Managed service providers entered 2026 as the single highest-leverage target class in the ransomware economy. Why the channel is now the front line, which TTPs operators are running against MSPs specifically, and what the better-run shops have already changed.
A 2026 retrospective on the international takedown that displaced LockBit at the top of the ransomware ecosystem — what stuck, what reverted, where the affiliate workforce migrated, and what the next coordinated action should learn from the playbook.
Through 2024 and 2025 a quiet rebalancing happened: password-phishing fell, session-cookie theft via infostealers surged, and “we have MFA” stopped meaning what defenders thought it meant. A 2026 field guide to the technique and the controls that actually answer it.
A data-led snapshot of who’s actually being ransomed in 2026 — which sectors are losing ground, which operators are pulling away from the pack, and which national-level patterns the leak-site economy reveals.
A 2026 attribution playbook for ransomware investigations — combining TTP fingerprinting against MITRE ATT&CK, ransom-note artifact analysis, leak-site monitoring, and the open-source intelligence pivots that hold up under scrutiny.
A 2026 walkthrough of the typical infostealer-log archive — what files it contains, what each one means, and how defenders parse them with Python and jq for downstream incident response.
A 2026 practitioner walkthrough of Active Directory hardening against the lateral-movement, credential-theft, and persistence techniques that modern ransomware operators rely on — Tier 0 isolation, DSRM rotation, PRT theft mitigation, and AD audit baselines.
A practitioner walkthrough of building a ransomware-specific incident response runbook in 2026 — combining NIST SP 800-61 r3, CISA’s #StopRansomware playbook, and the lessons from named incidents on the Ransomtracker leak feed.
A 2026 self-doxxing tutorial — run the same OSINT tools attackers use, on yourself, to find every account, leaked credential, and broker entry tied to your identity. With remediation steps for each finding.
A 2026 OSINT workflow for mapping the external attack surface of any organisation using only public data — internet-scan engines, certificate transparency, and authenticated vulnerability templates.