What Incident Response Teams See After Cloud Ransomware

The Democratization of Endpoint Defense Bypass There was a time when bypassing endpoint defenses like Windows Defender was considered a niche capability, reserved for elite red teams, advanced threat actors, or highly specialized researchers. That time has passed. Today, bypass techniques are not only widely documented, they are being actively taught, operationalized, and scaled in ways that should give both security leaders and policymakers pause. How Modern Endpoint Protection Is Being Circumvented Modern endpoint protection platforms such as Microsoft Defender rely heavily on behavioral detection and interfaces like the Anti-Malware Scan Interface (AMSI) to identify malicious activity. In theory, these systems provide layered visibility into both known and unknown threats. In practice, however, attackers have adapted. Rather than attempting to defeat detection outright, many now focus on sidestepping it entirely. Techniques such as in-memory execution, obfuscation, and the abuse of legitimate system tools have become standard approaches for avoiding scrutiny. What was once considered advanced tradecraft is now widely understood and, more importantly, repeatable. From Underground Knowledge to Mainstream Curriculum The most significant shift is not purely technical, but structural. Bypass knowledge is no longer confined to underground forums or tightly controlled research communities. It is being democratized. Training platforms, professional courses, and widely accessible labs are now teaching the mechanics of evasion as part of mainstream cybersecurity education. A clear example is the LinkedIn Learning course “Defeating Windows Defender,” which walks through how Defender operates, how it detects threats, and how those mechanisms can be bypassed in practice. This reflects a broader reality: evasion is no longer treated as an edge case, but as a core competency. The Scaling Problem: When Bypass Becomes Repeatable This shift has profound implications. When bypass techniques become structured learning material, they become scalable. They can be taught, repeated, refined, and integrated into standard operating procedures. This fundamentally changes the balance between attackers and defenders. Security teams must account for an ever-expanding set of techniques, while adversaries can focus on identifying and executing a single successful bypass. The asymmetry has always existed, but the barrier to entry is now significantly lower. Studying Security Tools as Targets Equally important is the way attackers are approaching security tools themselves. Endpoint protection is no longer viewed as a black box, but as a system to be studied, tested, and ultimately manipulated. Detection logic is analyzed, blind spots are identified, and controls are treated much like software targets in their own right. This methodical approach, combined with the growing availability of training resources, is accelerating the pace at which bypass techniques evolve. Why Prevention Alone Is No Longer Enough None of this suggests that tools like Microsoft Defender are ineffective. They remain a critical component of any modern security architecture. However, it does underscore a necessary shift in mindset. Organizations can no longer assume that prevention alone will hold. They must operate under the assumption that controls can and will be bypassed, and that some level of adversary activity may go undetected for a period of time. The Shift Toward Resilience The implication is clear: resilience must extend beyond prevention. Detection, response, and containment capabilities are no longer secondary considerations, but central pillars of security strategy. Visibility across endpoints, identity systems, and networks becomes essential, as does the ability to respond quickly when something inevitably slips through. When Bypass Becomes the Norm The real concern is not that bypass techniques exist. They always have. The concern is that they are now accessible, repeatable, and teachable at scale. When bypass becomes curriculum, it stops being exceptional and becomes normal. And once that happens, the entire defensive posture must evolve accordingly. The Blurring Line Between Testing and Threat Activity A second-order effect of this shift is the normalization of adversary tradecraft within legitimate environments. Techniques that were once clear indicators of malicious behavior are increasingly indistinguishable from sanctioned testing or training activity. This creates challenges not only for detection systems, but also for governance and oversight, as organizations struggle to differentiate between benign and hostile use of the same methods. The line between offensive research and operational threat activity continues to blur. The Changing Talent Landscape There is also a growing talent dynamic that cannot be ignored. As more individuals are trained in evasion techniques early in their careers, expectations around what constitutes “baseline” knowledge in cybersecurity are changing. This raises the floor for defenders, but it also raises the ceiling for attackers entering the field. In effect, the industry is producing professionals who are equally capable of strengthening defenses and exploiting their weaknesses. The Reactive Cycle Facing Security Vendors At the same time, vendors face increasing pressure to respond in near real time to newly disclosed bypass techniques. This creates a reactive cycle where defensive updates follow public research and training content, rather than getting ahead of it. While this cycle has always existed to some degree, the speed and visibility of modern information sharing have accelerated it dramatically. The result is a more dynamic but also more volatile defensive landscape. Adapting to an Expected Reality Ultimately, the question is not whether bypass techniques will continue to evolve, but how organizations choose to adapt. Treating evasion as an anomaly is no longer viable. It must be treated as an expected condition within any environment. Organizations that embrace this reality and build for it will be better positioned to manage risk, while those that rely too heavily on prevention alone will find themselves increasingly exposed.

