Ransomware isn’t just malware anymore – it’s an industry.
There are org charts. SLAs. Affiliate programs. Help desks that sometimes treat “customers” better than we treat our users.

As a fractional CTO and early employee at Evernote and Spirit Airlines, I’ve spent years building legitimate high-growth tech companies – and years helping teams dig out from security incidents, phishing campaigns, and “how did that get clicked?” moments. What I’ve learned is uncomfortable: ransomware groups run themselves like frighteningly efficient startups.

In this session, we’ll flip the script and look at ransomware like a business case. We’ll break down how modern ransomware-as-a-service operations recruit, market, sell, support, and reinvest – and then steal their best patterns for defense.

You’ll leave with a practical, human-first playbook you can use back at the office: how to prioritize controls, how to design security training people actually remember, and how to run lightweight tabletop exercises so “we’ve been breached” isn’t the first time your team practices the response.

No scare tactics. Just a clear view of the industry you’re actually up against – and concrete steps to make your environment a much less attractive target.

You will learn:

• About the modern ransomware ecosystem (operators, affiliates, brokers, initial access vectors) and how it targets Microsoft-centric and hybrid environments.
• How to identify 5–7 specific “business practices” ransomware groups use (automation, playbooks, support, incentives) and translate them into actionable improvements for your own security operations and user training.
• How to build a concise, human-centric ransomware readiness plan: high-impact controls to prioritize, key end-user behaviors to train, and a simple tabletop exercise structure to test “you are breached – now what?” before it’s real.