Changing the game on ransomware.
Adam Flatley: Anything that needs to be done in order to sort of change the game needs to be done with sort of this concept of being reasonable and proportional.
Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm David Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Adam Flatley. He's director of threat intelligence at [redacted].
Dave Bittner: All right, Joe, let's jump right in here with some stories. What do you have for us this week?
Joe Carrigan: Dave, my story this week comes from Amer Owaida over at WeLiveSecurity. And he has a fascinating article for the new year. Happy New Year, by the way, Dave.
Dave Bittner: Happy New Year.
Joe Carrigan: "22 Cybersecurity Statistics to Know for 2022."
Dave Bittner: OK.
Joe Carrigan: So try saying that three times fast.
(LAUGHTER)
Dave Bittner: Right.
Joe Carrigan: Now, Amer has a whole list of things. I'm not going to go through all of them because most of them are - some of them are not germane to the social engineering nature of this podcast. But there are some interesting highlights in here. Let's start with item No. 1 - 2021 saw the highest average cost of a data breach in the past 17 years. It now costs $4.24 million to - for a data breach...
Dave Bittner: Wow. That's a lot.
Joe Carrigan: ...Which is pretty high. No. 2 is...
Dave Bittner: Pretty soon, talking about real money.
Joe Carrigan: That's right.
(LAUGHTER)
Joe Carrigan: Item No. 2 is that the COVID-powered shift to remote work had a direct impact on the cost of these data breaches. The average data breach cost was $1.7 million higher - $1.07 million higher where remote work was a factor in causing the breach. So for some reason - and I'd like to know - I'd like to see more research on this. But being remote leads to a more significant breach, probably because you have to add some kind of access for people who aren't within your perimeter, right? The idea of the perimeter is gone in that case, so it's easier to get in.
Joe Carrigan: OK, so here we get into some real social engineering statistics. The most common cause of data breaches was pilfered user credentials, usually harvested from some kind of phishing site or something.
Dave Bittner: Yeah.
Joe Carrigan: These were responsible for about 20% of breaches, and the average cost of these breaches was $4.3 million, almost $4.4 million dollars. The highest ask for ransomware occurred in 2021, $70 million. I feel like I want to put my pinky up next to my lip...
Dave Bittner: (Laughter).
Joe Carrigan: ...And say, (imitating Dr. Evil) $70 million.
Dave Bittner: Wow.
Joe Carrigan: Phishing attacks were connected to 36% of breaches. That's an increase of 11% So phishing remains remarkably effective. This could be attributed to the COVID pandemic, but I don't know. I think it's - I think these guys are just getting better at their art form.
Dave Bittner: Yeah. I mean, it works, right? It still works.
Joe Carrigan: It does.
Dave Bittner: As long as it works, that's - they're going to still use it.
Joe Carrigan: Exactly. Social engineering attacks are the gravest threat to the public administration, accounting for 69% of public administration breaches, analyzed by Verizon. This is from the Verizon DBIR.
Dave Bittner: So does that mean, like, government organizations?
Joe Carrigan: Yes, government organizations.
Dave Bittner: OK. I see.
Joe Carrigan: They - social engineering attacks were responsible for 69% of those being successful.
Dave Bittner: Wow.
Joe Carrigan: Going to skip a bunch here. Down to No. 10, we get to cryptocurrency investment scams remain as popular as ever. And I think back to our NFT discussions day (laughter).
Dave Bittner: Yeah, shocker. I'm shocked, shocked to find...
Joe Carrigan: (Laughter).
Dave Bittner: ...That there would be scamming among...
Joe Carrigan: Right.
Dave Bittner: ...These rapidly evolving technologies.
Joe Carrigan: Yeah, exactly. You know, I had a conversation with somebody, and we were talking about NFTs, where somebody made their own NFT, sold it to themselves for $100,000 and then put it on the market for $30,000. And somebody said, wow, that's a 70% discount and snatched it right up.
Dave Bittner: (Laughter) So...
Joe Carrigan: I'm thinking, you know, that's unethical. But, man, I could make $30,000 in no time at all if I knew how smart contracts worked in NFTs.
Dave Bittner: (Laughter) Yeah, OK.
(LAUGHTER)
Joe Carrigan: Which - you probably shouldn't do that. But, I mean, it's - I'm still baffled by the NFT phenomenon.
Dave Bittner: Yeah, you and me both.
Joe Carrigan: Still baffled by it. Yeah.
Dave Bittner: Yeah.
Joe Carrigan: All the way down to No. 17 - recent years have seen threat actors moving from just infesting systems with ransomware to double extortion. And that is no exception this year. It was - double extortion was 8.7% in 2020, and now it's 81% of ransomware attacks...
Dave Bittner: Yeah.
Joe Carrigan: ...In 2021.
Dave Bittner: Yeah, I would say that that was one of the big stories for...
Joe Carrigan: Right.
