Hacking Humans 7.15.21
Ep 156 | 7.15.21

Threat actors changing ransomware tactics.

Kurtis Minder: Do not engage the threat actors yourself. You need to pull in a professional.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. 

Dave Bittner: I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. 

Dave Bittner: Hello, Joe. 

Joe Carrigan: Hello, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Kurtis Minder from GroupSense. We're going to be talking about divergent ransomware trends. 

Dave Bittner: All right, Joe, we've got some good stuff to share this week. But before we do, a listener has written into us... 

Joe Carrigan: OK. 

Dave Bittner: ...With a correction. 

Joe Carrigan: Uh-oh. 

Dave Bittner: (Laughter). 

Joe Carrigan: Broom. For you or for me? 

Dave Bittner: Well, do you think I'd be - sound so happy about it if it were for me? 

Joe Carrigan: Right. 

Dave Bittner: I would not (laughter). 

Joe Carrigan: I'm just kidding. I know - I've read this already, but... 

Dave Bittner: It says... 

Joe Carrigan: Why don't you go ahead? 

Dave Bittner: All right. This listener writes in and says, hey, folks, I think it is the second time I've heard Joe referring to TIAA for Security+ certification, instead of CompTIA. 

Joe Carrigan: CompTIA. 

Dave Bittner: After listening to episode 154, I thought that I have to do something about this slip of the tongue. None of us would like to lead young and old minds to the website of a retirement services company (laughter)... 

Joe Carrigan: He is correct - 100% correct. 

Dave Bittner: ...To search for security certifications. 

Dave Bittner: Joe, what do you have to say for yourself, my friend? 

Joe Carrigan: Mea culpa. Mea culpa. 

Dave Bittner: (Laughter) You've fallen. 

Joe Carrigan: I am very sorry. 

Dave Bittner: Yeah. 

Joe Carrigan: That is 100% correct. If I said TIAA - or even CompTIAA - it is CompTIA, or CompTIA. I don't know how they actually say it. 

Dave Bittner: Yeah. We say CompTIA over on CyberWire, so... 

Joe Carrigan: Yeah, that makes sense. 

Dave Bittner: Doesn't mean that's right, but that's how we say it (laughter). 

Joe Carrigan: That's how I always say it. But CompTIA - it's a little thing in my head. I get it mixed up with the - well, it used to be called TIAA-CREF but is now just TIAA... 

Dave Bittner: Yeah. 

Joe Carrigan: ...As a retirement organization. I don't know why I make these random associations, and I apologize profusely. Sorry. 

Dave Bittner: (Laughter) OK. Yeah, well, you know, it's easy to get - the older we get, the more these things seem to get cross-wired in our brains. 

Joe Carrigan: Yeah. 

Dave Bittner: Right? 

Joe Carrigan: It's weird. 

Dave Bittner: It is. It is. All right, well, thanks to our listener, Allie (ph), who wrote in with that. We do appreciate it. We... 

Joe Carrigan: Yep. 

Dave Bittner: We don't mind being set straight when we get something wrong, so thank you for taking the time. 

Joe Carrigan: So if you need to get your Security+, go to CompTIA. 

Dave Bittner: (Laughter) Right. OK. 

Dave Bittner: All right. Let's dig into some stories here. I'm going to kick things off for us. This is a story from The Washington Post, written by Jaclyn Peiser. It's titled A Dark-Side Coupon Group Scammed Stores Out of Millions, Police Say. They Were Just Going Through the Ink. Now, Joe, are you or any member of your family avid couponers? 

Joe Carrigan: Not really. My wife will use coupons... 

Dave Bittner: Yeah. 

Joe Carrigan: ...From time to time, but not, like, what you'd call an avid couponer. 

Dave Bittner: Yeah. You know, I certainly - I remember growing up and going to the grocery store with my mom, that she was - she would have a bunch of coupons in her purse that she would use when we went through the checkout. 

Joe Carrigan: Sure. 

Dave Bittner: Of course, these days, it's all automated, and so you scan the bar codes on your coupons. And so according to this story, there were some folks who were taking advantage of the automation there. They - the Montgomery County Sheriff's Office from Houston - the Houston area - they had found some fraudsters. They had over $40,000 worth of items in their possession when the police raided them, and they were using coupons to buy all of this stuff. And what they were doing was - you know how you go to a store, and you check out, and most times today, particularly if you're doing, like, a self-checkout, it'll print out - there are two printers there. Right? There's the receipt printer, and then there's often a coupon printer... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That'll spit out a bunch of coupons. 

