Responding to a Ransomware Attack: Clean Recovery Options are Critical

The Democratization of Endpoint Defense Bypass There was a time when bypassing endpoint defenses like Windows Defender was considered a niche capability, reserved for elite red teams, advanced threat actors, or highly specialized researchers. That time has passed. Today, bypass techniques are not only widely documented, they are being actively taught, operationalized, and scaled in ways that should give both security leaders and policymakers pause. How Modern Endpoint Protection Is Being Circumvented Modern endpoint protection platforms such as Microsoft Defender rely heavily on behavioral detection and interfaces like the Anti-Malware Scan Interface (AMSI) to identify malicious activity. In theory, these systems provide layered visibility into both known and unknown threats. In practice, however, attackers have adapted. Rather than attempting to defeat detection outright, many now focus on sidestepping it entirely. Techniques such as in-memory execution, obfuscation, and the abuse of legitimate system tools have become standard approaches for avoiding scrutiny. What was once considered advanced tradecraft is now widely understood and, more importantly, repeatable. From Underground Knowledge to Mainstream Curriculum The most significant shift is not purely technical, but structural. Bypass knowledge is no longer confined to underground forums or tightly controlled research communities. It is being democratized. Training platforms, professional courses, and widely accessible labs are now teaching the mechanics of evasion as part of mainstream cybersecurity education. A clear example is the LinkedIn Learning course “Defeating Windows Defender,” which walks through how Defender operates, how it detects threats, and how those mechanisms can be bypassed in practice. This reflects a broader reality: evasion is no longer treated as an edge case, but as a core competency. The Scaling Problem: When Bypass Becomes Repeatable This shift has profound implications. When bypass techniques become structured learning material, they become scalable. They can be taught, repeated, refined, and integrated into standard operating procedures. This fundamentally changes the balance between attackers and defenders. Security teams must account for an ever-expanding set of techniques, while adversaries can focus on identifying and executing a single successful bypass. The asymmetry has always existed, but the barrier to entry is now significantly lower. Studying Security Tools as Targets Equally important is the way attackers are approaching security tools themselves. Endpoint protection is no longer viewed as a black box, but as a system to be studied, tested, and ultimately manipulated. Detection logic is analyzed, blind spots are identified, and controls are treated much like software targets in their own right. This methodical approach, combined with the growing availability of training resources, is accelerating the pace at which bypass techniques evolve. Why Prevention Alone Is No Longer Enough None of this suggests that tools like Microsoft Defender are ineffective. They remain a critical component of any modern security architecture. However, it does underscore a necessary shift in mindset. Organizations can no longer assume that prevention alone will hold. They must operate under the assumption that controls can and will be bypassed, and that some level of adversary activity may go undetected for a period of time. The Shift Toward Resilience The implication is clear: resilience must extend beyond prevention. Detection, response, and containment capabilities are no longer secondary considerations, but central pillars of security strategy. Visibility across endpoints, identity systems, and networks becomes essential, as does the ability to respond quickly when something inevitably slips through. When Bypass Becomes the Norm The real concern is not that bypass techniques exist. They always have. The concern is that they are now accessible, repeatable, and teachable at scale. When bypass becomes curriculum, it stops being exceptional and becomes normal. And once that happens, the entire defensive posture must evolve accordingly. The Blurring Line Between Testing and Threat Activity A second-order effect of this shift is the normalization of adversary tradecraft within legitimate environments. Techniques that were once clear indicators of malicious behavior are increasingly indistinguishable from sanctioned testing or training activity. This creates challenges not only for detection systems, but also for governance and oversight, as organizations struggle to differentiate between benign and hostile use of the same methods. The line between offensive research and operational threat activity continues to blur. The Changing Talent Landscape There is also a growing talent dynamic that cannot be ignored. As more individuals are trained in evasion techniques early in their careers, expectations around what constitutes “baseline” knowledge in cybersecurity are changing. This raises the floor for defenders, but it also raises the ceiling for attackers entering the field. In effect, the industry is producing professionals who are equally capable of strengthening defenses and exploiting their weaknesses. The Reactive Cycle Facing Security Vendors At the same time, vendors face increasing pressure to respond in near real time to newly disclosed bypass techniques. This creates a reactive cycle where defensive updates follow public research and training content, rather than getting ahead of it. While this cycle has always existed to some degree, the speed and visibility of modern information sharing have accelerated it dramatically. The result is a more dynamic but also more volatile defensive landscape. Adapting to an Expected Reality Ultimately, the question is not whether bypass techniques will continue to evolve, but how organizations choose to adapt. Treating evasion as an anomaly is no longer viable. It must be treated as an expected condition within any environment. Organizations that embrace this reality and build for it will be better positioned to manage risk, while those that rely too heavily on prevention alone will find themselves increasingly exposed.

