Stay Ahead of Ransomware: Threat Hunting for Ransomware and Cyber Extortion

On the December 2025 episode of the SANS Stay Ahead of Ransomware livestream, we explored the critical role of threat hunting in defending against ransomware and cyber extortion attacks. Joined by special guest Sydney Maroney, co-founder of the THOR Collective and co-author of the PEAK Threat Hunting Framework, we discussed how organizations can proactively identify threats before they escalate into full-blown ransomware incidents. 

Defining Threat Hunting 

Sydney defined threat hunting as "proactively looking for threats in your environment that aren't otherwise found." This proactive approach goes beyond traditional detection methods, uncovering not just active threats but also data gaps, process improvements, and detection opportunities that strengthen overall security posture. 

The distinction between threat hunting and incident response became a key discussion point. While incident response is reactive, responding to alerts or confirmed incidents, threat hunting takes a proactive stance, searching for anomalies and potential threats before they trigger traditional security alerts. As Sydney noted, threat hunting should ideally funnel findings to incident response teams, creating a collaborative environment. 

The PEAK Threat Hunting Framework

We discussed the PEAK Threat Hunting Framework, a free, vendor-agnostic resource that provides structured approaches to threat hunting: 

• Hypothesis-Driven Hunting: Focusing on specific behaviors or MITRE ATT&CK techniques commonly used in ransomware campaigns 
• Baselining: Analyzing new data sources or assets to understand normal behavior and identify anomalies 
• Model-Assisted: Leveraging machine learning and advanced analytics for sophisticated threat detection 

The recently released Threat Hunter's Cookbook, co-authored by Sydney and Dr. Ryan Fetterman, provides practical applications of these concepts, including techniques like stacking, clustering, and statistical analysis that hunters can apply immediately. 

Real-World Ransomware Hunting Techniques

Using a recent The DFIR Report case study involving Lynx ransomware, we examined practical hunting opportunities. 

Remote Access Tools

The presence of tools like AnyDesk sparked discussion about dual-use software. Sydney emphasized that even approved tools require scrutiny: "An adversary could take control of that. They might scan your environment and see what tools you have and then leverage those tools themselves." 

Network Scanning Activities

We highlighted how threat actors commonly use tools like SoftPerfect Network Scanner (netscan.exe) for reconnaissance. Hunting strategies include: 

• Looking for execution from unusual directories (like user document folders) 
• Using regular expressions to identify suspicious naming patterns 
• Correlating network scanning with other suspicious activities 

User Account Modifications

The case showed attackers creating accounts with misspelled names and adding them to privileged groups. Effective hunts include: 

• Identifying deviations from standard naming conventions 
• Monitoring additions to Remote Desktop Users groups 
• Tracking password policy changes 

Critical Logging Requirements

A recurring theme was the importance of proper logging configuration. Sydney noted that while organizations with EDR/XDR solutions often have comprehensive process execution telemetry, many organizations still lack critical visibility, though options exist to help those without more advanced logging systems in place. Examples include: 

• Command Line Process Auditing: Often disabled by default in Windows Event Logs (Event ID 4688) 
• Sysmon: Provides free, comprehensive logging including process creation, network connections, and file modifications  

Measuring Threat Hunting Success

We addressed a common misconception about threat hunting success metrics. Sydney emphasized that success isn't solely about finding active threats: "As long as you prove or disprove your hypothesis by your investigation, then you have successfully completed the hunt." 

Valuable hunting outcomes include: 

• Knowledge documentation for future investigations 
• Detection rule recommendations and/or implementations 
• Process improvement suggestions 
• Data collection gap identification 
• Baseline establishment for normal/expected behavior 

Living Off the Land Techniques

The discussion highlighted how ransomware and cyber extortion operators increasingly use legitimate Windows tools to evade detection (see the LOLBAS project). Understanding tools like PowerShell, Bitsadmin, and PSExec, along with their legitimate versus malicious usage patterns, can prove essential for effective threat hunting. 

Learning More and Looking Forward

As ransomware and cyber extortion groups continue evolving their tactics, threat hunting provides a crucial layer of defense, identifying indicators of compromise before encryption or data exfiltration occurs. The resources shared, including the PEAK Framework and Threat Hunter's Cookbook, offer organizations practical starting points for building or enhancing their hunting capabilities. 

To learn more, we recommend watching the December 2, 2025  episode of the SANS Stay Ahead of Ransomware livestream.  

You can also review the SANS Stay Ahead of Ransomware livestream playlist on YouTube here. 

Join us next month on the first Tuesday at 1:00 PM Eastern for our next Stay Ahead of Ransomware livestream, and remember to check out our upcoming SANS training events, including FOR528: Ransomware and Cyber Extortion, where we dive into the technical details of preventing, detecting, and responding to these types of attacks.