The Microsoft Threat Intelligence Podcast 3.19.25
Ep 40 | 3.19.25

The Professionalization of the Ransomware Criminal Ecosystem

Transcript

Sherrod DeGrippo: Hey, everyone. It's Sherrod. Before we get into the episode, I just wanted to let you know I will be speaking and attending at the RSA Conference in San Francisco at the end of April, and I really hope to see you there. Come on by and say hello. [ Music ] Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Hello and welcome back to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, the Director of Threat Intelligence Strategy at Microsoft, and it's a very special episode today, as it always is, but it's something that I really love, which is crime, finally. It's crime time. We have been doing a lot of nation-state threat landscape on this podcast for several weeks now and it is time to get down and dirty in the crime gutters. And I have two fantastic guests with me today to talk all about those things, and I'm going to start introducing Allan Liska, CSIRT and Ransomware Researcher at Recorded Future, as well as Jon Braley, Director of Threat Intelligence at the IT-ISAC. Allan, Jonathan, thank you for joining me.

Allan Liska: Thank you. Really excited to be here.

Jonathan Braley: Pleasure to be here.

Sherrod DeGrippo: So before we dive into ransomware, I want to start with a little background on both of you. So first, I'll start with Jonathan. Can you kind of tell me what pulled you into cybersecurity and why you're interested in talking about ransomware, what you're doing there?

Jonathan Braley: Yeah, I joined the IT-ISAC back in 2017, so I did get a degree in data networking security, and before my role here, I worked with a Google partner. We'd set up business email, so that was my kind of first foray into security there. It was right when HIPAA was coming out with health companies, so kind of helping companies figure out what their requirements were opened my eyes a little bit to security, and then when I finished my degree, I was thankfully able to get in with the IT-ISAC. I've learned a lot. Really fortunate that I get to work with some of the smartest analysts across large IT companies, so a lot of it's just been organically learning from my peers and the companies that we're working with daily, and I really enjoy it. I think for me, being more of a threat researcher, and sorry to the network defenders listening, it's not always as stressful, right? I'm trying to be proactive and figure out what these adversaries are doing. Thankfully, I'm not always up at night fixing problems when they actually get into my network, but I've really enjoyed it. I think it's rewarding to be in this field, and I feel like we do a lot of great work helping companies, so it's been great.

Sherrod DeGrippo: I love that. Allan, what about you? What are you doing with ransomware? Why are you in this?

Allan Liska: So the reason that I got into security in the first place was because of Code Red. For younger listeners, go look that up. That's one of those viruses that happened probably before many listeners were born, but I was a sociology major in college, and my first job out of college was working at the Survey Research Center at the University of Maryland, and I was put in charge of the network because I was the only one who was willing to crawl under desks, and that was literally all the qualification you needed to be a network engineer in the '90s. I eventually went to go work for UUNET, which was, at the time, the world's largest ISP, and then I went to go work on the data center side of things, so I went from the network side to the data center side. We got hit by Code Red. Well, I didn't because I was working on the UNIX side, but the Windows guys, they weren't so good with security. They got hit by Code Red, and that was an all-hands week for us, and that really got me much more interested in security, and so I went to work for Symantec and then did a stint at the government for a few years, then back to Symantec, iSIGHT Partners, FireEye, and then Recorded Future. And the reason I got into ransomware is, back in 2014, FireEye released its APT1 report. So like you, I spent several weeks talking to people about nation-state stuff, but I was dealing with a lot of enterprise customers who all had a ransomware problem, and this was a single-machine ransomware problem, so Locky server, again, back in 2014, and the solution was wipe the box, restore, and so on, rather than pay the $300 ransom. But it was happening multiple times a week, and organizations were sick of it, and they wanted to know, "Hey, how can we stop this thing from happening?" 
And so I got to work with -- I was on the FireEye side, but I got to work with the Mandiant guys to kind of build detections into the FireEye infrastructure for detecting these ransomware capabilities, and for better or worse, I've been doing ransomware ever since. So you could argue, on the one hand, that I'm an expert or, on the other hand, that I'm really bad at what I do because it's only gotten worse since I got involved.