KEY STATISTICS <2.5%MOVEit victims who paid ransom~25%Accellion victims who paid (2021)~0%Paid in Cleo & Oracle EBS breaches For a few years, ransomware groups seemed to have found a smarter play: steal data, skip the encryption, and watch the ransom payments roll in. It worked brilliantly — until it didn’t. Now, with extortion-only economics in freefall, threat actors are returning to the double-threat model that made them so feared in the first place. How the Shift Happened The data-exfiltration-only playbook was popularized by Cl0p, a group that turned zero-day exploitation into an assembly line. The formula was elegant in its simplicity: find a critical vulnerability in a widely-used enterprise file transfer or storage product, exploit it at scale before anyone could patch, siphon data from as many victims as possible, and demand silence money. In 2021, this approach paid off spectacularly. During the Accellion campaign, Cl0p breached dozens of organizations and roughly a quarter of them paid up. The group repeated the trick with GoAnywhere MFT, where about one in five victims settled. These weren’t small scores — the group likely cleared tens of millions of dollars without ever deploying a single encryption payload. Other groups took notice. Why bother with the complexity of encryption, the risk of detection during file-locking operations, and the messy negotiation over decryption keys? Just steal the data and threaten to publish it. “The bullet points on the ‘pro’ side of the white board are getting increasingly scarce, while the cons side is getting crowded.”— Coveware, Q4 2025 Ransomware Trends Report When the Money Dried Up The MOVEit campaign — Cl0p’s largest and most audacious operation — was also the beginning of the end for the extortion-only model. The attack hit hundreds of organizations across government, finance, and healthcare. But when the ransom demands came, victims largely refused to pay. Less than 2.5% complied. In the subsequent Cleo and Oracle E-Business Suite campaigns, the rate collapsed further — approaching zero. The reason isn’t hard to understand. Enterprises have grown more sophisticated in assessing what a ransom payment actually buys. When encryption is involved, paying at least restores access to locked systems. But paying to suppress leaked data offers no such guarantee. The attackers retain the data regardless. They might sell it, recycle it in future attacks, or simply fail to honor any agreement — and there’s no enforcement mechanism for victims to lean on. The Shiny Hunters extortion group experienced the same rude awakening, according to Coveware, after attempting to replicate Cl0p’s approach. The math simply stopped working. Most Active Groups in Q4 2025 Akira~14% of activityQilin~13% of activityLone Wolf~12% of activity Who’s Getting Hit Ransomware attacks in Q4 2025 were not evenly distributed. Professional services firms bore the heaviest load at nearly 19% of all attacks. Healthcare came in second at over 15%, a perennial target due to its operational urgency and often strained security budgets. Technology, software, and consumer services rounded out the most targeted sectors. SECTORSHARE OF ATTACKS%Professional Services■■■■■■■■■18.92%Healthcare■■■■■■■■15.32%Consumer Services■■■■■9.01%Technology Hardware■■■■■9.91%Software Services■■■■7.21% What the Pivot Back Means for Defenders The return to encryption-plus-exfiltration attacks is, in a sense, good news: organizations now have more warning indicators to look for. Encrypting files across a network is a noisy operation. Good endpoint detection and response (EDR) solutions, behavioral analytics, and network monitoring give defenders a fighting chance to catch attackers mid-operation. But the combined threat model is also more consequential when it succeeds. Organizations must now contend simultaneously with system outages — creating immediate pressure to pay — and with the ongoing risk that stolen data surfaces on dark web leak sites regardless of whether a ransom is paid. That dual leverage was always ransomware’s most potent weapon, and it’s back. Coveware’s analysis offers a pointed observation: every refused ransom payment chips away at the economics that sustain these operations. Improved prevention, tighter incident response, and the maturity to resist extortion collectively make ransomware less profitable — and less frequent. KEY TAKEAWAYS FOR SECURITY TEAMS Extortion-only attacks are yielding diminishing returns — expect more groups to reintroduce encryption for additional leverage.Paying ransom to suppress data release offers no reliable guarantee; enterprises are right to