Incident-as-a-Service

Ransomware is now less about malware and more about impersonation

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security Analyst: Will benefit by learning to craft precise detection rules for identity-based attacks and understanding the forensic artefacts left behind in such breaches.
  • Identity & Access Management (IAM) Administrator: Will gain critical insights into hardening authentication systems and implementing principle of least privilege controls to prevent credential misuse.
  • IT Manager / CISO: Will learn to communicate risk effectively to leadership, develop organisational readiness programmes, and map technical controls to compliance frameworks like NIS2 and GDPR.

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behaviour translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
📖 1.1 Ransomware is now less about malware and more about impersonation 45 min
📖 1.2 Credential Theft and Phishing Campaign Analysis 45 min
📖 1.3 Initial Access and Lateral Movement Vectors 45 min
📖 1.4 Indicators of Compromise for Data Exfiltration 45 min
📖 2.1 SIEM Detection for Anomalous Authentication 45 min
📖 2.2 Endpoint Detection of Credential Dumping 45 min
📖 2.3 Data Breach Incident Response Playbook 45 min
📖 2.4 Forensic Analysis of Data Exfiltration 45 min
📖 3.1 Multi-Factor Authentication and Conditional Access 45 min
📖 3.2 Privileged Access Management Implementation 45 min
📖 3.3 Network Segmentation for Data Protection 45 min
📖 3.4 Zero Trust Principles for Identity 45 min
📖 4.1 Anti-Phishing and Security Awareness Programmes 45 min
📖 4.2 Communicating Data Breach Risk to the Board 45 min
📖 4.3 Third-Party and Vendor Identity Risk Management 45 min
📖 4.4 GDPR and NIS2 Compliance for Data Breach Response 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

Ransomware is now less about malware and more about impersonation

Lesson 1 of 16

Lesson 1.1: Ransomware is now less about malware and more about impersonation

Compliance Framework Mapping

| Framework | Control | Requirement |
|---|---|---|
| DORA | Article 5-17 | ICT risk management requirements for financial entities |
| ISO 27001 | A.8.2 | Information security awareness, education and training |
| NIST CSF | PR.AC-1 | Identities and credentials are managed for authorised users and devices |
| NIS2 | Article 21 | Security policies for risk management measures |
| SOC 2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives |
| GDPR | Article 32 | Security of processing |

Introduction

Welcome to Lesson 1.1: Ransomware is now less about malware and more about impersonation! Over the next 45 minutes, we will explore how the modern ransomware threat has fundamentally shifted from a technical malware problem to a human identity problem.

But first, let me tell you about Marcus Webb.

It's 10:15 on a Tuesday in October. Marcus, a senior finance manager at a mid-sized manufacturing firm in Birmingham, is reviewing a spreadsheet. The office hums with the quiet chatter of colleagues and the faint smell of coffee from the kitchen. His phone buzzes with a new Microsoft Teams message.

The message is from his boss, Claire. The profile picture is correct. 'Marcus, need you to approve this urgent vendor payment. The link is here, login with your company account.' It looks normal. Claire often messages about time-sensitive invoices. He clicks the link, which takes him to what appears to be the company's SharePoint portal. He enters his username and password.

Nothing happens for a moment. Then, a genuine Microsoft login page appears, asking for his credentials again. He assumes the first attempt failed and types them in once more. This time, it works. He's in. He doesn't realise the first page was a perfect fake. Marcus has just handed his digital keys to someone who now looks, sounds, and acts exactly like him inside the company network.

This is the story of a Data Breach. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: The New Ransomware Playbook

Forget the image of a virus secretly infecting your computer. Today's ransomware attack is more like a skilled con artist stealing a security guard's uniform and walking straight through the front door.

The Impersonation Economy

The primary goal is no longer to deliver a malicious file, but to steal a legitimate identity. Attackers target user credentials, such as passwords, session cookies and multi-factor authentication (MFA) tokens, because these are the master keys to the kingdom.

With a real user's identity, an attacker can move through a network openly. They can access file shares, email accounts, and backup systems using the same tools and pathways the real employee uses every day. Security systems are designed to trust these identities.

This shift makes the final ransomware deployment almost a formality. The hard work is getting in and spreading, which is done by impersonating real people.

Why Credentials Are the Target

Credentials provide scale and stealth. Once an attacker has one set of login details, they can attempt to use them across multiple systems and services, a technique known as credential stuffing.

More importantly, acting as a real user allows them to disable security controls from the inside, create new admin accounts for persistence, and exfiltrate data quietly before triggering the encryption. The ransomware itself is just the final, noisy signal of a long-compromised position.

Think about that last point for a moment. The most destructive part of the attack happens before a single piece of ransomware is ever seen. The breach is complete when the identity is stolen.

DORA Article 5-17: DORA's ICT risk management framework requires financial entities to have specific measures for managing access rights and identity governance, directly addressing the threat of credential compromise.

ISO A.8.2: ISO 27001 A.8.2 mandates that all personnel receive awareness training on security threats, which must now include the risks of social engineering and credential phishing.



Content Section 2: Anatomy of an Impersonation Attack

Understanding this new playbook reveals why it's so effective. Let me show you exactly how Marcus was compromised.

The Attack Flow

Step 1: Reconnaissance. The attackers likely researched Marcus's company on LinkedIn, identifying him and his manager, Claire. They gathered names, roles, and communication styles.

Step 2: Delivery. They sent a phishing message, not with an attachment, but with a link. The message was delivered via a compromised external account or a lookalike domain, arriving on a trusted platform like Microsoft Teams.

Step 3: Credential Harvesting. The link led to a counterfeit login page hosted on attacker-controlled infrastructure. When Marcus entered his details, they were captured. The page then forwarded him to the real service, causing the second login prompt he saw.

Step 4: Identity Assumption. The attackers used his stolen credentials to log into the company's cloud environment. They may have used stolen session cookies to bypass MFA, or triggered an MFA push notification in the hope that he would approve it.

Key Technical Components

The attack uses 'living-off-the-land' techniques. Attackers use built-in IT tools like PowerShell, Remote Desktop Protocol (RDP), and legitimate admin consoles to explore the network and deploy payloads. This makes them hard to distinguish from normal admin activity.

The final ransomware payload is often delivered only after the attackers have located critical data and backup systems. They may disable security software using the compromised admin accounts just before the encryption starts.

Why Traditional Defences Fail

Old security models were built to stop malicious code, not malicious people using legitimate tools. Here's how common defences are bypassed:

| Method | How It's Bypassed | Time to Compromise |
|---|---|---|
| Antivirus / EDR | No malicious file initially; attackers use signed/legitimate tools | Minutes after credential theft |
| Email Gateways | Phish arrives via compromised colleague or collaboration platforms (Teams, Slack) | Seconds for link click |
| Network Segmentation | Attacker moves using stolen credentials of users with broad access | Hours to days |
| MFA (Push-based) | MFA fatigue attacks: spamming prompts until user accidentally approves | Potentially minutes |

Notice what all of these methods have in common. They all fail to effectively verify that the person behind the keyboard is who they claim to be after the initial login.

Now pay attention, because this is the moment that defines the new threat. The breach occurred not when malware was installed, but when Marcus's stolen identity was accepted by the system. From that point, the attacker was 'Marcus'.

NIST PR.AC-1: NIST CSF PR.AC-1 requires managing identities and credentials for authorised users. This control is directly challenged when those credentials are stolen, necessitating additional behavioural and contextual checks.

NIS2 Article 21: NIS2 Article 21 mandates risk management measures that must account for evolving threats, specifically requiring policies that address supply chain risks and social engineering tactics used in these attacks.



Content Section 3: Detecting the Imposter

Marcus's computer knew something was wrong. It just couldn't tell him. The signals were there, but they were signals of a person acting strangely, not of a virus.

Identity and Access Anomalies

Look for impossible logins. A user logging in from London at 9:00 AM and from a foreign country at 9:05 AM. Multiple failed logins followed by a success from a new location.

Monitor for unusual access patterns. Is a finance manager suddenly accessing RDP servers in the engineering department? Is someone downloading large volumes of files from a file share they've never used before?

These are behavioural clues that the legitimate identity is being used by someone with different goals.
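As an added example (not part of the course material), here is a small Python detector that applies two of the signals above, impossible travel and a burst of failures followed by a success from a new source address, to a constructed sign-in log. The user names, IP addresses, cities and thresholds are all assumptions; a real deployment would feed it from the identity provider's sign-in export and seed the baseline from history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:            # one sign-in record: who, when, source IP, geo-IP city/coords, success?
    user: str
    ts: datetime
    ip: str
    city: str
    lat: float
    lon: float
    ok: bool

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two geo-IP points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=900.0):
    """Consecutive successful sign-ins by one user faster than an airliner -> (user, from, to, km/h)."""
    findings, last_ok = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.ok:
            continue
        prev = last_ok.get(e.user)
        if prev and (prev.lat, prev.lon) != (e.lat, e.lon):
            hours = max((e.ts - prev.ts).total_seconds(), 1) / 3600   # floor at 1 s: no divide-by-zero
            speed = haversine_km(prev.lat, prev.lon, e.lat, e.lon) / hours
            if speed > max_speed_kmh:
                findings.append((e.user, prev.city, e.city, round(speed)))
        last_ok[e.user] = e        # baseline: the user's last known-good location
    return findings

def failures_then_new_ip_success(events, min_failures=3, window=timedelta(minutes=30)):
    """Success from an IP the user never succeeded from, after >= min_failures failures in window."""
    findings, known_ips, fails = [], {}, {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.ok:
            fails.setdefault(e.user, []).append(e.ts)
            continue
        recent = [t for t in fails.get(e.user, []) if e.ts - t <= window]
        if e.ip not in known_ips.setdefault(e.user, set()) and len(recent) >= min_failures:
            findings.append((e.user, e.ip, len(recent)))
        known_ips[e.user].add(e.ip)  # baseline is built from the log itself here; seed from history in production
    return findings

T = lambda h, m: datetime(2024, 10, 8, h, m)   # constructed sample log (not real data): a Tuesday in October
SAMPLE = [
    SignIn("mwebb", T(9, 0), "203.0.113.10", "London", 51.5074, -0.1278, True),
    SignIn("mwebb", T(9, 5), "198.51.100.7", "Bucharest", 44.4268, 26.1025, True),   # 5 min, ~2,100 km
    SignIn("cdavies", T(8, 30), "203.0.113.20", "London", 51.5074, -0.1278, True),
    SignIn("cdavies", T(13, 0), "203.0.113.21", "Manchester", 53.4808, -2.2426, True),  # plausible trip
    SignIn("cdavies", T(13, 10), "198.51.100.7", "Bucharest", 44.4268, 26.1025, False),
    SignIn("cdavies", T(13, 11), "198.51.100.7", "Bucharest", 44.4268, 26.1025, False),
    SignIn("cdavies", T(13, 12), "198.51.100.7", "Bucharest", 44.4268, 26.1025, False),
    SignIn("cdavies", T(13, 14), "198.51.100.7", "Bucharest", 44.4268, 26.1025, True),  # finally succeeds
]
```

Both detectors fire on the second user's final sign-in, which is the point: the same event looks like a stolen credential from two independent angles, while the London-to-Manchester trip is correctly left alone.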

Endpoint and Tooling Anomalies

Watch for legitimate tools used at strange times or in strange sequences. For example, PowerShell being used to disable security software, or the Microsoft Azure command-line tool being used to enumerate cloud storage by a user who normally works in Excel.

A spike in network connections from a single user's device to many other internal systems in a short time can indicate lateral movement.

Cloud Provider Signals

In environments like Microsoft 365, monitor for risky sign-ins flagged by Identity Protection. Look for sign-ins from anonymous IP addresses, unfamiliar locations, or infected devices.

Watch for suspicious inbox rules being created that forward email externally, or for applications being granted high-level permissions to a user's account, which can be a backdoor.

SOC 2 CC6.1: SOC 2 CC6.1 on logical access requires the entity to protect information assets from security events. Detecting anomalous user behaviour is a key operational control to meet this criterion in the face of credential theft.

GDPR Article 32: GDPR Article 32 requires appropriate technical measures to ensure security of processing. Continuous monitoring for compromised accounts is a necessary measure to prevent a personal data breach resulting from impersonation.


Activity: Impersonation Attack Surface Review

This activity will help you assess how vulnerable your organisation is to credential-based impersonation attacks.

Important Security Note: Do NOT document or share specific findings about your organisation's vulnerabilities, configurations, or security gaps in the public forum. This activity is for your internal awareness only.

Instructions

Step 1: Identify three critical roles in your organisation (e.g., Finance Controller, System Administrator, HR Manager). List the key systems and data these roles typically access.

Step 2: For one collaboration platform (e.g., Microsoft Teams, Slack), review your user awareness. Would your colleagues know how to spot a sophisticated phishing message within that platform?

Step 3: Check if you can access your identity provider's security reports (e.g., Azure AD Identity Protection, Okta Insights). See if you can find reports on risky sign-ins or legacy authentication use.

Step 4: Review one policy document related to access control or acceptable use. Does it mention social engineering, credential phishing, or reporting suspicious messages on collaboration tools?

Submission

For the course discussion forum, share general learnings only:

  • Which category of systems (financial, HR, intellectual property) seemed most attractive for an attacker seeking credentials?
  • What was the most surprising gap you identified between user awareness and the modern threat?
  • Which compliance framework (from the lesson) provided the most useful lens for this review?

Do NOT share: Specific system names, details of any vulnerabilities found, internal policy excerpts, or any data from security reports.

Review and comment on at least two other students' submissions, focusing on the strategic implications of their general findings.


Content Section 4: Building Your Evidence

Compliance documentation isn't just paperwork. In this new threat landscape, it's the blueprint for verifying that you're watching the right people, not just the wrong files.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA Article 5-17 auditors: you can now demonstrate that staff training and risk management processes address the specific threat of credential phishing and identity compromise, not just generic malware.

For ISO A.8.2 auditors: you can evidence to ISO 27001 assessors that security awareness education has been updated to cover impersonation-based attacks on collaboration platforms, as completed in this lesson.

For NIST PR.AC-1 auditors: you can show NIST CSF reviewers a considered analysis of how identity and credential management controls (PR.AC-1) are tested against modern adversary techniques.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Activity submission reference
  • Follow-up actions identified

Conclusion

Let me tell you how Marcus's story ended.

The attackers, acting as Marcus, accessed the company's financial systems and backup servers. They deployed ransomware, encrypting critical data. The company paid a ransom of several hundred thousand pounds to get a decryption key, but the recovery took weeks. Marcus faced disciplinary proceedings for violating security policy, though he kept his job.

The organisation eventually implemented mandatory phishing simulation training focused on collaboration tools, deployed stricter conditional access policies in their cloud environment, and invested in an identity threat detection and response (ITDR) solution to look for behavioural anomalies.

But it doesn't have to be your story. That's why we're here.

You should now understand that modern ransomware is a data breach that starts with identity theft. You understand how attackers use impersonation to bypass traditional defences. You know the key behavioural signals that indicate a compromised account. And you understand how compliance frameworks map to this new reality.

Next, we'll explore Lesson 1.2: Securing the Human Identity Layer. We'll look at the specific technical controls and policies that can stop an imposter, even when they have the right password.

See you there.


Key Takeaways

1. Identity is the New Perimeter: The primary target in a modern ransomware attack is no longer your endpoints, but your users' credentials and session tokens.

2. Impersonation Bypasses Traditional Defences: Attackers using stolen identities can bypass antivirus, email gateways, and network filters by appearing as legitimate users performing legitimate actions.

3. Detection Requires Behavioural Analysis: Spotting these attacks means looking for anomalies in user behaviour (strange login times, impossible travel, unusual data access), not just scanning for malicious files.

4. Compliance Frameworks Are Evolving: Major frameworks like DORA, NIST CSF, and ISO 27001 now explicitly require controls that address identity governance and user awareness against sophisticated social engineering.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key behavioural indicators of credential compromise and immediate steps to isolate a potentially impersonated account on a single page.
  • Compliance Mapping Worksheet - Map your organisation's identity and access management controls against the DORA, NIST CSF, and ISO 27001 requirements relevant to impersonation-based ransomware attacks.
  • Risk Assessment Template - Assess your organisation's exposure to credential phishing and identity theft based on user roles, collaboration platform use, and MFA implementation.
  • Further reading - Links to official guidance on identity threat detection and response (ITDR) and framework documents for securing cloud identities.

Ransomware is now less about malware and more about impersonation Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now: Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access, ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28%: £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

By continuing, you agree to the terms and privacy policy.

Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.