Sherrod DeGrippo: So that is a really great opportunity to talk about evolution of ransomware. I also worked Locky as my first kind of major ransomware campaign situation in 2015 and, exactly the same as you, my enterprise customers, essentially they were getting rank-and-file employees come in to the help desk with their computer saying, "My computer tells me it wants me to pay it money. I don't know what I'm supposed to do here." And it was really interesting because at the same time, and still to this day, but at the same time then, there was a rash of car break-ins all across the Silicon Valley area, and today, don't leave a laptop in your car, and anywhere, really, but in San Francisco, they're going to take it. They're going to bust the window and take your stuff. But it was happening over and over again in Silicon Valley, and a lot of these laptop thefts, they would treat the ransomware the same as if it had been stolen out of a car. They would say, "Oh, we're just going to give you another laptop. Most of your stuff is in the cloud or backed up somewhere. We'll get you up and running." And then they would take those laptops and either format them and get them back up and going, or they would sometimes just give up and be like, you know what, in Silicon Valley, laptops are expendable. They're like pads of paper. They just give you another one. So I remember seeing that, and I also remember it was $300. Locky was $300, and they were sending out a million messages a day with Locky as an attachment to an email where the person would click on it and install it. They would install Locky. It was such a wild time. But let's talk about, Jon, I'll start with you. Like, where are we now? We're at a place where it's not $300 anymore. It's not turn and burn a laptop. It's millions of dollars. Tell me kind of how we got to this place.

Jonathan Braley: How did we get here? I've been following this, obviously. I haven't been around as long as both of you, but since 2017, you know, that was -- we started to see the early signs of it with things like WannaCry, and more destructive than anything, right? We had some of these nation-state groups that were kind of using it as a tool to begin with, and then it slowly -- we started to see these cybercriminals realize, okay, "This, we could make a lot of money with this." And now we're at the point where I hear reports from impacted companies that the customer support for some of these ransomware groups is better than the actual IT services that they're using, right? These are legitimate businesses. They're these marketplaces. We've got these very advanced cybercriminal groups that are now starting to work with some of this ransomware as a service, right? So they're just leasing this ransomware out. These very sophisticated actors that may already have access to companies may be skilled in breaching these companies are now maximizing their profits, right? And we've seen some of these more traditional cybercrime groups also jumping and turning to ransomware because they realize how lucrative it is. But to answer your question, how did we get here? People are paying the ransom, right? And it's working, and I think Allan said it earlier, it's an increasing problem. I'll talk probably later about some of the stats that we're seeing, but year after year, we're just seeing more and more ransomware and it's a real unfortunate situation.

Sherrod DeGrippo: Allan, what do you think about the differences between the old days of Locky 10 and 12 years ago and ransomware today? Somebody says "ransomware" to you today, what does that mean? Like, what's the difference?

Allan Liska: So just to piggyback on what Jonathan said, one of the reasons that we got here is because of Iran, because of SamSam hit Presbyterian Health in 2016, and that's the first known case of -- publicly known case of what we call "big game hunting ransomware," where you didn't just take out a single machine, you took out a whole network and then charged the then-unheard-of ransom demand of $16,000 to get all of your computers unlocked, and that's just once one bad guy figures out how to do things, then everybody else follows suit. And while we talk about how we're different from Locky today, remember a lot of those early threat actors are still doing ransomware, so they don't go away. We can see a direct lineage from Locky to Maze to REvil to Conti to what we have today, and so that even though we're in now the fourth generation or fourth iteration of ransomware, where it's not just encryption, it's encryption and data theft, it's encryption and data theft and physical threats to people to not pay the ransom, it's all of these other components that make up ransomware, sometimes we don't even encrypt the data anymore. It's just all of the other things that aren't data encryption, but it's a lot of the same threat actors doing that, as well as all the new threat actors, and you said this -- well, in fact, I've quoted your tweet many times in one of the presentations I do about ransomware and Bruce Lee, which is ransomware is an ecosystem. It's not -- even though we talk about this as LockBit hit this or RansomHub hit that, really what it is, is it's an initial access broker that did a thing, and that initial access broker sold that access to an affiliate. That affiliate is part of a larger ransomware group, and that ransomware group has negotiators that work for it. They have programmers that work for it. 
They have money launderers that work for it, so they have all of these things, and that ecosystem that's built up around it is really what we're talking about when we talk about a ransomware attack.

