SANS Ransomware Summit Solutions Track 2025

  • Friday, 30 May 2025 10:00AM EST (30 May 2025 14:00 UTC)
  • Speaker: Matt Bromiley
It’s 2025. Ransomware remains a persistent and evolving threat, but the landscape is changing. The tactics, targets, and technology have advanced, yet organizations continue to face devastating attacks, costly payouts, and hard lessons. Why, despite widespread awareness and publicized incidents, are so many still unprepared when the worst happens? It’s 2025 – the year we stop reacting and start proactively securing our digital future.

Join us for the Ransomware Summit Solutions Track 2025 to explore the full spectrum of ransomware dynamics. Learn how threat actors are adapting their strategies, where vulnerabilities still exist, and why the cycle of paying ransoms endures. But this summit isn’t just about understanding the problem—it’s about action. Discover how to shift from a reactive to a resilient stance by embracing advanced technologies, from AI-powered defenses to automated threat detection. Examine the critical role of human training and awareness in creating a united front against adversaries.

The time to act is now. Let’s break the cycle and declare: “Not my network, not today, and not ever.”

Why Register?
- Expert-led Sessions
- Flexible Attendance (Attend live or watch on your own time)
- On-Demand Access (Revisit sessions and download presentations at your convenience)
- Connect with Industry Leaders
- Build Your Professional Network
- Earn CPE Credits

SANS Slack:

  • Connect with our event chairs, speakers, and fellow participants on SANS Slack for real-time discussions and networking opportunities.

Full Agenda | 10:00am - 3:20 pm ET

Timeline (ET)

Session Details

10:00am-10:10am

Event Kickoff & Introduction

Matt Bromiley, Event Chair, SANS Certified Instructor

10:10am-10:45am

Mitigate the Blast Radius: Detecting Ransomware with NDR

When a ransomware attack strikes, every second counts. Traditional security measures are often too slow to respond effectively, leaving organizations vulnerable to devastating data loss and financial damage. However, there's a powerful source of truth that can be leveraged to stop attackers in their tracks: the network itself.

In this session, we'll explore how Network Detection and Response (NDR) technologies can provide crucial defense against ransomware threats.

We'll explore:

  • The role of the network in catching threat actors.
  • Network detection use cases.
  • Real-world detection engineering methods.
  • How to determine the blast radius of an attack.

Jamie Moles, Senior Manager, Technical Marketing, ExtraHop

10:45am-11:20am

The Ransomware Trapdoor: How Phishing Emails Still Slip Past Defenses in 2025

Phishing remains the #1 delivery method for ransomware—and it’s only getting more deceptive. Despite advances in email security, SOC teams are still overwhelmed by suspicious emails that slip through gateways, evade filters, and demand precious time for manual investigation. So why do these threats continue to succeed? And how can we finally break the cycle? In this practical session, we’ll expose how modern phishing emails bypass traditional email defenses and accelerate the path to ransomware execution. You’ll learn real-world evasion tactics attackers use, see how long it takes to manually analyze a suspicious email, and walk away with actionable techniques to streamline phishing analysis in your SOC workflow.

In this session, you will learn the following:

• How ransomware operators are evolving phishing techniques to bypass email security gateways using sandbox evasion, obfuscation, and delayed payload delivery.

• Discover workflow shortcuts and automation opportunities to reduce phishing triage time from hours to minutes.

• Get hands-on tips and tooling recommendations to improve malware sample submission, verdict generation, and IOC extraction in the face of evasive ransomware threats.

Andrey Voitenko, Senior Product Manager, VMRay

11:20am-11:55am

Fighting Ransomware with AI: Preemptive Cyber Defenses for the Modern Threat Landscape

Traditional security measures continue to fall short. Post-breach detection and response is proven to fail. Discover how secure cloud browsing and preemptive, AI-driven defenses block evasive ransomware attacks before they reach the endpoint, ensuring data integrity and business continuity.

Neko Papez, Sr. Manager of Cybersecurity Strategy, Menlo Security

Amelia Squires, Threat Intelligence Analyst, Menlo Security

11:55am-12:10pm

Break

12:10pm-12:45pm

The Kids Aren’t Alright: How UNC3944 Redefined Ransomware and Extortion

Beginning in 2023, a loosely organized group of teenagers and young adults shifted their focus from SIM swapping and fraud to multi-faceted extortion. Navigating corporate networks and working their way through the ransomware affiliate ecosystem, they highlighted a weakness in modern remote work environments: human verification. They talked their way into the networks of major corporations, innovatively exfiltrated critical data, and demonstrated that some audacious abuse of administrative credentials goes completely unnoticed.

