Abstract
The SANS Ransomware Summit 2024 brought together 5,100 virtual attendees who generated nine new open-source repositories before the closing keynote. This article converts the live graphic recordings into a searchable knowledge base, highlights previously unpublished indicators of compromise, and introduces an upcoming 2025 community drill that will test pre-quantum encryption abuse and deep-fake extortion scenarios.
decrypting-the-ransomware-diaries
Amanda Rees reversed six months of underground forum chatter and released a 47-rule YARA package that differentiates early-stage LOCKBIT, BLACKCAT and CACTUS artefacts. Each rule is mapped to a MITRE ATT&CK technique and stored in a GitHub release that is automatically scanned for false positives by a fine-tuned CodeBERT model.
unmasking-cyber-shadows
Stephanie Regan demonstrated a low-cost hunting pipeline: Velociraptor + Sigma + Kusto. Queries are published under CC-BY-SA and can be imported into Azure Sentinel or Chronicle with two clicks. The pipeline reduced mean time to detect lateral movement from 14 h to 51 min during a 30-day volunteer SOC trial.
drone-strike-to-file-recovery
Matt Lin traced a nation-state wiper that arrived through a DJI firmware update channel. The supplied memory dump, converted to LiME format, contains the first public capture of a MIPS-32 ransomware dropper. A companion Volatility profile and Ghidra script are available in the repo; 38 analysts have already submitted pull requests that improve the disassembler signatures.
cloud-ransom-running-wild
Peter O showed that 68 % of examined 2024 cases abused Object-Version-Delete within 15 min of initial access. A CloudFormation honey-pot now replays the behaviour and streams findings to an open MISP instance. The template costs less than three US dollars per week to run and auto-cleans after 30 days.
data-leak-sites-uncomfortable-truths
Michael Rogers scraped 41 leak blogs and released a STIX-2.1 bundle that maps each post to an organisation, revenue band, and stolen data category. The bundle refreshes every six hours and feeds the Leak-Site-Monitor repo, letting any non-profit run its own early-warning dashboard without third-party APIs.
panel-active-defence-strategies
Consensus emerged on three cost-neutral controls:
- application allow-listing through native Windows Defender Application Control
- service account segmentation via Azure PIM just-in-time admin
- cloud-backup immutability using time-based one-time signatures (RFC 8934)
atomic-ransomware-emulation
The DFIR Report team open-sourced a Go rewrite of their previous YAML play-set. New modules target GCP service accounts and Entra ID conditional-access abuse. A GitHub Action runs the full chain inside a throw-away lab every 24 h and publishes PCAP, EVTX and JSON-L logs for training purposes.
2025-community-battle-drill
A call for 10-minute live demos opens on 01 December 2025. Participants must containerise an attack or defence script that abuses either post-quantum key exchange or AI-generated voice extortion. The winner receives a GIAC GRID voucher and a six-month mentor slot with the SANS instructors who chaired this year’s summit.
indicators-of-compromise
All IOCs referenced above are maintained in a single repository that provides Suricata, Snort and CSV formats. A SHA-256 change-set is committed automatically every six hours; the median delay between real-world appearance and public availability is 2 h 11 min. No registration or commercial key is required for access.
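As an added illustration of the pipeline sketched above (not code from the summit repository), the snippet below takes a constructed CSV of domain and IP indicators, renders them as Suricata rules with stable SIDs, and uses a SHA-256 digest of the rendered file to decide whether a new change-set needs committing. The CSV column layout, the SID range and the sample values are assumptions.

```python
import csv
import hashlib
import io

# Constructed sample in the assumed layout (type,value,description);
# the real repository's column names are not given on the page.
SAMPLE_CSV = """type,value,description
domain,lockbit-c2.example,LockBit staging domain (constructed)
ip,192.0.2.44,BlackCat exfil host (constructed)
domain,cactus-update.example,CACTUS loader (constructed)
"""

SID_BASE = 9000000  # assumed local-rule SID range (outside vendor ranges)


def parse_iocs(text):
    """Return (type, value, description) rows; unknown types are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["type"] in ("domain", "ip"):
            rows.append((row["type"], row["value"].strip(), row["description"]))
    return rows


def to_suricata(iocs):
    """Render each IOC as a Suricata rule.

    Rows are sorted before numbering so a given indicator keeps the same SID
    across regenerations; otherwise every refresh would churn the change-set.
    """
    rules = []
    for n, (kind, value, desc) in enumerate(sorted(iocs)):
        sid = SID_BASE + n
        msg = desc.replace('"', "'")  # keep the msg field well-formed
        if kind == "domain":
            rules.append(f'alert dns any any -> any any (msg:"{msg}"; '
                         f'dns.query; content:"{value}"; nocase; sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert ip any any -> {value} any (msg:"{msg}"; sid:{sid}; rev:1;)')
    return "\n".join(rules) + "\n"


def sha256_of(text):
    return hashlib.sha256(text.encode()).hexdigest()


def changed(previous_hash, ruleset):
    """True when the rendered rule set differs from the last committed digest."""
    return sha256_of(ruleset) != previous_hash
```

Running `to_suricata(parse_iocs(SAMPLE_CSV))` twice yields byte-identical output, so `changed()` only fires when an indicator is added, removed or edited.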
conclusion
By converting graphic summaries into executable code and continuously integrating community feedback, the 2024 ransomware summit has produced a living defence kit rather than a static after-action report. Practitioners are encouraged to fork the repositories, submit improvements and enrol in next year’s drill to help keep the corpus accurate as threats evolve.