Dave Bittner: ...Last year - was the shift to double extortion, for sure.
Joe Carrigan: Yeah. I maintain that you should still not use that as a calculus for whether or not you pay a ransom because there is no guarantee that these guys are going to keep the data secret. In fact, there's evidence to the contrary of that. That being said, if you don't pay the ransom, there is a 100% probability that they're going to disclose it. That's going to happen. So, I mean, weigh that one way or the other for your own risk model and whether or not you want to trust these criminals with keeping their mouths shut.
Joe Carrigan: I just don't - I don't see any reason to do that yet. Additionally, you have still suffered a data breach, right? And that needs to be responsibly disclosed - or disclosed, rather, not - responsible disclosure is for other things.
Joe Carrigan: All right. All the way down at the end of this, the last three points - in 2020, the FBI's Internet Crime Center - it's actually Internet Crime Complaint Center - receives a record-breaking almost 800,000 cybercrime complaints...
Dave Bittner: Wow.
Joe Carrigan: ...With reported losses being responsible for $4.2 billion in losses.
Joe Carrigan: Here's a big social engineering statistic. Business email compromise remains the costliest cybercrime, with losses surpassing $1.86 billion in 2020. Not only is it costly in total, but per event, it's very costly for the organizations that are - that suffer one of these attacks.
Dave Bittner: Yeah.
Joe Carrigan: You really, really have to have policies in place that protect your organization from a business email compromise attack because once the email of a significantly high enough person in the organization chart gets compromised, you have a different problem. So once you suffered the cyberattack, now you're going to suffer the business email compromise attack, and that is going to be very, very costly.
Dave Bittner: Yeah. I mean, it makes me think about how, you know, lots of organizations will have sort of old-school techniques in place where, you know, any check above this amount must be signed...
Joe Carrigan: Right.
Dave Bittner: ...By more than one person, you know. And those things - those work. Those are helpful. Get another set of eyes on that to make sure, to - as we always say here, to slow down, right?
Joe Carrigan: Yep.
Dave Bittner: There's some things slowing down is going to - could in the long run help your organization, for sure.
Joe Carrigan: You know, that's a good point. All of these social engineering attacks - almost all of them have this created sense of urgency about them, that you have to do this for me and you have to do it right now. Don't think about it. Just do it. Don't think about it. Just do it. And whenever somebody starts doing that to you, you should be immediately going, whoa, whoa, whoa, whoa, whoa. Stop. Stop right here. We're not doing it this way.
Dave Bittner: Right.
Joe Carrigan: We are absolutely not doing it this way. We're going to do the slow and methodical way. And if you think that - you know, if you, person who says you're my boss, thinks that's the case, show up at my desk right now and fire me, right?
Dave Bittner: (Laughter) Right, right.
Joe Carrigan: The final point here is the elderly were disproportionately affected by cybercrime. Twenty-eight percent of total fraud losses were sustained by victims over the age of 60. Now, we've talked about this before. This is usually the product of older people suffering much larger losses than younger people. And actually, the case is that if you look at who is more likely to be hit by an online scam, it's actually the younger person that's more likely to be victimized - successfully victimized by an online scam. But when they are victimized, their losses are much, much lower than an older person's losses. Older people are like hitting the jackpot if you're successful - right? - because they have much more money to lose.
Dave Bittner: Right.
Joe Carrigan: Younger people generally don't have it, so that's why they don't lose it.
Joe Carrigan: It's an interesting article. It's 22 points long, and it's a short read. But I wanted to talk about it because it's the new year, and I wanted to do something kind of - I don't know - gimmicky, I guess.
(LAUGHTER)
Dave Bittner: OK, fair enough. You're just - when everybody zigs, you zig, right?
Joe Carrigan: That's right.
(LAUGHTER)
Joe Carrigan: I'm the consummate podcasting professional, Dave. That's...
Dave Bittner: There you go. All right - fair enough. But, I mean, we joke, but it is good information, a good reminder...
Joe Carrigan: Right.
Dave Bittner: ...And good things as we're heading off into this new year. I think the thing that really resonates with me is just be sure you check in with those friends and relatives of yours who don't know about this stuff, particularly elderly folks who are - you know, I always think of them as being sitting ducks. And I don't...
Joe Carrigan: Right.
Dave Bittner: ...Mean that in - you know, in a derogatory way. I mean, they're easy to be victimized. So just keep an eye on them, and look out for them. Make sure they know that you're there and that if something does happen to them that you're not going to judge them, that they didn't do anything wrong, that being scammed...
Joe Carrigan: Right.
Dave Bittner: ...Is not a moral failure.
Joe Carrigan: Right. It's not a moral failure on the victim's part. Let's say it that way.
Dave Bittner: Yeah, yeah.
Joe Carrigan: It was a moral failure on the...
Dave Bittner: Absolutely. No, yes. I stand corrected. Yes.