This talk will examine the lasting impact UNC3944 had on cybercrime and what organizations can do to prepare for fast-paced attacks that can reach any application or service of value.

Josh Madeley, Incident Response Regional Lead, Mandiant, Part of Google Cloud

12:45pm-1:20pm

Browser-Native Ransomware in a Cloud-First World

In this talk, we will unveil a new, evolving class of ransomware, “browser-native ransomware,” which resides entirely in the browser and can completely bypass EDRs and anti-ransomware solutions.

In this session, you will learn the following:

- The advanced TTPs attackers are using to target a victim's identity in the browser.
- How to orchestrate a fully browser-native ransomware with no local files and processes.
- How browser-native ransomware can gain lateral movement and persistence.
- How browser-native ransomware bypasses EDRs and anti-ransomware solutions.

Vivek Ramachandran, CEO and Founder, SquareX

1:20pm-1:30pm

Break

1:30pm-2:05pm

"Dear Identity": A Ransom Note and Deep Dive into Ransomware Attacks and Proactive Identity Security

Ransomware continues to be one of the most dangerous and financially devastating threats facing organizations today — but it's not just data that's at risk. Ransomware campaigns are increasingly targeting identity systems like Active Directory and Entra ID, seeking to escalate privileges with a goal of complete takeover. Securing identity has become a critical pillar in a modern ransomware defense strategy. In this webinar, we’ll explore the continuously evolving threat landscape of ransomware, how these attacks unfold, and why identity compromise is often the center of large-scale breaches.

We'll break down the typical ransomware attack chain, highlighting how attackers leverage stolen credentials and Active Directory weaknesses to succeed. We’ll discuss major ransomware incidents, including WannaCry, REvil, and LockBit, with real-world examples of the severe impact identity-focused ransomware can cause. We’ll also profile notable threat groups and their tactics to give you actionable insights into how ransomware operations work today compared to just a few years ago. We will finish the session with a live 15-minute demonstration of Netwrix Threat Prevention, showcasing how it can detect ransomware behavior early, identify anomalous activities linked to identity compromise, and automatically take action to contain and stop an attack before it spreads. We will also touch on the importance of internal assessments to understand what vulnerabilities potentially lie in your environment. Security practitioners, junior or senior, will all walk away from this session with essential strategies to strengthen their defenses, focusing on identity protection as a core component of ransomware resilience.

Darryl Baker, Solutions Architect, Netwrix

2:05pm-2:40pm

It’s Typhoon Season: What You Can Do to Address Attacks That Evade EDR

Volt Typhoon and similar campaigns are bypassing traditional EDR with advanced tactics like living-off-the-land and exploiting unmanaged network devices.

This session explores how Corelight’s Open NDR platform enhances network visibility, detects evasive behaviors, and offers actionable guidance to improve detection and defense against state-sponsored threats targeting critical infrastructure.

Vincent Stoffer, Field Chief Technology Officer, Corelight

2:40pm-3:15pm

Evolution of Initial Access: How Threat Actors Are Rewriting the Ransomware Playbook in 2025

The ransomware landscape is dramatically shifting, with threat actors increasingly leveraging valid credentials, browser-based delivery, and Remote Monitoring and Management (RMM) tools to gain initial access. Drawing from eSentire's Threat Response Unit's (TRU) latest research and threat investigations, this session will dissect the evolving tactics of modern ransomware operators and the growing sophistication of their initial access techniques.

We'll explore why browser-based delivery now accounts for 70% of malware cases and examine how organizations are experiencing unprecedented levels of credential abuse.

Attendees will gain both strategic insights and tactical knowledge about:

  • Current trends in initial access vectors and how they're evolving.
  • The transformation of the Ransomware-as-a-Service (RaaS) ecosystem.
  • Real-world examples of browser-based delivery techniques including malvertising and SEO poisoning.
  • Practical strategies for defending against valid credential abuse and browser-based threats.
  • TRU's projections for emerging threats in 2025 and recommended defensive measures.

Mohammad Amr Khan, Senior Threat Researcher, eSentire

3:15pm-3:20pm

Event Recap & Closing Remarks

Matt Bromiley, Event Chair, SANS Certified Instructor