Ransomware Resilience: Lessons Learned for Protection Today


In a recent webinar titled Ransomware Resilience: Lessons Learned for Protection Today (replay available on demand), two of cybersecurity’s most seasoned leaders, Jon Miller, CEO and Co-Founder of Halcyon, and Simon Reed, Chief Research and Scientific Officer at Sophos, sat down to discuss why ransomware continues to thrive, how ransomware impacts organizations, and how collaboration and resilience are reshaping the fight.
Their insights painted a realistic but hopeful picture of how organizations can shift the balance of power by combining intelligence, adaptive defense, and operational resilience. The conversation underscored that defeating ransomware is not just about better technology, but also about building resilience, coordinating faster, and staying educated on how modern ransomware attacks unfold.
Why Ransomware Keeps Winning
Ransomware has dominated cybersecurity conversations for more than a decade, yet incidents keep rising in volume and severity. Both Miller and Reed agree that this persistence is not due to complacency among defenders; it is the inevitable outcome of an efficient underground economy.
“Attackers are ultra-dynamic and growing in numbers,” Miller explained. “They’re small, disciplined groups that keep adapting faster than traditional defenses. The bar for entry is dropping, and the profits are too high for it to slow down.”
Reed approached the problem through an economic lens. “Ransomware is the most productive and leveraged way to turn malicious technical skills into money.” The people behind these operations are not lone hackers; they are entrepreneurs running efficient, scalable, and well-funded criminal businesses. “They have a long history of succeeding, making good returns, being well-funded, and thus very motivated.”
This economic incentive structure is what makes ransomware different from the nuisance malware of years past. It has become an industry with service models, affiliate programs, and supply chains. Every participant, whether developer, broker, or negotiator, has a defined role and a share of the profit.
Miller added that while defenders have improved, attackers exploit two persistent asymmetries: the absence of consequence and the ubiquity of opportunity. “There’s no consequences for this,” he said. “In very few cases do authorities actually arrest anyone significant. Outside of that, a lot of this is coming out of Russia, and it’s all above board there. You end up with the most profitable business that’s ever been invented.”
He also pointed to cryptocurrency as an accelerant. “You’re not sending a wire transfer to somebody’s bank anymore.” Digital currency streamlined the payment process and anonymized the flow of funds, eliminating one of the last friction points in the extortion cycle.
The Lowering Bar for Attackers
Both experts highlighted how the technical skills required to run ransomware operations have changed dramatically. “It used to be you needed to be a coder to be an effective hacker,” Miller said. “With ransomware, it’s more about sys-administration skills. Do you know how to run code on remote systems?”
This shift has opened the door to a wider range of participants, fueling more frequent and faster-moving campaigns. Combined with the ready availability of exploits, remote monitoring and management (RMM) tools, and stolen credentials, even modestly skilled attackers can inflict outsized damage.
Reed agreed, noting that attackers increasingly operate with the efficiency of professional organizations. “These are commercial cyberattacks,” he said. “They’re building leveraged, optimized businesses.” The profit motive ensures constant reinvestment in tools, infrastructure, and affiliates. “As long as the returns are good, they’ll keep scaling.”
Why Defenders Struggle to Keep Pace
It isn’t that defenders are failing at their jobs; it’s that the threat has evolved faster than the security model designed to stop it. Miller summarized the challenge succinctly. “They can just go out and either find or buy a zero day, turn around over the next couple weeks, and hack a hundred companies with it, and have a fantastic ROI.”
Attackers move quickly, and their advantage lies in speed and surprise. Traditional patching cycles, segmented responsibilities, and alert fatigue make it difficult for organizations to keep pace. “It’s a new kind of level of threat. After 25 years of doing due diligence and building best-in-class programs, defenders must readjust to what attackers are doing today,” Miller said.
Reed further emphasized that defenders must think in terms of containment rather than prevention. “You have to work on the basis that you will get penetrated at some point, and you need to cap off the attack quickly, and localize it before they get into your control plane.”
The Cost of Compromise: Business and Human Impact
When ransomware strikes, it’s not just data at risk. The damage ripples through operations, customers, and entire supply chains. Both Sophos and Halcyon run teams that help victims recover, and both speakers have witnessed the toll firsthand.
Reed described the worst-case scenario. “When the attackers get into what I call the control plane of the company, they have complete admin-level access across all of the infrastructure. That becomes a systemic threat to the company’s operation.” Once attackers seize that level of control, it’s no longer an IT issue; it’s an existential business crisis.
Beyond immediate downtime, the long-term harm comes from loss of trust. “It destroys your customers’ trust,” Reed said. “Other businesses interact with you because you’re reliable, because they trust you with their data, money, and systems. Once that’s gone, rebuilding it takes years.”
Miller echoed that sentiment. “If you’re fully breached, you’re looking at three weeks of the worst three weeks of your career, hands down. Even if you pay, it still takes forever. You’re never sure they’re gone, and you’re never sure you got all your data back.”
He pointed out that attackers deliberately seek the most leverage by targeting operations that can’t afford downtime. “When core systems go down, it breaks a company’s ability to transact business. Attackers know that and specifically target it.”
Collaboration as a Force Multiplier
Traditional industry information sharing often stops at exchanging indicators of compromise (IOCs), which is valuable but shallow. Miller and Reed described a new model: operational collaboration in context.
Reed explained, “The step up in the collaboration with Halcyon is to focus not just on sharing IOCs, but on particular attackers in particular environments within our shared customer base. We bring a game plan that is two against one, our two companies against a single attacker.”
Miller called it a new defensive paradigm. “You can’t watch yourself from getting shot in the back, but nobody’s ever really done it before. If you want to get past us, you’re going to have to trick both of us at precisely the right time without sending a signal that lets us know something’s going on.”
That level of synchronization makes the adversary’s job exponentially harder. “We don’t need perfect security,” Miller said. “We need an obstacle big enough that it makes no sense for them. You break the ROI; they’ll just go hack somebody else.”
Reed summarized it as adaptive collaboration. “It’s about changing the ratio of effort versus reward. If we can make attacks more costly and less successful, the economics stop working in their favor.”
The Role of Resilience
While collaboration expands visibility, resilience ensures survival when prevention fails. Both leaders stressed that modern ransomware defense is as much about response and recovery as it is about detection.
“We’re more about the resilience,” Miller said. “How do you isolate, how do you recover, how do you kick them out? That’s where we’ve focused a lot of our functionality, on the worst-case scenario.”
He explained how Halcyon’s approach complements endpoint detection and response (EDR) platforms such as those from Sophos. “They take the brunt of everything. We sit behind them and ask, ‘Could it be ransomware?’ It’s a second layer that focuses on isolation, recovery, and ensuring backups can’t be compromised.”
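To make the “Could it be ransomware?” second layer concrete, here is an added example of the kind of behavioral check such a layer runs. It is not Halcyon’s or Sophos’s code; it assumes a telemetry feed that reports, per process, file writes (with the written bytes or a sample of them) and renames, and the event stream, thresholds, and canary path below are constructed for illustration. The “isolate” verdict is the point at which the host would be cut off from the network and recovery started.

```python
"""Behavioral "could it be ransomware?" heuristic over a file-event stream.

Added example, not Halcyon's or Sophos's code. Three signals are scored per
process: a burst of high-entropy writes (encrypted output looks random), a
mass rename to one new extension, and any touch of a canary file that no
legitimate process should modify. Event feed and thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict
from os.path import splitext

# Hypothetical canary file planted on a share; constructed for this example.
CANARY = "/srv/share/~$do_not_touch.xlsx"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform); ciphertext sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_in_window(times, window_s):
    """Largest number of timestamps that fall inside any window of window_s seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def assess(events, window_s=60.0, burst=20, entropy_floor=7.5, canaries=frozenset()):
    """Return {pid: {"verdict": "benign"|"watch"|"isolate", "reasons": [...]}}."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        reasons = []

        # Signal 1: many high-entropy writes in a short window.
        hot = [e["t"] for e in evs
               if e["op"] == "write" and shannon_entropy(e["data"]) >= entropy_floor]
        n_hot = max_in_window(hot, window_s)
        if n_hot >= burst:
            reasons.append(f"{n_hot} high-entropy writes within {window_s:.0f}s")

        # Signal 2: mass rename to a single new extension (e.g. ".locked").
        new_ext = Counter(splitext(e["dst"])[1] for e in evs if e["op"] == "rename")
        if new_ext:
            ext, k = new_ext.most_common(1)[0]
            if ext and k >= burst:
                reasons.append(f"{k} files renamed to '{ext}'")

        # Signal 3: any write or rename touching a canary path.
        paths = set()
        for e in evs:
            paths.update(p for p in (e.get("path"), e.get("src"), e.get("dst")) if p)
        touched = paths & set(canaries)
        if touched:
            reasons.append(f"canary touched: {sorted(touched)}")

        if touched or len(reasons) >= 2:
            verdict = "isolate"
        elif reasons:
            verdict = "watch"
        else:
            verdict = "benign"
        verdicts[pid] = {"verdict": verdict, "reasons": reasons}
    return verdicts


# Constructed sample telemetry: pid 100 is an office app saving prose,
# pid 200 rewrites 30 documents with random-looking bytes, renames them,
# and finally touches the canary.
HIGH = bytes(range(256)) * 4                      # entropy exactly 8.0 bits/byte
LOW = b"Quarterly report, draft 3.\n" * 40         # prose-like, low entropy


def sample_events():
    evs = [
        {"pid": 100, "t": 0.0, "op": "write", "path": "/srv/share/report.tmp", "data": LOW},
        {"pid": 100, "t": 1.0, "op": "rename", "src": "/srv/share/report.tmp",
         "dst": "/srv/share/report.docx"},
        {"pid": 100, "t": 5.0, "op": "write", "path": "/srv/share/notes.txt", "data": LOW},
    ]
    for i in range(30):
        p = f"/srv/share/doc{i}.docx"
        evs.append({"pid": 200, "t": 100.0 + i, "op": "write", "path": p, "data": HIGH})
        evs.append({"pid": 200, "t": 100.5 + i, "op": "rename", "src": p, "dst": p + ".locked"})
    evs.append({"pid": 200, "t": 131.0, "op": "write", "path": CANARY, "data": HIGH})
    return evs


if __name__ == "__main__":
    for pid, v in assess(sample_events(), canaries={CANARY}).items():
        print(pid, v["verdict"], v["reasons"])
```

Each signal on its own produces false positives (compression tools write high-entropy data, a backup job renames in bulk), which is why a single hit only raises “watch” while two hits, or any canary touch, escalate to “isolate”. A real deployment would tune the window and burst size to the host’s normal write rate and sample only a prefix of each written file rather than hashing every byte.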
Reed reinforced the basics that often get overlooked. “A good number of attacks start with a weakly configured or unpatched perimeter device. Do everything possible to catch the attack while it’s still localized. Then clean your estate of unmanaged devices; those are gold dust to attackers.”
Both also stressed that resilience depends on understanding which groups are most likely to target your sector. “Ransomware groups that target hospitals target hospitals,” Miller noted. “You can read their tradecraft and literally check whether you have the controls that stop them.”
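Reading a group’s tradecraft and checking whether your controls stop it can be done mechanically. The example below is added here and is not Halcyon’s or Sophos’s tooling: it takes a hypothetical actor profile expressed as MITRE ATT&CK technique IDs (the profile and the control inventory are constructed for illustration, not a real group’s data) and reports which techniques no implemented control addresses. A control that counters a parent technique is treated as countering its sub-techniques.

```python
"""Threat-informed control gap check.

Added example, not Halcyon's or Sophos's code. Input: the techniques a
ransomware group is reported to use (constructed, hypothetical profile keyed
by ATT&CK IDs) and an inventory of the organization's controls with their
deployment status. Output: which techniques are covered, only partially
covered, or not covered by any implemented control.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    status: str            # "implemented", "partial", or "missing"
    techniques: frozenset  # ATT&CK IDs this control counters


def parent(tid: str) -> str:
    """T1021.001 -> T1021. A control for the parent also counts for sub-techniques."""
    return tid.split(".", 1)[0]


def covering_controls(tid, controls):
    """Controls whose technique list names tid or its parent technique."""
    return [c for c in controls if tid in c.techniques or parent(tid) in c.techniques]


def gap_report(actor_techniques, controls):
    """Return {"covered": {tid: [names]}, "partial": {tid: [names]}, "uncovered": [tids]}."""
    report = {"covered": {}, "partial": {}, "uncovered": []}
    for tid in sorted(actor_techniques):
        cs = covering_controls(tid, controls)
        full = [c.name for c in cs if c.status == "implemented"]
        part = [c.name for c in cs if c.status == "partial"]
        if full:
            report["covered"][tid] = full
        elif part:
            report["partial"][tid] = part
        else:                      # no control, or only controls marked "missing"
            report["uncovered"].append(tid)
    return report


# Constructed profile of a hypothetical group that targets hospitals.
# IDs are real ATT&CK technique IDs; the attribution is invented for the example.
HOSPITAL_ACTOR = {
    "T1133": "External Remote Services",
    "T1078": "Valid Accounts",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1219": "Remote Access Software",
    "T1490": "Inhibit System Recovery",
    "T1486": "Data Encrypted for Impact",
    "T1567": "Exfiltration Over Web Service",
}

# Constructed inventory of one organization's controls.
CONTROLS = [
    Control("MFA on VPN and all external access", "implemented", frozenset({"T1133", "T1078"})),
    Control("RDP blocked at perimeter, internal segmentation in progress", "partial", frozenset({"T1021"})),
    Control("Allow-list of sanctioned RMM software", "missing", frozenset({"T1219"})),
    Control("Offline immutable backups, alert on shadow-copy deletion", "implemented", frozenset({"T1490"})),
    Control("Egress filtering of cloud-storage domains", "missing", frozenset({"T1567"})),
]


if __name__ == "__main__":
    report = gap_report(HOSPITAL_ACTOR, CONTROLS)
    for bucket in ("covered", "partial", "uncovered"):
        print(bucket.upper())
        for tid in report[bucket]:
            detail = report[bucket][tid] if isinstance(report[bucket], dict) else ""
            print(f"  {tid:10} {HOSPITAL_ACTOR[tid]:45} {detail}")
```

The uncovered list is the actionable output: for this constructed profile it surfaces that nothing stops unsanctioned remote-access tools, nothing blocks the encryption step itself, and exfiltration to web services is unfiltered, while the partial bucket flags RDP segmentation as a control that exists on paper but is not finished. Swapping in a different group’s technique list reruns the same check against the same inventory.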
Escalating Tactics and Psychological Warfare
The conversation also underscored how ransomware has evolved from pure encryption into multifaceted coercion. Double extortion, encrypting systems while also threatening to leak the data stolen before encryption, is now standard, but many groups go further. “They will look into the data and say, if you don’t do this, I’m going to use this data maliciously against you,” Miller explained.
Reed called out the human toll. “The bit that gets to me as a human is the victimization of executives and CISOs. The interactions attackers have are sophisticated psychological warfare, pressuring people until they’re exhausted and compliant.”
Examples include targeting hospitals, schools, and even daycare centers, leaking medical or personal data to increase public humiliation and urgency. “Every time you hack a hospital, somebody dies,” Miller said, citing University of Minnesota research that linked ransomware incidents to delayed surgeries and higher mortality. “This isn’t arguing whether it’s okay to hack a casino; ethics are out the window here.”
The Expanding Supply Chain Threat
The discussion turned to supply chain attacks, which both speakers see as the next wave of risk. “That’s the beauty of the supply chain,” Miller said. “It can be a shipping company, a software developer, a cloud provider. The dependencies are endless. If you disrupt one, you create global impact.”
Reed warned that the rapid adoption of AI-assisted coding could magnify the problem. “Within maybe five years, an order of magnitude more software will be built and deployed. That means more attack surface, more complexity, more things to patch, and more credentials stored insecurely.”
Miller added another dimension: homogeneity. “If everyone’s using the same LLMs to build code, the same problem gets introduced everywhere. For the first time, you’ll see cross-platform, cross-vendor zero days.” Both agreed that uniformity breeds fragility. True security lies in diversity, layered defenses, and visibility across shared ecosystems.
The Policy Debate: To Pay or Not to Pay
The webinar also touched on the ongoing debate over ransom payments and proposed bans. Both experts see criminalizing payments as misguided.
“Banning payments is counterproductive,” Reed said. “Every company needs to make its own decision about the balance of the situation they’re in. We should focus on reducing profitability, not punishing victims.”
Miller took it further. “You’re literally taking victims and talking about making legislation that makes a victim a criminal, instead of asking why we’re not going after the people hacking them.”
He also warned that these laws could chill information sharing. “When you start talking about making payment illegal, lawyers don’t want to talk about it, and it breaks intelligence sharing. If people are worried they’ll get in trouble, they won’t share how they were compromised, and others stay exposed.”
Shifting the Advantage
The most important takeaway from the discussion was that defeating ransomware isn’t about perfection; it’s about economics. Attackers move where the reward-to-effort ratio is highest. If defenders can invert that ratio, the business model collapses.
As Miller explained, the goal isn’t to achieve flawless security, but rather to make attacks costly and inefficient — if breaching the system isn’t worth the effort, attackers will likely move on searching for an easier target.
Reed echoed the same principle from an industry standpoint. “The more we shine a light on this, the more we support companies that do the right thing and disclose properly, the more we collectively put pressure on bad actors.”
Their message was pragmatic but optimistic. Ransomware will remain a long-term, adaptive threat, but defenders can make it unprofitable through shared context, faster response, and resilient recovery. Collaboration between solution providers like Halcyon and Sophos exemplifies a new model, one that treats cybersecurity not as isolated competition but as a team sport.
In the end, as Miller put it, resilience is not about never getting hit. It’s about getting back up faster than the attacker can adapt. “Make it harder than they’re willing to put in the effort for,” he said. “Change the math, and you change the game.”
The Halcyon Ransomware Research Center and Sophos X-Ops continue to share data, insights, and practical guidance to help organizations stay ahead of evolving ransomware threats. The full webinar recording, Ransomware Resilience: Lessons Learned for Protection Today, is available on demand.