Joe Carrigan: Right.
Dave Bittner: You're absolutely right.
Joe Carrigan: You're not the person that has the moral failing...
Dave Bittner: Yeah.
Joe Carrigan: ...If you're victimized by this. The other person is the immoral one.
Dave Bittner: Yeah, absolutely. All right - a good list. And we will have a link to that article in the show notes.
Dave Bittner: My story this week - this comes from the Baltimore Sun. This is a story local to you and I. This is written by Justin Fenton, who does a lot of good reporting here in our neck of the woods. The title of the article is "Criminal Indictments Filed Against Maryland Company that Targeted Baltimore Lead Paint Victims' Settlements." So let me unpack this here. Of course, lead paint is a problem.
Joe Carrigan: Particularly here on the East Coast...
Dave Bittner: Yeah, yeah.
Joe Carrigan: ...Because we have older buildings, much older buildings than they do on the West Coast.
Dave Bittner: Right. So lead paint, of course, is poisonous. And so there are folks who have been affected by lead paint. And for a variety of reasons, they end up receiving settlements from folks because of the injuries that they sustained or their family sustained as a result of lead paint. And very often, what happens in a settlement like this is that you agree to what's called a structured settlement. And that basically just means that rather than someone giving you a big lump sum of money, they're going to pay you X amount of dollars over X amount of years.
Joe Carrigan: Right.
Dave Bittner: And that makes it easier on the folks who have to pay out. It increases their ability to pay more people more money over time because they're not hit with a big amount all at once. Well, there are folks out there who will seek out people who have these structured settlements and basically offer to buy them out.
Joe Carrigan: Right.
Dave Bittner: So they'll say, hey, instead of taking 10 years or 20 years to get all this money, how about I give you this lower amount of money right now, and then I will receive the payments over the course of these several years.
Joe Carrigan: Right.
Dave Bittner: That's basically how it works. Have I missed anything, Joe?
Joe Carrigan: I don't think so.
Dave Bittner: OK.
Joe Carrigan: I don't think so. This sounds - I mean, there are ads for companies that do this.
Dave Bittner: Well, and that's what we're getting to here with this story. The folks who have been indicted here by the state of Maryland put up billboards all over Baltimore and surrounding areas that were looking for people who had structured settlements for lead paint, looking to contact them. And what these folks then did was they would get in touch with these folks who had the structured settlements, and they would offer them way less than what would be an appropriate amount, right? In some cases, the lead paint victims received only 8% of the value of their settlement.
Joe Carrigan: Whoa.
Dave Bittner: Yeah. According to...
Joe Carrigan: That's really, really low.
Dave Bittner: (Laughter) Yeah.
Joe Carrigan: I mean, like, really - like, you should get more than 50% percent.
Dave Bittner: Well, the state's attorney general's office said that these folks - they acquired structured settlement payments that had a value of $21 million belonging to 95 different people, but they gave these folks less than $7 million. So...
Joe Carrigan: So let's do that number again. How many millions?
Dave Bittner: Twenty-one million dollars is what they - is what the value of the settlements were. But the victims would end up receiving less than $7 million after they dealt with these folks who were indicted.
Joe Carrigan: OK.
Dave Bittner: So less than a third of the money that was owed ended up going to the victims. So the people who have been indicted in this case received over two-thirds of the money or were scheduled...
Joe Carrigan: Right.
Dave Bittner: ...To receive over two-thirds of the money. Now, where this falls into the scam category, according to the state's attorney, is that there are requirements that folks who agree to these sorts of accelerated payments receive independent professional advice and sign off on it.
Joe Carrigan: Right.
Dave Bittner: So...
Joe Carrigan: So the independent advisers sign off on the settlement.
Dave Bittner: Correct.
Joe Carrigan: Right.
Dave Bittner: And I suspect that this is something - and again, we're talking about what happens in Maryland here.
Joe Carrigan: Right.
Dave Bittner: I suspect this is a state-by-state kind of thing. But - so what I'm putting together from this article is that that is in place to help protect people from just this kind of thing. So there's nothing wrong with me saying, hey, you know what? I - my circumstances are such that, you know, Joe, I have this structured settlement. And, boy, it would really make my life easier if I could get my hands on some of this money earlier. And you said, Dave, hey, no problem. I'll buy it out from you. Let's work up a deal. There's nothing wrong with that, right?
Joe Carrigan: Right.
Dave Bittner: But in order to do that, you and I would have to meet with a third-party person who would then look over the terms of our agreement. Typically, this would be an attorney. Look over the terms of our agreement and say, yep, this looks legit. There's no rip-off here. Everybody is coming into this with their eyes wide open. And they sign off on that. And away we go. In this case, the folks who are offering these settlements - they had hired the - and I'm putting air quotes in here - "the independent professional."
Joe Carrigan: So, a little bit of a conflict of interest, would you say?