Joe Carrigan: I just leave those there... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Because they're for products I would never buy anyway. 

Dave Bittner: (Laughter) OK. You're just - well, you could say you're leaving them for the next guy because... 

Joe Carrigan: That's what I say. 

Dave Bittner: ...You're just that kind of guy (laughter). 

Joe Carrigan: I'm nice. 

Dave Bittner: You're generous (laughter). Right. Right. You're selfless. 

Joe Carrigan: That's right, Dave. 

Dave Bittner: (Laughter) That's what I think of. 

Joe Carrigan: No one's more selfless than me. 

Dave Bittner: When I think of Joe, I think, boy, that is one selfless guy. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: So, anyway - evidently, these scammers got their hands on a bunch of those printers, and they were just generating these coupons and automatically - and spitting them out and then going to use them to buy things, either getting deep discounts on things, so that they could then later sell the stuff online - you know, sell it still at a discount to the people who were buying it but still... 

Joe Carrigan: And still make a profit. 

Dave Bittner: ...Still make a profit. 

Joe Carrigan: Right. 

Dave Bittner: Or even getting stuff for free because there are coupons out there that'll allow you to do things for free. 

Joe Carrigan: Sure. 

Dave Bittner: In fact, I remember one time I had a product - do you remember back - this was a while back. The folks who make the scrubbing bubbles - you know those guys? 

Joe Carrigan: Yes. 

Dave Bittner: They had a little, like, a little thing you could hang off your shower, and it would automatically spray your shower with soap. 

Joe Carrigan: I remember that. Yeah. 

Dave Bittner: So I had one of those, and I was - it was - because I love gadgets (laughter). 

Joe Carrigan: Right. 

Dave Bittner: So this was - you mean I can put a gadget in my shower, and it'll help keep it clean? Sign me up. 

Joe Carrigan: How effective was it? 

Dave Bittner: It was, you know, kind of like the way I think about a Roomba vacuum cleaner, which is that the main thing that it does is it lengthens the time between which you have to do a proper cleaning. 

Joe Carrigan: I see. OK. 

Dave Bittner: Right? It doesn't do a great job, but it helps hold off your need to do a great job. 

Joe Carrigan: Right. 

Dave Bittner: And that's what this did. 

Joe Carrigan: OK. 

Dave Bittner: So it helped building up soap scum and stuff. So, anyway, I bought one of those things. They were probably about 20 bucks. And it stopped working almost right away. 

Joe Carrigan: (Laughter). 

Dave Bittner: So I sent a note to the manufacturer, and I said, you know, do you want me to send this back to you? They said, no, no, no. We'll just mail you a coupon. So they mail me a coupon. And sure enough, this coupon came in the mail, and it was for a free one of those things. I think is the most valuable coupon I'd ever had. 

Joe Carrigan: Right. 

Dave Bittner: So I went to the store with this coupon, got this $20 thing off the shelf, went and checked out, handed it to the checkout person. They sort of gave it a look, looked at me, looked at it. And they were like, free? That's what the coupon says. 

Joe Carrigan: Right. 

Dave Bittner: Sure enough, got the thing for free. So the other thing - I think it's worth noting - is that with many of these coupons, you scan them in, and the coupon has all sorts of information in the bar code about... 

Joe Carrigan: Right. 

Dave Bittner: ...How the coupon's supposed to work, what you have to buy in order to make the coupon eligible, how much the coupon is worth and so on. But the actual checking for the validity of the coupon isn't always done instantaneously, and that's what these people were taking advantage of. They were making these fake coupons with authentic bar codes, bar codes that follow the standards for the bar code but were giving much greater discounts than they should've been able to get. 

Joe Carrigan: Huh. 

Dave Bittner: So anyway, these folks had these printers. And they were just pumping out these coupons and then going and buying stuff. The police got a tipoff from some of the stores that were seeing these fake coupons come in. They said a few folks at Target and Kroger and Walmart were noticing an uptick in fraudulent discounts. And so they contacted the police. And the police were able to track these folks down. They said one suspect had managed to buy $200,000 worth of items in one year using the fake coupons. 

Joe Carrigan: Wow. 

Dave Bittner: Yeah. You know, it's just another one of those things where I think these people were probably brought down by their greed. 

