9:45 am - 10:00 am ET / 1:45 pm - 2:00 pm UTC | Opening Remarks
10:00 am - 10:45 am ET / 2:00 pm - 2:45 pm UTC | Keynote | Adapting Tradecraft: Examining Ransomware Attacks in 2024 - Insights from The DFIR Report
Peter O, Cyber Threat Analyst, The DFIR Report
Ransomware attacks continue to be highly prevalent, impacting a significant number of organisations. Whilst there have been some efforts to counter this threat, ransomware operators continue to adapt their tradecraft to ensure they succeed in their mission: eliciting a financial reward from a compromised victim network. Throughout 2024, The DFIR Report has investigated and analyzed a number of ransomware attacks, providing a rich understanding of how an attack unfolds, how the ransomware operator navigated the compromised environment, and how effects were delivered.
In this presentation, we will share our observations: the new and interesting techniques that were detected, and the common methods and familiar tools used by ransomware operators. Join us as we take you through the journey of an attack, some of the trends, and how to develop defensive measures to counter this threat.
- Initial access - From delivery through to persistence
- Domain takeover - Methods of lateral movement, and objectives
- Tooling - Common and bespoke tooling, including living off the land and bringing your own
- Hands-on keyboard - Observing ransomware operators at the command-line and via the GUI
10:50 am - 11:10 am ET / 2:50 pm - 3:10 pm UTC | Lightning Talks
10:50 - 11:00 | Zero Trust AI in Ransomware Defense: Reinventing Risk Management, Jessica Dapelo
In the face of evolving ransomware tactics, organizations must rethink their cybersecurity posture. Traditional defense models are no longer enough to mitigate the risks of sophisticated ransomware attacks. This presentation will explore how integrating Zero Trust architecture and Artificial Intelligence (AI) can revolutionize ransomware defense strategies. Attendees will learn how Zero Trust principles, requiring continuous authentication and least-privilege access, can be combined with AI tools to enhance threat detection, improve incident response, and reduce the attack surface. Practical takeaways will include real-world examples, step-by-step strategies for implementing Zero Trust AI frameworks, and lessons learned from high-risk environments such as the Department of Defense (DoD). Additionally, we will explore how AI-driven predictive models can identify ransomware activity before it escalates, enabling proactive defense measures.
11:00 - 11:10 | Facing Modern Ransomware Threats and Tackling Multi-Extortion Tactics, Sanjay Poddar
Ransomware attacks of today are surgical and multipronged in nature, consisting of multi-mode extortion tactics that target organizations on multiple fronts. In this session, we will explore the strategies deployed by ransomware operators to maximize their impact: from encrypting critical data, to exfiltrating sensitive information and then exposing it publicly, to denial-of-service attacks.
Attendees will gain an understanding of how these layered extortion techniques are carried out, why they are effective, and why defending against them is so challenging. For every layer of a multi-extortion attack, specific indicators will be presented to help defenders identify the activity early.
The talk will leave you with concrete first steps toward strengthening your defense against a multi-extortion attack, including state-of-the-art techniques in proactive detection and containment strategies, as well as response protocols that can mitigate damage. Whether you are multitasking as an incident responder, developing cybersecurity strategy, or providing threat intelligence, you will leave with practical knowledge and additional lines of defense to steer your organization through the complexities of modern ransomware.
11:15 am - 11:30 am ET / 3:15 pm - 3:30 pm UTC | Break
11:30 am - 12:00 pm ET / 3:30 pm - 4:00 pm UTC | Ransomware TTX: Seven Scenarios to Include in Your Next TTX
Tabletop Exercises (TTX) are an excellent way for organizations to find gaps in their overall incident response processes and procedures. As part of a ransomware TTX, there are several considerations that should be included to ensure that the organization is prepared to address not only the technical challenges, but also key decisions.
In this presentation, we will look at seven different key scenarios that should be included as part of a ransomware TTX. For each of these, we will examine how to structure scenarios into a TTX, either as discussion points or scenario injects. Next, we will examine key points to address and what some of the potential outcomes might be. From here, we will discuss how to incorporate the responses into process improvements to enhance the overall organizational ransomware readiness.
The presentation will cover the following seven scenarios:
1. “Call it an incident?”: In the past few years, there has been a lot of discussion concerning the legal ramifications of calling an incident an incident. Legal teams are now advising incident response teams to avoid the loaded word 'incident', as it may incur legal and compliance obligations. Part of a Tabletop Exercise (TTX) should address proper terminology and classification of security violations to ensure alignment with legal and compliance requirements.
2. “While you wait”: Many organizations engage third-party digital forensics teams, either independently or through their cyber insurer. These teams may take some time to get organized after the call is made. A TTX should include steps the internal security personnel can take to maintain or gather evidence, or to organize resources so that outside help can hit the ground running.
3. “The Cloud Pivot”: Many organizations have taken at least partial advantage of cloud-based infrastructure. Ransomware TTXs should include potential impacts to cloud-based infrastructure, or how critical services may be moved to cloud infrastructure in the event of a prolonged outage.
4. “Moving your investigation off the network”: A ransomware attack that impacts the entire enterprise may force the incident response team off the network. This may mean leveraging cloud resources (which may incur costs) or using alternate tools and techniques to conduct their investigation. It is not advisable to attempt to build out an investigation environment during an incident. This inject, as part of a TTX, forces the team to come up with a plan of action if the worst-case scenario is realized.
5. “Containment Strategies”: Every containment strategy comes with its own problems. Cutting off communications between the cloud infrastructure and the enterprise may make certain applications or credentials useless. Removing the ability for key servers to talk to applications or systems may delay products shipping. There are a host of scenarios that can play out. A well-thought-out TTX should include a healthy discussion of several containment strategies, the impact each strategy will have on the organization, and the circumstances under which they need to be executed.
