Full Agenda | 10:00am - 3:20 pm ET
Timeline (ET) | Session Details |
---|---|
10:00am-10:10am | Event Kickoff & Introduction Matt Bromiley, Event Chair, SANS Certified Instructor |
10:10am-10:45am | Mitigate the Blast Radius: Detecting Ransomware with NDR When a ransomware attack strikes, every second counts. Traditional security measures are often too slow to respond effectively, leaving organizations vulnerable to devastating data loss and financial damage. However, there's a powerful source of truth that can be leveraged to stop attackers in their tracks: the network itself. In this session, we'll explore how Network Detection and Response (NDR) technologies can provide crucial defense against ransomware threats. We'll explore:
Jamie Moles, Senior Manager, Technical Marketing, Extrahop |
10:45am-11:20am | The Ransomware Trapdoor: How Phishing Emails Still Slip Past Defenses in 2025 Phishing remains the #1 delivery method for ransomware—and it’s only getting more deceptive. Despite advances in email security, SOC teams are still overwhelmed by suspicious emails that slip through gateways, evade filters, and demand precious time for manual investigation. So why do these threats continue to succeed? And how can we finally break the cycle? In this practical session, we’ll expose how modern phishing emails bypass traditional email defenses and accelerate the path to ransomware execution. You’ll learn real-world evasion tactics attackers use, see how long it takes to manually analyze a suspicious email, and walk away with actionable techniques to streamline phishing analysis in your SOC workflow. In this session, you will learn the following: • How ransomware operators are evolving phishing techniques to bypass email security gateways using sandbox evasion, obfuscation, and delayed payload delivery. • Discover workflow shortcuts and automation opportunities to reduce phishing triage time from hours to minutes. • Get hands-on tips and tooling recommendations to improve malware sample submission, verdict generation, and IOC extraction in the face of evasive ransomware threats. Andrey Voitenko, Senior Product Manager, VMRay |
11:20am-11:55am | Fighting Ransomware with AI: Preemptive Cyber Defenses for the Modern Threat Landscape Traditional security measures continue to fall short. Post-breach detect and response is proven to fail. Discover how secure cloud browsing and preemptive, AI-driven defenses block evasive ransomware attacks before they reach the endpoint, ensuring data integrity and business continuity. Neko Papez, Sr. Manager of Cybersecurity Strategy, Menlo Security Amelia Squires, Threat Intelligence Analyst, Menlo Security |
11:55am-12:10pm | Break |
12:10pm-12:45pm | The Kids Aren’t Alright: How UNC3944 Redefined Ransomware and Extortion Beginning in 2023, a loosely organized group of teenagers and young adults shifted their focus from SIM swapping and fraud to multi-faceted extortion. Navigating corporate networks and working their way through the ransomware affiliate ecosystem, they highlighted a weakness in modern remote work environments: human verification. They talked their way into the networks of major corporations, innovatively exfiltrated critical data, and demonstrated that some audacious abuse of administrative credentials goes completely unnoticed. This talk will examine the lasting impact UNC3944 had on cybercrime and what organizations can do to prepare for fast paced attacks that can reach any application or service of value. Josh Madeley, Incident Response Regional Lead, Mandiant, Part of Google Cloud |
12:45pm-1:20pm | Browser-Native Ransomware in a Cloud-First World In this talk, we will unveil a new evolving class of ransomware, “browser-native ransomware” which resides entirely in the browser and can completely bypass EDRs and anti-ransomware solutions. In this session, you will learn the following: -The advanced TTPs attackers are using to target a victim's identity in the browser. -How to orchestrate a fully browser-native ransomware with no local files and processes. -How browser-native ransomware can gain lateral movement and persistence. -How browser-native ransomware bypasses EDRs and anti-ransomware solutions. Vivek Ramachandran, CEO and Founder, SquareX |
1:20pm-1:30pm | Break |
1:30pm-2:05pm | "Dear Identity": A Ransom Note and Deep Dive into Ransomware Attacks and Proactive Identity Security Ransomware continues to be one of the most dangerous and financially devastating threats facing organizations today — but it's not just data that's at risk. Ransomware campaigns are increasingly targeting identity systems like Active Directory and Entra ID, seeking to escalate privileges with a goal of complete takeover. Securing identity has become a critical pillar in a modern ransomware defense strategy. In this webinar, we’ll explore the continuous evolving threat landscape of ransomware, how these attacks unfold, and why identity compromise is often the center of large-scale breaches. We'll break down the typical ransomware attack chain, highlighting how attackers leverage stolen credentials and Active Directory weaknesses to succeed. We’ll discuss major ransomware incidents, including wannacry, Revil, and lockbit with real-world examples of the severe impact identity-focused ransomware can cause. We’ll also profile notable threat groups and their tactics to give you actionable insights into how ransomware operations work today compared to just a few years ago. We will finish the session with a live 15-minute demonstration of Netwrix Threat Prevention, showcasing how it can detect ransomware behavior early, identify anomalous activities linked to identity compromise, and automatically take action to contain and stop an attack before it spreads. We will also touch on the importance of internal assessments to understand what vulnerabilities potentially lie in your environment. Security practitioners, junior or senior will all walk away from this sessions with essential strategies to strengthen your defenses, focusing on identity protection as a core component of ransomware resilience. Darryl Baker, Solutions Architect, Netwrix |
2:05pm-2:40pm | It’s Typhoon Season: What You Can Do to Address Attacks That Evade EDR Volt Typhoon and similar campaigns are bypassing traditional EDR with advanced tactics like living-off-the-land and exploiting unmanaged network devices. This session explores how Corelight’s Open NDR platform enhances network visibility, detects evasive behaviors, and offers actionable guidance to improve detection and defense against state-sponsored threats targeting critical infrastructure. Vincent Stoffer, Field Chief Technology Officer, Corelight |
2:40pm-3:15pm | Evolution of Initial Access: How Threat Actors Are Rewriting the Ransomware Playbook in 2025 The ransomware landscape is dramatically shifting, with threat actors increasingly leveraging valid credentials, browser-based delivery, and Remote Monitoring Management (RMM) tools to gain initial access. Drawing from eSentire's Threat Response Unit's (TRU) latest research and threat investigations, this session will dissect the evolving tactics of modern ransomware operators and the growing sophistication of their initial access techniques. We'll explore why browser-based delivery now accounts for 70% of malware cases and examine how organizations are experiencing unprecedented levels of credential abuse. Attendees will gain both strategic insights and tactical knowledge about: Current trends in initial access vectors and how they're evolving The transformation of the Ransomware-as-a-Service (RaaS) ecosystem Real-world examples of browser-based delivery techniques including malvertising and SEO poisoning Practical strategies for defending against valid credential abuse and browser-based threats TRU's projections for emerging threats in 2025 and recommended defensive measures. Mohammad Amr Khan, Senior Threat Researcher, eSentire |
3:15pm-3:20pm | Event Recap & Closing Remarks Matt Bromiley, Event Chair, SANS Certified Instructor |