Sherrod DeGrippo: Yeah, I've seen that you used my tweet and it's very flattering. Thank you. We at Microsoft track threat actors that don't do ransomware, but they contribute to that ransomware ecosystem either by hosting landing pages, or doing large sending, or doing attacker-in-the-middle capability to bypass MFA, and they are just a small puzzle piece in this big cottage industry of ransomware. It's very entrepreneurial. It's very, you know, these markets, I won't even call them "underground dark web markets." They're not. They're type it into your browser and you can go buy ransomware as a service. You can buy initial access as a service. The other thing I think that's important to note about evolution is that when we're talking about host-by-host encrypted laptop-type ransomware, like we saw with Locky, that was encrypted files were kind of the goal point. You had to get these files unencrypted or you had to get your data back. You had to get your data back somehow. But today what I really see is that the threat actors know it's not about encrypting the data. It's about crippling the operations of that organization. How can I take this company and get them out of business, get paid, and then put them back into business? So that's something I want to ask just quickly, too, because it is a question that people ask me. I feel like people ask me once a week about this. If an organization pays the ransomware, will they get back up and running? Jon, what is your response to that? Do they return the encryption keys, etc., in your experience?

Jonathan Braley: The answer, from my experience, is yes. I've heard different reports on it, but you got to think if you're a prominent ransomware group and people are paying you and you're not getting your files back and getting access back, that news is going to come out pretty quick, so it's in these groups' interest to get the company up and running again, right? Because if they work with negotiators from cybersecurity insurance companies, right, and if they know a group isn't going to give your files back, they're probably going to not even try, but I think that it's in the interest of these ransomware groups to actually restore files. On the other side of it, I've heard horror stories of people getting their files back, not really figuring out the hole where they came in the first place and will either see a follow-up ransomware attack by a different group, could be the same cybercriminal using a different strain. It's hard to say. But, you know, I have seen reports of follow up attacks, too, so that's definitely concerning. And I agree with your point. I think that they are trying to shut a business down, right? That's the fastest way to get them to pay the ransom, but then that stolen data is also crippling. There's sensitive intellectual property. There's customer data that will just be from a reputational perspective, almost more damaging than actually having your operation shut down, so I think that's a big consideration, too, and why we're seeing a lot of the double extortion is sometimes that data is just as crucial as getting your systems running again.

Sherrod DeGrippo: Allan, what do you think? Are they going to give me my files back if I pay?

Allan Liska: So I have a slightly different take. For the most part, they're going to give you a piece of crappy software that has a decryption key to it, and your incident response team is going to have to rewrite that and it's not going to work on your encrypted databases, it's not going to work on your encrypted VMs, and it's not going to work on anything generally larger than four gigs or so. Some of them will, but the majority of them won't. What the ransomware actor is counting on is that's enough, that you're going to be able to get most of what you're doing back, to get back up and running, but they're also counting on the fact that you won't out them for being terrible human beings. One of the things that drives me nuts when you do ransomware incident response is how much victims protect the ransomware actor. They'll say, "Oh, yeah," we see this all the time, the announcement goes out, "We're responding to a cyberattack. We're responding to a cyber incursion." Just say "ransomware" and say [bleep]. I'm sorry, can I say that on your podcast?

Sherrod DeGrippo: Sure, we can beep it out.

Allan Liska: Fantastic. Beep that out, please.

Sherrod DeGrippo: Just for context for listeners and for my guests, we had Andrew Morris from GreyNoise on the podcast, and I made sure that we had a bleeping button just in case, so we do.

