The Microsoft Threat Intelligence Podcast 4.8.26
Ep 66 | 4.8.26

Ransomware: From Isolated Attacks to Global Criminal Ecosystem

Transcript

Sherrod DeGrippo: Welcome to The Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. Welcome to The Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo with Microsoft. And I've spent most of my career tracking threat actors, trying to understand how cybercrime actually works -- who's behind it, how the operations scale, and what defenders can actually do to stop them. One of the things that we talk about a lot on this show is how cybercrime has evolved into a global industry. Ransomware is not just a type of malware anymore. It's a full criminal ecosystem with developers, affiliates, brokers. Entire marketplaces are supporting this ecosystem. So today we're going to dig into that world with someone who has had a front row seat to the evolution of cybercrime for more than two decades. My guest today is Cynthia Kaiser, Senior Vice President of the Ransomware Research Center at Halcyon. Before joining Halcyon, Cynthia spent more than 20 years at the FBI, including serving as Deputy Assistant Director of the Cyber Division, where she led cyber policy, intelligence, and engagement efforts. During that time, she helped build some of the best public-private threat intelligence partnerships that many of us in the industry rely on to this day. She was involved in efforts that disrupted major ransomware groups like LockBit, 8Base, and QakBot. So, as you might guess, Cynthia and I have known each other for a while just being around through threat intelligence and the law enforcement community. 
So this is going to be a little more like just two friends talking tea. So, Cynthia, welcome to the podcast. I've waited so long to have you here. It's great to see you.

Cynthia Kaiser: I'm so excited to be here, and I think it really shows everybody here how strong those private/public partnerships are that we have known each other for years. I'm just -- it's going to be exciting now to be able to talk not from just the public sphere but in my private sector lens.

Sherrod DeGrippo: Yes. I love that. And I think the industry really took notice when you went to Halcyon because we need those crossover skills, experience, and capabilities to move into both spheres, public sector and private.

Cynthia Kaiser: Absolutely. That's one of the reasons I really wanted to come out into the private sector. So, you know, spent two decades at FBI, and I wouldn't give up a minute. It was amazing. But I always knew kind of when I was at that 20-year mark that the best practitioners in our space have experience in both worlds. Even if I want to go back to the government at some point, I wouldn't be as good as I can be if I'm not on the private sector side seeing what customers need, seeing what we're getting on telemetry when we're on a network, what a CISO's concerns are, just all that gamut of things that happen as a regular course when you're in the private sector but you're just a little separated from in the public sphere.

Sherrod DeGrippo: So before I get into asking you about how you got into cyber, how you got into investigations, we talked when you first left the FBI. And you had spent 20 years going into an office, and you now work from home. How is that going?

Cynthia Kaiser: So I'm loving the work-life balance, the ability to see my kids when they come home from school, ask how their day is. But I had to relearn how to actually work. Honestly. You know, I have realized sometimes that, if I need to focus on something, I go out, right? I got to go to a coffee shop. I got to go do something because my dog is looking at me with sad eyes.

Sherrod DeGrippo: Yes.

Cynthia Kaiser: Like, don't you want to cuddle? And I do.

Sherrod DeGrippo: I have that too.

Cynthia Kaiser: I do want to cuddle. So, you know, getting out, like being flexible is really nice. But I've had to kind of learn that, right? Like, I can't just sit in my side bedroom for eight hours a day. I got to move. I got to do things. But it's nice that it's not straight eight, right, or straight -- honestly, at FBI, straight 12.

Sherrod DeGrippo: Right, right. That's what I would imagine too.

Cynthia Kaiser: Yeah. I get to have dinner every night with my family. It's amazing.