KEY STATISTICS <2.5%MOVEit victims who paid ransom~25%Accellion victims who paid (2021)~0%Paid in Cleo & Oracle EBS breaches For a few years, ransomware groups seemed to have found a smarter play: steal data, skip the encryption, and watch the ransom payments roll in. It worked brilliantly — until it didn’t. Now, with extortion-only economics in freefall, threat actors are returning to the double-threat model that made them so feared in the first place. How the Shift Happened The data-exfiltration-only playbook was popularized by Cl0p, a group that turned zero-day exploitation into an assembly line. The formula was elegant in its simplicity: find a critical vulnerability in a widely-used enterprise file transfer or storage product, exploit it at scale before anyone could patch, siphon data from as many victims as possible, and demand silence money. In 2021, this approach paid off spectacularly. During the Accellion campaign, Cl0p breached dozens of organizations and roughly a quarter of them paid up. The group repeated the trick with GoAnywhere MFT, where about one in five victims settled. These weren’t small scores — the group likely cleared tens of millions of dollars without ever deploying a single encryption payload. Other groups took notice. Why bother with the complexity of encryption, the risk of detection during file-locking operations, and the messy negotiation over decryption keys? Just steal the data and threaten to publish it. “The bullet points on the ‘pro’ side of the white board are getting increasingly scarce, while the cons side is getting crowded.”— Coveware, Q4 2025 Ransomware Trends Report When the Money Dried Up The MOVEit campaign — Cl0p’s largest and most audacious operation — was also the beginning of the end for the extortion-only model. The attack hit hundreds of organizations across government, finance, and healthcare. But when the ransom demands came, victims largely refused to pay. Less than 2.5% complied. In the subsequent Cleo and Oracle E-Business Suite campaigns, the rate collapsed further — approaching zero. The reason isn’t hard to understand. Enterprises have grown more sophisticated in assessing what a ransom payment actually buys. When encryption is involved, paying at least restores access to locked systems. But paying to suppress leaked data offers no such guarantee. The attackers retain the data regardless. They might sell it, recycle it in future attacks, or simply fail to honor any agreement — and there’s no enforcement mechanism for victims to lean on. The Shiny Hunters extortion group experienced the same rude awakening, according to Coveware, after attempting to replicate Cl0p’s approach. The math simply stopped working. Most Active Groups in Q4 2025 Akira~14% of activityQilin~13% of activityLone Wolf~12% of activity Who’s Getting Hit Ransomware attacks in Q4 2025 were not evenly distributed. Professional services firms bore the heaviest load at nearly 19% of all attacks. Healthcare came in second at over 15%, a perennial target due to its operational urgency and often strained security budgets. Technology, software, and consumer services rounded out the most targeted sectors. SECTORSHARE OF ATTACKS%Professional Services■■■■■■■■■18.92%Healthcare■■■■■■■■15.32%Consumer Services■■■■■9.01%Technology Hardware■■■■■9.91%Software Services■■■■7.21% What the Pivot Back Means for Defenders The return to encryption-plus-exfiltration attacks is, in a sense, good news: organizations now have more warning indicators to look for. Encrypting files across a network is a noisy operation. Good endpoint detection and response (EDR) solutions, behavioral analytics, and network monitoring give defenders a fighting chance to catch attackers mid-operation. But the combined threat model is also more consequential when it succeeds. Organizations must now contend simultaneously with system outages — creating immediate pressure to pay — and with the ongoing risk that stolen data surfaces on dark web leak sites regardless of whether a ransom is paid. That dual leverage was always ransomware’s most potent weapon, and it’s back. Coveware’s analysis offers a pointed observation: every refused ransom payment chips away at the economics that sustain these operations. Improved prevention, tighter incident response, and the maturity to resist extortion collectively make ransomware less profitable — and less frequent. KEY TAKEAWAYS FOR SECURITY TEAMS Extortion-only attacks are yielding diminishing returns — expect more groups to reintroduce encryption for additional leverage.Paying ransom to suppress data release offers no reliable guarantee; enterprises are right to weigh this carefully.Professional services and healthcare remain the top ransomware targets by volume in Q4 2025.Behavioral detection and EDR are more critical than ever as encryption-based attacks return to prominence.Disciplined incident response — including the decision whether to pay — directly erodes attacker economics across the ecosystem. The takeaway isn’t that ransomware is getting easier to deal with. It’s that the cat-and-mouse dynamic is accelerating. Defenders adapted to double extortion; attackers countered with data-only theft; now they’re reverting as that tactic loses teeth. Understanding this cycle — and staying a step ahead — is the work of modern security operations. Adapted from SecurityWeek / Coveware Q4 2025 Ransomware Trends Report — March 2026

