Webinar Recap: Everything You Wish You Didn’t Have to Know About Ransomware

When we talk about ransomware, it’s tempting to picture it as a singular, ominous force looming over organizations. But the reality is far more structured and market-driven. In 2025, ransomware has matured into a highly segmented, economically efficient ecosystem where division of labor is the norm, and commoditization is key.
TL;DR
- Understand and leverage your strengths as defenders. Persistent changes and attacker behaviors offer detection opportunities.
- Prioritize detections wisely to avoid overwhelming your team with false positives. Assume you will be targeted; size and industry don’t matter, exposure does.
- Embrace defense in depth with layered tools and foundational practices.
- Focus on holistic resilience: prevent, react, recover, and adapt.
- Prepare clear detection and response plans, including fallback sites and responsibilities. Ransomware affects everyone, so adopt a comprehensive mindset to stay ahead.
Want to dive deeper? Watch the full webinar, Everything You Wish You Didn’t Have to Know About Ransomware to learn more about these vital strategies.
The Ransomware Economy: 3 Core Roles
To understand ransomware’s operational sophistication, it’s helpful to break down the ecosystem into three key roles:
- Ransomware-as-a-Service (RaaS) Operators
These are the “brand names” in ransomware, such as LockBit, RansomHub, etc. They build and maintain the malware, the infrastructure (including leak sites), and often the payment portals. But they rarely perform the actual intrusions themselves.
- Affiliates
These actors license the ransomware from the RaaS operators. They’re responsible for deploying it: breaching networks, navigating environments, escalating privileges, and ultimately executing the payload. Affiliates are the hands-on attackers.
- Initial Access Brokers (IABs)
Some affiliates don’t want to, or can’t, break in themselves. That’s where IABs come in. They specialize in acquiring initial access to targets, often through phishing, credential stuffing, or, increasingly, via info-stealing malware that collects saved credentials or session tokens. These brokers sell access on underground forums to affiliates, who then proceed with the full ransomware kill chain.
This separation of roles means ransomware operators don’t need deep technical sophistication across the board. The ecosystem allows threat actors to plug into only the parts of the attack lifecycle they’re good at (or willing to pay for).
The Landscape Today: Still Prevalent, Still Profitable
Despite some major law enforcement wins, notably the disruption of LockBit’s infrastructure, ransomware remains one of the most active and impactful threats in cybersecurity. While LockBit has fallen in prominence, it wasn’t due to a lack of affiliates or interest. As with any commoditized market, disruption in one supplier leads to migration, not cessation.
Enter RansomHub: a relative newcomer that rapidly surged in prominence following LockBit’s takedown. Many affiliates simply shifted platforms. The same actors, the same tools, just a new logo.
So even though we’ve seen successful efforts by law enforcement, the broader ransomware numbers remain stubbornly high. The decentralized nature of this threat makes it resilient. Disrupting infrastructure doesn’t eliminate demand, it just drives affiliates to the next provider.
Ransomware Is About Monetization, Not Motivation
One of the biggest misconceptions in cybersecurity circles is viewing ransomware through the same lens as APTs or hacktivists. These aren’t ideologically motivated actors. They’re not trying to send a message or sow chaos; they’re trying to get paid.
This economic mindset drives attacker behavior:
- They don’t care who they hit, only how easily they can monetize the intrusion.
- They prefer easy targets over prestigious ones.
- And most importantly: they go where the ROI is highest.
That’s why we’re seeing a shift toward stolen session tokens alongside stolen credentials. Why bother stealing and cracking passwords when you can hijack an active session? A stolen token (lifted from a browser or cached by an info-stealer) represents a session that has already passed MFA, so the attacker is never prompted for a second factor, gets immediate access, and blends into the legitimate user’s activity, which often keeps them undetected for longer.
Kill Chain Familiarity: It’s Not Sophisticated, It’s Efficient
From initial access to encryption and extortion, the ransomware attack chain is strikingly familiar:
- Reconnaissance
- Initial Access (via phishing, brokers, vulnerabilities)
- Privilege Escalation
- Lateral Movement
- Data Exfiltration
- Ransomware Deployment & Extortion
What surprises many defenders is just how simple some of the TTPs still are. Ransomware actors aren’t innovating much because they don’t need to. Classic techniques like scheduled tasks and registry run keys still work. In fact, many attackers have turned to legitimate tools, like Remote Monitoring and Management (RMM) software, for persistence and command and control. These tools often evade detection because IT teams use them legitimately, so their mere presence is rarely flagged.
What’s more alarming is by the time the encryption happens (the moment most companies realize they’re under attack) the adversary has already spent 5 to 14 days inside the environment. They’re not just encrypting data; they’re exfiltrating it, studying the network, and preparing the extortion play.
What Security Teams Get Wrong and What to Do Instead
A persistent myth is that ransomware is somehow “special,” an exotic class of threat requiring a totally different defense strategy. In truth, it’s just a well-optimized chain of familiar intrusions.
Some common gaps in enterprise defenses:
- Narrow focus on application-layer vulnerabilities surfaced by developer-centric tooling, while low-hanging external exposures (unpatched internet-facing services, exposed remote access) go unnoticed.
- Limited external attack surface awareness: not knowing what’s truly exposed.
- Delayed detection: only discovering the attack post-encryption, when the data has already left and containment can only limit further damage.
The key takeaway: early detection is everything. If your visibility doesn’t extend to pre-encryption activity (think reconnaissance, access attempts, lateral movement) you’re not defending, you’re reacting.
Your Best Defenses Against Ransomware
Ransomware in 2025 isn’t defined by revolutionary techniques or zero-days, it’s defined by resilience, decentralization, and economic efficiency. It’s not a single bear chasing the herd, it’s a pack, and they’re all just looking for the slowest runner.
Mitigating ransomware means acknowledging that:
- Affiliates can pivot overnight.
- RaaS infrastructure can rebrand in days.
- And attackers don’t have to be clever, just persistent.
Your best defense? Comprehensive visibility, aggressive detection, and treating ransomware like the business model it is, not the anomaly it isn’t.

The final stage is where everything culminates: exfiltrating your data, deleting backups, and deploying ransomware. It’s the critical moment and, surprisingly, much of the tooling involved is perfectly legitimate. You’ll see Rclone, WinSCP, or other file transfer tools that any IT team might use. The same tools you’d use for a basic sysadmin task are repurposed for data theft.

Even when it comes to deploying ransomware, attackers often stick with tried-and-true methods. PsExec is still one of the most popular tools, and they’ll use it to push a ransomware binary across dozens or even hundreds of endpoints. It works. Why fix what isn’t broken?

Attackers don’t discriminate based on industry. Too many companies assume they’re not interesting enough to be targeted, but these actors have no industry loyalty. Just because you’re not in healthcare or government doesn’t mean you won’t be tomorrow’s target.

Size doesn’t matter either. Small businesses and startups often assume they’re not “juicy” enough, but they are attractive precisely because they’re easier to compromise. Two figures are commonly cited: Verizon’s Data Breach Investigations Report found that 43% of breaches involved small-business victims, and the National Cyber Security Alliance is credited with the claim that 60% of those businesses close within six months (a widely repeated figure that has been disputed). The underlying point stands: they struggle to recover. Large enterprises are more resilient, but they’re also slower, better defended, and less likely to pay quickly. SMBs are a faster path to payout, which is ultimately what these actors want. And that’s the harsh truth: this strategy still works because victims still pay. When it hits and your data is locked up, the knee-jerk reaction is, “Pay the ransom. We need our data back.”
Playing Up Your Strengths
So, this isn’t about which industries are at risk. It’s about opportunity. These attackers don’t ask, “Is this my industry?” They ask, “Will this victim pay quickly?” If the answer is yes, congratulations, you’re today’s target.

Sometimes we focus so much on what attackers are good at that we forget to ask: what are we good at? How can we leverage our strengths as defenders? Take the persistence mechanisms attackers rely on; those are great detection opportunities for us. Why? Because attackers have to make a change to the system, whether it’s writing a file, creating a scheduled task, or modifying a registry key. That change leaves a footprint we can detect.
Similarly, if ransomware actors are consistent in the types of discovery commands they run, we should use that knowledge to our advantage. These are our defensive advantages. We need to understand where we can win. At the same time, we need to know when detection efforts aren’t worth the cost. Sometimes, trying to detect everything leads to too many false positives, which flood our SOC teams and distract them from critical fundamentals we haven’t nailed down yet. Learning to say “no” to certain detections (even when leadership pushes for them) is a valuable skill. It’s about prioritizing what really matters.
Knowing where we can win, and when to say no, is key when tackling cybersecurity challenges.
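The behaviours called out above (run-key and scheduled-task persistence, RMM software IT doesn’t use, Rclone exfiltration, PsExec deployment, and bursts of discovery commands) are exactly the kind of prioritized detections this section argues for. The following is an added example, not code from NetSPI or the webinar: a small Python rule set run over a handful of constructed Sysmon-style events. The approved-RMM allow-list, the discovery binaries, and the burst threshold are assumptions to tune per environment, and the event records are hand-built for illustration, not captured telemetry.

```python
# Added example (not NetSPI's code): prioritized ransomware-tradecraft detections
# over constructed Sysmon/System-log style events. Field names follow Sysmon
# conventions; the events themselves are made up for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the one RMM product this (hypothetical) org's IT team actually uses.
APPROVED_RMM = {"teamviewer.exe"}
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "atera.exe",
                "splashtop.exe"} | APPROVED_RMM
DISCOVERY = {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "systeminfo.exe",
             "ipconfig.exe", "quser.exe", "arp.exe"}
DISCOVERY_WINDOW = timedelta(minutes=5)
DISCOVERY_THRESHOLD = 4   # distinct discovery binaries per host inside the window


def _exe(event):
    """Basename of the Sysmon Image field, lower-cased ('' if absent)."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (host, rule, detail) alerts for the given events."""
    alerts = []
    recent = defaultdict(list)   # host -> [(time, exe)] recent discovery activity
    burst_fired = set()          # hosts already alerted on, to avoid repeats
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        host, eid = ev["Computer"], ev["EventID"]
        ts = datetime.fromisoformat(ev["UtcTime"])
        exe, cmd = _exe(ev), ev.get("CommandLine", "").lower()

        # Persistence leaves a footprint: Run-key writes (Sysmon 13) and schtasks /create.
        if eid == 13 and "\\currentversion\\run" in ev.get("TargetObject", "").lower():
            alerts.append((host, "persistence.runkey", ev["TargetObject"]))
        # PsExec-style deployment installs the PSEXESVC service on each target (System 7045).
        elif eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            alerts.append((host, "lateral.psexec_service", ev.get("ImagePath", "")))
        elif eid == 1:   # process creation
            if exe == "schtasks.exe" and "/create" in cmd:
                alerts.append((host, "persistence.schtask", cmd))
            elif exe in RMM_BINARIES and exe not in APPROVED_RMM:
                alerts.append((host, "rmm.unapproved", exe))
            elif exe == "rclone.exe" and any(v in cmd.split() for v in ("copy", "sync", "move")):
                alerts.append((host, "exfil.rclone", cmd))
            elif exe in DISCOVERY:
                # Keep only this host's discovery activity inside the sliding window.
                window = [(t, x) for t, x in recent[host] if ts - t <= DISCOVERY_WINDOW]
                window.append((ts, exe))
                recent[host] = window
                distinct = {x for _, x in window}
                if len(distinct) >= DISCOVERY_THRESHOLD and host not in burst_fired:
                    burst_fired.add(host)
                    alerts.append((host, "discovery.burst", sorted(distinct)))
    return alerts


def _proc(host, t, image, cmdline):
    return {"EventID": 1, "Computer": host, "UtcTime": t, "Image": image, "CommandLine": cmdline}


# Constructed sample telemetry: one noisy workstation, one file server, one quiet host.
SAMPLE_EVENTS = [
    _proc("WS01", "2025-03-04T10:00:00", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _proc("WS01", "2025-03-04T10:00:10", r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    _proc("WS01", "2025-03-04T10:00:20", r"C:\Windows\System32\nltest.exe", "nltest /dclist:"),
    _proc("WS01", "2025-03-04T10:00:30", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    {"EventID": 13, "Computer": "WS01", "UtcTime": "2025-03-04T10:05:00",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    _proc("WS01", "2025-03-04T10:06:00", r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /tn "Updater" /tr C:\Users\Public\u.exe /sc onlogon'),
    _proc("WS01", "2025-03-04T10:07:00", r"C:\Users\Public\AnyDesk.exe", "AnyDesk.exe --silent"),
    _proc("WS01", "2025-03-04T10:08:00", r"C:\Program Files\TeamViewer\TeamViewer.exe", "TeamViewer.exe"),
    _proc("WS01", "2025-03-04T11:00:00", r"C:\Users\Public\rclone.exe", r"rclone copy C:\Finance mega:dump"),
    {"EventID": 7045, "Computer": "FS01", "UtcTime": "2025-03-04T11:30:00",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    _proc("WS02", "2025-03-04T09:00:00", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{host:5} {rule:24} {detail}")
```

Note the deliberate gaps: the single `ipconfig` on WS02 and the approved TeamViewer launch on WS01 produce nothing, which is the "learn to say no" point in practice. A lone discovery command or an RMM tool IT actually uses would swamp the SOC with false positives; the burst threshold and allow-list are where that trade-off lives, and they should be tuned against your own baseline rather than copied as-is.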
NetSPI Can Help: Watch the Webinar
We know it can feel overwhelming, like you’ll never measure up to the experts you see in the headlines. But trust us, there’s value in focusing on the mindset and programmatic approaches. Here are some mindset shifts we recommend:
1. Assume you will be attacked.
Don’t think “We’re too small,” or “They don’t target our industry.” Ransomware isn’t always a targeted attack, it’s a business model. Attackers go after the easiest targets: organizations with weaker controls, no dedicated teams, or those that outsource security and have complex vendor relationships. It’s not about size or industry, it’s about exposure and ease of exploitation. So prepare for when, not if, you get attacked.
2. Defense in depth is essential.
You can’t rely on a single tool or phase of defense. EDR is powerful, but it’s not foolproof. Tools only detect what they’re configured and programmed to see. If attackers know what you’re using, it’s like giving them the answers in advance. So don’t abandon foundational tools just because they’re “not sexy” anymore. Combine multiple layers: Zero Trust models (even if it’s a buzzword), network segmentation, and thorough monitoring of remote management tools like RMM software (one of the biggest blind spots for ransomware).
3. Focus on holistic resilience.
Relying solely on cyber insurance or backups is risky. Insurance payouts are shrinking, policies are tightening, and backups can be deleted if they’re not properly isolated and immutable. Resilience means more than prevention; it also means preparing to react, recover, and adapt quickly. Build all four pillars into your strategy.
Here are some questions to consider if you feel stuck:
- How fast do you detect and isolate active threats? What’s your mean time to detect and respond?
- If ransomware hit right now, what’s your fallback plan? Do you have hot sites or cold sites ready? Who is responsible for bringing them online?
The truth is, motivated attackers will find creative ways in, no matter what. By thinking comprehensively, beyond just putting a big front door on your assets, you can give your company a much better chance to defend itself. Ransomware is everyone’s problem; not just big government, hospitals, or aviation. These actors want to monetize, not win awards. CISOs and security teams need to step back, think bigger picture, and acknowledge that this threat affects every industry and organization.
Want to dive deeper? Watch the full webinar entitled Everything You Wish You Didn’t Have to Know About Ransomware to learn more.