Sherrod DeGrippo: I worked in information security for 20 years. I started in government too. But we went remote really early. I think security people went remote really early. Been remote since 2008. And when colleagues would join or I would hire people out of public sector and they would sort of be in this, like, shock of what do I need to communicate, and how do I need to talk about it? Do I need to tell someone I'm going to lunch? And it was -- it's sort of like -- I worked in so many Silicon Valley companies. Now I work in like a Silicon Forest company at Microsoft. And it's so interesting, the differences in culture of the West Coast laid back a little bit in terms of, like, reporting your every move and being kind of like in that place all the time. So it's -- I must admit, it's a bit entertaining for me when people come from public sector into tech.

Cynthia Kaiser: Yes. I'm actually bringing on board somebody that worked with me at the FBI to come over here and help us in the Ransomware Research Center. And they were messaging me saying, Oh. I think I'm going to make my hours 7:00 AM to 3:30. And I was like, sure.

Sherrod DeGrippo: Good luck.

Cynthia Kaiser: That sounds great, right? And then they messaged me the other day. They go, I think I'm going to start at 8:30. I was like, yeah. That's what I figured, you know. Like, I mean, just as it gets flexible, right, you don't need to tell me you're leaving for 15 minutes to go pick up your kids.

Sherrod DeGrippo: Right.

Cynthia Kaiser: And that's the leadership style I always liked is, like, treating people like grown-ups so they show up like grown-ups, like knowing that people want to do this work. They're in this field. They want to catch bad guys, right? They want to fight back.

Sherrod DeGrippo: Yes.

Cynthia Kaiser: And being able to also manage your family and your time and getting everything done, as long as you can get that done, you don't need to be chained to a desk for a certain number of hours a day. I want people to be flexible.

Sherrod DeGrippo: Yeah. And I think, too, the reality is we operate a global operation either way. Ransomware doesn't sleep. The cybercrime ecosystem doesn't take -- well, I guess they do take some Orthodox holidays occasionally, but they don't really take the afternoon off and all of those kinds of things. It is a daily desk that you have to work all the time. And so that means being flexible with when you're there and when you're not.

Cynthia Kaiser: Well, in fact, what we see ransomware actors do nowadays is they wait for everyone to be off work.

Sherrod DeGrippo: Right. Yeah.

Cynthia Kaiser: They wait till the night. They wait till the weekends. So, if you have to be flexible, if you have to be able to respond when the bad guys are doing bad things, you don't need to be at your desk at 7:00 AM every day.

Sherrod DeGrippo: Right. So let's talk a little bit about your two decades at the FBI doing cyber investigations. What originally pulled you into that space in the first place?

Cynthia Kaiser: I wish I would tell you that it was a well-thought-out plan, but it was a little bit by accident.

Sherrod DeGrippo: Okay.

Cynthia Kaiser: So I was living abroad. I was in South Korea, like kind of that year after college, you know, doing something different. And I sat there thinking, do I really want to go to grad school when I go back? Maybe I want to go work. And right at that time, an ad for the FBI popped up and said, Do you want to work here? And I was like, kind of. That sounds great. And this is the funny part. I filled out an application, and then I forgot. And then it was months, right?

Sherrod DeGrippo: Sure.

Cynthia Kaiser: Forgot. Accepted to go to grad school. And my mom calls me. And she goes, The FBI is calling us about you; and we don't know why. And I was like, Oh. I applied. Oh, my gosh.

Sherrod DeGrippo: So they were able to actually begin some kind of background checking just from the application?

Cynthia Kaiser: Yeah. Well, I think I probably -- since I was abroad -- had put a home phone number, back when we had home phone numbers --

Sherrod DeGrippo: Right.

Cynthia Kaiser: -- as a US phone number. But it was funny because they wouldn't tell my mom anything. She's like, are they investigating you? What's happening? What did you do? What did you do when you were abroad? But, you know, it was for the application. And they were holding their interviews the last day of those interviews the day after I got off the plane from living abroad for a year. So it was the middle of my night. If anybody's ever had to fill out one of those SF-86s where you're trying to get a clearance --

Sherrod DeGrippo: QNSP.