Dave Bittner: Just a little bit, yeah.
Joe Carrigan: Right.
Dave Bittner: (Laughter) So the individual who they were recommending, saying, oh, we work with this person all the time, they're independent. They're, you know, completely on the up and up. Turns out that person was on the side of the people who were trying to buy out these structured settlements. In fact, not only was that person part of this, which, again, the state of Maryland is saying is a scam. He has been disbarred...
Joe Carrigan: Good.
Dave Bittner: ...After being charged by federal prosecutors with taking bribes as a member of the county liquor board (laughter).
Joe Carrigan: OK.
Dave Bittner: He pleaded guilty and was sentenced to four years in federal prison and was released in 2020. So this guy has a lot going on (laughter).
Joe Carrigan: Yeah.
Dave Bittner: Right.
Joe Carrigan: Yeah, he's a busy dude.
Dave Bittner: On the wrong side of the law, on the wrong side of the law. So this is sort of a long, roundabout way to say that despite there being protections in place - good faith protections in place, the - you know, the state saying, we're going to try to put things here so that people have to slow down, have to get an outside set of eyes on this to make sure to try to help people from getting ripped off.
Joe Carrigan: Right.
Dave Bittner: These scammers found a way around that.
Joe Carrigan: Yeah. You know what I think should happen is the state's attorney, Brian Frosh, who's the attorney general...
Dave Bittner: Yep.
Joe Carrigan: First off, he's quoted in here as saying that these people - the company's called Access Funding. They preyed on victims of lead paint poisoning.
Dave Bittner: Yep.
Joe Carrigan: And one of the things that lead paint poisoning does or lead poisoning does is it gives you brain damage.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: Yeah.
Joe Carrigan: It makes it harder for you to deal with these kind of things. It damages your cognitive capabilities.
Dave Bittner: Yeah.
Joe Carrigan: So they went after some very vulnerable people here and deprived them of their, quote, "vital lifelines," according to Attorney General Frosh, who I've worked with before. And we have done presentations together. He's a good guy. I like this guy.
Dave Bittner: Yeah. Yeah. I agree.
Joe Carrigan: And he's really interested in protecting vulnerable populations like this. So this is right in his wheelhouse.
Dave Bittner: Yeah.
Joe Carrigan: But, you know, you know what - I don't know that this will happen. But what I'd like to see happen is that these guys get to keep the money that they were given by these guys and they just get the structured settlement payments back, right?
Dave Bittner: Yeah.
Joe Carrigan: That's what I would like to see happen so that they - these people who were scammed out of...
Dave Bittner: The victims.
Joe Carrigan: ...A large portion...
Dave Bittner: Yeah.
Joe Carrigan: ...The victims keep the $7 million that they got, but then they also have their payments restored. There's one part of this story that really angers me about this. There is a family - I'm sure that everybody around Baltimore remembers the name Freddie Gray, but Freddie Gray was the reason that the Baltimore riots happened. He was - he died in police custody, and his family received a settlement for $435,000. And it was one of these structured settlements. Access Funding bought that settlement for $54,000.
Dave Bittner: Wow.
Joe Carrigan: That is...
Dave Bittner: Yeah.
Joe Carrigan: ...For, like, 12% of what the deal was. And this was approved by a Prince George's County judge as well. I think that judge is culpable here as well. I think that needs to be investigated a little bit further.
Dave Bittner: Yeah. I mean, it just - it strikes me as sort of being - it's along the lines of payday loans, you know? It's just predatory.
Joe Carrigan: Yeah. Yeah, absolutely.
Dave Bittner: You know, it's just predatory. People who don't have the means are in tough - a tough situation, and people are preying on that. I guess, you know, the good news here is that the attorney general has indicted these folks. Of course...
Joe Carrigan: Oh, good.
Dave Bittner: ...They are innocent until proven guilty and will get their day in court, but it certainly seems as though the state has a good case against them, and we'll see how it moves through. So I guess the message to our listeners is if you hear someone you know who has received a structured settlement, your ears should perk up.
Joe Carrigan: Right.
Dave Bittner: And let them know that there are these folks out there who will prey on people who have these structured settlements. And just make sure that they are receiving good third-party counsel from someone who's on the up and up, right?
Joe Carrigan: Right, yeah.
Dave Bittner: Yeah.
Joe Carrigan: Absolutely.
Dave Bittner: All right. Well, that is my story this week. Again, we will have a link to that in the show notes.
Dave Bittner: Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener named Brady (ph), who writes, I thought you might like to use this one on your show - interesting that they splurged for a full-color thick card stock but did not professionally proofread the document by someone who speaks English. Needless to say, we did not send them any screenshots. Love the podcast. Well, thank you, Brady. And Brady sends two pictures along that come from a company that sells things through Amazon.
Joe Carrigan: Dave, why don't you read the contents of the first picture?
