Field intelligence on the ransomware protection economy

End the
Krysha.

Ransomware doesn't run on malware. It runs on a krysha: the roof the Russian state holds over its crews, keeping them untouchable while the money moves and the servers stay up. We find the roof, and we map how to bring it down.

01 Dispatches · Analysis from the Field
Feature · Federation Tower, Moscow City
Financial LayerJun 18, 202611 min

After Garantex: where the cash-out moved next

The takedown was real. The plumbing rerouted in days. Fifteen months on, the exchange brand has changed three times and the settlement layer underneath has not moved at all.

Read the dispatch →
Endgame · the layer left standing
Enforcement Strategy

Operation Endgame: the layer it cannot reach

The best campaign of its kind ever run against the machinery beneath ransomware. The dependency that decides whether the rest grows back sits outside its target set by design.

Jun 19, 2026 · 10 min
The Bloodline · Part 1
The Bloodline · Part 1 of 7

The Common Ancestor

The modern ransomware world traces to a dozen people who learned the trade together. Every lineage in this series begins with the same man, the same trojan, and the same club.

Jul 3, 2026 · 10 min
The Bloodline · Part 2
The Bloodline · Part 2 of 7

A Lamborghini Named Thief

Maksim Yakubets built the most damaging cybercrime enterprise in history, then drove it through Moscow with plates that read THIEF. The car was a status report on the roof above his head.

Jul 3, 2026 · 13 min
The Bloodline · Part 3
The Bloodline · Part 3 of 7

The Roof Over Evil Corp

A former FSB officer became Yakubets's father-in-law. The indictments came, the sanctions came, and the group simply changed its name. This is what a roof actually buys.

Jul 3, 2026 · 14 min
The Bloodline · Part 4
The Bloodline · Part 4 of 7

The Corporation

TrickBot and Conti ran departments, salaries, HR, and performance reviews. At the top of the org chart sat a man who had shared a room with Yakubets and Bogachev a decade earlier.

Jul 3, 2026 · 12 min
The Bloodline · Part 5
The Bloodline · Part 5 of 7

The Diaspora

Conti did not die in 2022. It decentralized. Get the internal team structure right, and a dozen successor names resolve into two family lines.

Jul 3, 2026 · 13 min
The Bloodline · Part 6
The Bloodline · Part 6 of 7

The Parallel Track

A second world, GandCrab to REvil, DarkSide to ALPHV, LockBit, and the Maze cartel, industrialized the business model. One lineage is named down to the founder. Another has never leaked a single name.

Jul 3, 2026 · 14 min
The Bloodline · Part 7
The Bloodline · Part 7 of 7

The Constants

The brands are designed to be discarded. What persists is the Money, the Metal, and the Krysha, and the decisive blows against this ecosystem were never delivered from outside.

Jul 3, 2026 · 15 min
02About the Project
Our attempt to make ransomware structurally expensive to run.

End Krysha is the public face of a longer research program: mapping the dependencies that keep Russia and CIS ransomware operations alive, and finding the pressure points where targeted action produces measurable degradation.

Groups rebrand. Dependencies don't. The work focuses on the durable layer underneath the brands: the money, the metal, and the roof over both.

By Reno · Open research · Built in public
03The Leverage · Three Layers of the Roof
04The Instruments
05Contact

Have a tip, a lead, or a correction?

Leads, data, source documents, and pushback on the analysis are all welcome, and so are reading recommendations for the shelf. Confidentiality respected.

Reach the project ransomwareedp@gmail.com