CTM360 report: Ransomware exploits trust more than tech

A recent wave of ransomware attacks has disrupted major retailers across the UK. According to a new report from CTM360, the attackers didn’t need to break down the door; they were invited in through misplaced trust and weak identity safeguards.

This wasn’t about advanced malware or zero-day vulnerabilities. The attackers used common tactics: impersonating IT staff, tricking employees into handing over credentials, and intercepting multi-factor authentication codes. From there, they moved across networks.

What went wrong?

The report outlines a familiar yet dangerous pattern: attackers gained access through social engineering, stayed hidden while gathering intel, and finally deployed ransomware to cripple operations.

In one case, the attackers added their own identity provider to a retailer’s single sign-on system, giving them long-term access even after passwords were changed. They monitored internal communication channels, learned how the company handled security alerts, and used that knowledge to delay detection.
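A defender-side illustration of the rogue identity provider problem described above, added here and not part of the CTM360 report: a small Python check that reviews SSO audit events and flags federation-trust changes that fall outside a change-managed baseline. The event shape, names, addresses and thresholds are constructed assumptions, not any vendor's real log format or a real incident.

```python
from datetime import datetime

# Constructed audit events in a simplified, vendor-neutral shape (an assumption,
# not any SSO product's real log format). Addresses use documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2025-04-20T09:02:11Z", "actor": "admin.jane", "action": "idp.create",
     "target": "corp-entra-id", "src_ip": "10.20.4.7"},
    {"ts": "2025-04-21T02:13:45Z", "actor": "helpdesk.tom", "action": "idp.create",
     "target": "idp-backup-login", "src_ip": "203.0.113.9"},
    {"ts": "2025-04-21T02:14:02Z", "actor": "helpdesk.tom", "action": "idp.policy.update",
     "target": "idp-backup-login", "src_ip": "203.0.113.9"},
    {"ts": "2025-04-21T10:00:00Z", "actor": "admin.jane", "action": "user.password.reset",
     "target": "helpdesk.tom", "src_ip": "10.20.4.7"},
]

# Federation trust changes are high-impact: resetting passwords does not revoke a
# trust relationship, so each one should be tied to an approved change record.
TRUST_ACTIONS = {"idp.create", "idp.policy.update", "idp.certificate.update"}
APPROVED_IDPS = {"corp-entra-id"}      # change-managed allow-list (constructed)
IDP_ADMINS = {"admin.jane"}            # accounts allowed to touch federation (constructed)
INTERNAL_PREFIXES = ("10.",)           # corporate address space (constructed)
BUSINESS_HOURS = range(8, 18)          # UTC hours in which such changes are expected


def detect_rogue_idp(events):
    """Return one alert per federation-trust change that breaks the baseline.

    Every reason that tripped is listed, so an analyst can tell an unscheduled
    but legitimate change from one that looks hostile on several axes at once.
    """
    alerts = []
    for ev in events:
        if ev["action"] not in TRUST_ACTIONS:
            continue
        reasons = []
        if ev["target"] not in APPROVED_IDPS:
            reasons.append("identity provider not in change-managed allow-list")
        if ev["actor"] not in IDP_ADMINS:
            reasons.append("actor lacks federation-admin role")
        if not ev["src_ip"].startswith(INTERNAL_PREFIXES):
            reasons.append("change made from outside corporate address space")
        if datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour not in BUSINESS_HOURS:
            reasons.append("change made outside business hours")
        if reasons:
            alerts.append({"ts": ev["ts"], "actor": ev["actor"],
                           "target": ev["target"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_idp(SAMPLE_EVENTS):
        print(alert["ts"], alert["actor"], alert["target"], "|", "; ".join(alert["reasons"]))
```

Against the constructed sample, the approved IdP created by the federation admin passes, while both changes to the unlisted provider are flagged on all four criteria.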

When the time came, they hit hard. Ransomware locked systems. Online sales stopped. Contactless payments failed. And behind the scenes, sensitive data had already been stolen for added leverage.

The bigger picture

Ransomware groups don’t need zero-days. They rely on people, misconfigurations, and common tools. The entry point might not be malware; it might be a phone call or a spoofed login screen.

For CISOs, the real lesson here isn’t just about controls. It’s about assumptions. These attacks succeeded not because defences failed, but because basic trust was abused: trust in employees to recognize phishing attempts, trust in identity systems to block unauthorised access, and trust in remote access tools that attackers easily repurposed.

This campaign echoes a broader trend. Threat actors are targeting identity, not infrastructure. They exploit how users authenticate, how systems connect, and how access is granted across cloud and on-prem environments.

What CISOs should focus on

The report recommends:

  • Seeing the organization from an attacker’s perspective
  • Reducing digital exposure across identity and supply chain systems
  • Reviewing remote access practices
  • Applying focused hardening policies that are easy to enforce
  • Auditing how internal trust boundaries are managed

Download CTM360’s How To Harden Against Ransomware report and discover how ransomware groups are exploiting identity systems instead of technical flaws.


How CTM360 can help

CTM360 offers a comprehensive, fully managed cybersecurity approach to help organizations become harder targets. Its platform brings together key services such as External Attack Surface Management (EASM), Digital Risk Protection (DRP), and Third-Party Risk Management (TPRM), enabling enterprises to proactively identify and mitigate vulnerabilities.

EASM helps organizations uncover hidden entry points, such as exposed IPs and applications, before attackers can exploit them. DRP goes a step further by detecting early indicators of warning (IOW) and indicators of attack (IOA), disrupting cybercriminals’ planning phases. For organizations dependent on vendors, TPRM provides visibility into supply chain risks by identifying insecure configurations or vulnerable third parties.

Complementing these services, CTM360 also offers Cyber Threat Intelligence (CTI) tailored to specific threat profiles and tactics, as well as robust email security through Domain-based Message Authentication, Reporting and Conformance (DMARC) enforcement.