Dave Bittner: Yeah. Well, before I get to that, let me just...
Joe Carrigan: OK.
Dave Bittner: ...Describe what this is because I think, folks, I - boy, do we get a lot of stuff from Amazon.
Joe Carrigan: Yes.
Dave Bittner: And if you order enough from Amazon - I've certainly seen these cards, right...
Joe Carrigan: Yes.
Dave Bittner: ...Where basically, they're telling you, you know, we'll do something for you if you do something for us. So...
Joe Carrigan: Right.
Dave Bittner: Let me read it here. It says...
Joe Carrigan: Right.
Dave Bittner: It says, dear valued customer, thank you for purchasing automatic. We hope this product is working well for you. To return the great trust from you, you can get a $20 free Amazon gift card by sharing your shopping experience. You can use this gift card on Amazon to pay for what you buy. Amazon has been encouraging customers to share their shopping experience. Your positive opinions will be an important reference for others. It will encourage our team to provide more professional service and products. All steps to get a gift card - post your review at Amazon. Log into your Amazon account. Click your account. Click your order. Find our products. Click write product review. Send a review screenshot with your order ID in the email subject or add on our WhatsApp. An e-gift card will be sent to you within 24 hours. If there is anything you not so clearly with using it, you are waiting to send the message to us, our R&D team will supports you during 24-hour working hours. Thanks and best wishes.
Joe Carrigan: So what's happening here...
Dave Bittner: You know, it really falls apart there in the end, doesn't it (laughter)?
Joe Carrigan: Right, it does. Yeah. It's like they ran out of money for the translating service...
Dave Bittner: Right, right.
Joe Carrigan: ...And then just had somebody who speaks a little bit of English do it.
Dave Bittner: Yes.
Joe Carrigan: So what this is - this is not, you know, a scam that's targeting Brady. It - in fact, you may actually get a $20 gift card. But what they're doing is you're essentially buying a five-star review.
Dave Bittner: Yeah.
Joe Carrigan: If you don't write a five-star review, you're not getting a $20 gift card. That's just not happening.
Dave Bittner: (Laughter) Right.
Joe Carrigan: You write a three-star review, you're getting - you're not getting anything. But I want to point out this is against Amazon's terms and conditions.
Dave Bittner: Right.
Joe Carrigan: You're not allowed to pay people for their reviews, and that's what these are doing here. So you ever see the - you ever wonder how does this thing have so - how does this product have so many five-star reviews? This is how, this right here.
Dave Bittner: Yeah, yeah. So here's a question for you, Joe.
Joe Carrigan: Yeah.
Dave Bittner: You get something like this, you get to this postcard, do you rat them out? Do you let Amazon know?
Joe Carrigan: I might.
Dave Bittner: What do you do?
Joe Carrigan: I might rat 'em out, yeah.
Dave Bittner: Yeah.
Joe Carrigan: I might do that. I might be inclined to do that.
Dave Bittner: Yeah, yeah. It's a shame that it's come to this, but...
Joe Carrigan: Right.
Dave Bittner: ...I've read articles that talk about how this really does make a difference if you're selling things on Amazon.
Joe Carrigan: Absolutely.
Dave Bittner: Getting those five-star reviews bumps you up to the top of the list, and that can be...
Joe Carrigan: Yup.
Dave Bittner: ...A real difference-maker for...
Joe Carrigan: Now...
Dave Bittner: ...The success of your endeavor with Amazon.
Joe Carrigan: I want to point out that it is perfectly fine to send an email saying, hey, please review us on Amazon. And you can encourage people to write a five-star review.
Dave Bittner: Right.
Joe Carrigan: You just may not compensate them for that.
Dave Bittner: (Laughter) Right. Bribes are against Amazon's terms and conditions.
Joe Carrigan: (Laughter) Right.
Dave Bittner: Right, right.
Joe Carrigan: Yes.
Dave Bittner: All right. Well, our thanks to Brady for sending that in to us. We would love to hear from you. If you have a Catch of the Day or a story you'd like us to consider for the show, you can send it to us at hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with Adam Flatley. He is the director of threat intelligence at an organization called [redacted]. Interesting conversation - here's my talk with Adam Flatley.
Adam Flatley: So the traditional model of dealing with ransomware actors is pretty much the same as what has been done with most types of cyber criminals, where sometimes the private industry and law enforcement will share information. They will try and track down the perpetrators of these crimes. Most of them are coming from somewhere overseas, and so it involves working with liaison organizations overseas with either going through Interpol or directly going to other sort of federal law enforcement agencies in these other countries, and then working with them to arrest the perpetrators. So that's sort of the traditional way of doing things.
Dave Bittner: And what - we seem to have come up short here. And without being too coy about it, I mean, there's a big issue with Russia.
