RVAsec 15

Ransomware attacks are the visible event. The access economy enabling them is not. This session maps that economy — how access is acquired, automated, and converted into ransomware deployment — using intelligence from years of undercover operations inside the criminal underground. Attendees will leave with a working model of how initial access brokers operate, and a concrete illustration of how fast CVE exploitation moves from public disclosure to active resale: in February 2026, operatives observed IABs selling confirmed access attributed to a critical BeyondTrust vulnerability within 17 days of vendor advisory. The session closes with a case study of an ALPHV affiliate whose documented operational mistakes contributed to a DOJ prosecution — and a framework for how the private-sector-to-law-enforcement intelligence loop works when it functions correctly.