Allan Liska: Very nice. And I love Andrew, and yes, you definitely need a bleeping button with him.

Sherrod DeGrippo: Me, too.

Allan Liska: But, and even when they don't call the threat actor out by name, in the meantime, on the other side of things, you've got the ransomware actors shouting from the rooftops every chance they get to every reporter they can get who they've hit or maybe who they pretended they hit, or whatever, getting as many names out there as possible, and I feel like I don't always understand why there's this need to protect the people who broke into your network and did terrible things to your organization.

Sherrod DeGrippo: So your position is organizations that are experiencing ransomware events should be up front about that and should, if they have attribution that they feel strongly on, they should name and shame that, or if they're listed on a leak site, they should say, "Yeah, this is true and this is happening."

Allan Liska: Yeah, I agree. I'm sure there's a hundred lawyers listening to this podcast that are like, "No, please don't." I'm just telling y'all you're wrong. Call them out and let them know, especially if you're a hospital or a charity or anything like that. Let the world know what these guys are up to.

Sherrod DeGrippo: I like that. I do think that sometimes we over-rotate on protecting, to our own shame, in terms of enterprise financial attacks, whether they're ransomware or other things that are happening. Let's talk a little bit about industries. So I just did a massive piece on ransomware and health care, watching hospitals get ransomed, and I remember -- I want to say this was maybe four or five years ago now, a hospital in Beverly Hills got ransomed, and it was really the first -- maybe it was six years ago, like the first big healthcare ransomware, and no one really knew what to do. So I guess my question for both of you, and Allan, I'll start with you because you mentioned hospitals. Why are hospitals so attractive? I think that's kind of obvious, but is that changing? Are there other industries that fit that same profile that ransomware actors are going after? How are we seeing the targeting and the victimology there in terms of health care versus other things?

Allan Liska: And you may have different insight than I do into this, but generally speaking, I don't like to use the word "targeted" with a ransomware attack because I think most of them are opportunistic, right? So it's a target of weakness, not a target of, oh -- like when you mentioned nation-state earlier, a nation-state says, "Okay, we're going to go after the aerospace industry in this country," and then they devote all the resources. I think there are a couple of exceptions to this. You'll see this with Scattered Spider or, before them, Lapsus, where they will pick a target, they'll go find out the employees on LinkedIn, and then they'll start their social engineering campaign. But for the most part, it's opportunistic. It's just a lot of healthcare providers happen to have weaknesses, and if you're an initial access broker, healthcare providers are worth a lot of money to turn around and sell, and the reason for that is, as you said, it's the disruptive nature. There's this feeling that healthcare providers are going to be more likely to pay because they don't want to disrupt patient access and they don't want patient data leaked. So there is this feeling that if you can break into a healthcare provider, you're going to make a lot of money, and to this point, there really hasn't been a set of consequences for going after healthcare providers. There really hasn't been, any more so than going after manufacturing, which is another one that we see a lot of victims in, or going after basically anything else. There really hasn't been additional consequences for going after healthcare providers, despite my logging through now three administrations for drone strikes for ransomware actors program.

Sherrod DeGrippo: I want to get to that for sure, but, Jon, I just wanted to check in with you, if you have any insight in terms of industry focus when it comes to ransomware actors.

Jonathan Braley: No, I'll agree with Allan that everything we see is pretty much opportunistic as well. We have a pretty robust ransomware tracker where we're basically looking at the data leak sites for all these groups, and we look for trends, and every once in a while, I do a lot of work with the food and agriculture sector as well, and I'll see one group hit the food and agriculture sector six times in a week, and I'll say, "Oh, this looks like a trend," and then I start looking at their full targeting and they fit every other sector the exact same amount. So I'll agree there, and then from a healthcare perspective, I agree with everything you said, Allan. I think it's a lucrative target, and a lot of the groups have language, at least the ransomware as a service, that they won't work with affiliates that will hit hospitals, but then we saw -- I think that when there was some global law enforcement activity against some of these groups, all of a sudden they said, "Hey, if you're going to mess with us, we're going to start targeting hospitals." And I think, even to Allan's point, it was one of those things where I don't think they specifically were targeting. But when they're scanning the Internet looking for vulnerabilities now and they see that hospital, they're going to turn their attention to it, which was kind of an unfortunate follow-up to that, but --

