“Ransomware was a blessing, in a way, because it forced cybersecurity improvements”: An Amazon executive's analysis

A new study warned this week that the Latin American financial industry is still suffering from a specific type of cyberattack: ransomware . This is a type of malicious program ( malware ) that encrypts information so that it becomes inaccessible to its owners, and then demands a ransom in return. It has been a headache for companies, states, and entities around the world for the past five years.

Ransomware has a history. While its origins date back to the late 1980s, it has only become a cybercriminal business in the last decade. So prolific is it that these ransomware groups have members dedicated to encrypting information, finances, and even what they call "technical support": a chat where negotiations are opened to, in the best-case scenario for the victim, lower the requested amount. They have even built brands with well-known names in the industry.

While there were several major operational disruptions in 2024, such as the LockBit and BlackCat (ALPHV) groups, it remains an active threat . Although it has faded from the media spotlight, 2025 has already seen several cases, some circulating on social media and others making headlines.

But, like every crisis, ransomware was also an opportunity: “In some ways, ransomware was a blessing , because it forced users to practice better cyber hygiene .”

This is Mark Ryland , leader of a team of cloud security experts at Amazon Web Services (AWS), Amazon 's cloud computing division. He serves as deputy to the "CISO," a position that large companies and governments are beginning to consider for their operations: Chief Information Security Officer, that is, the person who responds to a cybersecurity incident but is also responsible for designing access policy, account management, and the practices that ultimately contribute to a company's security.

And it's precisely this map that makes the difference when it comes to suffering an attack or having to respond: understanding what measures must be taken to prevent ransomware, being clear that you must be prepared for when it occurs, and having a "security by design" policy, such as ensuring that a system does not allow "1234" to be chosen as a password.

Ryland spoke about all this with Clarín at re:Inforce , AWS's cybersecurity-focused event in Philadelphia, USA, to explain what's happening with current trends in cyberattacks.

─How do you keep up with technological advances, with the speed at which they occur?

─I think if you have a natural curiosity, it drives you to try to understand a little better what's going on. A large part of my job is talking to non-technical audiences about technology, so I have to stay up-to-date on the new tools being used so I feel comfortable summarizing or simplifying ideas. And I say this because there are simplifications that are misleading and others that are good. It's a bit of an art, too.

─Aren't trends, like artificial intelligence today, overhyped too?

─Gartner's hype cycle is always a factor to consider when a new technology comes out. I tend to be quite skeptical of any technology that's sold as the solution to all our problems. In fact, I digress a bit, but I was skeptical about blockchain . I never thought it would solve everything they said it would solve, like tracking the shipment of goods from one end of the country to the other.

─Actually, yes, because we already had databases that worked very well for that. Blockchain wasn't anything like what it said it would be . It's good for cryptocurrencies, digital currency, but not much more. Almost all the uses beyond that were nonsense, and I remember IBM, Accenture, Gartner, all talking about blockchain and selling consulting projects to companies to use blockchain to do things they could have done with a regular database.

─For the past few years, ransomware has been the number one topic in the cybersecurity industry. What's the current status?

─Reports indicate that it has stopped growing as a trend, but by no means is it a finished issue . The general feeling—and the numbers—are that at least it's not increasing.

─What would you say ransomware has taught the industry?

─I'm going to say something slightly controversial. In a way, ransomware was a blessing, because it forced users to practice better cyber hygiene . The underlying problem is that, in reality, for many years we worked with systems that were easy to hack; the difference is that before, there wasn't a cybercrime industry to monetize it. An attacker could get in, but why would they do it if there was no way to monetize it?

─But do you think anything has changed since the ransomware?

─Well, I think it was a terrible rite of passage, a toll the industry had to pay . It was painful to go through, but I think—in general—companies became stronger in improving the basics, from working on education with internal phishing testing, strengthening their perimeters and firewalls , and making better backups. More companies and government agencies became aware of the problem and, for example, began restricting user access so they didn't have permission to delete a backup, not even the most privileged administrators.

─So, paradoxically, it had a positive effect on the industry.

─And I think there's more awareness. Company executives also began to understand that cybersecurity isn't an option. CEOs and senior managers began to ask themselves, "What do we do with ransomware?" Companies were never good at patching systems (updating them) and training users. And after the ransomware cases, things began to improve. I admit it was in a strange way, but the crises that ransomware generated also created opportunities to improve practices and systems.

─ Two years ago, we discussed how attackers use AWS infrastructure to host phishing campaigns. How did this problem evolve, and were you able to solve it?

