Cyburgh 2026: Ransomware Has Changed. Has Your Response Plan?

Cyburgh’s keynote address brought together law enforcement, legal prosecution and frontline cybersecurity perspectives to deliver a ransomware reality check rooted in action, timing and preparation. Featuring Richard Evanchec, Special Agent in Charge of the FBI Pittsburgh Field Office; Kelly Locher, Assistant U.S. Attorney for the Western District of Pennsylvania; and David Kane of Ethical Intruder as moderator, the conversation set the tone for the day’s ransomware discussions by focusing on what actually changes outcomes once an organization is under attack. 

Evanchec opened by describing the FBI’s role across Western Pennsylvania and West Virginia, noting that his office handles everything “from a bank robber to the most sophisticated ransomware attacker.” Locher framed the prosecutor’s role from the Department of Justice side, explaining that cybercrime has become an increasing priority for federal prosecution and that her office works to bring domestic, international and transnational defendants to justice “right here at home in Pittsburgh.”  

One of the keynote’s biggest themes was that ransomware itself has changed. Evanchec explained that ransomware once almost always meant encryption, but today many attackers are skipping encryption altogether and focusing on theft and extortion. “What we’re seeing, quite frankly, is simple data theft,” he said. Rather than locking systems, actors steal information, evaluate its value and use it as leverage. He also warned that AI is helping attackers better understand stolen data, identify what is most valuable and improve social engineering. Locher echoed that point, noting that AI allows “less sophisticated actors to perpetrate much, much more convincing cyber espionage.”  

The speakers repeatedly returned to cyber hygiene. Evanchec pointed attendees to the FBI’s Winter Shield campaign, which focuses on basic practices like removing default passwords, patching systems, replacing end-of-life hardware and software, reducing excessive administrator access and practicing response plans. Locher stressed “backups, backups, backups,” but the discussion went further: backups need to be offline, air-gapped and regularly tested. Evanchec warned that many organizations only discover restoration failures during an actual crisis, when it is already too late.  

The keynote also emphasized that the first 72 hours, and often the first minutes, matter. Evanchec urged companies to build relationships with the FBI before a crisis. “Exchanging business cards at the site of an attack is too late,” he said. His message was clear: call early, even at the first signs of suspicious lateral movement. The FBI may already have intelligence, infrastructure access, decryption keys or related investigative material that can help victims reduce damage. He pointed to examples where the FBI helped recover data for a local school district hit by BlackCat ransomware and a regional retailer that had lost hundreds of gigabytes of data.  

Locher added that early reporting is also essential for evidence preservation. Federal prosecutors need to understand who entered the system, what was taken, what was left behind and how the conspiracy operated. She explained that the window between intrusion and data exfiltration is shrinking, making quick engagement more important than ever. “The prosecution team is interested in evidence preservation,” she said, because preserved evidence helps build probable cause, support legal process and ultimately tell a compelling story in court.  

The speakers repeatedly returned to cyber hygiene. Evanchec pointed attendees to the FBI’s Winter Shield campaign, which focuses on basic practices like removing default passwords, patching systems, replacing end-of-life hardware and software, reducing excessive administrator access and practicing response plans. Locher stressed “backups, backups, backups,” but the discussion went further: backups need to be offline, air-gapped and regularly tested. Evanchec warned that many organizations only discover restoration failures during an actual crisis, when it is already too late.  

The keynote closed with a boardroom-level warning. Paying ransom can create legal, financial and reputational exposure, especially if funds reach sanctioned or terrorist-linked actors. Evanchec challenged leaders to stop treating cybersecurity as overhead. Compared to a potential $10 million or $15 million ransom demand, security investment becomes a core business necessity. Locher summed up the practical path forward: “Preparation is key. Have your business continuity plans in place. Have the FBI on speed dial.”