Joe Carrigan: Right. Right. 

Dave Bittner: Right? Because if you went every now and then and used - you know, generated a - spit out a fake coupon to get - I don't know - half off your marshmallows or something... 

Dave Bittner: ...Chances are nobody would track you down. You would get away with that. 

Joe Carrigan: Right. 

Dave Bittner: But when you're going through tens or hundreds of thousands of dollars of merchandise, you're going to draw attention to yourself. 

Joe Carrigan: Absolutely. 

Dave Bittner: Yeah. Yeah. So I don't know that there's much to be done about this in terms of our listeners, unless you're a retailer, to be on the lookout for this sort of thing - that there are the fake coupon folks out there. I thought it was interesting just from the point of view that I'd never really considered how - what makes up a coupon barcode. And as you would expect, there's lots of information online about what exactly is in a coupon barcode. 

Joe Carrigan: This never even occurred to me. 

Dave Bittner: Yeah. Yeah. I would imagine that there are probably tools out there, because there are tools out there for everything, to auto-generate these, you know? 

Joe Carrigan: I'm sure there are. 

Dave Bittner: Right. So anyway, good for law enforcement to track these folks down. Shame that these stores got hit by this sort of thing, but nice to see that the bad guys got hauled in, in this case. All right, that is my story this week. What do you have for us, Joe? 

Joe Carrigan: Dave, my story comes from Jackson Hole, Wyo. Now, you and I were talking before the show. You've been to Wyoming. 

Dave Bittner: I believe so, yes. I'm pretty sure I have. 

Joe Carrigan: And I've never been and neither had the author of this story, Alexander Shur. And he was looking online at Craigslist for an apartment online. And as soon as he saw one, he saw one that was almost too good to be true. So he sent an email to the Craigslist person and said, I'm interested in this apartment. The guy, of course, sends him back a bunch of application stuff. But he gets kind of suspicious, right? So Alex - I'm going to call him Alex. 

Dave Bittner: OK. 

Joe Carrigan: Alex then goes, well, this doesn't seem right. And he actually makes a phone call to the company that manages this condo complex and says, oh, yes. He hears, oh, yes, that is a scam. So what's happening here, Dave, is right now, the housing market is really hot, right? 

Dave Bittner: Oh, yeah. Oh, yeah. 

Joe Carrigan: Interest rates are low. 

Dave Bittner: Yep. 

Joe Carrigan: Prices are going up because inventory is also low. 

Dave Bittner: Yep. 

Joe Carrigan: That puts pressure on the rental market as well, right? 

Dave Bittner: Right. 

Joe Carrigan: And these scammers are going to try to cash in on it. So Alex did a little bit of poking around. He called the police department and said that - in Jackson Hole or in Jackson. And they said that they've had a bunch of calls like this, 16 fake Craigslist-related scam calls. And 11 of them were for housing. So the vast majority are for housing. He found one ad that was of a condo that wasn't even in that area. It was pictures of another condo he found through a Google image search in, I think, California, right? 

Dave Bittner: Wow. 

Joe Carrigan: And he actually reached out to the owner of that condo. And he said, yeah, I've been trying to stop them from posting pictures of my condo forever. I've gone so far as to say, I'm going to call the police. And they say, go ahead. 

Dave Bittner: Wow. 

Joe Carrigan: They don't really care. 

Dave Bittner: Huh. 

Joe Carrigan: Well, Alex actually went one step further. And he contacted the person who sent him the original request. And he says, I'm a journalist. And I'm going to do a story on it. And the guy said, OK. He goes, I'd like to interview you. And the guy says, well, give me a hundred bucks and I'll interview you - I'll let you interview me, right? 

Dave Bittner: Staying true to form. 

Joe Carrigan: Right, exactly. Not missing an opportunity. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: And Alex goes, no, I'm not going to pay you a hundred bucks. But I am going to report on this. So you either have the opportunity to talk to me now or not. And the guy said, fine. I'll talk to you. 

Dave Bittner: OK. 

Joe Carrigan: Right. And Alex wound up talking to this guy. He is a guy named Matthew who wouldn't give his last name. He's 34 years old. He lives in Lagos, Nigeria. 

Dave Bittner: Oh. 

Joe Carrigan: He has young children. And outside of scamming, he likes talking to women and watching a lot of movies. 

Dave Bittner: Long walks on the beach. 