─Well, that's still a problem, but we've gotten better at detecting and blocking those accounts. That's where AI and machine learning come in, helping us better distinguish between legitimate and malicious campaigns. The danger is always there: I can own a bike shop and want to email my customers about the latest news, but there's always the possibility that my account could be compromised and my platform abused to send spam.

─There's a "safe design" philosophy being pushed by the industry. What does it mean?

─In the current environment, using technology that already comes with built-in security standards is, ideally, the best option. Think of it this way: if I'm a startup making, say, a smart toaster, I most likely don't want to—or can't—invest heavily in cybersecurity. But if a vendor gives me a solution that's already secure by design, I'll use it. I can even market it: "automatic updates," "strong passwords," etc. This increases overall security; that's what secure by design refers to. Adopting that mindset will always keep you one step ahead in an ecosystem that moves day by day.

─You said before that you were skeptical about the uses and scope of blockchain. Did something similar happen to you with AI?

─At first, yes, it seems to me there was a lot of “rebranding” of something we already knew. It's definitely a technology that brings something new, and we're just now seeing its applications; it's not the same case as the blockchain I was telling you about. But I do have to distinguish between what's useful and what isn't. This week I met with government regulators in Washington, and I always tell them to lower their expectations a bit regarding what they expect from AI. It's definitely going to have a big impact on our jobs , but I think people still need to use good judgment when deciding whether an output is useful or not.

─Well, let's take an example. If I ask an AI to write me a marketing proposal, but I've never worked in that field in my life, I'm unlikely to find any use for what the AI ​​can give me. If I can't judge what it's useful for, then we might start running out of experts who can decide whether something is useful or not. There's a risk in using it.

─Stephen Schmidt, Amazon's chief security officer, said last week at another conference that cybercriminals are using AI to improve their attacks. "There are no bots attacking each other," he said . Is that correct?

─It's a good summary of the situation, yes. I would add that those who defend systems are also taking advantage of it, to program, review their code, run system penetration tests, and improve response times. AI is also very useful for sorting information you already have, so it helps you detect patterns or forms of attack that you might not have detected. AI is good at capturing semantics , which is why it's very good at helping not only attackers but also those who defend systems. If used well, it's a very powerful tool.

─Is AI good for malware (virus) analysis?

─As long as it's used by an expert , yes . That's the answer. Our teams are using it to analyze similar malware families; it helps understand similarities and differences. And honestly, they're getting good results.

─The trend now is to talk about “ agents ” in the industry, that is, AI that, in addition to analyzing, “makes decisions.” Where does cybersecurity fit into this discussion?

─That's the next step in using AI in threat analysis: taking action. If I program an AI to analyze, I can then ask it to fix a bug (error in the system),

─It's in progress. A concrete example is a competition being organized by DARPA, the U.S. Defense Advanced Research Projects Agency. They're promoting a competition that will be officially announced at Black Hat , with significant prizes (first place, for example, will win half a million dollars). The goal is to develop a system capable of analyzing open source projects, detecting vulnerabilities, and automatically correcting them. The interesting thing is that, once the teams submit their system, DARPA tests it with projects other than those used during training to evaluate its capabilities.

─So it's good for heavy workloads.

─Definitely, for example, to schedule tedious tasks, update automatically, etc. It saves time.

─What negative or problematic side do you see in these artificial intelligence developments?

─There's a dark side, no doubt about it. For example, phishing scams are becoming much more sophisticated . One of the phenomena that most catches my attention is what's called " pig butchering ": prolonged scams where attackers pose as someone trustworthy to gain access to money or information. This type of deception is growing at an alarming rate, and, of course, it's powered by AI tools. Many of these actors operate from places like Malaysia or the Philippines, in near-slave conditions, and thanks to AI, they can communicate perfectly in English, even simulating fake voices and reproducing them.

─Voice cloning and deepfakes are problems that don't seem to have a solution.

─Yes, without a doubt, today it's already possible to receive a voice message that sounds exactly like your boss, asking you to transfer money or access certain systems. And if you're not trained to suspect all this , you could easily fall for this scam. That's why it's essential that users receive much more advanced training.

─I think it's not enough to say "don't click on suspicious links." We need simulation training, even in virtual reality if necessary, so that people know they always have to confirm through another channel any request that involves changing the status of a system or transferring money.

─What advice would you give to the average user for maintaining basic cybersecurity hygiene?

─Even if you receive a message from someone who sounds exactly like someone you know—be it a colleague, your boss, or your mom—always think twice and check elsewhere before acting: before clicking "accept," before opening a link, or even before adding a new recipient to your address book and clicking "transfer." Always hesitate.