Hello and welcome to the Thursday, May 28, 2026 edition of the Sands Internet Stormsendors Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu undergraduate certificate program in cyber security fundamentals.

Well, I assume nobody here likes ransomware, but one thing I do like is a great write-up explaining how to early detect a ransomware.

Manuel wrote up an Akira ransomware Kill Chain, which essentially walks you through

the about one week of activity that was conducted by this particular threat actor against a network

from which Manuel was able to obtain logs. Now, what was interesting is that really there were some early signs that something wasn't

right, and that was a large number of failed authentication events against the SSL VPN.

As so often, well, the secure device here, the SL VPN did sort of cause or provide the initial access.

Now, here in this case, it was basically just credential brute forcing.

The attacker eventually got lucky and was able to log in.

So there was no specific exploit used here.

Next, we then had the internal discovery where the attacker was essentially

probing the network, sort of trying to connect to Windows shares and doing the usual Who Am I and

such, so all actually things that are relatively easy to detect if you are properly instrumented,

and then of course, lateral movement

via RDP, also a very typical ransomware strategy. Well, in summary, it took them about a week

to actually start the encryption. So there were actually quite a few sort of early indicators

that may have helped to then prevent the actual encryption and exfiltration potentially here of the data.

Manuel walks you through all the different indicators, all the log IDs and such to look for in order to identify this activity in your

network, hopefully before it gets encrypted by a similar attack.

Well, I have talked before about phishing resistant authentication. Fishing resistant authentication

...