Joe Carrigan: Long walks on the - right, exactly. 

Dave Bittner: Yeah (laughter). OK. 

Joe Carrigan: Matthew said that he cannot find a job in Nigeria that pays half as much as the $7,500 a month he makes running scams for people around the United States. 

Dave Bittner: Wow. 

Joe Carrigan: And he's been doing this for 10 years... 

Dave Bittner: Wow. 

Joe Carrigan: ...OK? That is, Dave, $90,000 a year. If that's - if what Matthew is saying is correct, he makes $90,000 a year scamming people out of Nigeria. 

Dave Bittner: Yeah, that's a living. 

Joe Carrigan: That's a living here in the United States. And it's higher than all the median incomes of all the countries. But in Nigeria, it's - the median income is, like, $2,600 a year. 

Dave Bittner: Wow. 

Joe Carrigan: So he is probably one of the wealthiest men in Nigeria, right? 

Dave Bittner: (Laughter) Right. Right, right. So what's the scam here? Walk me through what - how does this fellow from Nigeria get the money from somebody? What's the deal? 

Joe Carrigan: Well, the way - with this scam it works with - it's a rental scam, right? 

Dave Bittner: Right. 

Joe Carrigan: So I put a picture - let's say I'm the scammer, right? 

Dave Bittner: Yeah. 

Joe Carrigan: I put a picture up on Facebook of some other pictures I found on Google or something or maybe even from other ads. Maybe I go to San Francisco Craigslist, right? And I just download all the - the entire page, the copy and everything - right? - the words and the pictures. And then I go make my own posting, like, on Howard County, Md.... 

Dave Bittner: Right. 

Joe Carrigan: ...Craigslist and say, I got this condo for rent. You, Dave, you're the mark. So you say, hey, Joe. I'm interested in renting your condo. I go, OK. Here's all the forms to fill out. I say, well, let me have one day to run the background check and make sure you're OK. And surprise, surprise, of course, you're OK, right? So now all you have to do is mail me a deposit or send me a deposit via a bank transfer or Venmo or something - or CashApp. 

Dave Bittner: Right. 

Joe Carrigan: And you're in the apartment. And I'll send you some keys. Of course, the keys never arrive. The apartment isn't real. But that's how I make my money. 

Dave Bittner: Wow. Well, any insights on how the money is flowing, how they're laundering the money to get that through the system? 

Joe Carrigan: I don't know how they're laundering the money. They may be turning it into some cryptocurrency or something and laundering it that way. Or they may just - there may not be money laundering requirements like this in Nigeria. They may just have money that they can just pull out as cash and then spend. In the United States, we have lots of legal requirements. We need to demonstrate where our income comes from, right? 

Dave Bittner: Right. 

Joe Carrigan: The other issue is that we have to claim the income or we face the ire of the IRS, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So we have to have - demonstrate that we have this income and be able to say where it came from. You may not have that requirement in other countries. 

Dave Bittner: So let's say I'm out apartment shopping. I mean, the thing - the person who I can see this being particularly difficult for is the person who's moving from out of town. 

Joe Carrigan: Correct. And that's exactly the situation that Alex was having. 

Dave Bittner: Yeah. So they're looking for something. They are not familiar with the area. 

Joe Carrigan: Right. 

Dave Bittner: I mean, if you and I were just looking for a different apartment across town... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? 

Joe Carrigan: We could go see it. 

Dave Bittner: We could go see it or even we could, you know, take - look at the picture and say, that doesn't look like anything around here, you know? 

Joe Carrigan: Right. 

Dave Bittner: We don't have that kind of architecture here or whatever. But if you're not from around here, then I could easily see somebody falling for this. 

Joe Carrigan: Yeah, especially if you're trying to have an apartment ready when you show up, right? 

Dave Bittner: Mmm hmm. 

Joe Carrigan: I mean, I can absolutely see how this works. Your best bet for this - call a realtor in the area. You know, ask around on Reddit. I see a lot of people doing this on the Reddit for our hometown. 

Dave Bittner: Yeah. 

Joe Carrigan: They get on there and go, I'm looking for an apartment, and I'm seeing a lot of things that are pretty expensive. Has anybody been to these apartment places? Ask around. 

Dave Bittner: Right. 

Joe Carrigan: There are plenty of communities out there willing to share the information about their communities. The other thing is - I would say, is talk to a realtor. Because, you know, having been a realtor early on in my life, one of the ways that I made money is I would rent people apartments or houses. 

