From Identity Admins to Cloud Compromise

From Identity Admins to Cloud Compromise (PDF, 1.43MB)
Last updated: 24 Jul, 2025
Presented by:
Arda Büyükkaya
  • SANS DFIR Summit 2025

Human-operated ransomware groups have increasingly turned to cloud environments, targeting identity administrators and cloud misconfigurations to gain persistent access. The financial sector is a particular focus for these groups: it is a high-value target that relies on cloud-based identity platforms, virtual infrastructure, and SaaS applications, each of which offers an avenue for compromise. By compromising identity admins and abusing misconfigured access controls, adversaries can pivot stealthily through cloud workloads and launch domain-wide ransomware attacks. This session offers an in-depth examination of real-world ransomware attack patterns, blending cyber threat intelligence, DFIR insights, and detection methodologies, including:

• Social engineering tactics against IT service desks and identity admins for initial access

• Credential theft, session hijacking, and multi-factor authentication (MFA) bypass methods

• Cloud-native intrusions leveraging federated identity abuse, misconfigured IAM roles, and token hijacking

• Ransomware deployment targeting VMware ESXi, Microsoft Entra ID (Azure AD), AWS, and SaaS environments

• Key forensic artifacts and detection strategies for post-compromise DFIR investigations

• Proactive defense mechanisms to strengthen identity systems and cloud workloads against ransomware actors

Attendees will leave with the detection, response, and threat-hunting strategies needed to stop these high-impact ransomware threats before they escalate into full-scale breaches in the financial sector.
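The detection approach the talk outlines (service-desk social engineering, followed by session or MFA abuse, followed by privileged identity takeover), as an added example that is not from the talk or its slides: a small Python hunt that correlates a help-desk-initiated MFA reset, a subsequent sign-in from a country not previously seen for that user, and a privileged directory role activation, all inside a short window. The event schema, field names, role list and sample events are constructed for illustration; a real pipeline would first normalize Entra ID audit and sign-in logs and ticketing data into this shape.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed, simplified event schema for this example. Real telemetry (Entra ID
# audit and sign-in logs, a ticketing system's API) must be normalized into
# something like this first; the field names are illustrative, not a vendor schema.
@dataclass(frozen=True)
class Event:
    ts: datetime      # UTC timestamp
    kind: str         # "mfa_reset" | "signin" | "role_activation"
    user: str         # user principal name
    detail: dict = field(default_factory=dict)

# Directory roles whose activation shortly after an identity reset warrants an alert.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}

def hunt_helpdesk_to_admin(events, window_minutes=120):
    """Correlate, per user: help-desk MFA reset -> sign-in from a country not
    previously seen for that user -> privileged role activation, all within
    `window_minutes` of the reset. Returns one alert dict per matching chain."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    for user, evs in by_user.items():
        for reset in evs:
            if reset.kind != "mfa_reset" or reset.detail.get("actor_type") != "helpdesk":
                continue
            deadline = reset.ts + window
            signins = [e for e in evs if e.kind == "signin"
                       and reset.ts < e.ts <= deadline and e.detail.get("new_country")]
            for s in signins:
                acts = [e for e in evs if e.kind == "role_activation"
                        and s.ts < e.ts <= deadline
                        and e.detail.get("role") in PRIVILEGED_ROLES]
                if acts:
                    alerts.append({
                        "user": user,
                        "reset_ticket": reset.detail.get("ticket"),
                        "signin_country": s.detail.get("country"),
                        "role": acts[0].detail["role"],
                        "minutes_reset_to_role": (acts[0].ts - reset.ts).total_seconds() / 60,
                    })
                    break  # one alert per reset is enough
    return alerts

def _t(hhmm):
    """Build a UTC timestamp on a fixed day from 'HH:MM' (sample data only)."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2025, 7, 24, h, m, tzinfo=timezone.utc)

# Constructed sample telemetry; not data from any real incident.
SAMPLE_EVENTS = [
    # alice: help desk resets MFA, sign-in from an unfamiliar country with a
    # newly enrolled authenticator, then Global Administrator activated -> alert.
    Event(_t("09:02"), "mfa_reset", "alice@example.com",
          {"actor_type": "helpdesk", "ticket": "SD-1042"}),
    Event(_t("09:15"), "signin", "alice@example.com",
          {"country": "NL", "new_country": True, "mfa_method": "Authenticator (new)"}),
    Event(_t("09:40"), "role_activation", "alice@example.com",
          {"role": "Global Administrator"}),
    # bob: legitimate reset, signs in from his usual country, no role change.
    Event(_t("10:00"), "mfa_reset", "bob@example.com",
          {"actor_type": "helpdesk", "ticket": "SD-1043"}),
    Event(_t("10:20"), "signin", "bob@example.com",
          {"country": "US", "new_country": False}),
    # carol: routine privileged role activation with no preceding reset.
    Event(_t("11:00"), "role_activation", "carol@example.com",
          {"role": "Global Administrator"}),
    # erin: help-desk reset, but the new-country sign-in and activation happen
    # well outside the correlation window -> no alert at the default window.
    Event(_t("13:00"), "mfa_reset", "erin@example.com",
          {"actor_type": "helpdesk", "ticket": "SD-1050"}),
    Event(_t("16:00"), "signin", "erin@example.com",
          {"country": "BR", "new_country": True}),
    Event(_t("16:10"), "role_activation", "erin@example.com",
          {"role": "Global Administrator"}),
]

if __name__ == "__main__":
    for alert in hunt_helpdesk_to_admin(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately keys on the help-desk actor type rather than on any MFA reset, because that is the social-engineering path the talk describes; tuning the window and the privileged role set to the tenant's own PIM activation patterns is what turns this from a hunt query into a detection with an acceptable false-positive rate.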