And your backup strategy won't save you
On January 14, 2026, Resilience launched its inaugural Risk Briefing Series with a clear message for CISOs: the cyber extortion playbook has been rewritten, and organizations relying on traditional defenses are dangerously exposed.
In the first session of this monthly intelligence series, Jud Dressler, Director of Resilience’s Risk Operations Center and retired U.S. Air Force Colonel, joined forces with Andrew Bayers, Director of Threat Intelligence, to examine what’s actually driving cyber losses in 2025—and what security leaders need to prioritize now. Their insights, drawn from Resilience’s proprietary claims data and real-world threat intelligence, revealed a striking evolution in how threat actors operate and what that means for defenders.
The shift from encryption to data theft
The numbers tell a compelling story. Throughout 2025, only 13% of Resilience’s cyber extortion claims involved encryption alone. Meanwhile, 57.6% of attacks focused solely on stealing data and threatening to release it, with another 29.4% combining both tactics. This represents a fundamental departure from the ransomware-dominated landscape of just a few years ago.
“Backups become irrelevant because the leverage is now reputational, regulatory, rather than operational,” Bayers explained. As organizations have invested heavily in immutable offline backups, threat actors have simply pivoted their strategy. Why lock systems when you can threaten to expose sensitive client data, trigger regulatory fines, or spark class action lawsuits?
This shift demands an equally fundamental change in defensive strategy: from recovery-focused controls like backups to prevention-focused measures like identity management and data containment.
The evolving threat landscape
The threat actor ecosystem itself has transformed dramatically. Following aggressive law enforcement actions against legacy groups like LockBit, the landscape fragmented and reformed with new players emerging to fill the void. Groups like Qilin and Akira have risen to dominance, while the market for stolen credentials and initial access has exploded.
“Threat actors are smart,” Bayers noted. “They know that companies face pressure to maintain their brand, pressure from regulatory agencies, the fear of class action lawsuits. They know that sensitive data leads to the Bitcoins and the Lambos.”
Adding to this evolution, threat actors are now leveraging large language models and AI to automate and scale reconnaissance and phishing operations. While Bayers doesn’t anticipate fully autonomous cyber extortion attacks in 2026, the technology is making attackers faster and more efficient.
The pay or don’t pay dilemma
One of the session’s most pointed discussions centered on ransom payments. Both speakers delivered an unequivocal message: paying threat actors provides zero guarantee of data deletion and often makes organizations targets for re-attack.
Bayers pointed to the PowerSchool incident as a cautionary tale. After paying $3 million and receiving video “proof” of data deletion, the company found threat actors reaching out to individual school districts within weeks, demanding additional payments. “There is nothing more sacred than our children,” Bayers emphasized, highlighting the profound betrayal when payments fail to protect victims.
Dressler added another concerning dimension: in class action lawsuits, companies that paid ransoms have seen that decision used against them. “Why would you have paid the bad guy, the criminal, when you could have used that money to actually pay your victims?” opposing counsel has argued in court.
What security leaders should do now
The webinar concluded with clear strategic recommendations: invest in data loss prevention controls, implement zero trust or role-based access controls to reduce blast radius, and harden networks against session hijacking and SaaS token abuse. With info stealers on the rise, identity has become the new perimeter that defenders must protect.
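The session-hygiene side of these recommendations can be turned into a concrete check. What follows is an added example, not Resilience’s code or tooling and not something shown in the webinar. It runs over a handful of constructed JSON audit-log lines (the field names `session`, `ip`, `ua`, `event` and `mfa` are assumptions for illustration, not any vendor’s schema) and does three things: it flags a session ID that is presented from a different IP and user agent than the one that performed the login, which is what a replayed stolen cookie looks like; it lists every session to revoke for accounts that turned up in a stealer log, so they can be killed before the password reset; and it lists logins and API-token creations that were not backed by MFA.

```python
"""Session-token reuse and stealer-exposure triage over constructed SaaS audit logs.
Added example; the log format and field names below are assumptions, not a real product's schema."""
from collections import defaultdict
from datetime import datetime
import json

# Constructed sample log lines (one JSON object per line). Not real data.
SAMPLE_LOG = """\
{"ts":"2026-01-10T08:02:11Z","user":"alice","session":"s-7f3a","ip":"203.0.113.10","ua":"Chrome/121 Windows","event":"login","mfa":true}
{"ts":"2026-01-10T08:15:40Z","user":"alice","session":"s-7f3a","ip":"203.0.113.10","ua":"Chrome/121 Windows","event":"file.download"}
{"ts":"2026-01-10T09:03:02Z","user":"alice","session":"s-7f3a","ip":"198.51.100.77","ua":"Chrome/120 Linux","event":"file.download"}
{"ts":"2026-01-10T09:04:30Z","user":"alice","session":"s-7f3a","ip":"198.51.100.77","ua":"Chrome/120 Linux","event":"share.create"}
{"ts":"2026-01-10T10:00:00Z","user":"bob","session":"s-c201","ip":"203.0.113.22","ua":"Firefox/122 macOS","event":"login","mfa":true}
{"ts":"2026-01-10T10:20:00Z","user":"bob","session":"s-c201","ip":"203.0.113.22","ua":"Firefox/122 macOS","event":"file.view"}
{"ts":"2026-01-10T11:00:00Z","user":"carol","session":"s-9e11","ip":"203.0.113.30","ua":"Chrome/121 Windows","event":"api.token.create","mfa":false}
"""


def parse_log(text):
    """Parse newline-delimited JSON into event dicts, with 'ts' as a datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_session_reuse(events):
    """Return {session_id: [suspicious events]} for sessions whose cookie is used
    from an (ip, user-agent) pair different from the one bound at login, with no
    new login in between. A legitimate client does not change both at once
    mid-session; a replayed stolen cookie does."""
    origin = {}                      # session -> (ip, ua) observed at login
    findings = defaultdict(list)
    for ev in events:
        sid = ev["session"]
        fingerprint = (ev["ip"], ev["ua"])
        if ev["event"] == "login":
            origin[sid] = fingerprint   # (re)bind the session to the login device
            continue
        if sid in origin and origin[sid] != fingerprint:
            findings[sid].append({
                "user": ev["user"],
                "ts": ev["ts"].isoformat(),
                "ip": ev["ip"],
                "ua": ev["ua"],
                "event": ev["event"],
            })
    return dict(findings)


def sessions_to_revoke(events, exposed_users):
    """For accounts whose credentials appeared in a stealer log, list every session
    ID seen for them. These are revoked before the password reset: if the attacker
    still holds a live session, a reset alone lets them watch the new password land."""
    by_user = defaultdict(set)
    for ev in events:
        if ev["user"] in exposed_users:
            by_user[ev["user"]].add(ev["session"])
    return {user: sorted(sids) for user, sids in by_user.items()}


def logins_without_mfa(events):
    """Logins and API-token creations that were not MFA-backed: the cheapest
    re-entry path once a password has leaked."""
    return [
        (ev["user"], ev["event"])
        for ev in events
        if ev["event"] in ("login", "api.token.create") and not ev.get("mfa", False)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(json.dumps(find_session_reuse(evs), indent=2))
    # 'alice' and 'carol' stand in for accounts found in a stealer dump (constructed).
    print(sessions_to_revoke(evs, {"alice", "carol"}))
    print(logins_without_mfa(evs))
```

On the sample data the check reports session `s-7f3a` (alice) being used from a second IP and user agent after login, returns the sessions to revoke for the two exposed accounts, and lists carol’s non-MFA token creation. In production the (ip, ua) fingerprint is coarse: mobile clients and corporate proxies change IPs, so a real detector would compare ASN or geolocation and weight by the sensitivity of the event (downloads and share creation, as here) rather than alerting on every change.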
As Dressler noted, these insights reflect Resilience’s “defending forward” philosophy—borrowed from U.S. Cyber Command—which emphasizes proactive disruption, rapid intelligence sharing, and imposing costs on adversaries before they strike.
Watch the full webinar and find the transcript below.
Webinar Transcript
Si West: Excellent, thanks. Well, let’s kick it off. Hello, my name’s Si West, Director of Customer Engagement at Resilience. Thank you for joining us today. I see there are a few familiar faces on the call and some new ones, so it’s great to have you all here for our Resilience Risk Briefing. This is the first of a new series that we’re going to be running monthly to keep our senior security professionals ahead of what’s going on in the world of cyber risk.
So, guess what? Something you may not know: insurance may just be the place that you never thought to look for the data you need to make better business decisions on managing cyber risk. While everyone else is focused on activity, stuck in the weeds of controls, we’re focused on business impact.
And we all know, being a CISO today, a senior security practitioner, it can be a tough job. You’re trying to explain the technical nuance to the board, and they only speak one language: money, finance. You’re asking for a budget to stop invisible threats. They’re asking for value at risk and return on investment.
That friction is where security programs die. We created this series to arm you with something better than fear: real-world data insights. Today, we’re opening up our books and our dashboards. We’re going to walk you through where real money is lost, and what you can do to protect your company, and also, most importantly, your professional reputation.
We’re not here to nod at each other and be so agreeable. That would be very boring. We’re here for critical discussion, healthy friction. Expect over the series that there’s going to be some confrontation—not too much, no fisticuffs—but expect it to be constructive. At the end of the day, if our theories can’t survive debate in this room, they’re certainly not going to survive in your network out in the wild. So we’re here to pressure test our data. We’ve got together today a very specific mix of people: our very own Risk Operations Center lead, former Cyber Command Air Force Academy faculty for cybersecurity, retired Colonel Judd Dressler, and our Head of Threat Intelligence, Andrew Bayers. They’re going to talk us through some interesting insights into extortion trends, and we’re going to see where some of the big shifts happened as well.
A bit of housekeeping before we kick off. We really do encourage interaction. I’m going to take my camera off, I’m going to be involved in the chatroom, so please do get involved. Don’t feel hesitant to ask any questions. We’ll take all of your questions, and we’re going to try to incorporate them through the live discussion. We do ask a couple of things: first of all, keep it professional, and keep it on topic.
If there are questions that you’d like to be addressed in future briefings, please do drop them in the chat as well. If we’re unable to answer them today, we’ll certainly take them offline, and we’ll make sure that we follow up with you and give you our best response. So, here we are. Let’s get into today’s data story. Judd, over to you.
Judd Dressler: All right, thank you for the intro. As Si just said, I joined Resilience this past summer after more than 20 years in the United States Air Force, holding multiple positions in the research and operational fronts for the Department of Defense’s cyber activities. As I retired, I really decided to head up the ROC here at Resilience because one of its founding principles is the idea of defending forward.
This is one of the principles that worked incredibly well within Cyber Command, and we really brought it within the ROC to continue to push that idea forward. Some of those key principles are proactive disruption. We don’t just want to wait for attacks to happen; we don’t want to sit back and just take that defensive stance. We want to work together and disrupt the adversary’s capabilities before they strike.
We want to make sure to bring intelligence to bear, and make sure that intelligence cycle leads to action and leads there quickly. So we want to collect data on adversary tactics, techniques, procedures, better understand and counter threats, and then spread that information throughout our portfolio and the greater community.
But we want to make sure we work together—that collaboration piece. Sharing intel. If one company gets hit—it’s going to happen, we know we can’t stop everything—if one company gets hit, we want to make sure we learn, and learn as quickly as possible so that we can then develop those countermeasures and essentially inoculate the rest of the herd. Make it tougher for the bad guys. And that leads to the last idea, which is deterrence.
We want to impose costs on the adversaries. We want to make sure it’s harder. Hit them higher up on that pyramid of pain that we talk about on the cybersecurity side. Make the attackers’ costs of doing business so great that they want to stop—it’s not worth their time and effort.
So this mindset, that idea of defending forward, is really what we bring to our clients every day. And one of the reasons for this webinar today is we want to make sure we arm you with the latest adversary trends, the knowledge in those proactive controls heading into 2026.
These insights come from real-time threat intelligence, from inside-out security data from our clients, and our proprietary real-world claims and loss data from our insurance portfolio.
Before we get into the meat of our conversation, I wanted to poll our audience about what they might do in a situation like one of the ones that we might be talking through. So I’m going to put a poll into the event here, and we’d like you to respond anonymously as to what you may or may not do, or what you’re more likely to do, in that situation.
So real quickly: You’re the CFO of a billion-dollar professional services firm with a very high-profile client list, and you receive a message from a threat actor claiming they’ve gotten into your network. They’ve got your full client list and all the records that are associated with them, and they’re going to put them out there on the dark web for sale, ruining trust and privacy within those sensitive clients.
They have a demand: $3 million. And with that, if you pay it, they promise to delete your data, and they’ll even show you a video of it. They’ve given you 48 hours to respond before they either publish the data, or they promise to go to your clients and start telling your clients they have their data and potentially asking them to pay to suppress their portion of that data.
So with the help of your incident response and insurance panel, you’ve confirmed they have the data that they say they have. And now it’s up to you. What do you do?
Please respond to that, and we’ll work our way through some of the key highlights and trends from that side of the world. And to do that, I’d like to invite Andrew Bayers, our Director of Threat Intelligence, to join us now.
Andrew and the team of threat intelligence analysts actively monitor the most pivotal threat trends from our cyber risk portfolio. If you’re a client of Resilience and you receive one of our team’s critical findings, those findings are a result of Andrew’s team’s analysis. We make sure we don’t bombard you with alerts and findings. We only alert our clients when we’re aware of a critical issue that’s resident on their network, that is being actively exploited or has a proof of concept exploit, and most crucially, there are actual actions we can provide them that they can accomplish to actually reduce that risk. So we want to help our clients control their losses. We’re not looking to just hit them with alert after alert and waste their time.
So again, this month, we’ve invited Andrew here to talk about what he and his cyber threat intelligence team are seeing in extortion trends—really the most costly source of losses. We’ve seen some critical shifts in the cyber threat landscape, particularly in the traditional idea of ransomware, attacker tactics and techniques, and what controls we now need to pay attention to a little bit more in order to reduce that likelihood and the severity of those types of attacks.
So let’s start by ensuring we all understand this new environment, kind of set a baseline. Andrew, how would you define and distinguish between the specific threat of ransomware and the broader concept of cyber extortion, and what are some of those key tactics used within a cyber extortion event?
Andrew Bayers: Absolutely. Thank you guys for having me, and thank everyone who’s joined today. I appreciate it.
I do think, as we’ve seen this shift in the landscape, it is important, just from a terminology perspective, that we understand—provide some clarity here on—words matter. So when I use the term ransomware, we use the term ransomware, we’re specifically referring to malicious software, so malware, that threat actors deploy to achieve a ransom payment. Whereas cyber extortion includes all of the tactics that threat actors use to achieve a payment. Examples of ransomware are like encryptors, lockers, and there are others that exist, but when it comes to cyber extortion, that’s a broader category that encompasses all of the events where a threat actor threatens a victim to increase the pressure to achieve a payment.
So the most common tactics—there are many tactics that threat actors have used since we really started analyzing ransomware back in the late teens, early 2020s. The most common are, previously, the deployment of that ransomware malware. There’s also data theft, psychological warfare—so harassing, threatening, public shaming, swatting, stock market manipulation, false whistleblower claims—denial of service, distributed denial of service, stuff like that.
Yeah, so when we talk about ransomware, just to recap there, that is specifically referring to malware. And so we’ll be using the term cyber extortion throughout this talk and most engagements that we have.
Judd Dressler: All right, yeah, I appreciate that—making sure we’re all on the same page. So that traditional idea of ransomware—systems are locked, message appears, crisis ensues to make sure everything gets back up and running—we’ve pretty much highlighted that year after year as the major threat that everybody needed to pay attention to. That’s the most severe attack a company could possibly face. That’s starting to shift. Can you tell us a little bit more about that shift?
Andrew Bayers: Sorry, I muted myself there. Can you guys hear me okay? Can you hear me, Judd? Yep, okay.
So yes, we did in 2025, and even the second half, really, of 2024, see this fundamental shift in the cyber extortion threat landscape. While companies have spent years and lots of money building resilience against business interruption from encryption—the poll popped up here, hang on, let me move that out of the way—threat actors are smart, right? So they have also evolved. As more companies have immutable offline backups in place, enabling them to deny paying a ransom if their systems are encrypted, threat actors have pivoted away from disruptive encryption more towards precision data theft, supply chain amplification, and also persistent re-extortion.
So threat actors are prioritizing data theft and threatening public release as their primary tactics in 2025. In this model, backups become irrelevant because the leverage is now reputational, regulatory, rather than operational.
So that requires, here—and you can see on this slide—a strategic shift as defenders in our defensive posture from recovery-focused, so backups, to more prevention-focused, so like identity and data containment.
So across—if you could click through to the next slide—this is specific to Resilience claims in 2025. You can see here there’s 13% of encryption only, where previously that would have dominated the pie chart here. And in the first half of 2025, when this really started to kick off, it was 49%, but by the end of the first half of the year, it rose to 65%.
So just to recap this: 13% of encryption only throughout 2025, so that is not data theft. That is just business interruption, locking up systems, preventing business operations. Then 57.6% of just stealing data and holding that at ransom. And then about 29.4% used both tactics in 2025 here.
So why? Data extortion provides stronger leverage over victims than encryption alone. Again, threat actors are smart, and anybody—while some of them may live in grandma’s basement—they are not dummies. They know that companies face pressure to maintain their brand, pressure from regulatory agencies, the fear of class action lawsuits, and so they know that sensitive data leads to the Bitcoins and the Lambos, right?
So attackers do not have to lock all systems or encrypt to force a payment now. They can simply threaten that public release of the stolen data, which causes the reputational damage, loss of customer trust, brand impact. There’s also the regulatory liability, fines from like GDPR, HIPAA, and data breach notification laws by state, by country.
That legal exposure is real, and so more victims are able to avoid paying ransoms because they do have resilient backups in place. I would say that those key observations from 2025 have really been the cause of the shift from encryption to data theft only as the primary tactic.
Judd Dressler: Okay, yeah, I appreciate that, Andrew. So we’ve seen this shift, and we’ve also seen the number of attacks continue to increase. That’s a pretty good trend going back multiple years—attacks continue to increase. But this year, we saw some new threat groups come in, increase capabilities. Can you talk real quick—I know we could probably go all day here—but real quick on who are some of these threat groups, and really, how has that attacker ecosystem changed, that overall threat landscape, when it comes to these extortion events?
Andrew Bayers: Yeah, I personally don’t like to sensationalize threat actors by naming them and giving them any sort of credibility, but for the purposes of this, I’ll sprinkle them in, how about that? I’ll answer the second question first. That’s okay.
So the ransomware ecosystem significantly fragmented in 2025 and then reformed. Law enforcement operations, international law enforcement intelligence agencies—their actions sort of shining the spotlight into the dark room, and the cockroaches sort of scatter, but as soon as the spotlight goes somewhere else, some of them are coming back.
So that law enforcement pressure did weaken legacy groups. We don’t see many, or observe as many, attacks, successful attacks by groups like LockBit. LockBit, a couple years ago, was 10 times as successful as the second most successful ransomware group, or sorry, cyber extortion group. Correcting myself there.
So it’s a volatile space in 2025. There has been the emergence of new groups. While a lot of the renaming that happens over time often may be the same humans behind the keyboard conducting these attacks, a lot of the law enforcement action actually triggered some turf wars between threat actors, and sort of out of that void following law enforcement action, new groups emerged and sort of dominated that billion-dollar market. Groups like Qilin, which is a cool name. It sounds Chinese. It is a Chinese word for a dragacorn—just to geek out for a second—but there is no indication that they are a PRC-backed threat actor group. They may have just chosen a cool name. And then, of course, Akira, which was the second most successful threat actor, or cyber extortion group, in 2025.
And the re-extortion piece—as some of these groups or these human beings behind the keyboard would work together to execute a cyber attack and sort of split the winnings among themselves, there was this turf war. So there were multiple attacks against the same victims by different groups that had access to the same intelligence to enable the reconnaissance and resource development capabilities that are at the early stages of the overall chain of attack.
And the tactics have evolved, right? As I mentioned earlier, focusing on data theft, psychological pressure, and automated capabilities rather than simple encryption. So it is safe to say that all cyber extortion threat actors are leveraging LLMs in some way, and some are leveraging agentic AI, just like we as defenders leverage LLMs and agentic AI.
Some threat actors are beginning to adopt LLMs to automate and scale their reconnaissance, phishing, and other early stages of the lifecycle. And that makes them faster. They have a list of targets, they can knock one out, move on to the next one in the early stages, move on to the next one, move on to the next one.
But I do want to caveat that by saying that I don’t think we will see an end-to-end cyber extortion attack or event through any type of LLMs or AI. There is still going to be a lot of human interaction. Now, we may be on that path, but I don’t think that’ll happen in 2026.
So all of those things considered, they have raised the frequency, sophistication, and overall impact of extortion events, making it one of the most persistent and financially damaging types of cybercrime. Cyber extortion dominated the Resilience claims specifically and seems to, as far as the cyber extortion tactics in 2025 globally as well.
Judd Dressler: Yeah, definitely one of the trends we saw was this decentralization, essentially rebranding that as an ecosystem where everybody’s sharing tools, techniques, things like that, has made attribution a whole lot harder.
Andrew Bayers: Looks like we have a question.
Judd Dressler: Can you jump back in, do you have a question?
Si West: Hey guys, yeah, just going to chip in here, so we have a question. If you’re a CISO, in terms of the data suppression argument, you’re a CISO, you don’t want to pay, you’re under pressure from legal or the finance team, how do you win this argument? What is it we should be communicating to these people in order to sort of get the decision we want to enable the business in a better way?
Andrew Bayers: Yeah, I know that our global head of claims and I both have very strong opinions on this topic. There is zero assurance, zero confidence that a threat actor will do what they say they will do. And 2025 has proven this.
PowerSchool is a good example. That was about a year ago now, early 2025, where PowerSchool paid a $3 million ransom payment, and they were on a video, like a Zoom, where the threat actor showed them that they dragged that sensitive data from, like a screen recording of them dragging the file into the trash. And they promoted that to—I’m sorry, PowerSchool promoted that in their messaging to their customers, that we know this data has been deleted.
Well, I think it was within two weeks, individual county schools—I mean, let’s just hold on a second, there is nothing more sacred than our children. Any parents on the call will probably agree with that. So it was only a couple weeks before the threat actor was reaching out directly to the county school systems, saying, hey, we have your data, now you will pay us a ransom payment.
I also understand the pressure that CISOs face on the regulatory side. They want to be able to—a company wants to be able to argue in a court of law that they have done everything reasonable to suppress that data, and unfortunately, paying a criminal is one of those reasons that is considered a legitimate reason. I personally think that’s preposterous. I’m not a lawyer, for the record.
But so what do they do? I think that’s the first part, is that there is zero guarantee. You are throwing money away paying threat actors.
Judd Dressler: Yeah, I’d add on to that and say, just some stats: if you paid for the decryption capability, I think it’s less than half actually get the decryption capability after paying that actually allows them to fully unlock all of their data and get back to normal.
So there’s that piece. One of the trends we’re seeing is the idea of re-attack, and one of those key markers on re-attack is if you paid. That sends a good message to the rest of the community that you’re willing to pay again. But another aspect of that is we’re actually seeing it where, hey, potentially the same data taken during that time frame is being sold to other groups and put in place where it allows them to get an easy foothold into your network again and come back 4 or 10 months later, and you’re getting hit by the same folks over and over again.
And then as far as paying the ransom goes, it is a deeply personal, high-stakes decision, I get it. You’re in the middle of something and really trying to figure out what to do, and you’re appeasing a lot of different folks on the call. The FBI definitely advises against paying. We have no guarantee, as Andrew said, that anybody’s going to do anything, and what you’re doing is you’re fueling the continued cyber extortion ecosystem. Those funds are going to be used, and the more you pay, the more they know it’s usable and they’ll get their payment.
The ability to be able to say, no, we’re not going to do that, I know it’s hard. But the other piece that I wanted to bring up—Andrew stated that one of the main things that people point to is they want to say they’ve done everything they can. So we’ve actually seen people, when it comes to litigation after the fact, where it’s a class action lawsuit, they’ll bring up, hey, we did everything we could. See, we paid that ransom. The attackers promised they wouldn’t hold the data, they’d delete it, they wouldn’t come after our clients, they wouldn’t attack us again.
We’ve actually seen it used against them, that argument used against the company, where the prosecution or essentially the other side of the house is really saying, hey, why would you have paid the attacker? Why would you have paid the bad guy, the criminal, when you could have used that money to actually pay your victims—the victims of the attack, those that lost their data—to make sure that they were safe, that their data was not going to be used against them, that there was no identity issues going on further than that?
So please keep that in mind. Again, that’s one of the major things we hear, but I want to make sure that we understand that that’s not always going to be valid. Andrew, anything else on that?
Andrew Bayers: Yeah, I think that I don’t want to mess up this name, but I saw a question from Ronald that is actually related to this. He asked, where have you noted that multiple bad actors are attacking the same entity via a similar avenue due to information sharing, or do you have a particular risk profile for these entities?
So that ties into the one other thing I wanted to just say about this: the access for sale business or market has exploded. What that is, there’s initial access brokers—humans on the keyboard who just buy and sell access to companies.
So where have we seen that? To get at the question there, we have seen that on the dark web. So companies pay a ransom, threat actor says they deleted the data. That data then shows up for sale to other threat actors, whether it is through the form of—because during the incident response process, it is likely that if they were—and not to go too far down the rabbit hole here, because I know we have a lot of different audience members on the call.
So it may not be the exact same initial access vector that is resold, but from the data, from the sensitive data that is stolen, threat actors are going through that data and leveraging that data to gain access, regain access, and then selling that access for anywhere from $60 to $200 per credential or info stealer. I hope that answers that question.
Judd Dressler: And so, Andrew, we’re talking about info stealers, and really one of the new terms that have come out over the last few months is the idea of identity as that new perimeter. How are you seeing essentially identity as the new battleground? How are attackers using this, and essentially, what do our customers do? What do our clients do, our CISOs do, about this kind of new avenue of attack?
Andrew Bayers: Absolutely. So information-stealing malware—we have a lot of content on what info stealers are. I’d be happy to share that for anybody who’s never heard the term before.
But the short version is information-stealing malware. It can be staged in a repository somewhere your developers are accessing. It can be sent through clicking on a link in a phishing email. So think about it as a very lightweight, stealthy malware, whereas encryptors or ransomware is a little more disruptive. Info stealers want to persist to collect information, intelligence that can enable threat actors to continue down the full chain of attacks.
So I think some people put info stealers in the reconnaissance phase. I would probably more put it in the resource development phase of the—just framing it with the MITRE ATT&CK model there.
But what may seem on an endpoint, so your work laptop, as sort of low severity, dismiss it as something that isn’t worth a SOC responding to—but what it’s doing is it’s stealing this information, sending this back to sort of a command and control that the threat actor has, and they’re developing these resources to continue that attack.
So what do defenders do? Well, without giving away too many sources and methods of Resilience’s ability to identify these info stealers that are present on our client networks—and again, this is internet-facing, we’re not hacking into client networks to try to find info stealers by any means—but these are things that we can determine from the internet.
So what we recommend to clients when we identify these things and send what we call a critical finding, so basically just a notification or an alert, is that with info stealers, it’s not just reset the password and everything’s okay. This needs to kick off incident response.
We also recommend reviewing session logs thoroughly before changing the exposed passwords, because threat actors will, if they persist, they’ll be able to just steal the password, the new password, on reset. And then, of course, ensuring multi-factor authentication for any remote access. Then in the world of bring your own device, the infection may be on an employee, partner, partner’s personal device, so we also recommend in those cases, you may need to bring in human resources or legal to assist with remediation.
And then, of course, you know that they’ve accessed the system, so then it’s investigation into any potential lateral movement to other enterprise resources. Yeah, those are the big ones.
Judd Dressler: Okay. So I think we have a question from the audience: Is there any particular company type that malicious actors prefer to target and retarget, or is that you find as particularly appetizing for access broker forums?
Andrew Bayers: Oh, that’s a good one. Professional services companies are great because, thinking about it through the threat actor’s perspective, if I can get access to a law firm, for example, or anything with PII, PHI, intellectual property—many businesses across many industries have that type of data, and obviously in the PHI, it’d be the healthcare industry.
I think getting a government organization may be less of an attractive target for this type of thing.
Judd Dressler: It puts a little bit of a spotlight on you.
Andrew Bayers: Right. Well, that and federal employees are not going to be suing a federal agency because they leaked their data. Any of us who were part of the OPM breach a number of years ago—
Judd Dressler: We have no recourse. It’s very much less likely to pay the ransom.
Andrew Bayers: True. So I would say, no matter the sophistication level of the threat actor, even the highest level sophistication, best resourced, advanced persistent threat group out there—so think like a nation-backed threat actor—they’re always going to go for that low-hanging fruit first.
So thinking about that through the lens of, or through the perspective of, a financially motivated threat actor, industries that are a little slower to have mature cybersecurity programs and cyber risk management programs—so think like heavy construction, manufacturing, types of industries—those are big targets for the financially motivated.
Judd Dressler: Did that answer that question okay there?
Andrew Bayers: If I left something out, please—
Judd Dressler: Oh yeah, so I know we’re coming up on time. I want to make sure we can summarize some of those strategic implications heading into 2026. So we can get that slide up there, I’d appreciate it.
All right, so with the shift in attacker methodologies, resilience via backups alone just isn’t sufficient. We’re seeing that shift from just the data encryption side to the data exfiltration, data suppression payments. Those data theft extortion events bypass backups—they bypass that control.
So what we need to make sure that we’re doing and focusing on is reducing the blast radius with either zero trust or even a role-based access control methodology in there, and implement controls that intercept those data exfiltration attempts—so your DLPs. If we can catch them before they steal your data, then they can’t extort you for that data.
So invest in those types of securities. Finally, with the exponential rise in info stealers, we need to make sure we cut off that capability. To do that, we’re hardening our networks and communications against things like session hijacking, SaaS token abuse. So make sure we’re focusing a little bit more on that side of the house as we’re seeing this trend shift in the way that attackers are going after their targets.
So with that, I’ll thank you for attending today, and I’ll turn it back over to Si.
Si West: Thank you, Judd. Thank you, Andrew. Very insightful. We’re almost at time, but we may have time for one more question, if you’re happy to take that. And it was kind of on point with the topic in terms of being in a position to not pay the ransom. It’s specific to Coinbase, so the question is: Did Coinbase’s approach of not paying the ransomware and using those funds almost as a bounty change the extortion landscape, or has it set a precedent? Or is it too soon to tell?
Andrew Bayers: I’m sorry, Si, could you repeat that question one more time?
Si West: Yeah, sure. Did Coinbase’s approach of not paying the ransomware sort of change the landscape? I believe they used those funds almost as a bounty or something, it says, I’m not sure. So yeah, did it change? By not paying, did it change the landscape? Or is it too soon to tell?
Andrew Bayers: Are you okay if I chime in, Judd?
Judd Dressler: Yeah, go for it.
Andrew Bayers: Okay. I would say that I am not deeply familiar with the Coinbase attack, simply because that is one of the sectors that Resilience currently does not write business in, as it is a little higher risk. I think it’s like adult entertainment and cannabis right now are the sectors we are not currently writing.
But not paying the ransom due to the business interruption side—I think that that has a big impact on why the threat actors shifted their focus. This is like a cat and mouse game. So as we, as defenders, enable our companies to become more resilient against the threat that’s happening today, threat actors are also recognizing that maybe simply putting a company’s name on a leak site, naming and shaming them, is not enough for them to pay. Defenders, companies are becoming more resilient.
So I think just overall, across all industries, that has caused the shift. And if Coinbase’s business was interrupted to the point where they could not operate for days, weeks, they would have paid the ransom, so I can only assume that they had offline, immutable, validated, regularly validated backup procedures in place there. But I am not deeply familiar with Coinbase.
Si West: Yeah, thank you, Andrew. And I think generally within the insurance market as well, going back to 5, 6 years ago, we’ve seen a significant decrease in the amount of extortions or ransomware extortions that have been paid, so I think it goes to show that the insurance industry really does, or is able to, influence behavioral change within organizations over time.
So we are close to time now, very close, one minute left. Let’s revisit the poll: to pay or not to pay. Let’s see if the outcome has changed. There is a huge amount of questions, which is fantastic, and we haven’t been able or had time to answer them all here today. All of these questions will be reviewed and looked at, and we’ll send out the answers to everyone in a follow-up email.
We also would like to share with you, as a look forward, as I said, we have one of these on a monthly basis. Please do visit us again. The next risk briefing is going to be on bridging the boardroom, so we’re going to be talking about how do we communicate better to the boardroom? What is it we’re going to be communicating, how do we speak the same language as the board and the C-suite? There should be a link in the chat coming up any minute now, so please do feel free to log into that and register yourselves.
It’s been great to have you all here today. Big thank you to Andrew and Judd for the risk briefing, and thank you to everyone who’s joined us today, and we look forward to seeing you at the next risk briefing. Thank you very much. Bye-bye.