Dave Bittner: Hmm. Real ones? 

Joe Carrigan: Yep, real ones. 

Dave Bittner: (Laughter). 

Joe Carrigan: No, of course, that's right. 

Dave Bittner: (Laughter). 

Joe Carrigan: And you don't have to pay the realtor either. 

Dave Bittner: Right. 

Joe Carrigan: Usually the realtor is paid by the owner of the house. 

Dave Bittner: Exactly. Yeah. 

Joe Carrigan: So they don't have any motivation to scam you. Their motivation is to get you into a house or into an apartment. 

Dave Bittner: And they know the market. 

Joe Carrigan: And they know the market. Right. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Yep. 

Dave Bittner: All right. Oh, yeah, that's an interesting one. 

Joe Carrigan: It is. 

Dave Bittner: All right. Well, we - of course, we will have links to both of our stories in the show notes. So do check those out. Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Craig (ph) who writes, during our clean-out of the spam filter - it sounds like he's cleaning his pool. 

Dave Bittner: Right. 

Joe Carrigan: ...We stumbled across this gem. At first it did seem real. We have a colleague who, at times, can be overbearing. But as with most things caught, it had a compressed file, which was an absolute no-no. And the fact that the email lacks detail tipped us off by the end. The subject of this email was, re: unprofessional behavior. And Dave, you want to take it? 

Dave Bittner: Sure. It goes like this. (Reading) Good day. I am really unhappy with the kind of treatment I got from your colleague when I made a price inquiry. He was very rude to me, and that is a wrong way to treat customers coming to make inquirers. I felt so bad, and it made me think if I did the wrong to patronize your company. I left the office angry. But later that day, I spoke with a partner that happens to be your old customer who sent me your email and said you can attend to my inquiry. I can't continue with my inquiry if this is not resolved first. See attached product list, and I hope you can resolve this or take it to your superior. Best regards. 

Joe Carrigan: Right (laughter). So I almost - I can guarantee you that attachment was malicious. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: This is just someone trying to gain access. This is a good catch, Craig. 

Dave Bittner: Yeah, vague enough that - (laughter) what I love about this from our listeners is, like, yeah, it's plausible. We've got somebody we work with who could - this could... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: This totally - this could totally be Bob (ph) (laughter). 

Joe Carrigan: Right. 

Dave Bittner: There's always that... 

Joe Carrigan: Yeah. It's Joe, is what they... 

Dave Bittner: That one - it's that one colleague. Yeah, right. Exactly (laughter). 

Joe Carrigan: That's what my co-workers say. 

Dave Bittner: (Laughter) Right. Right. So the old saying that if everywhere you work there's one jerk, maybe it's you, you know? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: (Laughter). All right. Well, our thanks to our listener, Craig, for sending that in to us. We would love to hear from you. If you have a Catch of the Day for us, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Kurtis Minder from GroupSense. He's been on our show before. 

Joe Carrigan: Yes, he has. 

Dave Bittner: And our conversation this time was about three divergent ransomware trends that he and his colleagues have been tracking. Here's my conversation with Kurtis Minder. 

Kurtis Minder: On the threat actor side, Dave, it's chaos. As you've seen in the news, in the media, we've seen higher- and higher-profile cases. Those are the ones that we know about. There's a lot that we don't. We've also seen, because of those high-profile cases, the threat actors changing tactics, changing names, changing brands (laughter). So there's a lot going on. Even in the last month we've seen quite a bit of change in the activity level and also the tactics that the threat actors are using. 

Dave Bittner: Well, there are some specific things that you all are tracking here. Let's go through them one-by-one. What's the first thing that's on your radar? 

Kurtis Minder: We're obviously intimately involved in the actual ransomware cases themselves. So we're doing a lot of the negotiations on behalf of the victims. So we're tracking, you know, the metrics associated with those negotiations, which groups are most prolific, which groups are using which malware components successfully, also what amounts are being asked for and/or paid in those exact negotiations. But on top of that, we're actually tracking the individual threat actors themselves and their sort of - their track record and history in the space. 

Dave Bittner: Now, what about some of these groups starting to work together to sort of join forces as cartels, if you will? What - where are we seeing that trend? 