Sherrod DeGrippo: I think there's an element, too, of when you look at an employee who is just a user at work, if they work in certain sectors, to them, the ransomware experience is, "Oh, my stuff's locked up. I can't work today, so I can't do my spreadsheets. I can't write my documents. I can't write my PowerPoints." And generally, those employees feel a sort of helplessness in terms of this is an IT problem that IT has to fix. I think there is an absolute desperation when it comes to healthcare employees because they feel so personally responsible for patient care that they are then putting pressure as well on their leadership and management and the administrative functions within their hospitals to get this done, and that's kind of a special, I think, dynamic when it comes to health care.

Allan Liska: And, I mean, it's become so common in the industry that many hospitals now have a Code Black for when there's been a ransomware hit on the hospital, and that's disturbing to me that it is so common that they have a code for it the way they do for kind of other types of emergencies.

Jonathan Braley: Right, and that crosses a line, too, right? You're going from financial theft to human health and safety attacks. So to your point, Allan, there needs to be some sort of stricter ramifications when that sort of thing happens, but it's easier said than done when we've got criminals in countries that will never be prosecuted and hard to track, and that's a big challenge for us.

Sherrod DeGrippo: Another one I want to mention, similarly, is going back, I'm going to say, six or seven years ago to a large pipeline that was hit with ransomware, and so I break up the ransomware at the epochs, the ransomware eras, if you will, for a Taylor Swift reference about ransomware, which you don't hear very often. The different eras of ransomware are kind of that Locky piece that we were talking about 2014, 2015. That went on one by one for years, but Colonial Pipeline, to me, was a turning point where ransomware really did approach a sort of terrorism level for the first time, and there were other little things here and there, but I feel like that one was catastrophically impactful across the entire country. So Allan, you were nodding your head there. What do we see as kind of the situation there that made things different?

Allan Liska: I think it's because of how impactful it was across the country, right? Like, this was something everybody knew was impacted. So if you go back a couple of years before that to WannaCry, WannaCry was very impactful, but it was much more impactful in the U.K. because NHS was one of the organizations that was disrupted by it, so health care across the U.K. was disrupted and everybody was very familiar with it. We didn't quite have that equivalent in the United States, whereas that was the one that was that equivalent in the U.S. That was where Colonial Pipeline was on your nightly news. That was the one that was being talked about over coffee or the watercooler, or whatever, because it sort of permeated everybody's mind as, "Hey, we've got to do this," and it led to real action. The Global Ransomware Task Force was set up in part because of Colonial Pipeline, and that has led directly to 30 different law enforcement actions last year against ransomware groups because that intelligence sharing has gotten so much easier. So it had real-world impact, not just everybody talking about it, but it had real-world impact on law enforcement activity as well.

Sherrod DeGrippo: So let's get into law enforcement activity, then. Allan, you mentioned drone strikes. As we know, our friend Andrew Thompson also knows an imposed cost, frequently, perhaps excessively, frequently is looking for kinetic action against ransomware groups. So Jon, I'll start with you, but is there any legs to this? Is this something that could ever potentially happen? Is it the right thing to do?

Jonathan Braley: I think it's going to be hard. I don't know if we've seen a kinetic attack due to a cyber event yet, but there's definitely situations like Colonial Pipeline can cause us to rethink that, but no, I think to Allan's point, that's when we started to see the government involvement in it, and I don't know how you feel about it, Allan, maybe, I would love to hear your insight as well, but we've been -- when we saw global law enforcement go after LockBit and BlackCat, our tracker, we actually did see a significant downturn in ransom volume, and for the first time, it felt like, hey, maybe we're making some progress on the ransomware front. If the governments can help kind of control this a little bit, take down some of this infrastructure, maybe we can kind of slow it down. And then, now we're back up higher than ever, so it seems like even when we crush these ransomware as a service operations, the cybercriminals that are working with them just move to the next strain. I think we're tracking like 50 to 100 different ransomware strains, so there's just so many options. They're all getting more sophisticated and it's going to be a very hard problem to stop. Yeah, maybe a kinetic strike might change something, but it's hard to be able to actually carry that out, is probably pretty impossible. But I'd love to hear your insight, Allan.