weigh this carefully.Professional services and healthcare remain the top ransomware targets by volume in Q4 2025.Behavioral detection and EDR are more critical than ever as encryption-based attacks return to prominence.Disciplined incident response — including the decision whether to pay — directly erodes attacker economics across the ecosystem. The takeaway isn’t that ransomware is getting easier to deal with. It’s that the cat-and-mouse dynamic is accelerating. Defenders adapted to double extortion; attackers countered with data-only theft; now they’re reverting as that tactic loses teeth. Understanding this cycle — and staying a step ahead — is the work of modern security operations. Adapted from SecurityWeek / Coveware Q4 2025 Ransomware Trends Report — March 2026

Why Cyber Risk Spikes During Disasters and How to Build Resilience by Design Disaster recovery planning has traditionally focused on infrastructure. Systems fail, environments go offline, and IT teams restore operations as quickly as possible. But that model no longer reflects the reality organizations face today. In a recent webinar with NetApp and Elastio, Brittney Bell (NetApp), Mike Fiorella (NetApp), and Eswar Nalamuru (Elastio) explored an increasingly common pattern. When organizations experience a disruption, whether it is a natural disaster, infrastructure outage, or operational crisis, cyber risk often increases at the exact same time. Attackers understand that recovery periods create vulnerability. Systems are under pressure, teams are focused on restoration, and normal controls may be temporarily bypassed. The result is that disaster scenarios frequently become cyber incidents as well. This shift is forcing organizations to rethink how resilience is designed. Instead of treating disaster recovery and cybersecurity as separate functions, organizations are beginning to design recovery strategies that assume both types of events may occur simultaneously. When crises collide Brittney Bell described this challenge using the concept of a “polycrisis,” where multiple forms of disruption occur together rather than in isolation. Natural disasters alone can cause widespread operational impact. Infrastructure damage, power outages, and supply chain disruptions can force organizations into emergency recovery mode. But during those same moments, cyber attackers may also exploit the chaos. In fact, research shows that a large percentage of organizations affected by natural disasters also experience cyber attacks at the same time. Examples from recent history illustrate the scale of impact that disasters can have on infrastructure and digital operations: Major hurricanes that disrupted utilities and transportation infrastructure for weeksFlooding events that took critical systems offlineStorms that impacted data centers and shut down major digital services These events demonstrate why resilience cannot be limited to infrastructure recovery. Organizations must also assume that security threats will emerge when systems are already under stress. As Bell emphasized, resilience today is not just an IT concern. It is a business survival strategy. Disaster recovery and cyber recovery are not the same A key theme of the discussion was the difference between traditional disaster recovery and cyber recovery. Eswar Nalamuru explained that many organizations still approach both scenarios using the same framework. In practice, the two require very different assumptions. In a traditional disaster recovery scenario, the failure is usually clear. Systems may be offline or infrastructure may be unavailable, but organizations generally trust their backup data and recovery points. Cyber recovery introduces uncertainty. Security teams may not know whether attackers still have access to the environment, whether backups have been compromised, or which recovery point is actually safe to restore. This changes how recovery must be executed. Traditional disaster recovery prioritizes speed and service restoration. Cyber recovery requires precision. Teams must identify a clean recovery point and ensure that restoring data will not reintroduce the threat. That investigation step is what often slows recovery efforts during ransomware incidents. Without confidence in backup integrity, organizations may spend days or weeks determining which recovery point can be trusted. The three pillars of modern resilience The speakers outlined a simple framework that organizations can use to bridge the gap between disaster recovery and cyber recovery. Effective resilience strategies now require three capabilities working together. Availability Systems and data