The Backup Wrap-Up

Fileless malware is one of the most dangerous attack types out there — it never writes to your hard drive, lives entirely in RAM, and can steal your credentials before your antivirus has any idea it's there. In this episode, I bring in Dr. Mike Saylor — my co-author on Learning Ransomware Response & Recovery — to break down exactly how this attack works, why it's so hard to detect, and what you can actually do to protect yourself.
Mike walks us through how fileless malware hides in memory, how bad guys maintain their foothold even after a reboot by modifying registry keys or rewriting the operating system itself, and why the ArcGIS attack is a perfect real-world example — attackers sitting undetected inside a network for two years. We also get into MFA, specifically why a lot of MFA setups are done wrong, why passkeys are the better answer, and when it's time to bring in an EDR or XDR tool.
Fair warning: the action items here are a bit more advanced than our usual stuff. Think of this as the 401k conversation — don't have it before you've built your emergency fund. But this is stuff you absolutely need to know.
00:01:26 - Welcome & intro
00:04:43 - What is fileless malware?
00:09:16 - How fileless malware achieves persistence (ArcGIS case study)
00:15:02 - Can fileless malware spread beyond one machine?
00:16:43 - Defending yourself: MFA done right
00:20:38 - Why passkeys beat MFA
00:23:00 - EDR and XDR explained
00:28:03 - How modern EDR tools detect fileless malware
00:30:01 - Wrap-up and action items

A living off the land attack is one of the sneakiest techniques in a ransomware operator's playbook — and in this episode, Dr. Mike Saylor breaks down exactly what it is, how it works, and what your organization can actually do about it.
Instead of bringing their own tools into your environment (which might trip your alarms), attackers just use what's already there. PowerShell. WMI. RDP. The same tools your admins run every single day. To your monitoring systems, it looks completely normal. That's the whole point.
Mike and Curtis cover why attackers prefer your tools over their own, how recon can quietly run for 30 to 90 days before the attack goes loud, and what defenders can actually do about it — removing admin privileges, system hardening, golden images, application whitelisting, and free tools like Nmap and Wireshark. There's also a match.com story involving organized crime and a wooden casket on someone's front porch that you really don't want to miss.
0:00 - Intro
1:21 - Welcome and Book Announcement
3:28 - What Is a Living Off the Land Attack?
5:38 - Real-World Example: Conti Ransomware and WMI
8:12 - Why Attackers Use Your Tools Instead of Their Own
13:05 - Admin Privileges: Best Practice vs. Reality
17:31 - The Louvre Heist Analogy
20:08 - Recon Phase: Low and Slow
24:16 - What Defenders Can Do
25:55 - RDP and Remote Access
29:48 - The Recon Timeline: 30-90 Days
30:48 - PowerShell and System Hardening
34:10 - Network Discovery Tools (Nmap and Wireshark)
37:37 - Application Whitelisting and Geo IP Blocking
42:08 - Action Items and Wrap-Up

Password manager vulnerabilities aren't just about bad code — and a new research paper out of Zurich just proved it. Researchers analyzed three of the most popular password managers and found fundamental design flaws baked into the very architecture that's supposed to keep your credentials safe. Curtis and Prasanna break it all down and tell you what to do about it.
If you've ever been that person who asks "but what if the password manager gets hacked?" — this episode is for you. And if you haven't been asking that question, you probably should start. A research team looked at LastPass, Bitwarden, and Dashlane — products with a combined 60 million users representing roughly 23% of the password manager market — and what they found wasn't sloppy programming. It was something harder to fix: architectural problems at the core of how encrypted vaults work.
Curtis walks through how the zero-knowledge encryption model works, why the vault recovery process creates an inherent trust problem, and why the researchers were able to exploit that trust by impersonating the server during vault recovery. Prasanna adds another layer — the field-level encryption issues inside the vaults themselves, where there's no strong verification that data hasn't been manipulated. It's not theoretical. It's a real attack surface.
The good news? Curtis still believes password managers are the right tool for today — better than sticky notes on a monitor (yes, he saw that in real life) and better than reusing passwords. But he's also clear that passkeys are the right direction for the future, even if the current implementation is still a little rough around the edges.
https://eprint.iacr.org/2026/058.pdf
https://www.theregister.com/2026/02/16/password_managers/
https://www.forbes.com/sites/daveywinder/2026/01/23/lastpass-issues-critical-warning-for-users---password-attacks-underway/