Kurtis Minder: Well, it's a little bit cloudy because, like I said, these guys - there's a lot of anonymity attached to these groups. And they - you know, they change their brands and names (laughter) relatively often and when it suits them. But this is not new, the collaboration between the groups. And you've probably heard of ransomware as a service. This has become more and more common, where, you know, the threat actors who are actually perpetrating the attack or the hack of the network are then just licensing the ransomware capability platform in communication mechanism from another party. And so this has actually become more prolific. And the problem that's causing on the response side is, you don't exactly know who you're negotiating with because they're (laughter) literally licensing the brand of another perpetrator. 

Dave Bittner: So opening up my own ransomware version of the corner McDonald's... 

Kurtis Minder: (Laughter) Basically. It's very similar to a business franchise, yes. 

Dave Bittner: Yeah. Now, the barrier of entry has become much lower as well - right? - because of these - as you say, these ransomware-as-a-service offerings. It doesn't take a whole lot of technical expertise to get started in this business if it's something you want to pursue. 

Kurtis Minder: Yeah. And it's not even simplified just at the ransomware technology stack side. It's also simplified at the network penetration side. So, you know, first and foremost, a lot of the attacks that are successful against enterprises that end up being ransomware incidents are not sophisticated to begin with. You know, a lot of these attacks are basic cyber hygiene mistakes. On top of that, you have what we call initial access brokers. And these are opportunistic attackers who are going out and finding these open holes in networks. And then they - instead of actually perpetrating the attack themselves, they just sell that access back to someone who wants to then license the ransomware capability and go through with the attack. So there's a whole marketplace. As a would-be threat actor, you could buy the network access rather than hack it yourself and then license the capability to deploy ransomware on that network, rather than doing that yourself. And it - so effectively, with a small amount of money - it takes some investment in - typically, in digital currency - you could buy the entire capability stack of deploying ransomware without any expertise at all. 

Dave Bittner: Now, is there a distinction between the more sophisticated actors who are doing their homework and targeting organizations intentionally and more of the kind of, you know, smash-and-grab, just going to, you know, spray and pray, try to hit as many folks as possible. Is there - in terms of defenses, is there a distinction there? Or is that a distinction without a difference? 

Kurtis Minder: Well, in terms of defenses, not necessarily. You know, the types of attack vectors are very similar. The only caveat I'll throw in there is for what we call the big game hunters or the threat actors that are targeting very specific organizations. You know, they're looking for a big payout, so they will invest more time and potentially craft and/or buy stronger attack capabilities. But, you know, 99% of the attacks are pretty much the same attack vectors that - you know, across the board. The difference, though - the real differentiator is in how those threat actors negotiate on the back end. The individual actors and/or sort of fly-by-night license, ransomware-as-a-service occasionally, you know, opportunistically - those folks are not operating - let's say in good faith. Or they're not worried about their brand, where a ransomware group like REvil or Conti that has a brand - they are cognizant of the outcome, right? So they're more worried about - they're concerned about making sure they honor the ransom so that other people, in the future, pay the ransom. 

Kurtis Minder: So what we've noticed - and this has actually gotten quite worse in the last couple months, is these smaller operators that are just licensing the platforms are less likely to operate in good faith, like, or honor the ransom. So they might actually give you partial key - like, they might encrypt systems with multiple keys and only give you one when you've negotiated for three and then charge you for the second one and the third one. We like to call those tagalongs. So they - we've seen that happen in the last couple months more and more often. And it is with these smaller actors. 

Dave Bittner: I see. Now, one of the things you're tracking are what you describe as crypto brokers, these folks who managed the crypto payments. Can you describe that to us? What's going on here? 

Kurtis Minder: So we're - I wouldn't use the word tracking. We have relationships with and are well-acquainted with the brokers that basically take, you know, the standard currency - in this case, a lot of times it's U.S. dollars - and convert that into cryptocurrency for the purposes of doing a cryptocurrency transaction. In this case, that transaction is often paying, you know, a threat actor or a ransom payment. There are specific operational and financial security measures that you have to take - or you - obviously, you don't have to, but it is advised that you take... 

Kurtis Minder: ...Doing a transaction like this. And so, you know, we've worked with a number of brokers that help us facilitate those processes. And I can't go through those specifically, but the idea is, you know, the threat actor, when you're actually making the payment, cannot easily trace back to, you know, the victim's bank. That's - yeah, so there's a whole, you know, infrastructure there that helps protect the reverse-tracing of the transaction. 