Adam Flatley: Yes, absolutely. And that's where the traditional model breaks down. There's still a lot of great work going on in sort of the traditional way of doing things 'cause there are some ransomware actors that are operating out of countries that have a good legal relationship with the U.S. But the problem, as you identified, is really when you're dealing with a country that is either unable or unwilling to work with the U.S. in a law enforcement manner.
Adam Flatley: And it's especially tough when the government is either, you know, partially complicit with the ransomware actors; you know, if they're, you know, willfully ignoring them because they're enjoying the havoc that they're causing around the world. Or in some cases, there may even be profiting from what the ransomware actors are doing by taking their cut in their profits in order to sort of pay for the protection that they're providing. It's very much like what we saw with organized crime. You can think of it in that light, where, you know, large criminal organizations would corrupt the police and then have the police shelter them for, you know, a cut of or a skim of the profits.
Dave Bittner: And so what options then are on the table? I mean, are we talking about diplomatic pressure? Could we see this get to the point where, you know, there's kinetic action, where we're targeting actual, you know, physical locations for damage?
Adam Flatley: So anything that needs to be done in order to sort of change the game needs to be done with sort of this concept of being reasonable and proportional. So, you know, I don't think anybody with any good sense is advocating dropping bombs on anyone overseas for doing this kind of thing.
Dave Bittner: Right.
Adam Flatley: But there are many, many capabilities that the government has that they can bring into this fight. And that's sort of what changed when the Biden administration designated ransomware as a national security threat. That really changed the game. That allowed the U.S. government to do a lot of things.
Adam Flatley: So No. 1 - it got more resources to be able to put into the traditional way of doing things. So the organizations that were already in the fight are getting a lot more resources to do it. However, it also then unlocked the ability for the intelligence agencies, the military intelligence apparatus and other parts of the government to now get into the fight because it's not just a pure criminal act anymore. Now these acts are considered national security threats, which then unlocks this entire other, you know, bevy of capabilities.
Dave Bittner: What sort of capabilities do we suspect we're talking about here?
Adam Flatley: So when you're in a situation where the traditional law enforcement model either isn't working or is being blocked by an uncooperative adversary, that's when you start to conduct operations that will allow you to do several things. So No. 1 - gathering information in order to have, like, irrefutable evidence that we know who the criminals are, we know where they live, we know what they're up to. And then that is presented to that uncooperative government in such a way that there is no legitimate way that they can deny that they are in their country.
Adam Flatley: And that will then enable sort of what you were talking about, about adding that diplomatic pressure. So if you can present them with a really clear target package on exactly what this group is, who the members are and what they're doing, where they live to where it's completely irrefutable, if they then do not cooperate, serious repercussions can be brought on them from a diplomatic perspective, especially, you know, additional sanctions or other types of activities that would put pressure on the government to comply with this, you know, rock-solid case.
Adam Flatley: There will be some situations where a government still will just deny, you know? They'll deny, deny, deny, counter-accuse at every opportunity, right? And so when you're in a situation like that, the law enforcement model, like, completely breaks down. And so we would have to take matters, you know, into our own hands to protect our country from a national security perspective.
Adam Flatley: And so that's where, you know, disruption operations come into play, where they make it impossible for these actors to do what they're doing, or they make it impossible for them to actually continue to profit from these crimes and then drive them into doing something else that is not targeting our country.
Dave Bittner: So take away the ability for them to make money. I guess make it so that it's really - it's no longer worth their time.
Adam Flatley: Yeah. Because really what it boils down to is right now, the ransomware actors that are operating from countries that are sheltering them have literally no consequences for their actions. They are operating with impunity. They're hiding behind, you know, their big brother, and they're just reaping millions and millions out of these companies that they're victimizing.
Adam Flatley: And so you have to change their risk calculus a bit. You have to show them that they can be found, they can be touched and that their lives can be made very, very difficult if they're going to continue down this road, and maybe it'd be a better idea for them to do something else with their time.
Dave Bittner: What about coming after the ability for them to actually exchange the money - you know? - going after some of the cryptocurrencies? Are there options there that seem practical and achievable?
Adam Flatley: Yeah, absolutely. It really needs to be part of a - like, a holistic strategy in order to do this. Like, you can't just do pure disruption, can't just do pure, you know, threat actor, like, hunting and targeting. It's got to be part of a large weave of a campaign that involves, you know, all the traditional things that law enforcement does, all the traditional things that the State Department would do, all the things that Treasury would do - all woven together in, you know, a whole-of-government effort to tackle this problem.
Adam Flatley: So with cryptocurrency specifically, there are exchanges out there that are not following what would be sort of the normal banking rules about knowing your customer. And so things that would help them comply with anti-money-laundering statutes and anti-funding-of-terrorism statutes - those kind of things, if applied to these exchanges, would then force them to know exactly who is transferring money to who. And then that could be used in a law enforcement capacity to prevent them from moving money that way or at least doing it anonymously, which could create options to recover those funds.
