When Ransomware Detonates: Why Recovery is the Real Target with Costas Kourmpoglou

Ransomware is no longer just about encrypting data and demanding payment. In modern environments, especially cloud and hybrid ones, it’s about something far more damaging: breaking an organization’s ability to recover.

In this episode of Detonation Point, host Matt O’Neill sits down with Costas Kourmpoglou, a security leader with deep cloud security expertise, to unpack how ransomware actually succeeds today, why so many organizations misunderstand their true exposure, and what resilience really means when attacks stop being theoretical and start becoming operational.

Ransomware as a Business, Not a One-Off Attack

One of the clearest themes in the conversation is that ransomware has evolved into a highly optimized business model. Early ransomware groups built the malware, delivered it, negotiated payment, and laundered the proceeds themselves. Today, those responsibilities are fragmented across specialized actors:

  • Initial access brokers who sell credentials or footholds
  • Operators who deploy ransomware
  • Groups that handle negotiation and payment logistics
  • Others focused on monetization and laundering

This specialization lowers the barrier to entry and increases scale. As Costas explains, ransomware persists because it pays, and because the ecosystem has optimized itself around profit.

Initial Access Is Still Boring, and That’s the Problem

Despite the sophistication of ransomware operations, initial access is often alarmingly simple. Credential reuse, phishing, and supply chain compromise remain dominant entry points. Zero-day exploits grab headlines, but most real-world incidents don’t require them.

Organizations often over-invest in prevention while underestimating how likely it is that attackers will eventually get in. As Matt and Costas discuss, failing to assume breach leads to blind spots later, when detection, response, and recovery matter most.

Recovery Has Become the Real Target

A central insight from the episode is that ransomware doesn’t need to be subtle once attackers gain sufficient access. If backups are found, they’re deleted or encrypted. There’s no need to study schedules or retention policies; storage is storage.

This is where many resilience strategies collapse. Backups exist, but they’re not isolated. Recovery paths depend on systems that are also compromised. Plans assume ideal conditions that don’t exist during a real incident.

As Matt puts it plainly during the conversation: “If you don’t know whether you can recover cleanly, you don’t have resilience, you have hope.”

Resilience as Imagined vs. Resilience as Operated

Costas draws an important distinction between “resilience as imagined” and “resilience as operated.” Many organizations document how recovery should work, run tabletop exercises, and check compliance boxes. But when systems are actually taken offline, identities are compromised, and communication channels fail, those assumptions quickly break down.

True resilience requires testing recovery under realistic conditions, aligning expectations across business and technical teams, and understanding how long critical services can actually be unavailable, not how long leadership wishes they could be.

Ransomware Is a Business Problem, Not Just a Security Problem

Another recurring theme is ownership. Ransomware is often treated as a cybersecurity issue and funded accordingly. But when an organization can’t operate, serve customers, or meet regulatory obligations, the impact extends far beyond security.

Costas argues that resilience must be owned by the business. Security teams bring expertise, but they shouldn’t be expected to absorb all the risk, or all the cost. When resilience is framed purely as a security problem, organizations miss the bigger picture.

Culture, Training, and Human Reality

The episode also touches on why traditional security training often fails. Generic phishing exercises, punitive responses to mistakes, and unrealistic expectations don’t change behavior. What does help is a culture where people are encouraged to challenge anomalies, report concerns, and participate in resilience, not fear consequences.

Security works best when it enables the business, not when it operates as a gatekeeper disconnected from day-to-day reality.

Looking Ahead

Asked whether things will look different in three to five years, Costas is realistic. Initial access will likely get easier as digital services proliferate and credentials spread. The attack surface will continue to grow.

What gives him optimism is cultural change: security teams increasingly acting as enablers, and organizations slowly recognizing that resilience is about how systems, and people, actually behave under stress.

Final Thoughts

The episode closes with a simple but uncomfortable question:

If ransomware detonated tonight, do you know which recovery path you’d take, and which ones would make things worse?

That question, more than any checklist or framework, gets to the heart of modern ransomware resilience.

The full episode is available on YouTube, Apple Podcasts, and Spotify.

Detonation Point delivers new episodes weekly.

Posted on December 22, 2025