Sherrod DeGrippo: Allan, when are you going to get a drone?

Allan Liska: So look, we have all of these Iranian drones that are hanging out in Ukraine, and all I'm saying is we repurpose one of them, drop it on the ransomware, do it, and go, "Oh, no, one of your Russian drones must have fallen off course. Too bad. Not our fault." But I'm guessing that there's not a lot of legal will for something like that. So you're right, Jonathan. LockBit takedown in particular was brilliant because it was much more of a psychological operation than just the takedown. It turned Dimitri into -- for those who don't know, that's the guy behind LockBit. It turned him into a pariah in the underground market, so he's not welcome on any underground forums anymore. He lost almost all of his affiliates. Now, yes, they've gone on to others or they started their own ransomware, but it actually was very effective at doing that. Now, part of that is the nature of that particular threat actor, where this is a guy who was paying people to get LockBit tattoos. His personality is very much tied into being the guy that ran LockBit, so he won't let that go. Whereas, BlackCat also was a really nice takedown, but six months later, he's starting -- the team behind that is starting a new ransomware operation. One of the things that we're seeing, and I'll take a slightly different tack than you, Jonathan, if that's okay, is I actually think we are at the high end. We are seeing some really sophisticated threat actors in ransomware, but we're also, because it's gotten so much easier, we're also seeing a bunch of script kiddies that are now just adopting ransomware. 
So like at Recorded Future, we have a sandbox that anybody can submit to through triage, and one of the things that we saw throughout the year is that despite the number of LockBit attacks, LockBit proper attacks being way down or non-existent, the number of LockBit submissions have continued and actually grown because, since the code's out there, what a bunch of people have done are like, "Oh, I don't want to be part of LockBit anymore, but I already know how this works. I'll go start my own ransomware." And that leads to that 50 number that you're talking about for what you're tracking, but they can go start it with this LockBit code, and then when they get their first ransom payment, they hire one of these known developers who can then make improvements to the code to make it more customized to what they want. So we get the higher end, absolutely, but we also get a whole bunch of lower end, and that's where you get 6,000 publicly reported attacks last year, which is significantly less than the total number of attacks, but you get that because you have all these people who are attracted to this idea that they might make a boatload of money.

Sherrod DeGrippo: I think one of the ways that we see that, too, is if, just my personal enjoyment, the Conti leaks really showed us the inner workings of not just the economy and the different providers interacting with each other, the affiliates and the ransomware as a service, little industry entrepreneurs and things, but really the internal workings and chats of people doing ransomware who really sort of saw themselves as software developers or really sort of saw themselves -- I mean, they're using Jira. They're doing Agile, right? They're having stand-up in the morning, and it just kind of shows, I think, and I'll ask both of you, too, if you've seen this, it kind of shows the difference in mentality of especially those Russian and Eastern European ransomware operators, the way they view society, culture, and crime is very different from the way we see that in the West, I think. Is that something that you've picked up on, too? Jonathan, I'll start with you.

Jonathan Braley: I would say yes, not even looking at the ransomware groups, but just looking at the general, yeah, the scammers. It's like, I don't know, it takes a certain kind of person to rip an elderly person off of all their money, right, not feel bad about it. They almost see it as like a business opportunity or maybe they feel like where their role in the world isn't fair, right? So maybe they feel like they can rip off people in the U.S. because the quality of living is different. But yeah, I mean, there's definitely -- seems like there's a disconnect to be able to do that, but I also think part of it is there's not a lot of ramifications. I mean, if you're in Russia carrying out cybercrime against the U.S., you're probably not in trouble. Even I think recently, there were some reports that Russia had arrested all these people, and it's like, I don't even know if that's true. They might just say they arrested all these people. So I think it's just a different mindset. I'm sure there's some desperation in there for these people. It's a way of living for them, and it's probably something where once you've done it for so long, it kind of -- you don't feel as bad about it possibly, too. It just becomes a normal part of your life. So it's real, real unfortunate.

