Ransomware groups are not breaking into organizations the same way they did five years ago. The entry methods have shifted, and understanding that shift is one of the most useful things you can do to protect your organization right now.
Ryan Smith’s recent analysis, “Shifting the Front Door: How Ransomware Initial Access Has Changed,” captures this evolution well. When defenders strengthen one entry point, attackers move to the next weakest one. That pattern is worth paying attention to.
From Mass Attacks to Precision Targeting
Historically, ransomware groups relied heavily on:
- Mass phishing campaigns with millions of targets
- Exposed Remote Desktop Protocol (RDP) services
- Weak VPN credentials without multi-factor authentication (MFA)
- Unpatched internet-facing systems
These tactics are still used heavily today, but they are no longer the whole story. In his analysis, Ryan Smith highlights how attackers are increasingly:
- Purchasing stolen credentials from initial access brokers
- Wearing users down with MFA fatigue (push-bombing) attacks
- Targeting edge devices and remote access appliances (SSL VPNs, for example)
- Using AI to spear-phish every employee, from top executives to entry-level staff, with messages tailored to each recipient
This is not noise. It is strategic evolution.
Attackers are treating initial access like a supply chain. When phishing becomes less effective, they simply purchase stolen credentials instead. A locked-down RDP environment pushes them toward browser session token theft or cloud identity abuse. As perimeter defenses strengthen, they adapt again, buying access from insiders or contractors who already have it.
The front door keeps moving, and it moves fast.
What Happens After They Get In
CyberHoot has managed several incidents that reflect the patterns described below. From stealthy persistence and modernized tooling to turning informant against their own victims, attackers are finding more ways than ever to extort organizations for money. Here is a sampling of ransomware variants and their tricks.
Medusa: Evasion and Persistence
In our coverage of the Medusa campaign, attackers deployed a malicious driver to disable endpoint protection before detonating the ransomware. The access phase was not loud; it was quiet and deliberate. See: Medusa Ransomware Deploys Malicious Driver to Evade Security
The lesson: once access is obtained, attackers invest more effort in stealth, control, and data exfiltration.
Rust-Based Cicada 3301: Modern Tooling
When we covered the Rust-based Cicada 3301 ransomware strain, what stood out was the modernized tooling and cross-platform capability. See: New Rust-Based Cicada 3301 Ransomware
Ransomware operators are not hobbyists. They are run like enterprise businesses, building scalable, resilient attack platforms. Initial access feeds these platforms, and the financial payoffs are enormous.
Qilin: Operational Discipline
Our article on Qilin ransomware reinforces the point that ransomware groups are building structured operations that behave more like a business than a criminal gang. See: New Qilin Ransomware Attack
These groups understand that initial access is the highest leverage point. If they can get in quietly and maintain persistence, the rest becomes a matter of process.
When Ransomware Actors Turn Informants
In our piece on evolving ransomware tactics, we discussed how some operators now act like whistleblowers, reporting their own victims to regulators such as the SEC, or leverage stolen data for influence. See: Ransomware Hackers Turn SEC Snitches.
That shift underscores something critical: ransomware is no longer just encryption and extortion. It is data theft, pressure campaigns, regulatory leverage, and reputation attacks.
However, it all begins with initial access.
Why Initial Access Is the Real Battlefield
Using a healthcare analogy, encrypted files are simply the symptom; the initial access is the underlying cause. By the time files are locked, the attackers have typically been inside your systems for weeks, sometimes months. Once they hold valid user credentials, stolen session tokens, an MFA bypass, or remote administrative access, the organization is effectively breached.
From that foothold, attackers move quickly: they exploit internal systems, harvest more credentials, abuse networking equipment, escalate privileges, move laterally, disable security controls, exfiltrate sensitive data, and only then, as the final step, deploy ransomware.
If your strategy centers only on backups and endpoint detection, you are reacting at the final stage of the kill chain. That is too late.
The Modern “Front Door” Risk Areas
Security teams should take a close look at four high-risk areas.
First, examine your identity systems. Misconfigurations in Microsoft Entra ID (formerly Azure AD) can quietly expose your environment. MFA exceptions granted to executives or long-tenured employees, however well intentioned, create exactly the gaps attackers look for. Weak conditional access policies leave further openings. Push-based MFA without additional safeguards such as number matching leaves accounts open to MFA fatigue, where an attacker holding a valid password sends push prompts until the user approves one.
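MFA fatigue leaves a recognizable trace in authentication logs: a burst of denied or unanswered pushes for one user, often followed by a single approval. The detector below is an added example, not CyberHoot's tooling or any vendor's product. The event records and their field names (`ts`, `user`, `ip`, `result`) are constructed for illustration; map your identity provider's real push-notification fields onto them before use.

```python
"""Detect MFA push-fatigue ("push bombing") bursts in authentication events.

Added example; the event format below is constructed, not a real IdP schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jdoe receives a burst of pushes from one source IP,
# denies or ignores five of them, then approves the sixth. asmith shows
# normal behaviour: one push, one approval.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T02:11:04Z", "user": "jdoe", "ip": "203.0.113.7", "result": "denied"},
    {"ts": "2024-05-02T02:11:31Z", "user": "jdoe", "ip": "203.0.113.7", "result": "timeout"},
    {"ts": "2024-05-02T02:12:02Z", "user": "jdoe", "ip": "203.0.113.7", "result": "denied"},
    {"ts": "2024-05-02T02:12:40Z", "user": "jdoe", "ip": "203.0.113.7", "result": "timeout"},
    {"ts": "2024-05-02T02:13:15Z", "user": "jdoe", "ip": "203.0.113.7", "result": "denied"},
    {"ts": "2024-05-02T02:14:09Z", "user": "jdoe", "ip": "203.0.113.7", "result": "approved"},
    {"ts": "2024-05-02T08:30:00Z", "user": "asmith", "ip": "198.51.100.20", "result": "approved"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return one finding per user who received >= `threshold` denied or
    timed-out pushes inside `window`. `approved_after` is True when an
    approval followed the burst within the same window, i.e. the user
    most likely gave in and the attacker now has a session."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        fails = [e for e in evs if e["result"] in ("denied", "timeout")]
        for i in range(len(fails)):
            start = parse_ts(fails[i]["ts"])
            burst = [f for f in fails[i:] if parse_ts(f["ts"]) - start <= window]
            if len(burst) < threshold:
                continue
            last = parse_ts(burst[-1]["ts"])
            approved_after = any(
                e["result"] == "approved"
                and last < parse_ts(e["ts"]) <= last + window
                for e in evs
            )
            findings.append({
                "user": user,
                "ips": sorted({f["ip"] for f in burst}),
                "failed_pushes": len(burst),
                "approved_after": approved_after,
            })
            break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_EVENTS):
        severity = "ACCOUNT LIKELY COMPROMISED" if f["approved_after"] else "push bombing in progress"
        print(f"{f['user']}: {f['failed_pushes']} failed pushes from {f['ips']} - {severity}")
```

A finding with `approved_after` set should be treated as an account takeover, not a user annoyance: revoke the user's sessions and reset the password, since the attacker already held it before the pushes started. The window and threshold are tuning knobs; three failed prompts in ten minutes is a reasonable starting point for most tenants.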
The second is remote access infrastructure. VPN appliances from vendors including Fortinet (FortiGate), SonicWall, and even Cisco have all required significant and repeated patching over the past two years. Exposed RDP instances are scanned and targeted every day. Edge devices that sit between your users and the Internet need timely patching as standard practice.
The third is browser and session token theft. Malicious browser extensions and infostealer malware are now common tools for capturing authentication cookies and tokens. When an attacker replays a valid session token, MFA does not help, because the application sees an already-authenticated session. This attack type is growing precisely because it bypasses controls that organizations spent years building.
The fourth is third-party and SaaS access. API keys, service accounts, and automation connectors often hold broad permissions and receive little ongoing monitoring. Contractors and part-time employees are being actively recruited by ransomware groups and offered large sums of money for inside access. These integration points deserve heightened attention and regular reviews.
What Security Leaders Should Prioritize
Phishing training and MFA enrollment remain important. Ransomware, though, rarely arrives as a single malicious email attachment anymore. It gets in through credential theft, remote access exploits, and identity misconfigurations, often combining several methods in a single attack.
Adding these areas to your traditional defenses will make a large difference in your resilience to evolving ransomware attacks.
Focus on the following to strengthen your defense-in-depth program:
- Enforce phishing-resistant MFA, such as FIDO2 security keys or other hardware-backed methods
- Harden identity providers with strict conditional access
- Scan and audit configurations of exposed services and edge devices
- Monitor for unusual sign-ins, including sign-ins from unexpected locations or from two locations too far apart to travel between in the elapsed time (impossible travel)
- Consider adopting Zero Trust Network Access (ZTNA) where users get app-level access only after identity and device checks succeed
- Limit standing administrative privileges to reduce the blast radius of a single compromised admin account
- Review third-party integrations and revoke any access that is no longer needed
Each of these steps addresses the places attackers are pivoting their attacks towards today.
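Two of the items above, monitoring for impossible travel and spotting a stolen session token being replayed, can be checked with the same pass over sign-in logs. The script below is an added example, not CyberHoot's tooling. The `SAMPLE_SIGNINS` records are constructed: real sign-in logs carry only an IP address, so the `lat`/`lon` fields stand in for the GeoIP lookup you would run on each record, and the field names are assumptions rather than any vendor's schema. It also covers the session-token theft described in the third risk area above.

```python
"""Flag impossible travel and session-token replay in sign-in logs.

Added example with constructed data; lat/lon stand in for a GeoIP lookup.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

SAMPLE_SIGNINS = [
    # alice: normal browser sign-in from New York ...
    {"ts": "2024-05-02T09:00:00Z", "user": "alice", "ip": "198.51.100.5",
     "session_id": "S1", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124",
     "lat": 40.7128, "lon": -74.0060},
    # ... then the SAME session ID used 45 minutes later from Moscow by a script
    {"ts": "2024-05-02T09:45:00Z", "user": "alice", "ip": "203.0.113.9",
     "session_id": "S1", "user_agent": "python-requests/2.31",
     "lat": 55.7558, "lon": 37.6173},
    # bob: Chicago in the morning, Denver four hours later (a real flight)
    {"ts": "2024-05-02T10:00:00Z", "user": "bob", "ip": "198.51.100.40",
     "session_id": "S2", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edg/124",
     "lat": 41.8781, "lon": -87.6298},
    {"ts": "2024-05-02T14:00:00Z", "user": "bob", "ip": "192.0.2.77",
     "session_id": "S3", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edg/124",
     "lat": 39.7392, "lon": -104.9903},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def find_impossible_travel(signins, max_kmh=900.0):
    """Pair each user's consecutive sign-ins and flag any pair whose implied
    speed exceeds max_kmh. 900 km/h is roughly airliner speed, so a genuine
    flight is not flagged while a cross-continent hop in under an hour is."""
    by_user = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["ts"]):
        by_user[s["user"]].append(s)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 50 and speed > max_kmh:  # ignore GeoIP jitter inside one city
                findings.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                                 "km": round(km), "kmh": round(speed)})
    return findings


def find_token_replay(signins):
    """Flag a session ID seen from more than one IP AND more than one user
    agent. Requiring both cuts noise from mobile users whose IP changes
    legitimately; a stolen cookie replayed from attacker tooling changes both."""
    by_session = defaultdict(list)
    for s in signins:
        by_session[s["session_id"]].append(s)
    findings = []
    for sid, evs in by_session.items():
        ips = {e["ip"] for e in evs}
        agents = {e["user_agent"] for e in evs}
        if len(ips) > 1 and len(agents) > 1:
            findings.append({"session_id": sid, "user": evs[0]["user"],
                             "ips": sorted(ips), "user_agents": sorted(agents)})
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_SIGNINS):
        print("IMPOSSIBLE TRAVEL:", f)
    for f in find_token_replay(SAMPLE_SIGNINS):
        print("SESSION TOKEN REPLAY:", f)
```

The response to a token-replay hit is to revoke that session server-side (in Entra ID, revoking the user's refresh tokens and sign-in sessions), not merely to reset the password, because the attacker's stolen cookie remains valid until the session itself is killed.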
The Strategic Takeaway
You don’t have to overhaul everything all at once. Start by reviewing your MFA configurations for exceptions and remove the ones that no longer make sense. Confirm your VPN and edge devices are running current firmware. Pull a report on which accounts have global admin permissions and reduce that list. Schedule quarterly reviews of your SaaS integrations and connected service accounts.
Those four actions cost very little and close doors that attackers are actively trying to open (and succeeding with).
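The first of those actions, reviewing MFA configurations for exceptions, can be turned into a repeatable check against an export of your Conditional Access policies. The audit below is an added example, not CyberHoot's or Microsoft's code. `SAMPLE_POLICIES` is a constructed export that follows the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`displayName`, `state`, `conditions.users.*`, `grantControls.builtInControls`); the policy names, user and group names are invented. Export your own tenant's policies with the Graph API or the Microsoft Graph PowerShell module and feed the JSON list in.

```python
"""Audit exported Entra Conditional Access policies for MFA gaps.

Added example; SAMPLE_POLICIES is constructed in the Graph
conditionalAccessPolicy shape, with invented names.
"""
import json

SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Require MFA for all users",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["ceo@example.com", "legacy-svc@example.com"],
                            "includeGroups": [], "excludeGroups": ["grp-mfa-exempt"]}},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Require MFA for admins",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                            "includeGroups": [], "excludeGroups": [],
                            "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]}},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Block legacy authentication",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                            "includeGroups": [], "excludeGroups": []}},
   "grantControls": {"builtInControls": ["block"]}}
]
""")
# The includeRoles GUID above is the roleTemplateId of Global Administrator.


def requires_mfa(policy):
    """True when the policy's grant control demands MFA, either the classic
    'mfa' built-in control or an authentication strength (e.g. phishing-resistant)."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))


def audit_policies(policies):
    """Return (policy, finding, detail) tuples:
      mfa_not_enforced  - an MFA policy left disabled or in report-only mode
      user_excluded     - a named user carved out of an enforced MFA policy
      group_excluded    - a group carved out of an enforced MFA policy
      no_enabled_tenant_wide_mfa_policy - no enforced MFA policy targets 'All' users
    """
    findings = []
    tenant_wide_mfa = False
    for p in policies:
        if not requires_mfa(p):
            continue
        name = p["displayName"]
        users = (p.get("conditions") or {}).get("users") or {}
        if p.get("state") != "enabled":
            findings.append((name, "mfa_not_enforced", p.get("state")))
            continue  # exclusions on an unenforced policy are moot
        for u in users.get("excludeUsers") or []:
            findings.append((name, "user_excluded", u))
        for g in users.get("excludeGroups") or []:
            findings.append((name, "group_excluded", g))
        if "All" in (users.get("includeUsers") or []):
            tenant_wide_mfa = True
    if not tenant_wide_mfa:
        findings.append(("<tenant>", "no_enabled_tenant_wide_mfa_policy", None))
    return findings


if __name__ == "__main__":
    for policy, finding, detail in audit_policies(SAMPLE_POLICIES):
        print(f"{finding:36} {policy!r:32} {detail or ''}")
```

Every `user_excluded` or `group_excluded` line is an exception that needs an owner and an expiry date; a `mfa_not_enforced` line on an admin-scoped policy means your most valuable accounts are only being reported on, not protected. Re-run the audit after each change and keep the output with your quarterly review notes.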
Ransomware operators adapt faster than most organizations patch. Your advantage is knowing where they’re looking and making those areas harder to reach. Small, consistent improvements add up faster than you think.
Start with one area this week. Your organization will be in a better position by Friday than it is today.
Additional Resources
CyberHoot Articles
- Medusa Ransomware Deploys Malicious Driver to Evade Security
- New Rust-Based Cicada 3301 Ransomware
- New Qilin Ransomware Attack
- Hackers Turn SEC Snitches: The Evolution of Ransomware Tactics
The post Ransomware Entry Points are Changing. Here Is What to Do About It? appeared first on CyberHoot.