Dave Bittner: Interesting. 

Kurtis Minder: Yeah. 

Dave Bittner: But you make the point, though, that they may have some, I don't know, perverse incentives here. Like, they - you know, the way that they make their money, the commissions that they make, influences how they go about things and recommendations they may make. 

Kurtis Minder: Yeah. Certainly their economic model is taken into account when we're choosing a partner for a transaction like this (laughter). And we have seen where - in some cases, where the crypto brokers are - and actually we just saw one of these in Australia, where the crypto broker was working with the threat actors. And so we - these are type - this is the type of due diligence that we will do to determine whether it's safe to work with a particular broker or not, is if they are engaged in fraud in any way or coercion with the threat actor and/or any other (laughter) fraudulent campaign. And we do this both by using our intelligence capabilities, which are native to what we do as a company, but also we partner with companies like CyberTrace that will help us basically measure and track the crypto transactions that happen. So we can see who is transacting with whom and how often and that sort of thing. 

Dave Bittner: So it's really knowing who you're doing business with. 

Kurtis Minder: As best you can, yes. 

Dave Bittner: Right. Right. Right. Right. Where do you suppose we're headed? I mean, what are the trend lines? Are we on a trajectory where, you know, this can't continue, there's going to have to be some sort of disruption here? 

Kurtis Minder: Yeah, I think - I hope that we're getting to a point where we can start curbing this. And there are several ways to do that. There's the technology approach, which - you know, we've got, you know, myriad companies trying to solve this. How do we protect companies better from ransomware? 

Kurtis Minder: There's a - sort of a policy and best practices approach, which, by the way, is highly effective. And what I mean by that is, just following some basic security hygiene on the front end will make - will basically remove a company from being the low-hanging fruit. So that's probably one of the cheapest ways (laughter) to address that. 

Kurtis Minder: And then the third way is legislation and government support. And I - that's something - like, for example, the Ransomware Task Force is making recommendations around, how can the government help the victims that are in these scenarios without facilitating a ransom payment? And so the net outcome from this would be that the threat actors no longer get paid for what they do. Now, what I will add to that is, they will find another angle (laughter). 

Dave Bittner: Right. 

Kurtis Minder: And we're already seeing, you know, threat actors pivoting off of pure ransomware and creating - for example, Marketo created a - by the way, this is not the same as the marketing company Marketo. There is a threat actor group called Marketo, which is a little bit confusing and unfair to the marketing company. 

Dave Bittner: Right. 

Kurtis Minder: But the threat actor group, Marketo, for example, has already pivoted to just selling stolen data in packages rather than doing the ransomware deployment themselves. So they just exfiltrate data, and then they've got a stolen data marketplace that they've created. So we're seeing them get creative about changing their approach. So that's - we're going to see that regardless of what we do on the - specific to the ransomware problem. 

Dave Bittner: I see. 

Kurtis Minder: Yep. 

Dave Bittner: What are your words of wisdom - and I realize this is a little bit like asking a barber if I need a haircut. But, you know, what are your words of wisdom in terms of folks negotiating with the folks who are holding them for ransom? Is there - have we reached the point where it is not in your best interest to try to handle this yourself? 

Kurtis Minder: Yeah, I think we reached that point a long time ago. And so my advice to companies and/or victims of ransomware would be, do not engage the threat actors yourself. You need to pull in a professional. The second part of that, I'll say, is don't find that professional by googling help me with ransomware. Because there are a lot of scammers out there that will claim to have expertise and/or capabilities - like, for example, the ability to decrypt your files - that they don't actually have. And they'll just waste your money. What you want to do is call external legal counsel that specializes in breach response, or if you have an incident response firm that you work with or you have cyber insurance, those three angles are the best angles to find a professional to help you with the response. When you respond on your own and then engage a third party to help, it is really difficult to unwind, you know, a negotiation in process. That's my advice. 

Dave Bittner: I suspect, too - I mean, is it fair to say that this is one of those things - this is a conversation that you need to have with your leadership team before you need to have it so that when you're in the heat of the moment you've already got a plan in place? 

Kurtis Minder: Absolutely. And I would say for the larger companies that have incident response plans in place, that's good. But the incident response plans that we have experienced often do not address ransomware incidents specifically, and they should. Those scenarios are quite different, and they involve different business processes, different decision-makers and things like this. So my advice would be, yes, ransomware preparedness is, you know, an ounce of prevention, right (laughter)? 

