Ransomware doesn't run on malware. It runs on a krysha: the roof the Russian state holds over its crews, keeping them untouchable while the money moves and the servers stay up. We find the roof, and we map how to bring it down.
The takedown was real. The plumbing rerouted in days. Fifteen months on, the exchange brand has changed three times and the settlement layer underneath has not moved at all.
The best campaign of its kind ever run against the machinery beneath ransomware. The dependency that decides whether the rest grows back sits outside its target set by design.
The modern ransomware world traces to a dozen people who learned the trade together. Every lineage in this series begins with the same man, the same trojan, and the same club.
Maksim Yakubets built the most damaging cybercrime enterprise in history, then drove it through Moscow with plates that read THIEF. The car was a status report on the roof above his head.
A former FSB officer became Yakubets's father-in-law. The indictments came, the sanctions came, and the group simply changed its name. This is what a roof actually buys.
TrickBot and Conti ran departments, salaries, HR, and performance reviews. At the top of the org chart sat a man who had shared a room with Yakubets and Bogachev a decade earlier.
Conti did not die in 2022. It decentralized. Get the internal team structure right, and a dozen successor names resolve into two family lines.
A second world, GandCrab to REvil, DarkSide to ALPHV, LockBit, and the Maze cartel, industrialized the business model. One lineage is named down to the founder. Another has never leaked a single name.
The brands are designed to be discarded. What persists is the Money, the Metal, and the Krysha, and the decisive blows against this ecosystem were never delivered from outside.
End Krysha is the public face of a longer research program: mapping the dependencies that keep Russia and CIS ransomware operations alive, and finding the pressure points where targeted action produces measurable degradation.
Groups rebrand. Dependencies don't. The work focuses on the durable layer underneath the brands: the money, the metal, and the roof over both.
Leads, data, source documents, and pushback on the analysis are all welcome, and so are reading recommendations for the shelf. Confidentiality respected.