Inside the Ransomware Economy: A Fireside Chat with Charles River Associates’ Bill Hardin
In the latest DigitalMint Fireside Chat, Marc Grens, Co-Founder and President of DigitalMint, sat down with Bill Hardin, Head of the Incident Response practice at Charles River Associates (CRA), to explore the current ransomware landscape, how cybercriminals continue to evolve, and what organizations can do to prepare before an attack strikes.
The Scale of the Problem
Hardin opened by putting the crisis in perspective: “In 2022 alone, we tracked over a billion dollars in outflows to criminal syndicates conducting ransomware attacks.” Since founding CRA’s incident response practice eight years ago, his team has tracked activity from over 120 organized groups worldwide.
“These are financially motivated actors,” he explained. “If you’re sitting in Eastern Europe making $60,000 a year and can make that in a month through ransomware, it’s an attractive business model.”
The Ransomware-as-a-Service Model
According to Hardin, the ransomware economy has matured into a franchise model.
  • Tier 1 Actors — groups like LockBit, BlackCat/ALPHV, Royal, and Black Basta — operate as large, organized syndicates.
  • Tier 2 Actors — “amateurs” — purchase attack kits or lease ransomware tools, then seek quick payouts.
“The barriers to entry are low,” said Hardin. “We’re seeing more inexperienced criminals buying kits, running attacks, and even reselling decryption keys — which can lead to double or triple extortion.”
He noted a rising trend in data-extortion-only attacks, where threat actors skip encryption entirely and threaten to leak stolen data if unpaid.
Why Familiar Foes Can Be Preferable
CRA has worked on more than 3,000 ransomware cases, many involving repeat offenders.
“When we’re dealing with known groups like LockBit or BlackCat, we understand their playbook — how they operate, what tools they use, and whether their keys work,” Hardin said.
With new or untested groups, “it’s a roll of the dice. Sometimes the decryption keys don’t work at all.”
Experience also gives CRA leverage in negotiations. “We’ve built models that show what different groups will typically accept,” he said. “With established actors, we can often negotiate ransom reductions of 20–50%.”
Preparing Before It Happens
Proactive preparation, Hardin emphasized, makes the biggest difference in recovery outcomes. CRA’s dynamic tabletop exercises simulate evolving threat scenarios to test decision-making and response times.
He also stressed the importance of robust backup strategies. “The 3-2-1 rule — three copies of data, two online, one offline — continues to save companies from paying,” he said. “That offline copy can be the difference between recovery and ransom.”
Still, speed matters. “We’ve had clients say their backups are in S3, but restoring everything takes seven days. If the ransom is $150,000 and you’re losing millions a day, the CFO will likely choose to pay.”
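As an added illustration of the two backup points above (this is example code, not anything from the chat, DigitalMint or CRA), the Python script below checks a constructed backup inventory against the 3-2-1 rule in its common formulation (three copies, two different media, at least one offline) and then measures what the S3 anecdote is really about: how long the fastest copy an intruder with production access cannot destroy takes to restore, compared against the recovery time objective. Copy names, sizes, restore throughputs and the daily loss figure are assumptions chosen to reproduce the seven-day scenario.

```python
"""Check a backup inventory against the 3-2-1 rule and a recovery-time objective.

Added example, not code from DigitalMint or Charles River Associates.
All inventory values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                 # storage type, e.g. "disk", "object-storage", "tape"
    offline: bool               # air-gapped: unreachable from the production network
    immutable: bool             # write-once / object-lock: cannot be deleted or encrypted in place
    size_tb: float              # data volume that must be restored
    restore_tb_per_hour: float  # measured sustained restore throughput (assumed)


def check_321(copies):
    """Rule checks: at least 3 copies, on at least 2 media, at least 1 offline."""
    media = {c.medium for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offline": any(c.offline for c in copies),
    }


def survivable(copies):
    """Copies an intruder holding production admin rights cannot wipe or encrypt."""
    return [c for c in copies if c.offline or c.immutable]


def restore_hours(copy):
    """Time to restore the full data set from one copy."""
    return copy.size_tb / copy.restore_tb_per_hour


def assess(copies, rto_hours, loss_per_day_usd):
    """Summarise 3-2-1 compliance and the realistic recovery time.

    Only survivable copies count toward recovery time: a fast online snapshot
    that the attacker can delete does not shorten the outage.
    """
    safe = survivable(copies)
    best = min(safe, key=restore_hours) if safe else None
    hours = restore_hours(best) if best else float("inf")
    return {
        "rule_321": check_321(copies),
        "survivable_copies": [c.name for c in safe],
        "fastest_survivable": best.name if best else None,
        "restore_hours": hours,
        "meets_rto": hours <= rto_hours,
        # Outage cost over the restore window: the number that gets compared to a ransom.
        "downtime_cost_usd": hours / 24 * loss_per_day_usd,
    }


# Constructed inventory: 21 TB of production data in each copy.
PROD_SNAPSHOT = BackupCopy("prod-snapshots", "disk", offline=False, immutable=False,
                           size_tb=21.0, restore_tb_per_hour=4.0)      # 5.25 h, but deletable
S3_ARCHIVE = BackupCopy("s3-archive", "object-storage", offline=False, immutable=True,
                        size_tb=21.0, restore_tb_per_hour=0.125)        # 168 h = 7 days
OFFSITE_TAPE = BackupCopy("offsite-tape", "tape", offline=True, immutable=True,
                          size_tb=21.0, restore_tb_per_hour=1.0)        # 21 h

WEAK_INVENTORY = [PROD_SNAPSHOT, S3_ARCHIVE]                # "our backups are in S3"
IMPROVED_INVENTORY = [PROD_SNAPSHOT, S3_ARCHIVE, OFFSITE_TAPE]  # adds the offline copy

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("improved", IMPROVED_INVENTORY)):
        result = assess(inventory, rto_hours=24, loss_per_day_usd=1_000_000)
        print(label, result)
```

Run as a script, the weak inventory fails the rule (only two copies, nothing offline) and its only survivable copy takes 168 hours to restore, so the outage cost over that window dwarfs any mid-five-figure ransom; adding the offline tape copy satisfies 3-2-1 and brings the survivable restore inside a 24-hour objective. The useful habit is to feed the script measured throughput from an actual restore drill rather than vendor figures.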
Experience as a Differentiator
Hardin credited CRA’s longevity and cohesion as key strengths. “Our core team of 20 has been together for over a decade,” he said. “When an incident happens, we know exactly who handles what. Clients get straight answers — how long they’ll be down, what data was taken, and what to expect.”
Law Enforcement’s Increasing Role
Following the Colonial Pipeline attack, Hardin noted a clear shift in U.S. government posture. “The FBI and DHS got aggressive — they treated ransomware more like terrorism,” he said. The Hive takedown was a model success: “The FBI was inside their network for months. Victims were able to get free decryptors while the Bureau prepared its operation.”
Still, deterrence remains weak. “You take down one group, and the affiliates just start another. Until there are real consequences, the cycle continues.”
The Cryptocurrency Question
As the discussion turned to ransomware payments and blockchain tracing, Grens raised the question of banning cryptocurrency payments outright.
Hardin’s view was clear: “Banning crypto won’t solve the problem — it’ll drive it underground. You can’t track what you can’t see. The better path is transparency and reporting.”
He praised the FBI’s IC3 portal and ongoing collaboration between government, law enforcement, and blockchain analytics firms. “The more data we collect, the better we can disrupt these actors,” he said.
Smaller Targets, Same Problem
Hardin warned that smaller organizations are now squarely in attackers’ sights. “We’re seeing more low-demand ransomware — $30,000 to $80,000 — from threat actors flying under the radar,” he said.
“These groups know smaller companies may not have incident response teams or insurance, making them easier targets.”

To learn more about Charles River Associates’ Incident Response practice and their work helping organizations navigate ransomware attacks, visit www.crai.com or contact their Cybersecurity & Forensics team directly.