must remain accessible even during disruption. High availability architectures and geographic redundancy ensure that applications can continue operating if a primary location fails. Isolation and immutability Backup data must be protected from tampering or deletion. Features such as immutable storage and write-once policies help ensure attackers cannot alter or destroy recovery data. Integrity Organizations must be able to verify that their backups are clean and recoverable. Without validation, backups may contain encrypted or corrupted data that will fail during recovery. While many organizations already invest heavily in availability and immutability, integrity validation is often the missing layer. The storage foundation for resilient recovery Mike Fiorella discussed how many organizations are using Amazon FSx for NetApp ONTAP as a foundation for modern recovery strategies. FSx for NetApp ONTAP, often referred to as FSxN, is a managed storage service in AWS that incorporates NetApp’s ONTAP data management platform. Several capabilities make it well suited for resilient architectures. High availability deployments allow data to remain accessible even if a failure occurs within a single availability zone. Snapshot technology enables fast, space efficient point-in-time recovery of data. SnapMirror replication allows organizations to maintain synchronized copies of data in secondary AWS regions, enabling rapid failover if a primary region becomes unavailable. SnapLock adds immutability by allowing organizations to enforce write-once retention policies that prevent modification or deletion of protected data. Together, these capabilities allow organizations to create layered recovery strategies that include local snapshots, cross-region replication, and long-term protected backups. The integrity challenge in ransomware recovery Even with strong storage and backup protections in place, a critical question often remains unanswered during ransomware incidents. Is the data clean? Eswar Nalamuru explained that modern ransomware campaigns increasingly target backup infrastructure. If attackers can encrypt both production systems and backups, they remove the organization’s ability to recover independently. Attack techniques have also become far more sophisticated. Many modern ransomware variants use approaches designed to evade traditional detection tools. Examples include: Fileless attacks that operate entirely in memoryEncryption techniques that modify only portions of filesObfuscation techniques that preserve file metadataPolymorphic malware variants that continuously change signatures These techniques make it difficult for traditional security tools to detect encryption activity before damage occurs. To address this challenge, Elastio focuses on validating the integrity of backup data. Its platform scans stored data to detect ransomware encryption patterns and identify clean recovery points that organizations can safely restore. The goal is simple but critical. When a crisis occurs, recovery teams should know exactly where to recover from. Designing resilience for the real world The central lesson from the webinar is that recovery planning must evolve. Organizations can no longer assume that disasters and cyber attacks occur independently. Real world disruptions often combine both. Building resilient architectures requires integrating infrastructure availability, immutable data protection, and backup integrity validation into a single strategy. When these elements work together, organizations can recover faster and with greater confidence, even under the most challenging conditions. Join us for the “Building for the Breach” workshops To continue the conversation, Elastio, NetApp, and AWS are hosting a series of in-person workshops focused on ransomware resilience and recovery readiness. The Building for the Breach workshops explore how organizations can prepare for ransomware attacks before they occur. Each session includes: An executive discussion on modern cyber resilience strategiesA technical walkthrough of ransomware attack and recovery scenariosHands-on demonstrations of technologies that help validate recovery points and accelerate recovery Upcoming workshops are scheduled in cities including New York, Boston, Chicago, and Toronto. If you are responsible for disaster recovery, cybersecurity, or infrastructure resilience, these sessions provide an opportunity to see how modern recovery strategies work in practice and how organizations can strengthen their readiness for future disruptions. You can learn more about the workshops and upcoming dates through the Elastio events page.