2026-05-08 –, Main Stage
The ransomware ecosystem thrives in the shadows of fragmented intelligence and siloed expertise. Defenders do the hard work — forensic timelining of incidents, tracing cryptocurrency flows, reverse engineering payloads, negotiating with threat actors — yet that knowledge rarely travels far beyond the individual or organization that earned it. Ransom-ISAC's L.O.C.K. S.T.A.R. (Level of Critical Knowledge in Specialized Techniques on Advancements and Research) initiative was built to change that. This talk introduces L.O.C.K. S.T.A.R. as a community-driven recognition framework designed to surface, validate, and amplify the work of ransomware researchers and practitioners across eight critical domains — and explores how structured knowledge sharing can become one of our most powerful weapons against ransomware.
Ransomware is a team sport — but defenders have never played like one. As the founder of Ransom-ISAC, I've spent years watching brilliant researchers do groundbreaking work in near-total obscurity — forensic timelines that cracked open major incidents, cryptocurrency tracing that followed the money to attribution, reverse engineering that exposed affiliate infrastructure — only for that knowledge to die in a private Slack channel or a closed incident report.
L.O.C.K. S.T.A.R. (Level of Critical Knowledge in Specialized Techniques on Advancements and Research) was built to fix that. It is Ransom-ISAC's community-driven recognition and credentialing framework — think Michelin stars for ransomware expertise — designed to surface, validate, and amplify the work of the practitioners and researchers who are actually moving the needle in this fight.
This session will walk attendees through why the initiative exists, how it works, and what it means for the broader defender community. L.O.C.K. S.T.A.R. recognition can be earned across eight domains: Infrastructure, Negotiations, HUMINT, Cryptocurrency, DFIR, Reverse Engineering, AI, and Quantum.
Rather than treating hard-won knowledge as a proprietary asset, the framework creates structured pathways — through novel workflow writeups and actionable intelligence contributions — for experts to share what they know while receiving the formal recognition they deserve.
The goal is simple but ambitious: if we can lower the barriers to knowledge sharing across the ransomware defender community, we compress dwell time, accelerate response, and make the ecosystem measurably harder for threat actors to operate in. Attendees will leave understanding how to contribute, how to apply, and why community-led credentialing may be one of the most underutilized tools in the fight against ransomware.
Ellis Stannard is a part-time security researcher and core member of the Ransom-ISAC (Information Sharing and Analysis Center) initiative, where he contributes to collaborative threat intelligence efforts focused on ransomware and advanced persistent threat (APT) campaigns.