惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LangChain Blog
W
WeLiveSecurity
P
Proofpoint News Feed
月光博客
月光博客
NISL@THU
NISL@THU
L
LINUX DO - 最新话题
Webroot Blog
Webroot Blog
T
Threatpost
Y
Y Combinator Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Threat Research - Cisco Blogs
Vercel News
Vercel News
Jina AI
Jina AI
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
J
Java Code Geeks
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
小众软件
小众软件
MyScale Blog
MyScale Blog
N
News and Events Feed by Topic
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
The Hacker News
The Hacker News
Schneier on Security
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
Recent Announcements
Recent Announcements
S
Security @ Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Securelist
T
The Exploit Database - CXSecurity.com
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
雷峰网
雷峰网
量子位
Google DeepMind News
Google DeepMind News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Spread Privacy
Spread Privacy
L
Lohrmann on Cybersecurity
I
Intezer
T
The Blog of Author Tim Ferriss
G
GRAHAM CLULEY
D
DataBreaches.Net
V
Vulnerabilities – Threatpost
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
罗磊的独立博客

WeLiveSecurity

Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
The calm before the ransomware storm: What you see is not all there is
Tomáš Foltýn · 2026-04-24 · via WeLiveSecurity

Ransomware

A breach claims the systems as well as the confidence that was, in retrospect, a major vulnerability

24 Apr 2026  •  , 5 min. read

The calm before the ransom: What you see is not all there is

There’s a bit of a pattern in the history of organizational failures that repeats too often to be a coincidence: A system runs smoothly for a long stretch, causing everyone to grow confident in it. Almost invariably, this also quietly erodes the vigilance that kept the system running smoothly in the first place. And then the system fails – at the precise moment when everyone involved would have told you it was in excellent shape.

Counterintuitive as it may sound, stability itself can be destabilizing. It breeds complacency, which then reduces investments in preparedness and widens the gap between actual and perceived risk. Author Morgan Housel compressed this pattern into six words: “calm plants the seeds of crazy.” This plays out rather visibly and with near-clinical regularity in financial markets, but since it’s woven into the warp and woof of human psychology, cybersecurity is by no means spared from it.

And so it is that a company that hasn’t been breached is prone to viewing its security posture as adequate. Calm feels like evidence that the danger has passed, which changes behavior in ways that reintroduce the danger. The assumption hardens quietly, even if no one may state it explicitly: if nothing’s gone wrong, then our controls must be excellent. But in some cases, this may be mistaking the absence of evidence for evidence of absence.

Or, viewed through another lens, the absence of a visible incident is just silence, and silence can mean several things. The company with an immaculate record may indeed have top-notch defenses. But it may also have avoided the attention of anyone ill-intentioned and dedicated enough yet – there are many fish in the sea, after all.

Which raises at least two questions worth asking: Do you know that your environment is as safe as it can be against threats doing the rounds now? Or do you only know that your (baseline) controls are in place? Many organizations answer the second question while believing that they’ve answered the first one. They may resort to compliance frameworks, although those don’t necessarily check whether the measures are adequate against the threats that are doing the rounds right now. So, a company could be compliant and exposed at the same time. (Can you, too, smell the paradox of Schrödinger's cat?)

Yet more traps

The formal state of an organization’s security is easy to measure and – assuming all turns out well – also easy to feel good about. Whether an employee’s login credentials are changing hands on dark web marketplaces or whether your organization’s EDR tool can under some circumstances be defanged by an easily available ‘anti-tool’ – that’s harder to assess without looking in places many organizations don’t think to look.

Indeed, the human tendency, absent deliberate correction, is to lean on easily available information in order to build what it believes is a coherent story. This happens at the expense of hard-to-obtain information and with blissful disregard for which of the two categories is more instructive. Crucially, the mind doesn’t flag what’s missing – the picture feels complete and the confidence feels earned regardless. The late psychologist Daniel Kahneman coined an acronym for the habit: WYSIATI (What You See Is All There Is).

The problem may worsen further when you consider how many decision-makers think about risk: if something can’t be measured, it doesn’t matter. In practice, the opposite is often closer to the truth, to the point that the underlying problem has earned the status of a fallacy. Without further belaboring the point, suffice it to say now that once you see at least some of the traps, you can’t ‘unsee’ them.

eti-ecrime

In its 2025 Data Breach Investigations Report, Verizon put a number on how wide the gap between perceived security and actual exposure can get: it found that 54% of ransomware victims had their domains appear in at least one infostealer log or illicit marketplace posting before the attack. The access details were already circulating – and in some cases the breach may have already occurred – even when everything seemed in order.

This kind of blind spot hits hardest in companies whose security stack fails to flag attackers’ behavioral footprints, such as attempts to disable security processes. Remedying it requires changing what’s visible and using the right tools – the kind of tools that go beyond confirming that controls are in place and flag that something in the environment is behaving suspiciously.

When the confidence shatters

This all matters also because a ransomware intrusion is a business continuity event whose effects extend far and wide. When Change Healthcare fell victim to ransomware in 2024, the downstream impact on hospitals and pharmacies lasted months, not to mention that the incident hit nearly the entire U.S. population. The total cost was an estimated $3 billion. A ransomware attack on Jaguar Land Rover in 2025 caused similar financial damage.

Meanwhile, IBM puts the average cost of a data breach at around $5 million, including downtime, recovery, and downstream damage. Specifically for healthcare organizations, the average is almost $10 million. And the figures don’t capture the long tail, such as customer contracts that aren’t renewed or insurance premiums that spike.

eset-world-2026-invite

The damage compounds over months and years, especially where stolen data ends up on a dedicated leak site (DLS), as is so often the case these days. The public exposure of corporate data triggers a crisis in its own right as the dumped contracts, emails and personal data become fodder for follow-on attacks, such as phishing and business email compromise (BEC) fraud.

Regulatory obligations also kick in soon enough. At the same time, customers and partners start asking questions that the company often even has no way of answering. And there’s still another caveat that defenders should keep in mind: the data only reflects what the criminals choose to ‘advertise’ – it’s thought that only a small portion of ransomware victims have their data dumped on the sites.

Discipline is everything

In addition to the right tools and people, security that holds up over time rests on the habit of watching and adapting. This all is predicated on awareness of what’s happening in the threat environment, not to mention your own IT environment.

Admittedly, maintaining constant vigilance in the absence of a visible and acute threat is expensive – psychologically, that is. Humans are poorly suited to staying alert for events that don’t feel imminent, and the drift towards complacency is so gradual that it rarely registers as a decision anyone made.

But as the threat side of the ‘equation’ never holds still, the defense side can’t, either. Threat intelligence, especially the kind that delivers a wealth of signals about active campaigns, is the backbone of that awareness. It’s what security tools can ‘convert’ into detections and alerts that let security teams act in time. Without it, the gap between what an organization believes about its security and what’s actually true may continue to widen – until it’s closed, rather expensively, by cybercriminals.


Let us keep you
up to date

Sign up for our newsletters