Cloud ransomware incidents rarely begin with visible disruption. More often, they unfold quietly, long before an alert is triggered or a system fails. By the time incident response teams are engaged, organizations have usually already taken decisive action. Workloads are isolated. Instances are terminated. Cloud dashboards show unusual activity. Executives, legal counsel, and communications teams are already involved. And very quickly, one question dominates every discussion. What can we restore that we actually trust? That question exposes a critical gap in many cloud-native resilience strategies. Most organizations have backups. Many have immutable storage, cross-region replication, and locked vaults. These controls are aligned with cloud provider best practices and availability frameworks. Yet during ransomware recovery, those same organizations often cannot confidently determine which recovery point is clean. Cloud doesn’t remove ransomware risk — it relocates it This is not a failure of effort. It is a consequence of how cloud architectures shift risk. Cloud-native environments have dramatically improved the security posture of compute. Infrastructure is ephemeral. Servers are no longer repaired; they are replaced. Containers and instances are designed to be disposable. From a defensive standpoint, this reduces persistence at the infrastructure layer and limits traditional malware dwell time. However, cloud migration does not remove ransomware risk. It relocates it. Persistent storage remains long-lived, highly automated, and deeply trusted. Object stores, block snapshots, backups, and replicas are designed to survive everything else. Modern ransomware campaigns increasingly target this persistence layer, not the compute that accesses it. Attackers don’t need malware — they need credentials Industry investigations consistently support this pattern. Mandiant, Verizon DBIR, and other threat intelligence sources report that credential compromise and identity abuse are now among the most common initial access vectors in cloud incidents. Once attackers obtain valid credentials, they can operate entirely through native cloud APIs, often without deploying custom malware or triggering endpoint-based detections. From an operational standpoint, these actions appear legitimate. Data is written, versions are created, snapshots are taken, and replication occurs as designed. The cloud platform faithfully records and preserves state, regardless of whether that state is healthy or compromised. This is where many organizations encounter an uncomfortable reality during incident response. Immutability is not integrity Immutability ensures that data cannot be deleted or altered after it is written. It does not validate whether the data was already encrypted, corrupted, or poisoned at the time it was captured. Cloud-native durability and availability controls were never designed to answer the question incident responders care about most: whether stored data can be trusted for recovery. In ransomware cases, incident response teams repeatedly observe the same failure mode. Attackers encrypt or corrupt production data, often gradually, using authorized access. Automated backup systems snapshot that corrupted state. Replication propagates it to secondary regions. Vault locks seal it permanently. The organization has not lost its backups. It has preserved the compromised data exactly as designed. Backup isolation alone is not enough This dynamic is particularly dangerous in cloud environments because it can occur without malware, without infrastructure compromise, and without violating immutability controls. CISA and NIST have both explicitly warned that backup isolation and retention alone are insufficient if integrity is not verified. Availability testing does not guarantee recoverability. Replication can accelerate the blast radius Replication further amplifies the impact. Cross-region architectures prioritize recovery point objectives and automation speed. When data changes in a primary region, those changes are immediately propagated to disaster recovery environments. If the change is ransomware-induced corruption, replication accelerates the blast radius rather than containing it. From the incident response perspective, this creates a critical bottleneck that is often misunderstood. The hardest part of recovery is deciding what to restore The hardest part of recovery is not rebuilding infrastructure. Cloud platforms make redeployment fast and repeatable. Entire environments can be recreated in hours. The hardest part is deciding what to restore. Without integrity validation, teams are forced into manual forensic processes under extreme pressure. Snapshots are mounted one by one. Logs are reviewed. Timelines are debated. Restore attempts become experiments. Every decision carries risk, and every delay compounds business impact. This is why ransomware recovery frequently takes days or weeks even when backups exist. Boards don’t ask “Do we have backups?” Boards do not ask whether backups are available. They ask which recovery point is the last known clean state. Without objective integrity assurance, that question cannot be answered deterministically. This uncertainty is not incidental. It is central to how modern ransomware creates leverage. Attackers understand that corrupting trust in recovery systems can be as effective as destroying systems outright. What incident response teams wish you had is certainty What incident response teams consistently wish organizations had before an incident is not more backups, but more certainty. The ability to prove, not assume, that recovery data is clean. Evidence that restoration decisions are based on validated integrity rather than best guesses made under pressure. Integrity assurance is the missing control This is where integrity assurance becomes the missing control in many cloud strategies. NIST CSF explicitly calls for verification of backup integrity as part of the Recover function. Yet most cloud-native architectures stop at durability and immutability. When integrity validation is in place, recovery changes fundamentally. Organizations can identify the last known clean recovery point ahead of time. Recovery decisions become faster, safer, and defensible. Executive and regulatory confidence improves because actions are supported by evidence. From an incident response standpoint, the difference is stark. One scenario is prolonged uncertainty and escalating risk. The other is controlled, confident recovery. Resilience is proving trust, not storing data Cloud-native architecture is powerful, but ransomware has adapted to it. In today’s threat landscape, resilience is no longer defined by whether data exists somewhere in the cloud. It is defined by whether an organization can prove that the data it restores is trustworthy. That is what incident response teams see after cloud ransomware. Not missing backups, but missing certainty. Certainty is the foundation of recovery And in modern cloud environments, certainty is the foundation of recovery.