6. “Managing Credential Compromise”: This scenario is related to the overall containment strategies and deals directly with how credential compromise is addressed. Going beyond the simple one or two compromised administrator accounts, a TTX should address how wide-ranging compromises, originating from a pilfered password store or the dreaded NTDS.dit file compromise, are handled. This inject should look at the impact a wide-ranging password change may have and how well the organization understands these impacts.
7. “Health and Welfare Concerns”: It may take several days to weeks to fully return to normal operations after a ransomware attack. During this time, the various responding teams will start to feel the effects of sleep deprivation and stress. To maintain consistent team performance, health and welfare considerations such as rotating teams, off-site accommodations, and even employee assistance engagement should be considered. A ransomware TTX should include a discussion of how teams will be rotated in and out and what measures leadership takes to ensure their team's health is considered.
The overall intent is for attendees to return to their organization with these seven scenarios and either run them as a stand-alone discussion or include them in their own exercises, to better align their processes and procedures for addressing a ransomware incident. This forces the organization to pre-plan for specific scenarios, thereby reducing the time necessary to make key decisions, which may limit the impact of a ransomware incident.
12:00 pm - 12:30 pm ET / 4:00 pm - 4:30 pm UTC | Teams, Scams, and Ransomware: BlackBasta’s Social Engineering Hustle
BlackBasta operators in 2024 increasingly use social engineering for initial access, leveraging email bombing and Teams-based impersonation to trick victims into launching remote management tools. Once inside, they deploy credential theft websites, exploit Microsoft 365 session replay, abuse Active Directory (ESC1), and disable security tools. This talk dissects their attack flow, detection opportunities, and mitigation strategies based on recent investigations.
12:30 pm - 1:45 pm ET / 4:30 pm - 5:45 pm UTC | Lunch & Hands-On Workshop
1:45 pm - 2:15 pm ET / 5:45 pm - 6:15 pm UTC | Breaking Bad Actors: Transforming Threat Intelligence into RaaS Resilience
Data and statistics are fundamental to understanding and combating real-world criminal activity, enabling us to extrapolate trends and proactively address emerging threats. However, this data-driven approach is often underutilized in the fight against Ransomware-as-a-Service (RaaS), despite the wealth of information available to us through leak site figures, the cyber equivalent of real-world crime data. This presentation delves into the insights available through the analysis of leak site data, going beyond surface-level observations to provide a unique perspective, augmented by the PwC Global Threat Intelligence team’s own first-hand telemetry and collection, and by insights from incident response engagements. In this presentation we will explore:
• The evolving RaaS ecosystem: Moving beyond simply identifying actors, we will analyse how the landscape has transitioned towards a more fluid and agile model. This includes examining the rise of affiliate programs and the increasing speed at which new RaaS brands achieve “critical mass”, highlighting the sophisticated skills and established networks that underpin these operations.
• Shifting targets and tactics: We will dissect the evolving targeting strategies of RaaS operators, analyzing shifts in preferred sectors and countries over time. This will be enriched with insights gleaned from PwC’s incident response engagements, providing real-world context to the data trends.
• Impact of law enforcement operations: Examining the impact of increased law enforcement focus on major RaaS operations like Conti, LockBit and affiliates such as Scattered Spider, we will explore whether this pressure is driving a shift towards smaller, more agile RaaS brands. This analysis will consider the potential emergence of a “death by a thousand cuts” strategy, where operators leverage a portfolio of smaller affiliates to minimise the impact of disruptions.
By providing this in-depth analysis of leak site data, enriched with real-world insights from PwC Global Threat Intelligence’s experience, this presentation will equip attendees with actionable intelligence that they can use in defending their own networks. Attendees will gain a deeper understanding of how to leverage this data to inform both tactical and strategic decision makers in their response to the RaaS ecosystem. Ultimately, by adopting data-driven methodologies like those used in combating real-world crime, organisations can better anticipate, prioritise, and mitigate the evolving threat of ransomware.
2:15 pm - 3:00 pm ET / 6:15 pm - 7:00 pm UTC | Panel
3:00 pm - 3:10 pm ET / 7:00 pm - 7:10 pm UTC | Break
3:10 pm - 3:40 pm ET / 7:10 pm - 7:40 pm UTC | Detecting Initial Access Malware Before It’s Too Late
Ransomware attacks don’t begin with encryption; they start with initial access malware that gives attackers a foothold in the network. Threats like Lumma Stealer, Bumblebee, RedLine, SnakeLoader, Remcos RAT, and SocGholish are frequently used by ransomware operators to gain access, steal credentials, and move laterally before launching an attack.
This session will focus on how to detect and hunt these early-stage threats before they lead to ransomware deployment. Instead of relying only on IoCs, we’ll explore behavioral patterns and detection techniques that help uncover initial access malware in its early stages. Attendees will walk away with practical hunting queries and strategies to strengthen their defenses against ransomware groups.
3:40 pm - 4:20 pm ET / 7:40 pm - 8:20 pm UTC | The Ransomware Deployment Life Cycle in Cloud Environments
Cloud environments have become a prime target for ransomware operators, who exploit misconfigurations, identity-based attacks, and cloud-native vulnerabilities to deploy ransomware at scale. This talk will break down the ransomware deployment life cycle in cloud environments, sharing actionable intelligence about cloud-centric ransomware groups and their TTPs through real-world case studies.
4:20 pm - 4:30 pm ET / 8:20 pm - 8:30 pm UTC | Wrap-Up