Dave Bittner: You know, when I think about the potential for offensive operations from some of our intelligence agencies - you know, their ability to reach out and, you know, do some of the things that they would do to do harm to the systems and capabilities of our adversaries - do you think it's likely that those are the kinds of things that may happen, but we would never hear about them?
Adam Flatley: I mean, very likely, if anything starts to go down that road, in most cases, you know, none of us would ever know about it. And in most cases, like, you know, doing direct offensive cyber actions is not the right answer either because in most cases, these actors, if some of their infrastructure were to be destroyed, they can spin up new infrastructure sometimes in minutes and just continue doing what they're doing.
Adam Flatley: So it's not as easy as, you know, firing a cyber bullet and the problem goes away. It really needs to be part - it needs to be, like, one tool in this larger campaign, where maybe that's the right thing over in this corner, but in this other corner, it's diplomatic pressure; and in this other corner, it's starting to squeeze them on how they can turn cryptocurrency into fiat, and you slowly crush and dismantle and destroy the organization from all sides.
Dave Bittner: You know, I think about, for example, spam - you know, just sort of regular run-of-the-mill spam. I kind of think of that as being a solved problem; you know, that spam rarely makes it into my inbox, that the mail providers have - they do a really good job with that. Do you think we're headed in a direction where we might see that with ransomware, where enough changes happen that it becomes a thing of the past?
Adam Flatley: I think we can get there, but what it will take is the will to really drive this campaign and to be relentless. The message needs to be sent that this is unacceptable and we will no longer sit back and just play defense. Because essentially, it's really easy to get past the defenses if you're on the offensive side.
Adam Flatley: You're seeing - you know, companies are getting hacked every single day. And some of them are spending millions of dollars on, you know, security software and other things for their defense. But there is literally no network that's unhackable. With enough time and energy, you can get in anywhere.
Adam Flatley: So the really - key here is to let them know that we are no longer just going to sit here and play defense, and we are going to come after you, and you need to stop what you're doing or you're going to face the full force of not just the U.S. government, but all of the allied governments around the world who are no longer going to tolerate this behavior.
Dave Bittner: You know, it also strikes me as one of those rare things in this time of, you know, divided politics, this is something that has support from all sides. There's, you know, there's nobody who's pro ransomware.
Adam Flatley: Yeah. I mean, you'll see that it's something that really impacts everyone. You know, when the when the Colonial Pipeline was taken down briefly, it caused, you know, massive reactions on the entire east coast of the U.S. I mean, we saw cases where people were, like, filling trash bags with gasoline because they were in a panic about shortages. And they were - you know, there were - cars were lighting on fire. So, like, even that, you know, relatively small disruption, you know, caused people to go crazy. And then there was the - JBS meats started to have an impact on the food supply. And then recently, there were two farming cooperatives that were taken offline by ransomware, and that had another impact on the food supply.
Adam Flatley: So, I mean, when you start messing with people's fuel and food and potentially the electric grid - they're definitely messing with hospitals during the pandemic - you're starting to touch people at every level of their lives, and it's - really starts to feel like our country is under attack at this point. And when that happens, you know, Americans unify. Regardless of what's going on, if our country is under attack, we get together and we fight together.
Dave Bittner: All right, Joe. What do you think?
Joe Carrigan: Great interview. I want to say something - when it comes to international law enforcement, we are probably...
Dave Bittner: Yeah.
Joe Carrigan: ...Not going to reach an agreement with Russia.
(LAUGHTER)
Dave Bittner: You heard it here first, folks.
Joe Carrigan: Right.
(LAUGHTER)
Joe Carrigan: Exactly, yeah.
Dave Bittner: International diplomacy pundit Joe Carrigan...
Joe Carrigan: Right.
Dave Bittner: ...Goes out on a limb. Yeah (laughter).
Joe Carrigan: Right. I'm also going to make another risky prediction - we're not going to do that with China, either.
Dave Bittner: Oh, wow.
Joe Carrigan: It's just not going to happen.
Dave Bittner: (Laughter).
Joe Carrigan: Reasonable and proportional he says - Adams says about the response that we have to these things. And it's true. We can't just go about threatening to drop bombs on people just because they have a crime problem in their country.
Joe Carrigan: You know, there's - you know, we talk about how a lot of this crime comes out of Nigeria. And honestly, the Nigerian authorities do not take kindly to it. They really want to be a player on the world stage. They're a, you know, very populous country. They are the most populous country in Africa, and they are trying to develop as well. And they do not appreciate having these scammers operating within their borders. So they cooperate with us. They work with us...
Dave Bittner: Right.
Joe Carrigan: ...Which is nice. It's interesting that the Biden administration's action classifying ransomware as a national security threat means that they're putting more resources into it, and intelligence agencies can now join the fight. I like that for this case. But I want to temper that with a little bit of caution (laughter)...
Dave Bittner: OK.
