Incident-as-a-Service

Ransomware is now less about malware and more about impersonation

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security Analyst: To enhance their ability to detect subtle identity-based attacks within SIEM logs and user behaviour analytics, moving beyond signature-based malware detection.
  • Identity & Access Management (IAM) Specialist: To understand how compromised credentials are weaponised in modern ransomware campaigns and to design more resilient authentication and authorisation controls.
  • IT Administrator: To implement infrastructure hardening measures, such as network segmentation and privileged access management, that mitigate the lateral movement phase of impersonation-based breaches.

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
1.1 Ransomware is now less about malware and more about impersonation 45 min
1.2 Credential Theft and Social Engineering Campaigns 45 min
1.3 Initial Access and Lateral Movement Vectors 45 min
1.4 Indicators of Compromise for Identity-Based Attacks 45 min
2.1 SIEM Detection for Anomalous User Behaviour 45 min
2.2 Endpoint Detection for Credential Dumping and Mimikatz 45 min
2.3 Data Breach Incident Response Playbook 45 min
2.4 Digital Forensics for Identity Compromise 45 min
3.1 Multi-Factor Authentication and Phishing-Resistant MFA 45 min
3.2 Privileged Access Management Implementation 45 min
3.3 Network Segmentation to Contain Breaches 45 min
3.4 Zero Trust Architecture for Data Protection 45 min
4.1 Security Awareness Programme Against Impersonation 45 min
4.2 Board-Level Communication on Identity Risk 45 min
4.3 Vendor Risk Management for Supply Chain Compromise 45 min
4.4 Compliance Framework Integration (GDPR, NIS2, DORA) 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

Ransomware is now less about malware and more about impersonation

Lesson 1 of 16

Lesson 1.1: Ransomware is now less about malware and more about impersonation

Compliance Framework Mapping

Framework | Control | Requirement
DORA | Article 5-17 | ICT risk management requirements including threat-led penetration testing and incident response.
ISO 27001 | A.5.1 | Management direction for information security, including policies for acceptable use and access control.
NIST CSF | PR.AC-1 | Identities and credentials are managed for authorised users and devices.
NIS2 | Article 21 | Security policies on risk analysis and information system security.
SOC 2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
GDPR | Article 32 | Security of processing, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems.

Introduction

Welcome to Lesson 1.1: Ransomware is now less about malware and more about impersonation! Over the next 45 minutes, we will explore how the modern ransomware threat has fundamentally shifted from technical exploits to human manipulation.

But first, let me tell you about Marcus Webb.

It's 10:15 on a Tuesday in October. Marcus Webb, a senior finance manager at a mid-sized manufacturing firm in Birmingham, is reviewing a supplier invoice. The office is quiet, just the hum of the air conditioning and the faint click of his mouse. He's expecting a payment confirmation from a regular vendor, Acme Supplies.

His inbox pings. The email is from '[email protected]'. The subject is 'URGENT: Revised Invoice #7821 – Payment Required'. The body is polite, professional, and references their last phone call. It says the bank details have changed due to a system upgrade and includes a link to download the updated invoice. It looks exactly like the dozens of other emails he processes each week.

Marcus clicks the link. It takes him to a SharePoint page that looks like Acme's portal. He logs in with his corporate credentials, a habit born from single sign-on convenience. The page spins for a moment, then displays an error. He shrugs, assumes their site is glitchy, and forwards the email to his assistant to follow up. He has no idea he just handed the keys to the kingdom to someone else.

This is the story of a Data Breach. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: The New Ransomware Playbook

Think of ransomware not as a virus, but as a burglary. The old method was to smash a window (exploit a vulnerability). The new method is to trick someone into handing you the front door key, walking you to the safe, and then helping you load the van.

The Impersonation Economy

Modern ransomware groups don't start with code; they start with research. They find a target company, then identify its people, partners, and processes. They look for the human links in the financial or IT chain.

The initial attack is almost always a form of impersonation. It could be a fake login page for a cloud service, a compromised vendor email, or a phone call pretending to be from IT support. The goal is to steal legitimate login credentials.

With those credentials, the attacker isn't a hacker breaking in; they are a trusted user logging in. They bypass most perimeter defences because they are using approved channels and authorised identities.

From Credentials to Catastrophe

Once inside, the attacker's first job is to expand their access. They use the stolen credentials to move laterally, often targeting identity systems like Active Directory or cloud admin consoles. They create backdoor accounts for persistence.

Only after they have full control of the network do they deploy the ransomware payload. The encryption is the final, noisy act in a long, quiet campaign of impersonation and privilege escalation.

Think about that last point for a moment. Your firewall is designed to keep strangers out. It was never designed to stop the finance director from logging into SharePoint.

DORA Article 5-17: DORA's ICT risk management framework requires financial entities to understand and test for threats that exploit people and processes, not just technology. A threat-led penetration test must simulate these social engineering and credential theft scenarios.

ISO 27001 A.5.1: This control mandates that management establishes clear policies for information security. This includes policies governing acceptable use of systems and data, which are the first line of defence against credential theft via impersonation.



Content Section 2: Anatomy of a Credential-Based Breach

Understanding this attack flow reveals why it's so effective. Let me show you exactly how Marcus was compromised.

The Attack Flow

Step 1: Reconnaissance. The attackers identified Marcus's company and found that Acme Supplies was a frequent vendor. They registered a domain like 'acme-supplies.co.uk' (with a hyphen) to mimic the real one.

Step 2: Initial Access. They sent Marcus a convincing email with a link to a fake SharePoint login page hosted on a compromised website. This is the impersonation.

Step 3: Credential Harvesting. When Marcus entered his username and password, the attackers captured them in real-time.

Step 4: Lateral Movement. Using Marcus's credentials, the attackers logged into the real company Office 365 tenant. From there, they accessed shared drives and identified more valuable targets, like IT administrators.

The Business Impact

The final ransomware demand is only part of the cost. Before encryption, attackers exfiltrate sensitive data: financial records, employee PII, intellectual property. They use this for double extortion: "Pay us to decrypt your systems, and pay us again or we'll leak your data."

The operational downtime from a full encryption event can halt business for weeks. Recovery costs, regulatory fines, and reputational damage often far exceed the ransom demand itself.

Why Traditional Defences Fail

Here's how common security controls are bypassed in this model:

Method | How It's Bypassed | Time to Compromise
Network Firewalls | Attackers use legitimate user credentials to access approved cloud services (Office 365, VPN) over standard ports. | Minutes
Signature-based AV/EDR | No malicious file is initially downloaded. The 'malware' is the user's own action on a fake web page. | N/A
Email Gateway Filters | The impersonation email contains no malware links or attachments initially. It's a clean link to a fake login page. | Minutes
Security Awareness Training | The impersonation is highly targeted (spear-phishing), using real vendor names and context, making it hard to spot. | Minutes

Notice what all of these methods have in common. They all fail to verify the one thing that matters in this new model: Is the person behind this login session really who they claim to be?

Now pay attention, because this is the moment that changes everything. This is the moment where a simple credential theft becomes a business-ending data breach. With initial access, the attacker doesn't rush. They explore quietly, often for days or weeks, to find the most damaging data to steal and encrypt.

NIST CSF PR.AC-1: This control requires that identities and credentials are managed for authorised users. This attack exploits a failure in that control: the credentials were not protected from theft, and there was no additional verification (like MFA) to ensure the user was legitimate.

NIS2 Article 21: NIS2 Article 21 mandates policies for risk analysis. A proper analysis must account for threats to identity systems and credential management, not just network intrusions, and implement appropriate safeguards like multi-factor authentication.



Content Section 3: Shifting the Defence: Detecting Impersonation

Marcus's computer knew something was wrong. It just couldn't tell him. The signals of this attack aren't found in malware scans, but in user and identity behaviour.

Identity Provider Signals

This is your new frontline. Monitor your identity service (like Azure AD) for impossible travel. A login from Birmingham followed by a login from a foreign country 10 minutes later is a clear red flag.

Look for logins from unfamiliar devices, browsers, or IP ranges that the user has never used before. A single anomaly might be a user on holiday; a pattern of anomalies across multiple accounts is an attack.

Pay special attention to consent grants to third-party applications in cloud environments. Attackers often add malicious apps to maintain access.
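The two identity-provider signals above, impossible travel and an unfamiliar device, can be computed from nothing more than the sign-in log. The code below is an added example, not the lesson's or any identity provider's own logic: the record layout (user, timestamp, latitude, longitude, device identifier) and the sign-in events are constructed, and a real SIEM would map its own sign-in log fields onto that shape. The 900 km/h ceiling and 50 km minimum distance are assumed tuning values.

```python
"""Score identity-provider sign-in events for impossible travel and
unfamiliar devices.

Added example, not code from the lesson or from any identity provider.
The record layout (user, ts, lat, lon, device_id) and the events are
constructed; a real SIEM would map its sign-in log fields onto them.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Above this ground speed a pair of sign-ins cannot be the same person.
MAX_PLAUSIBLE_KMH = 900.0
# Ignore geolocation jitter within a city.
MIN_DISTANCE_KM = 50.0

# Constructed baseline: devices each user has previously signed in from.
KNOWN_DEVICES = {"mwebb": {"WIN-LAPTOP-01"}, "jsmith": {"WIN-LAPTOP-02"}}

# Constructed sign-in events. Coordinates: Birmingham ~ (52.49, -1.89),
# London ~ (51.51, -0.13); the third location is simply a distant one.
SIGNINS = [
    {"user": "mwebb", "ts": datetime(2024, 10, 15, 10, 15), "lat": 52.49, "lon": -1.89, "device_id": "WIN-LAPTOP-01"},
    {"user": "mwebb", "ts": datetime(2024, 10, 15, 10, 25), "lat": 55.76, "lon": 37.62, "device_id": "BROWSER-7f3a"},
    {"user": "jsmith", "ts": datetime(2024, 10, 15, 9, 0), "lat": 52.49, "lon": -1.89, "device_id": "WIN-LAPTOP-02"},
    {"user": "jsmith", "ts": datetime(2024, 10, 15, 11, 0), "lat": 51.51, "lon": -0.13, "device_id": "WIN-LAPTOP-02"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyse_signins(events, known_devices):
    """Return alerts as (user, kind, detail) tuples in chronological order.

    kind is 'unfamiliar_device' when the device has not been seen for that
    user, or 'impossible_travel' when the implied ground speed from the
    user's previous sign-in exceeds MAX_PLAUSIBLE_KMH.
    """
    alerts = []
    last_seen = {}
    seen_devices = {u: set(d) for u, d in known_devices.items()}  # copy the baseline
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        devices = seen_devices.setdefault(user, set())
        if ev["device_id"] not in devices:
            alerts.append((user, "unfamiliar_device", ev["device_id"]))
            devices.add(ev["device_id"])  # alert once per new device, not on every sign-in
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if km >= MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                alerts.append((user, "impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
        last_seen[user] = ev
    return alerts
```

Run on the constructed events, Marcus's 10:25 sign-in raises both alerts while the second user's Birmingham-to-London day produces none. The per-user device baseline is what keeps the rule quiet for a genuine traveller: one anomaly is a conversation with the user, the same two alerts on several accounts in an hour is an incident.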

Endpoint-Level Indicators

While no malware is initially executed, the attacker's later-stage tools leave traces. Look for unusual processes spawned from legitimate applications like PowerShell or the Windows Command Prompt.

A key indicator is the use of credential access tools like Mimikatz, or the dumping of the LSASS process memory, which attackers use to harvest more credentials after gaining initial access.
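The two endpoint indicators named here, a legitimate application spawning a shell and a process reading LSASS memory, are both visible in ordinary process telemetry. The following added example (not the lesson's or any EDR vendor's code) evaluates both over constructed records shaped loosely like Sysmon event 1 (process create) and event 10 (process access). The allow-list of binaries expected to touch LSASS, the file paths and the user names are assumptions for illustration; PROCESS_VM_READ is the documented Windows access right.

```python
"""Detect two later-stage endpoint indicators in process telemetry:
an Office application spawning a shell, and a process reading LSASS memory.

Added example, not the lesson's or any EDR vendor's code. The event
records mimic Sysmon event 1 (process create) and event 10 (process
access) fields but are constructed; the allow-list and paths are
assumptions for illustration.
"""

# Windows access right that lets a process read another process's memory.
PROCESS_VM_READ = 0x0010

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed allow-list of binaries expected to touch LSASS (e.g. the AV engine).
LSASS_ACCESS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

# Constructed telemetry, loosely shaped like Sysmon events 1 and 10.
EVENTS = [
    {"event_id": 1, "user": r"CORP\mwebb",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 1, "user": r"CORP\jsmith",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 10,
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1400},
    {"event_id": 10,
     "source_image": r"C:\Users\Public\update.exe",  # hypothetical path, constructed
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_endpoint_indicators(events):
    """Return (kind, subject, detail) alerts for the two indicators."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            if parent in OFFICE_APPS and child in SHELLS:
                alerts.append(("office_spawned_shell", ev["user"], f"{parent} -> {child}"))
        elif ev["event_id"] == 10:
            src = ev["source_image"].lower()
            if (basename(ev["target_image"]) == "lsass.exe"
                    and src not in LSASS_ACCESS_ALLOWLIST
                    and ev["granted_access"] & PROCESS_VM_READ):
                alerts.append(("lsass_memory_read", ev["source_image"], hex(ev["granted_access"])))
    return alerts
```

A user opening a command prompt from Explorer is ordinary and stays silent; Word launching PowerShell, or an unrecognised binary obtaining read access to LSASS, is what the rule surfaces. The allow-list is the tuning point: populate it from the security tooling actually deployed, and review it, because a loose allow-list is how these events get missed.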

Data Exfiltration Signals

Before the ransomware detonates, attackers move data. Monitor for large, unusual data transfers from internal file shares or cloud storage to external IP addresses.

Look for spikes in data volume uploaded from a single user account, especially outside of normal working hours. This is often the final preparatory step before encryption begins.
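Turning the exfiltration signal into a rule means comparing each user against their own history rather than a global threshold. The code below is an added example, not the lesson's or any DLP product's logic: the transfer records (user, timestamp, bytes sent to an external destination), the business-hours window and the tenfold spike factor are constructed; proxy, firewall or cloud audit logs would be reduced to the same three fields in practice.

```python
"""Flag hours in which a user's outbound data volume spikes far above that
user's own baseline, and mark spikes that fall outside working hours.

Added example, not code from the lesson or any DLP product. The transfer
records (user, timestamp, bytes sent to an external destination) are
constructed; a real deployment would feed proxy, firewall or cloud audit
logs into the same shape.
"""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
SPIKE_FACTOR = 10.0  # hours sending >= 10x the user's mean hourly volume are flagged

# Constructed transfers: (user, timestamp, bytes out). The first two days
# are normal activity; the final mwebb record is a large overnight upload.
TRANSFERS = [
    ("mwebb", datetime(2024, 10, 14, 9, 5), 2_000_000),
    ("mwebb", datetime(2024, 10, 14, 14, 30), 5_000_000),
    ("mwebb", datetime(2024, 10, 15, 10, 0), 3_000_000),
    ("mwebb", datetime(2024, 10, 15, 16, 45), 4_000_000),
    ("mwebb", datetime(2024, 10, 16, 2, 10), 1_200_000_000),
    ("jsmith", datetime(2024, 10, 14, 11, 0), 1_000_000),
    ("jsmith", datetime(2024, 10, 15, 15, 20), 1_500_000),
    ("jsmith", datetime(2024, 10, 16, 10, 0), 2_000_000),
]


def hourly_totals(transfers):
    """Sum bytes per (user, hour bucket)."""
    totals = defaultdict(int)
    for user, ts, nbytes in transfers:
        totals[(user, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    return totals


def find_exfil_spikes(transfers, baseline_end):
    """Compare each hour at or after baseline_end with the user's mean
    hourly volume from before it. Returns (user, hour, bytes, kind) where
    kind is 'spike', 'off_hours_spike' or 'no_baseline'."""
    totals = hourly_totals(transfers)
    baseline = defaultdict(list)
    for (user, hour), nbytes in totals.items():
        if hour < baseline_end:
            baseline[user].append(nbytes)
    alerts = []
    for (user, hour), nbytes in sorted(totals.items(), key=lambda kv: kv[0][1]):
        if hour < baseline_end:
            continue
        if not baseline[user]:
            alerts.append((user, hour, nbytes, "no_baseline"))  # new account: review by hand
            continue
        if nbytes >= SPIKE_FACTOR * mean(baseline[user]):
            off_hours = not (BUSINESS_START <= hour.time() < BUSINESS_END)
            alerts.append((user, hour, nbytes, "off_hours_spike" if off_hours else "spike"))
    return alerts
```

With a baseline cut at midnight on the 16th, the 02:00 hour for mwebb comes out hundreds of times above that user's mean and is reported as an off-hours spike, while the second user's slightly busier morning is ignored. Accounts with no history get their own category rather than silence, because a freshly created account uploading at volume is one of the persistence patterns described earlier in the lesson.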

SOC 2 CC6.1: SOC 2 CC6.1 requires logical access controls to protect information assets. Effective monitoring for the identity and data exfiltration signals described here is part of demonstrating that those controls are operating effectively to detect security events.

GDPR Article 32: GDPR Article 32 requires appropriate technical measures to ensure security. The ability to detect anomalous login behaviour and unauthorised data exfiltration is a key measure for protecting the confidentiality and integrity of personal data, helping to meet breach notification obligations under Articles 33 and 34.


Activity: Impersonation Attack Surface Review

This activity will help you identify where your organisation is most vulnerable to credential theft through impersonation.

Important Security Note: Do NOT test phishing or attempt to harvest credentials on your live corporate network. Do NOT document or share specific security gaps, vulnerabilities, or configuration details. Work with your security team if you identify critical issues.

Instructions

Step 1: Map your critical business processes. Identify three processes that involve external communication and data exchange (e.g., invoice payments, contract signing, IT support requests).

Step 2: For each process, list the identities involved (roles, not individuals) and the systems they access (e.g., Finance Manager -> Accounting Software, Vendor Portal).

Step 3: Review the authentication methods for those systems. Note which ones rely solely on a username and password, and which have multi-factor authentication (MFA) enforced.

Step 4: Identify one high-risk system that lacks MFA. Draft a brief, non-technical email to a hypothetical colleague explaining the risk of impersonation for that specific process.

Submission

For the course discussion forum, share general learnings only:

  • Which business process you assessed as having the highest potential impact if compromised.
  • What common theme you noticed about authentication methods for external-facing systems.
  • What you found most challenging about explaining the technical risk in business terms.

Do NOT share: the names of specific systems, software, or vendors used in your organisation; any details about your organisation's specific security configuration or gaps; the content of your draft internal email.

Review and comment on at least two other students' submissions, focusing on the business impact analysis and clarity of communication.


Content Section 4: Building Your Compliance Evidence

Think of compliance documentation not as a box-ticking exercise, but as the blueprint for your defence. The controls we've discussed are your building materials.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA Article 5-17 auditors: you can now demonstrate that your staff training and risk management processes address credential-based threats. Your completion of this lesson and the associated activity shows proactive engagement with ICT risk management.

For ISO 27001 A.5.1 assessors: you can evidence that management has been made aware of the need for policies governing identity and access management in the context of modern ransomware, supporting the establishment of A.5.1 controls.

For NIST CSF PR.AC-1 reviewers: you can show that you have analysed the specific threats to identity (PR.AC-1) posed by impersonation attacks, which is a required step before selecting and implementing protective controls.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words (e.g., The shift from malware-centric to identity-centric ransomware attacks)
  • Activity submission reference
  • Follow-up actions identified (e.g., Schedule a discussion with IT about MFA coverage for critical systems)

Conclusion

Let me tell you how Marcus's story ended.

The attackers, now inside for two weeks, encrypted every server and workstation. They demanded £250,000 in Bitcoin. They also leaked five years of employee payroll data and customer contracts when the company hesitated to pay. The incident made local news. Marcus was not fired, but the stress and guilt led him to leave the company six months later.

The organisation eventually recovered after paying a negotiated ransom and spending over £500,000 on recovery consultants, new security tools, and regulatory fines. Their major improvement was enforcing multi-factor authentication on all cloud and remote access systems, and implementing 24/7 monitoring for anomalous sign-ins.

But it doesn't have to be your story. That's why we're here.

You should now understand that modern ransomware is a data breach that starts with identity theft. You understand that the primary attack vector is impersonation, not malware. You know that defences must shift to monitoring identity behaviour and securing authentication. And you understand that compliance frameworks provide the structure for building these defences.

Next, we'll explore Lesson 1.2: Securing the Identity Layer. We'll look at the practical steps for implementing multi-factor authentication, conditional access policies, and privileged identity management to build a defence that works against impersonation.

See you there.


Key Takeaways

1. The Fundamental Shift: The primary entry point for modern ransomware is no longer software vulnerabilities, but the theft of legitimate user credentials through sophisticated impersonation.

2. Bypassing Traditional Defences: When attackers use stolen credentials, they appear as authorised users, rendering perimeter-based defences like firewalls and signature-based antivirus largely ineffective.

3. The Double Extortion Model: Attackers now routinely exfiltrate data before encryption, using the threat of public leakage as additional leverage to force ransom payment, significantly increasing the business impact.

4. The New Detection Frontier: Effective detection must focus on identity and user behaviour analytics, monitoring for anomalies like impossible travel, unfamiliar devices, and unusual data transfers, rather than just malicious files.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key detection indicators (impossible travel, unfamiliar sign-ins, LSASS memory dumping) and immediate response steps for a credential-based ransomware breach on a single page.
  • Compliance Mapping Worksheet - Map your organisation's controls for identity and access management against the specific DORA, NIST CSF, and ISO 27001 requirements relevant to defending against impersonation attacks.
  • Risk Assessment Template - Assess your organisation's exposure to credential theft and impersonation based on the business processes and authentication methods analysed in the lesson activity.
  • Further reading - Links to the official NIST guidance on identity and access management (SP 800-63) and threat intelligence reports on ransomware group tactics, techniques, and procedures (TTPs).

Ransomware is now less about malware and more about impersonation Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now - Unlock All Lessons

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£19

Single course access - ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£29/mo
Monthly All-Access

Every course, cancel anytime

£249/yr
Annual All-Access

Save 28% - £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£499/year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£999/year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£1999/year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.


Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.