Three Buddy Problem

Threat Hunter Greg Linares on the modern ransomware playbook

Mar 3, 2026
Greg Linares, Principal Threat Intelligence Analyst at Huntress known for ransomware research, walks through how modern ransomware crews run like businesses. He breaks down the dominant families, the rise of RMM and ClickFix abuse, overlaps with nation-state activity, and practical defense priorities for resource-limited organizations.
ANECDOTE

State Actor Dropped Ransomware To Confuse Responders

  • Greg recounts a DFIR case where a nation-state actor deployed ransomware at the end to confuse responders.
  • He says attackers used Russian state actor tradecraft and dropped ransomware as a deception to mislead investigators.
INSIGHT

RMM Tools Are A Prime Abused Channel

  • RMM (remote monitoring and management) tools are being abused as trusted, signed remote access, with a 277% jump in observed abuse.
  • Greg explains attackers mimic or reuse existing vendor binaries, crack installers, and blend into expected admin behavior.
ADVICE

Demand RMM Vendors Share Abuse Telemetry

  • Hold RMM vendors accountable and demand better telemetry and abuse reporting interfaces.
  • Greg urges vendors to share granular usage data, IOCs, and alert defenders when their binaries or servers are cracked/abused.