Allan Liska: You know, I mean, I agree with everything you said, 100%, and I don't know about you all, but I spent part of this past weekend doing the same thing we did with the Conti leaks, with the Black Basta leaks, so --

Sherrod DeGrippo: Everyone's talking about the Black Basta leaks. Did you see anything cool in there?

Allan Liska: It's a lot of the same things we saw with Conti. It's just the continuation. It's everything from -- you know, and it feels -- I've often joked that ransomware is like multilevel marketing for bad guys, and one of the things that I noticed in there is, in the forum, it's everybody pitching their tools. For this much money, you can get this tool, and for this much money, you can get this tool to make your -- selling your Lululemon a little bit better and so on. So I find that kind of, again, that tactic is universal across MLMs, I guess. And one of the things, and I'd love to sit down and just riff on this at a con with you one time, if you're ever up for it, is I am fascinated about the way different types of cybercrime develop in different regions of the world. So we see Russia with very software-based cybercrime, like ransomware, but then if you go to Nigeria and Kenya, it's all business email compromise, which almost is irrespective of the tools. It's can you write the right email and convince people to go in? And then when you go to Western Asia, Indonesia and Myanmar, that's where you have like the romance scams and the pig butchering and so on, and that's one that is very human resource intensive. You know, over in Brazil, where you have all the banking Trojans and everything that developed, I do find that culture impacts the type of malware that your society develops, and I think it'd be a really cool and interesting kind of breakdown to look at that.

Sherrod DeGrippo: Maybe that's a panel we need to submit to some conferences.

Allan Liska: I think so.

Sherrod DeGrippo: Sherrod and Allan talk cultural impacts of different kinds of Internet crime.

Allan Liska: You up for it?

Sherrod DeGrippo: Yeah, I'd like to.

Jonathan Braley: I'm in. That sounds really fun.

Sherrod DeGrippo: Let's talk about it. So another one that I'll add is Octo Tempest, Scattered Spider, which I think is also UNC3944. They're typically seen as native English speakers and they do social engineering to almost the entire end of the operation. Like, they are social-engineering focused. Like you mentioned, they go look people up on LinkedIn and things like this. So there are cultural impacts. I think there are different views and moralistic impacts where these threat actors that we who work in this industry see them as the absolute adversary that we must stop from attacking our customers and organizations, and etc., and they kind of see themselves as like, "Well, I just do a job. I'm a developer. I do my tickets." And it just so happens that those tickets are for implementing encryption across large enterprises in the West. It's an interesting thing that we've seen both with evolution and the geo kind of impact culturally. Okay, well, now we are moving to the rapid fire questions. Jon, I'll start with you. If you could tell enterprises to do one thing to protect themselves against ransomware, what is the one thing you would tell them they had to do?

Jonathan Braley: I will start with have a plan. I think you need to expect the worst, right? We often say it's a matter of when, not if, especially the opportunistic cases of ransomware, and we see very small companies get hit by ransomware. We see very large companies get hit by ransomware. It doesn't spare anybody. So having a plan, who you're going to call. If you have to have some sort of security retainer come in, you need to call them ahead of time, figure out who you need to call if something happens. Cybersecurity insurance, make sure you have a policy, understand what that's going to cover, if you're going to have a negotiator to help, auditing all your systems. A lot of it's unpatched vulnerabilities, is how they're getting in. So having a way to know all your different systems, getting alerts when there's updates, making sure you're fixing security patches is huge, and user training. That's also one of my favorite ones. We still see phishing as one of the easiest ways to get into an organization, so having even MFA on everything, it will save you a lot of headache, but training your users to watch out for phishing and things like that is huge.

Sherrod DeGrippo: Allan, what's one thing you could tell people?