Joe Carrigan: ...Because it's very easy to say something's a national security threat, and then all of a sudden you get all kinds of resources thrown at it. And I can imagine that going badly for a lot of different people. You know, I just - I mean, I'm on board with it for this case, but as citizens in a free society, we must be ever vigilant. You know, there's a saying - I think it's on the National Archives - that perpetual vigilance is the price of liberty. And that's what we have to have here.
Dave Bittner: Yeah.
Joe Carrigan: I'm glad that the government has the ability to take ransomware seriously, but I'm concerned, not for the immediate future but for the distant future, that this could very easily be abused.
Dave Bittner: Yeah. Yeah. I think it's a good point.
Joe Carrigan: Yep. I like what Adam is saying about building a case that you present - you know, you present to your - to the foreign power. But there are two countries that come to mind immediately, and I have already mentioned them, that will always deny and counter-accuse.
Dave Bittner: Right (laughter).
Joe Carrigan: That's just the way these guys do business. It's just - it's how they are.
Dave Bittner: Yeah.
Joe Carrigan: This is an economic problem, and if we can change the economic model, we can disincentivize the activity, which is - which would be great, right? And I've been talking about that for a number of years, how this is an economic issue. And if you can disincentivize or change the incentive structure, you might go a long way to solving this problem.
Joe Carrigan: You know, that's one of the reasons that we say - there are some people who are pitching the idea of making ransomware payments illegal. If you make ransomware payments illegal, advocates argue that that would make the ransomware problem go away. If nobody can pay ransomware, there's no economic incentive.
Joe Carrigan: I'm also a big fan of the Stephens Dubner and Levitt, though.
(LAUGHTER)
Joe Carrigan: And they have three books written on the nature of perverse incentives, right? "Freakonomics," "SuperFreakonomics" and "Think Like a Freak." And you don't really know what's going to happen when you try to disincentivize something a certain way. So you have to really be careful when you're doing that. So...
Dave Bittner: Right, right. Yeah. That reminds me of - this was probably back in the '80s, back when all - you know, lots of - a hot consumer items were car alarms, right?
Joe Carrigan: Right.
Dave Bittner: People were getting their cars broken into. So, oh, great, we'll put a car alarm in. That led to carjacking.
Joe Carrigan: (Laughter) Right. So yeah, exactly. There's another story that they talk about in one of their books. I can't remember which one it is. But there was a - there is a country that put a bounty out on snakes. They had a snake problem. So they were paying people to go out into the wilderness and kill snakes, and you brought the snakes back in, and they gave you a bounty for them. Well, people started raising snakes and then just killing them and bringing them in.
Dave Bittner: (Laughter) Oh. Oh, man.
Joe Carrigan: That's what happened.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: So, yeah, poor snake, right?
Dave Bittner: Yeah.
Joe Carrigan: I'm sure a lot of our audience is sympathetic, but I'm sure there's a part of our audience who's like, I don't care; kill all the snakes.
Dave Bittner: (Laughter) Snakes have what's coming to them...
(LAUGHTER)
Joe Carrigan: Right.
Dave Bittner: ...For being so snake-y.
Joe Carrigan: Right. I agree with Adam when he talks that taking direct counteraction, like cyberattack on - performing a cyberattack on the malicious actors is probably not going to do it. I think that will rarely work. These bad guys are able to set up new infrastructure instantaneously almost. Really, what is most dangerous is the activities and the software that they have, you know, the skills and the software. Taking down their infrastructure will not impact it. It needs to be aimed at their ability to operate and to monetize those operations.
Dave Bittner: Yeah.
Joe Carrigan: I like a lot of what Adam said about money laundering and financial structure and, you know, putting more financial regulation on. I'm not sure that's the exact right answer, but, you know, I don't think that there are - I think there are plenty of ways to move around that situation, particularly with anonymous cryptocurrencies like Monero and Zcash. I think those are going to make that - you know, putting the hindrance on this very difficult.
Joe Carrigan: And not to say that those are strictly for criminal purposes; they have legitimate purposes as well. You know, think of them like tools. I can use a hammer to build a house, or I can use a hammer to tear - you know, to break into a house.
Dave Bittner: (Laughter) Right.
Joe Carrigan: It's a tool that I can use for good or bad.
Joe Carrigan: One of the things he talked about at the end, towards the end of the interview, is that these guys are - they're no longer masquerading as the Robin Hood, you know, good-guy types, you know, David versus Goliath. You know, we're only going after the - only after the big evil corporations. They're not doing that anymore. They're going after critical infrastructure, hospitals, meatpacking plants, fuel delivery systems. They're doing that because it creates a lot of discord, and they think that makes their targets much more willing to pay.
Dave Bittner: Yeah. Yeah, absolutely. All right. Well, again, our thanks to Adam Flatley from [redacted] for joining us. We do appreciate him taking the time.
Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.
