SANS Ransomware Summit Solutions Track 2025

When a ransomware attack strikes, every second counts. Traditional security measures are often too slow to respond effectively, leaving organizations vulnerable to devastating data loss and financial damage. However, there's a powerful source of truth that can be leveraged to stop attackers in their tracks: the network itself.

In this session, we'll explore how Network Detection and Response (NDR) technologies can provide crucial defense against ransomware threats.

We'll explore:

The role of the network in catching threat actors.

Network detection use cases.

Real-world detection engineering methods.

How to determine the blast radius of an attack.

Phishing remains the #1 delivery method for ransomware—and it’s only getting more deceptive. Despite advances in email security, SOC teams are still overwhelmed by suspicious emails that slip through gateways, evade filters, and demand precious time for manual investigation. So why do these threats continue to succeed? And how can we finally break the cycle? In this practical session, we’ll expose how modern phishing emails bypass traditional email defenses and accelerate the path to ransomware execution. You’ll learn real-world evasion tactics attackers use, see how long it takes to manually analyze a suspicious email, and walk away with actionable techniques to streamline phishing analysis in your SOC workflow.

In this session, you will learn the following:

How ransomware operators are evolving phishing techniques to bypass email security gateways using sandbox evasion, obfuscation, and delayed payload delivery.

Discover workflow shortcuts and automation opportunities to reduce phishing triage time from hours to minutes.

Get hands-on tips and tooling recommendations to improve malware sample submission, verdict generation, and IOC extraction in the face of evasive ransomware threats.

Traditional security measures continue to fall short. Post-breach detect and response is proven to fail. Discover how secure cloud browsing and preemptive, AI-driven defenses block evasive ransomware attacks before they reach the endpoint, ensuring data integrity and business continuity.

Beginning in 2023, a loosely organized group of teenagers and young adults shifted their focus from SIM swapping and fraud to multi-faceted extortion. Navigating corporate networks and working their way through the ransomware affiliate ecosystem, they highlighted a weakness in modern remote work environments: human verification. They talked their way into the networks of major corporations, innovatively exfiltrated critical data, and demonstrated that some audacious abuse of administrative credentials goes completely unnoticed.

This talk will examine the lasting impact UNC3944 had on cybercrime and what organizations can do to prepare for fast paced attacks that can reach any application or service of value.

In this talk, we will unveil a new evolving class of ransomware, “browser-native ransomware” which resides entirely in the browser and can completely bypass EDRs and anti-ransomware solutions.

In this session, you will learn the following:

-The advanced TTPs attackers are using to target a victim's identity in the browser.

-How to orchestrate a fully browser-native ransomware with no local files and processes.

-How browser-native ransomware can gain lateral movement and persistence.

-How browser-native ransomware bypasses EDRs and anti-ransomware solutions.

Ransomware continues to be one of the most dangerous and financially devastating threats facing organizations today — but it's not just data that's at risk. Ransomware campaigns are increasingly targeting identity systems like Active Directory and Entra ID, seeking to escalate privileges with a goal of complete takeover. Securing identity has become a critical pillar in a modern ransomware defense strategy. In this webinar, we’ll explore the continuous evolving threat landscape of ransomware, how these attacks unfold, and why identity compromise is often the center of large-scale breaches.

Volt Typhoon and similar campaigns are bypassing traditional EDR with advanced tactics like living-off-the-land and exploiting unmanaged network devices.

This session explores how Corelight’s Open NDR platform enhances network visibility, detects evasive behaviors, and offers actionable guidance to improve detection and defense against state-sponsored threats targeting critical infrastructure.

The ransomware landscape is dramatically shifting, with threat actors increasingly leveraging valid credentials, browser-based delivery, and Remote Monitoring Management (RMM) tools to gain initial access. Drawing from eSentire's Threat Response Unit's (TRU) latest research and threat investigations, this session will dissect the evolving tactics of modern ransomware operators and the growing sophistication of their initial access techniques.