So they're doing their negotiations on the blockchain with smart contracts. And they're putting stolen data on IPFS, which means once enough people look at it, it spreads across the network and you basically can't take it down.

What About AI?

Someone in the audience asked about AI doing the hacking. Tammy was honest about it. Last year ESET said they found the first AI powered ransomware. It connected to a LLaMA server and used it to figure out commands for moving around a network. Turns out it was built by some university students and it barely worked. The payload was way too big and it needed a constant connection to an LLM server just to think.

Bottom line: AI ransomware isn't there yet. It still needs to phone home. And that means we can spot it.

But where AI is actually doing damage right now? Social engineering. Tammy talked about a startup she saw demo at SecTor. Backed by BlackRock. The AI finds you on LinkedIn, checks your other socials, figures out you're going to a conference, and sends you a fake email about your ticket. You call the number in the email and you're talking to an AI that sounds like a person. No humans anywhere in that chain. Just agents passing you from one to the next. That one was scary.
