Matt O’Kane Shares Ransomware Response Strategies
1 Jul 2025
At CISO Brisbane 2025, Matt O’Kane presented updated approaches to managing ransomware incidents, offering practical tools for cybersecurity professionals.
Evolving Ransomware Tactics
Threat actors are shifting away from encryption-based attacks toward direct extortion methods. O’Kane noted this represents “a move from software-driven crime to pure threat-of-release crime.” Rather than encrypting data, modern gangs focus on pressuring victims through threats of disclosure to customers and regulators.
Simplicity in infrastructure aids detection and response, whereas complex systems enable attackers to operate undetected longer.
Containment-Based Response Framework
O’Kane advocated for containment strategies using isolated systems rather than complete shutdowns. He highlighted a Brisbane healthcare provider that remained offline for 8-12 weeks after following conventional full-shutdown protocols.
Three critical questions organizations should address:
- Can operations continue safely?
- Can additional data exfiltration be prevented?
- Can recovery processes be accelerated for future incidents?
Legacy System Vulnerabilities
An unpatched Windows 2008 server discovered on Shodan served as an attacker entry point, despite being marked for decommissioning. Adversaries leveraged this outdated system for lateral movement before deploying ransomware across the network.
Industry Culture Shift
O’Kane emphasized that organizations should embrace transparency rather than shame. “Cybercriminals share information—the security community should too,” he said, encouraging collaborative learning across the industry.
The presentation was delivered in partnership with Cloudflare and reinforced demand for experience-based incident response guidance in Australian organizations.