Allan Liska: Training is key, 100% what Jonathan said, having that plan in place, testing that plan with tabletop exercises. So since he took that one, I'm going to take "keep out the initial access brokers," and the way you do that is good identity management, good asset management, and good data management. You need to know when you have leaked credentials that are out there and take action to stop them. You need to know what you have in your network and prioritize patching those things that ransomware actors are going after. I love CISA's KEV list for that reason, because that's a quick -- it takes those 50,000 vulnerabilities we're going to see in 2025, and it goes to the hundred or so that you actually need to worry about and probably only 5 or 10 of those that you actually need to worry about. And then where's your data? Not just in your network and in your cloud, but in your partner's network and in your partner's cloud. Doing all three of those things, while not easy, is easier than keeping out a ransomware actor once they get in. So if you can stop the initial access broker, then the rest of what you're doing is going to be easier.

Sherrod DeGrippo: Okay, next rapid fire. Jon, I'm starting with you. What is the biggest misconception about ransomware?

Jonathan Braley: That you're too small to be targeted by it. We hear that a lot. We work with food and agriculture companies and you have these small farms that say, "People don't even know who my company is, like we don't have a lot of money." But it really is opportunistic, as Allan mentioned earlier. We see across the board companies getting hit. So I would caution people to think that they're not relevant enough or large enough to be a target, because they'll breach you and then they'll look up your revenue and they'll cater their ransom demand to however much your company's worth, so everybody's at risk of it.

Sherrod DeGrippo: Allan, what's the biggest ransomware misconception?

Allan Liska: I think too often we talk about these ransomware actors as like these super advanced uber-hackers, and know that they're not. Know that they are -- some of them are. Some of them are really good at what they do, but a lot of them are stupid script kiddies that just are relying on the fact that the resources they need are readily available to do whatever they want, which means you can stop them. It's not impossible to detect the activity and kick them out of your network. When we assign this sort of mythical status to them, it makes it harder to defend against them, because a lot of companies are like, "Well, there's nothing we can do. We're going to eventually get hit." And that's an attitude you should not have. You can stop them, and you don't necessarily need all the super fanciest gizmos and widgets and gadgets to do it. You just need to be well configured and well prepared with the tools that you have, going back to Jonathan's point about testing and training.

Sherrod DeGrippo: Okay, Allan, final question, rapid fire for you. If you could say one thing directly to a ransomware threat actor, what would you say?

Allan Liska: Stop it. I mean, I know that that's not a -- I know that that's not going to work.

Sherrod DeGrippo: No, that was my first thought, too. It was like, quit it. Just quit it.

Allan Liska: I just hope that I don't become president because, yeah, I will drone-strike your ass, and I only need to do it once, and the rest of y'all quit because you're a bunch of cowards.

Sherrod DeGrippo: Nice. Very direct language from Allan Liska. Jon, what would you say to a ransomware group?

Jonathan Braley: I'm not going to say anything. I'm just going to vote for Allan in the next presidency because I like his plan.

Sherrod DeGrippo: Okay, Allan Liska for president. I am all on board. I'm the campaign manager ready to do it. For me, like, I would really like to see ransomware groups take the technical skill and the capability and the organizational and the creativity, quite frankly, all of these skills and talents are being used to do things that really, really hurt people. What if you took all your skills and talents and used them to do things that really help people? You could be having kind of like a clear conscience, peace of mind when you go to bed at night instead of seeing people suffer, and I think it's possibly worth making that change, guys. Come on. All right, I loved talking to you guys. I could talk to you all day long. I really appreciate you joining me on the Microsoft Threat Intelligence podcast. We have had Jon Braley, Director of Threat Intelligence at the IT-ISAC. Also joining us today, Allan Liska, CSIRT and Ransomware Researcher at Recorded Future. Thank you so much for joining me and talking ransomware. Finally, some crime.

Allan Liska: Thank you.

Jonathan Braley: You bet. Thanks. [ Music ]

Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com, for more, and subscribe on your favorite podcast app. [ Music ]