Dave Bittner: Right. Right. 

Kurtis Minder: Doing something on the front end to get ready for an incident will help you a ton when it does occur. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: I am very happy to hear Kurtis on the show again. 

Dave Bittner: Yeah. 

Joe Carrigan: I always love having him on. Ransomware has really evolved since we first started hearing about it. And it's even evolved more recently with the Cicada ransomware and the industrial control systems we've seen them go after. Ransomware-as-a-service is almost like a franchising model. And we see these guys looking for clients, I guess, front ends for the business. 

Dave Bittner: Yeah. 

Joe Carrigan: And like a McDonald's - like McDonald's, which, of course, everybody knows is a legitimate franchise, a very profitable one at that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...They'll help you get set up. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: What's interesting - one of the things that's interesting about what he said is that the attacks are not all that sophisticated. They're the really basic attacks. They're not breaking into things to - you know, they're not using zero-day exploits to get into these places. They're just using phishing attacks. 

Dave Bittner: Right. 

Joe Carrigan: Right? And one of the things I think is interesting is initial access brokers, right? These are guys that have access to things and then they start - they go out and sell that. You and I were talking beforehand about a Facebook account of somebody I know who - I recently helped them recover it because somebody had changed the password on the account. 

Dave Bittner: Right. Right. 

Joe Carrigan: And this person did not remember changing their password. And it was fairly recently, too. So I think - my suspicion is that that was an access broker or, you know, initial access broker. 

Dave Bittner: So somebody broke into that account and then would sell that access to someone else. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Change the password and lock this person out of their account. But fortunately, we were able to recover the password without much - without any human involvement from Facebook. They have a good password recovery system. I love it that Kurtis calls some of these guys fly-by-night. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: I thought that was funny. That made me chuckle a little bit. Because if you think about it, some of these operators are not fly-by-night operators. They're long-term criminal operators, like REvil, right? 

Dave Bittner: Yeah. 

Joe Carrigan: They are - they've been around for a while. 

Dave Bittner: Yeah. There is a - as you say, this has evolved, and there's growing sophistication with these organizations. 

Joe Carrigan: Right. And that speaks to their brand management. These guys actually - some of these guys actually care about their brand. They're not franchising out their name to everybody. They're saying, when you're talking to us, you're talking to the real people. 

Dave Bittner: Right. 

Joe Carrigan: Right? He was talking about the brokers that he uses - the crypto brokers - that are essentially escrow agents, right? I mean, this is looking more and more like legitimate business all the time. 

Dave Bittner: (Laughter). 

Joe Carrigan: Isn't it? 

Dave Bittner: (Laughter) It is, yes. 

Joe Carrigan: It's fascinating to me. 

Dave Bittner: It is, yeah (laughter). 

Joe Carrigan: If things get very hard for these ransomware actors, they will change to a new threat model. That is one of the key takeaways from this. These guys are really, really, really enjoying the amount of money they're making. And when people start making a lot of money and people start acquiring a lot of money, they like to keep it that way, right? And ransomware actors are no different. So they're going to switch up to something equally as profitable. And Kurtis was talking about some people who just don't even bother with encrypting your data anymore now. They just sell it. 

Dave Bittner: Right. Yeah. 

Joe Carrigan: That's their business model. That's obviously gotten profitable enough for them to do it. 

Dave Bittner: Yeah. 

Joe Carrigan: One of the things Kurtis said that I could not agree with more is, call a professional as early in the process as you can when you're dealing with a ransomware gang. One of the big benefits that gets you is it gets you your emotional detachment from the situation. You do not want to be the small-to-medium business guy on an email conversation with the ransomware actor, malicious actor, who has encrypted all of your files. 

Dave Bittner: Right. Right. 

Joe Carrigan: Because... 

Dave Bittner: And that person does this all day every day. 

Joe Carrigan: Right. 

Dave Bittner: They're - yeah. 

Joe Carrigan: And this is a new situation for you. Get somebody in your corner who also does this all day every day. 

Dave Bittner: Right. 

Joe Carrigan: And that is great advice. I couldn't agree more with Kurtis on that. 

Dave Bittner: Yeah. All right. Well, our thanks to Kurtis Minder for joining us once again. Always a pleasure to have him on the show. 

Dave Bittner: We want to thank all of you for listening, and, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.