Inside the Fight Against Cybercrime: A Deep Dive Into Ransomware Tactics

Elastio and AWS recently hosted a joint webinar, “Modern Ransomware Targets Recovery: Here’s What You Can Do to Stay Safe.” The session brought together experts to unpack how ransomware tactics are evolving and what organizations need to do differently to stay resilient. A clear theme emerged. Attackers are no longer focused on disruption alone. They are deliberately sabotaging recovery. Ransomware Has Shifted From Disruption to Recovery Sabotage Modern ransomware no longer relies on fast, obvious encryption of production systems. Instead, attackers often gain access months in advance. They quietly study the environment, including backup architectures, replication paths, and retention windows. Encryption happens slowly and deliberately, staying below detection thresholds while corrupted data propagates into snapshots, replicas, and backups. By the time the attack is triggered and ransom is demanded, recovery options are already compromised. This represents a fundamental shift in risk. Backups are no longer just a safety net. They are a primary target. Ransomware Risk Is Unquantifiable Without Proven Clean Recovery Points Ransomware risk becomes impossible to quantify when organizations cannot prove their recovery data is clean. Boards, regulators, and insurers are no longer reassured by the mere existence of backups. They want to know how quickly recovery can happen, which recovery point will be used, and how its integrity is verified. Most organizations cannot answer these questions with confidence because backup validation is not continuous. The consequences are real. Extended downtime, board-level exposure, insurance gaps, and growing regulatory pressure under frameworks such as DORA, NYDFS, and PRA. Without proven clean recovery points, ransomware becomes an unbounded business risk rather than a technical one. The Three Pillars of Ransomware Recovery Assurance The webinar emphasized that real ransomware resilience depends on three pillars working together. Immutability and isolation ensure backups are tamper-proof and stored separately, protected by independent encryption keys. AWS capabilities such as logically air-gapped vaults support this foundation.Availability focuses on whether recovery can happen fast enough to meet business expectations, particularly when identity systems are compromised. Clean-account restores and multi-party approval become critical.Integrity, the most overlooked pillar, ensures backups are continuously validated to detect encryption, corruption, malware, and fileless attacks, and to clearly identify the last known clean recovery point. If any pillar fails, recovery fails. For more information: Resilience by design: Building an effective ransomware recovery strategy | AWS Storage Blog Malware Scanning Is Not Ransomware Detection The speakers drew a clear distinction between traditional malware scanning and what is required to defend against modern ransomware. Signature-based tools look for known binaries, but today’s attacks often run in memory, use polymorphic techniques, and encrypt data without leaving a detectable payload. In these cases, the absence of malware does not mean the absence of damage. Effective ransomware defense requires detecting the impact on data itself, including encryption, corruption, and abnormal change patterns, not just the presence of malicious code. Validation Enables Faster, Safer Recovery Without Paying Ransom A real-world case study illustrated the value of recovery validation. Attackers encrypted data gradually over several days, allowing compromised data to flow into backups that appeared intact but were unsafe to restore. Through targeted threat hunting, Elastio identified a clean recovery point from roughly six days earlier, enabling the company to restore operations without paying the ransom. With downtime costs often reaching millions per day, even small reductions in recovery time have outsized financial impact. The takeaway was simple. Knowing where to recover from matters more than recovering quickly from the wrong place. Key Takeaways Ransomware now targets recovery, not just production.Attackers gain access early, encrypt data slowly, and ensure corruption spreads into replicas and backups before triggering an attack. By the time ransom is demanded, recovery paths are often already compromised.Backups alone are not proof of recoverability.Without continuous validation, organizations cannot confidently identify a clean recovery point, making ransomware risk impossible to quantify.True ransomware resilience depends on three pillars.Immutability and isolation protect backups from tampering, availability ensures recovery meets business expectations, and integrity validation confirms recovery data is usable. If integrity fails, recovery fails.Malware detection is not ransomware detection.Fileless and polymorphic attacks often evade signature-based tools. Detecting the impact on data, such as encryption and corruption, is critical.Provable recovery changes the economics of ransomware.Validated recovery points reduce downtime, avoid reinfection, and can eliminate the need to pay ransom, delivering measurable operational and financial impact. Additional Resources AWS ReInvent: How Motability Operations built a ransomware-ready backup strategy with AWS Backup & Elastio AWS re:Invent 2025 - Motability Operations' unified backup strategy: From fragmented to fortified

