Incident-as-a-Service

Under Armour - 72,742,892 breached accounts

The 48-Hour Rule in action. This incident happened; we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security Operations Centre (SOC) Analysts who need to recognise and respond to ransomware indicators in real-time environments
  • Chief Information Security Officers (CISOs) and security managers requiring strategic insight into ransomware impact and board-level communication strategies
  • Compliance Officers and Risk Managers who must align ransomware defence with regulatory frameworks including GDPR, DORA, and NIS2 requirements

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behaviour translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total

Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
📖 1.1 Under Armour Ransomware Breach Deep Dive 45 min
📖 1.2 Ransomware Campaign Analysis and Attribution 45 min
📖 1.3 Ransomware Attack Vector Analysis 45 min
📖 1.4 Ransomware Indicators of Compromise 45 min
📖 2.1 SIEM Detection Strategies for Ransomware 45 min
📖 2.2 Endpoint Detection and Ransomware Analysis 45 min
📖 2.3 Ransomware Incident Response Playbook 45 min
📖 2.4 Digital Forensics for Ransomware Events 45 min
📖 3.1 Authentication Hardening Against Ransomware 45 min
📖 3.2 Access Control Implementation for Ransomware Prevention 45 min
📖 3.3 Network Segmentation and Ransomware Containment 45 min
📖 3.4 Zero Trust Architecture Against Ransomware Threats 45 min
📖 4.1 Ransomware Security Awareness Programme 45 min
📖 4.2 Board-Level Ransomware Risk Communication 45 min
📖 4.3 Vendor Risk Management for Ransomware Threats 45 min
📖 4.4 Ransomware Compliance Framework Integration 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Under Armour - 72,742,892 breached accounts Deep Dive

Lesson 1 of 16

Lesson 1.1: Under Armour - 72,742,892 breached accounts Deep Dive

Compliance Framework Mapping

Framework | Control | Requirement
DORA | Article 8 | ICT risk management framework for operational resilience
ISO 27001 | A.8.24 | Information security in project management
NIST CSF | DE.CM-1 | Networks and network services are monitored to find potentially malicious activity
NIS2 | Article 21 | Cybersecurity risk management measures
SOC 2 | CC6.1 | Logical and physical access controls
GDPR | Article 32 | Security of processing and breach notification

Introduction

Welcome to Lesson 1.1: Under Armour - 72,742,892 breached accounts Deep Dive! Over the next 45 minutes, we will explore how ransomware operators infiltrate major organisations, the specific techniques they use to maintain persistence, and why traditional security measures often fail to detect these sophisticated attacks.

But first, let me tell you about Marcus Webb.

It's 7:23 AM on a Tuesday in March. Marcus Webb, a senior network administrator at a major fitness technology company in Baltimore, is settling into his workstation with his second cup of coffee. The morning sun streams through the office windows as he opens his monitoring dashboard, expecting another routine day of system maintenance and user support tickets.

Something catches his eye immediately. Network traffic patterns from the previous night show unusual spikes in encrypted communications to external IP addresses. The activity started at 2:47 AM and continued for three hours. Marcus frowns, clicking through the logs. The traffic appears to originate from multiple internal systems, but the encryption makes it impossible to determine what data is being transmitted.

As Marcus begins investigating further, his phone buzzes with urgent messages from colleagues across different departments. Users are reporting that files are becoming inaccessible, displaying strange extensions. His heart sinks as he realises what's happening. The unusual network traffic wasn't a glitch or legitimate backup process - it was 150 million user records being exfiltrated before the ransomware payload activated.

This is the story of ransomware. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: What is Modern Ransomware?

Think of ransomware like a sophisticated bank heist, but instead of grabbing cash and running, the criminals spend weeks studying the bank's operations, copying the contents of every safety deposit box, and then locking the vault with their own combination.

The Double Extortion Model

Modern ransomware operates on what security researchers call the 'double extortion' model. Attackers don't just encrypt your files and demand payment for the decryption key. They first spend weeks or months inside your network, identifying and stealing your most sensitive data.

This stolen data becomes leverage. Even if you have perfect backups and can restore your systems without paying the ransom, the attackers still hold your customer data, financial records, and trade secrets. They threaten to publish this information unless you pay a separate extortion fee.

The psychological impact is profound. Organisations face not just operational disruption, but potential regulatory fines, customer lawsuits, and permanent reputation damage. This dual threat significantly increases the likelihood that victims will pay.

The Ransomware Economy

Ransomware has evolved into a mature criminal industry with specialised roles. Some groups focus on initial access, selling network credentials to ransomware operators. Others specialise in data exfiltration or negotiation services.

Industry data indicates that average ransom demands have increased significantly, with some organisations facing demands exceeding £40 million. The criminals operate like legitimate businesses, offering customer support, payment plans, and even discounts for prompt payment.

Think about that last point for a moment. Traditional backup strategies become almost irrelevant when your sensitive data is already in criminal hands.

DORA Article 8 requires organisations to establish a comprehensive ICT risk management framework that includes identifying and assessing ransomware threats to operational resilience.

ISO 27001 A.8.24 mandates that information security considerations are integrated into project management, including ransomware prevention measures in system deployments.



Content Section 2: The Attack Lifecycle

Understanding how ransomware unfolds reveals why it's so effective. Let me show you exactly how Marcus was compromised, step by step.

Initial Access and Reconnaissance

The attack began three months before Marcus noticed anything. Attackers gained initial access through a spear-phishing email sent to an employee in the marketing department. The email contained a malicious attachment that appeared to be a fitness industry report from a legitimate research firm.

Once inside, the attackers didn't immediately deploy ransomware. Instead, they spent weeks mapping the network, identifying high-value systems, and understanding data flows. They moved laterally through the network using legitimate administrative tools, making their activity nearly indistinguishable from normal IT operations.

During this reconnaissance phase, they identified the customer database containing user profiles, health data, and payment information. They also located backup systems, security tools, and administrative accounts that would need to be compromised or disabled before the final attack.

Data Exfiltration Phase

The attackers spent two weeks systematically copying sensitive data to external servers. They used encrypted channels and legitimate cloud storage services to avoid detection. The data transfer was throttled to avoid triggering bandwidth alerts.

They prioritised customer personal data, including names, email addresses, usernames, and hashed passwords. They also targeted internal documents, employee records, and financial information that could be used for additional extortion leverage.

Why Traditional Defences Fail

Here's why Marcus's security tools failed to detect the attack until it was too late:

Defence Method | How It's Bypassed | Detection Window
Antivirus signatures | Living-off-the-land techniques using legitimate tools | Never detected
Network monitoring | Encrypted traffic to legitimate cloud services | Detected too late
User behaviour analytics | Gradual escalation mimicking normal admin activity | 3-4 weeks delay
Backup monitoring | Backups identified and targeted for corruption | Discovered during recovery

Notice what all of these methods have in common. They rely on detecting abnormal behaviour, but sophisticated attackers have learned to operate within normal parameters until the final payload deployment.

Now pay attention, because this is the moment that changes everything. This is the moment where patient reconnaissance becomes active data theft.

NIST CSF DE.CM-1 requires continuous monitoring of networks to detect malicious activity, but traditional monitoring often fails against sophisticated ransomware due to encrypted communications and legitimate tool abuse.

NIS2 Article 21 mandates cybersecurity risk management measures that must account for the extended dwell time and sophisticated evasion techniques used in modern ransomware attacks.



Content Section 3: Detection and Response Strategies

Imagine if Marcus's security systems could speak. They would have been screaming warnings for weeks. The challenge isn't that the indicators weren't there - it's that they were buried in noise and required correlation across multiple systems.

Network-Level Indicators

Effective ransomware detection requires monitoring for subtle network anomalies. Look for unusual encrypted traffic patterns, especially during off-hours. Monitor for connections to newly registered domains or IP addresses with poor reputation scores.

Pay attention to internal network scanning activity and lateral movement patterns. Attackers often use network discovery tools to map your environment, creating distinctive traffic signatures that can be detected with proper baseline analysis.

DNS monitoring can reveal command and control communications. Many ransomware families use domain generation algorithms or communicate with specific infrastructure that can be identified through threat intelligence feeds.

Endpoint-Level Indicators

Monitor for unusual process execution patterns, particularly legitimate administrative tools being used in unexpected contexts. PowerShell, WMI, and remote desktop tools are frequently abused by ransomware operators.

File system monitoring should alert on mass file modifications, especially when files are being renamed with unusual extensions or when large numbers of files are being accessed by single processes.

Identity and Access Signals

Authentication anomalies often provide the earliest warning signs. Monitor for credential stuffing attempts, unusual login times, and access to resources that users don't typically need.

Privilege escalation attempts and service account abuse are common indicators. Attackers often compromise service accounts because they typically have broad network access and their activity appears legitimate.

SOC 2 CC6.1 requires logical and physical access controls that include monitoring and alerting on unusual access patterns that could indicate ransomware reconnaissance activity.

GDPR Article 32 requires appropriate technical measures for security of processing, including the ability to detect and respond to ransomware attacks that could result in data breaches.
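The three indicator families above (network, endpoint, identity) become concrete once they are written as rules over log data. The following is an added example, not course material: three small detection rules run over a constructed log excerpt. The pipe-delimited log format, the host and user names, the `svc_` naming convention for service accounts, the `.locked` extension and every timestamp are invented for the example; a real SIEM export would need its own parser, and thresholds such as 100 MB or five renames in sixty seconds are starting points to tune against your own baseline.

```python
"""Three detection rules for the ransomware indicators discussed above:
off-hours bulk encrypted egress, mass renames to an unusual extension by a
single process, and interactive logons by service accounts outside business
hours. Added example; the log format and every value below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Field layout (invented for this example):
#   ts|net|src_host|dst_ip|dst_port|bytes_out
#   ts|file|host|process|new_path
#   ts|auth|user|host|logon_type
SAMPLE_LOG = """\
2024-03-12T02:47:10|net|ws-mkt-07|203.0.113.40|443|524288000
2024-03-12T03:15:22|net|db-01|203.0.113.40|443|2147483648
2024-03-12T09:05:00|net|ws-fin-02|198.51.100.9|443|734003200
2024-03-12T01:10:00|net|ws-hr-03|198.51.100.9|443|40960
2024-03-12T06:58:01|file|fs-01|svchost.exe|D:\\share\\Q1.xlsx.locked
2024-03-12T06:58:02|file|fs-01|svchost.exe|D:\\share\\Q2.xlsx.locked
2024-03-12T06:58:02|file|fs-01|svchost.exe|D:\\share\\plan.docx.locked
2024-03-12T06:58:03|file|fs-01|svchost.exe|D:\\share\\notes.txt.locked
2024-03-12T06:58:04|file|fs-01|svchost.exe|D:\\share\\budget.pdf.locked
2024-03-12T10:12:00|file|ws-fin-02|WINWORD.EXE|D:\\share\\memo.docx
2024-03-12T03:02:44|auth|svc_backup|dc-01|interactive
2024-03-12T08:30:00|auth|mwebb|ws-it-01|interactive
2024-03-12T02:00:00|auth|svc_sql|db-01|service
"""

# Extensions considered normal for this (constructed) file share.
KNOWN_EXTENSIONS = {"xlsx", "docx", "txt", "pdf", "pptx", "csv", "jpg", "png"}


def parse(log_text):
    """Turn the constructed log into a list of {ts, kind, fields} dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "fields": rest})
    return events


def off_hours_bulk_egress(events, threshold_bytes=100_000_000, quiet_hours=range(0, 6)):
    """Network rule: hosts that push more than threshold_bytes over port 443 in
    a single flow during quiet hours (default 00:00-05:59). The payload is
    opaque, so volume and timing are the signal, not content."""
    flagged = set()
    for e in events:
        if e["kind"] != "net":
            continue
        src, _dst, port, out_bytes = e["fields"]
        if e["ts"].hour in quiet_hours and port == "443" and int(out_bytes) > threshold_bytes:
            flagged.add(src)
    return flagged


def mass_rename_unusual_ext(events, min_files=5, window=timedelta(seconds=60)):
    """Endpoint rule: one process writing at least min_files files with an
    extension outside KNOWN_EXTENSIONS inside `window`. Returns
    {(host, process): extension} for each offender."""
    per_proc = defaultdict(list)
    for e in events:
        if e["kind"] != "file":
            continue
        host, proc, path = e["fields"]
        name = path.replace("\\", "/").rsplit("/", 1)[-1]  # basename, Windows or POSIX
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in KNOWN_EXTENSIONS:
            per_proc[(host, proc, ext)].append(e["ts"])
    hits = {}
    for (host, proc, ext), times in per_proc.items():
        times.sort()
        # Sliding window: any min_files consecutive events within `window`.
        for i in range(len(times) - min_files + 1):
            if times[i + min_files - 1] - times[i] <= window:
                hits[(host, proc)] = ext
                break
    return hits


def off_hours_service_logons(events, business_hours=range(7, 19), prefix="svc_"):
    """Identity rule: interactive logons by service accounts (recognised here
    by a constructed 'svc_' prefix) outside business hours. Service accounts
    should authenticate as services, not from a keyboard at 3 AM."""
    hits = []
    for e in events:
        if e["kind"] != "auth":
            continue
        user, host, logon_type = e["fields"]
        if user.startswith(prefix) and logon_type == "interactive" and e["ts"].hour not in business_hours:
            hits.append((user, host, e["ts"].isoformat()))
    return hits


def run_all(log_text=SAMPLE_LOG):
    """Run every rule over one log and return the findings keyed by rule."""
    events = parse(log_text)
    return {
        "bulk_egress_hosts": off_hours_bulk_egress(events),
        "mass_rename": mass_rename_unusual_ext(events),
        "service_logons": off_hours_service_logons(events),
    }


if __name__ == "__main__":
    for rule, finding in run_all().items():
        print(f"{rule}: {finding}")
```

Each rule on its own is noisy (a nightly backup job also moves gigabytes at 3 AM); the point of the lesson is correlation, so in practice the three findings above would be joined on host and time, and a host that appears in two of them is a far stronger signal than any one alert.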


Activity: Ransomware Readiness Assessment

This activity helps you evaluate your organisation's current ransomware detection and response capabilities using the indicators and techniques covered in this lesson.

Important Security Note: This assessment may reveal sensitive information about your organisation's security posture. Work with your security team and do NOT share specific findings publicly. Focus on learning and improvement, not criticism.

Instructions

Step 1: Review your current network monitoring capabilities. Can you detect encrypted traffic anomalies, unusual DNS queries, and lateral movement patterns? Document what monitoring tools you have and what blind spots exist.

Step 2: Assess your endpoint detection coverage. Do you monitor for process execution anomalies, file system changes, and privilege escalation attempts? Identify gaps in your current endpoint security stack.

Step 3: Evaluate your identity and access monitoring. Can you detect credential abuse, unusual login patterns, and service account compromise? Review your current identity security controls.

Step 4: Test your incident response procedures. Do you have documented playbooks for ransomware incidents? Are communication channels established? Is your backup recovery process tested and validated?

Submission

For the course discussion forum, share general learnings only:

  • What categories of detection capabilities proved most important for your organisation type?
  • Which assessment questions revealed the most significant gaps?
  • What frameworks or resources helped structure your evaluation?

Do NOT share: Specific vulnerabilities, security tool details, or configuration information that could compromise your organisation's security posture.

Review and comment on at least two other students' submissions, focusing on shared challenges and potential solutions.


Content Section 4: Building Your Compliance Evidence

Think of compliance documentation like an insurance policy - you hope you never need it, but when auditors come calling, you'll be grateful for every piece of evidence you've collected.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA Article 8 auditors, you can now demonstrate understanding of ICT risk management requirements specific to ransomware threats and your organisation's operational resilience measures.

For ISO 27001 A.8.24 assessors, you can evidence integration of ransomware security considerations into project management processes and system deployment procedures.

For NIST CSF DE.CM-1 reviewers, you can show implementation of continuous monitoring capabilities designed to detect sophisticated ransomware attack patterns.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Ransomware readiness assessment completion reference
  • Follow-up actions identified for your organisation

Conclusion

Let me tell you how Marcus's story ended.

The ransomware attack cost Marcus's organisation £47 million in direct costs, including ransom payment, system recovery, legal fees, and regulatory fines. Marcus himself faced intense scrutiny during the incident response, though investigators ultimately concluded that the attack succeeded due to systematic security gaps rather than individual failure.

The organisation eventually implemented comprehensive network monitoring, endpoint detection and response tools, and regular security awareness training. They also established a dedicated threat hunting team and improved their incident response procedures. Marcus now leads their security operations centre, applying the hard-learned lessons from that March morning.

But it doesn't have to be your story. That's why we're here.

You should now understand how modern ransomware operates using double extortion models. You understand why traditional security measures often fail against sophisticated attacks. You know the key indicators to monitor across network, endpoint, and identity systems. And you understand how to build compliance evidence while improving your organisation's ransomware readiness.

Next, we'll explore Lesson 1.2: Advanced Persistent Threat Detection. We'll examine how nation-state actors and sophisticated criminal groups maintain long-term access to networks, and why detecting these threats requires fundamentally different approaches than traditional malware detection.

See you there.


Key Takeaways

1. Double Extortion Changes Everything: Modern ransomware combines data theft with encryption, making traditional backup strategies insufficient and requiring comprehensive data protection measures.

2. Extended Dwell Time Enables Sophisticated Attacks: Attackers spend weeks or months in networks before deploying ransomware, using this time for reconnaissance, data theft, and disabling security measures.

3. Detection Requires Multi-Layer Monitoring: Effective ransomware detection needs correlation across network traffic analysis, endpoint behaviour monitoring, and identity access patterns.

4. Compliance Frameworks Demand Proactive Measures: DORA, ISO 27001, NIST CSF, and other frameworks require organisations to implement specific controls for ransomware threat management and operational resilience.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Network traffic indicators, endpoint behaviour patterns, and identity access anomalies specific to ransomware reconnaissance and data exfiltration phases
  • Compliance Mapping Worksheet - Map your organisation's ransomware detection and response controls to DORA Article 8, ISO 27001 A.8.24, NIST CSF DE.CM-1, and other framework requirements
  • Risk Assessment Template - Evaluate your organisation's exposure to double extortion ransomware based on network monitoring gaps, endpoint security coverage, and backup system vulnerabilities identified in this lesson
  • Further reading - Links to DORA technical standards, NIST CSF implementation guidance, and threat intelligence sources for ransomware indicators of compromise

Under Armour - 72,742,892 breached accounts Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now — Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.


Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.