What is an initial access broker — and why does it matter to your organization? In this episode, W. Curtis Preston and Prasanna Malaiyandi are joined by Dr. Mike Saylor of Black Swan Cybersecurity to break down the role of the initial access broker in today's ransomware attacks.
Most people picture ransomware as a single bad guy with a keyboard. The reality is way scarier. There's an entire criminal supply chain out there, and the initial access broker is the specialist at the front of it. These are the people who do nothing but break in — stealing credentials, exploiting vulnerabilities, hijacking sessions — and then sell that access to other criminals who do the dirty work. Dr. Mike Saylor walks us through a real case study from 2024 where an employee's personal Gmail account — with a Google Docs folder literally named "passwords" — became the entry point for a corporate ransomware attack months later. This stuff is real, it's happening constantly, and most organizations have no idea how exposed they are.
We cover what IABs target, how they package and sell access, what "coincidental passwords" are and why they're so dangerous, and what practical steps you can take today to make your organization a harder target.
Chapters:
00:00 - Intro: What Is an Initial Access Broker?
02:12 - Welcome, Introductions, and a Little Judging
03:33 - Defining the Initial Access Broker
04:31 - Real Case Study: How Bob's Gmail Became a Corporate Breach
07:16 - How IABs Package and Sell Access
10:32 - How Stolen Credentials Get Bundled and Priced
29:48 - RDP, VPN Vulnerabilities, and What IABs Are Hunting
32:54 - Web Shells Explained
35:08 - Session Hijacking and Man-in-the-Middle Attacks
36:16 - Would Eliminating IABs Stop Ransomware?
36:49 - How the Cybercriminal Ecosystem Evolved to Create IABs
39:51 - Practical Takeaways: What You Can Do Right Now
40:45 - The Numbers: 37 Billion Records and the ShinyHunters Breach

Ransomware as a service has turned cybercrime into a franchise business — and in this episode, Dr. Mike Saylor and I break down exactly how it works, who's buying, and why the buyer might end up as the patsy.
If you thought ransomware was just a lone hacker writing code in a basement, this episode is going to change how you think about it. Ransomware as a service means that today, literally anyone — no technical skills required — can pay someone to launch a ransomware attack on their behalf. You hand over the money, tell them what you want, and sit back and watch your crypto wallet. That's it. No portal. No dashboard. No login. Just a chat on the dark web through the TOR network and a prayer that they actually do what you paid for.
Dr. Mike Saylor walks us through the full criminal ecosystem — from the initial access brokers who collect and sell validated email addresses, to the botnet operators who rent out millions of compromised computers by the hour, to the affiliate programs that tie it all together. We cover the franchise model, the "no honor among thieves" reality of these transactions, and why the person who buys into ransomware as a service might just end up as law enforcement's fall guy.
This is one of those episodes where the more you learn, the more you realize how much the threat picture has changed — and why your backups are more important than ever.
Chapters:
00:00:00 - Episode Intro
00:01:17 - Introductions & Welcome
00:03:25 - Setting the Stage: CryptoLocker and the Birth of a Criminal Industry
00:07:17 - Defining Ransomware as a Service: The Franchise Model
00:10:36 - The Amazon/AWS Analogy and How Botnets Power the Attacks
00:17:10 - No Portal, No Dashboard: How Dark Web Transactions Actually Work
00:19:17 - Why Do RaaS Operators Offer the Service? The Lottery Ticket Theory
00:21:59 - The Affiliate Model: How the Criminal Ecosystem Specializes
00:26:33 - How Many RaaS Groups Exist — and Who's Buying?
00:29:36 - RaaS as Subterfuge: The Conti Group and the Costa Rica Attack
00:30:49 - Who Are These Criminals, Really?