In early 2026, U.S. authorities issued a cyber threat alert warning organizations about evolving tactics used by North Korean state-sponsored cyber actors. The advisory highlights how the Democratic People’s Republic of Korea (DPRK) continues to refine its cyber operations to conduct espionage, gain persistent access to networks, and generate revenue to support state objectives. This activity underscores a broader reality: DPRK cyber operations are no longer niche or experimental. They are mature, adaptive, and increasingly effective against both public- and private-sector targets. Evolving Tradecraft: From Phishing to QR Code Attacks A key focus of the alert is the growing use of malicious QR codes embedded in phishing emails, a technique often referred to as “quishing.” Instead of directing victims to malicious links, attackers embed QR codes that prompt users to scan them with mobile devices. This approach allows attackers to bypass traditional email security controls and exploit weaker defenses on mobile platforms. Once scanned, these QR codes redirect victims to attacker-controlled pages that closely mimic legitimate login portals, such as enterprise email or remote access services. Victims who enter their credentials unknowingly hand over access to their accounts, enabling attackers to move laterally, conduct follow-on phishing campaigns, or establish long-term persistence. Kimsuky and Targeted Espionage The activity described in the alert is attributed to a DPRK-linked cyber group commonly referred to as Kimsuky. This group has a long history of targeting policy experts, think tanks, academic institutions, and government entities, particularly those involved in foreign policy and national security issues related to the Korean Peninsula. What distinguishes recent campaigns is the subtlety of the lures and the deliberate exploitation of user trust. Emails are crafted to appear routine or administrative, and QR codes are presented as harmless conveniences. This increases the likelihood of successful compromise, even in security-aware environments. Cybercrime as Statecraft DPRK cyber operations should not be viewed solely through the lens of traditional espionage. North Korea has repeatedly demonstrated its willingness to use cybercrime as a strategic tool. In parallel with intelligence collection, DPRK-linked actors have conducted financially motivated attacks, including cryptocurrency theft, financial fraud, and illicit remote employment schemes. These activities serve a dual purpose: generating revenue to circumvent international sanctions and providing operational cover for broader intelligence objectives. In many cases, what appears to be simple fraud is ultimately tied to state-directed priorities. Why This Matters Now The techniques outlined in the 2026 alert highlight how DPRK cyber actors are adapting faster than many defensive programs. By shifting attacks to mobile devices, exploiting human behavior, and blending espionage with financial crime, they reduce the effectiveness of traditional security controls. For organizations, this means that technical defenses alone are no longer sufficient. User awareness, mobile security posture, identity protection, and anomaly detection all play a critical role in mitigating risk. Key Takeaways for Organizations Organizations should assume that DPRK cyber activity will continue to evolve and expand in scope. Practical steps include updating security awareness training to address QR code–based attacks, monitoring for anomalous authentication behavior, limiting credential reuse, and treating identity compromise as a high-impact security incident. Most importantly, leaders should recognize that DPRK cyber operations are persistent, well-resourced, and strategically motivated. Understanding this threat is essential not only for government and policy organizations, but for any enterprise operating in an increasingly interconnected and geopolitically influenced digital environment.

Detonation Point is where cyber risk stops being an abstract headline and becomes an operational reality. In a recent episode presented by Elastio, host Matt O’Neill sat down with cloud security expert Costas Kourmpoglou at Spike Reply UK to unpack a hard truth many organizations only learn after an incident: Ransomware doesn’t succeed because attackers are smarter; it succeeds because recovery fails. Ransomware Is an Industry Early ransomware operations were vertically integrated. The same group wrote the malware, gained access, deployed it, negotiated payment, and laundered funds. That model is gone. Today’s ransomware ecosystem resembles a supply chain: Developers build ransomware toolingInitial access brokers sell credentialsAffiliates deploy attacksNegotiators manage extortionSeparate actors handle payments and laundering This “Ransomware-as-a-Service” model lowers the barrier to entry and scales attacks globally. No one really needs expert technical skills. They just need access and opportunity. How Daily Mistakes Set Ransomware in Motion Ransomware became dominant for a straightforward reason: it pays. Despite headlines about zero-day exploits, most ransomware campaigns still begin with mundane failures: Reused credentialsPhishing emailsThird-party access The uncomfortable reality is that most organizations already assume breaches, yet design security as if prevention is enough. In this Detonation Point podcast, Costas noted, “Many teams over-invest in stopping the first mistake and under-invest in what happens after that mistake inevitably occurs.” Attackers don’t rush. Once inside, they: Observe quietly and use native tools to blend in (“living off the land”)Map systems and privilegesIdentify backups and recovery paths Ransomware often detonates months after initial access and long after backups have quietly captured infected data. But Why Paying the Ransom Rarely Works Ransomware payments are often justified as the “cheapest option.” But data tells a different story: Recovery success after payment is worse than a coin flipPayments may violate sanctions lawsData is often not fully restored or released anyway As Costas put it, “If you’re willing to gamble on paying the ransom, you might as well invest that money in resilience, where the odds are actually in your favor.” One of the most critical insights from the conversation was this: If your business cannot operate, that is not just a cybersecurity failure, it’s a business failure. If your plan assumes everything else still works, it’s not a plan. And, if ransomware detonated tonight, do you know which recovery path would save you, and which ones would make things worse? Because when ransomware stops being theoretical, only validated recovery determines the outcome. This blog is adapted from the Detonation Point podcast presented by Elastio.