Cynthia Kaiser: -- I had to do all that in like a day and show up to the FBI building in Detroit. And it was, like I said, middle of my night. I answered my questions. I don't know what I said. But, at the end of the interview, I bowed because I'd been living with a Korean family for like a year, right? So I always joke. I'm like, they must have thought Cynthia is so respectful.

Sherrod DeGrippo: You -- for those listening to something about those forms, you have to go back with all of your international travel, every international trip that you've taken for the past 10 years and every address that you've lived at for the past 10 years and every job that you've had for the past 10 years. And, when you're younger, you're bouncing around. You're in a new apartment every year because your lease is up, and you can't afford to renew it. And, like, oh. I had this job for six months, and then I got a different one for 12 months. And I was in school. And, when you're young, I think they're harder to fill out when you're younger.

Cynthia Kaiser: Well, it's funny because they say, Well, what -- who were your neighbors at this place? And you're like, I don't remember.

Sherrod DeGrippo: I don't remember neighbors. Yeah.

Cynthia Kaiser: Or you're like asking your parents to call their old neighbors. Like, can I get their phone number down? Because we didn't really -- we didn't have smartphones, right, 20 years ago.

Sherrod DeGrippo: No. You're keeping things in a --

Cynthia Kaiser: Yeah.

Sherrod DeGrippo: I had a paper address book with everyone's phone number in it because you had to dial from a landline.

Cynthia Kaiser: Exactly.

Sherrod DeGrippo: Yeah. So technology, it's moved really fast. When you look back at the early investigation side of it, I assume that you were kind of building the playbook as you went. There weren't, like, standard here's-our-best-practices and here's-how-we-do-it documents. So you're kind of, like, you're inventing things as they happen. How different was that in the early days compared to what you're doing now?

Cynthia Kaiser: So my foray into cyber really came in 2016, 2017. I had been down as a daily intelligence briefer at the White House. And I got to see -- you know, have this front seat to all the cyber things happening. And so I say that to kind of time bound; like, I didn't want to -- like, after there, I didn't want to do anything else but counter cyberthreats. I'm like this is the national security issue of our lifetime. So, you know, my response is going to be about from that time period, that 2017, 2016-ish period. But, even though that doesn't sound like a long time ago, it is like a lifetime ago --

Sherrod DeGrippo: It's 10 years ago, right?

Cynthia Kaiser: -- in cyber operations and cyber investigations.

Sherrod DeGrippo: That's huge.

Cynthia Kaiser: And, yes, we've had to kind of build things as we go; build processes; figure out, like, how to use not just tools that we have but actually the law. So I think that's, like, underappreciated, that we're using really old laws to actually investigate and prosecute cybercrime.

Sherrod DeGrippo: Interesting. Hadn't thought about that.

Cynthia Kaiser: And it doesn't -- yeah. It doesn't always match. And so we've had to come up with, you know, really -- we had really great lawyers at DOJ. And you're going back and forth and determining, you know, how can we use this? What can we do? And so I want to kind of point out, like, what I consider two major changes from then to now. One is that what was a big deal in 2016 or 2017 is like a Tuesday today.

Sherrod DeGrippo: Yes.

Cynthia Kaiser: So -- which is terrible when you think about that. I remember being a part of the US government's, like, entire interagency response to the Russian targeting -- hacking of US energy companies. That happens with all the adversaries now, right? We had this entire marshaled response back in 2017. I think the entire marshaled response is the right reaction, by the way. They shouldn't -- we should really be working towards this. It's just there's so much coming in and so many other bad things have happened that we've almost gotten used to. It's become this regular course. So I think that that's actually a bad trend that we've had since that time I started. The good trend is more in the law enforcement space, as I noted. So I think, before, we were approaching cyber investigations; and it was akin to all these other investigations. You find out somebody did a crime, you indict them, you try to arrest them, case closed. But as either state-sponsored groups or just this entire cybercriminal enterprise starts to come up, it doesn't really matter if you've indicted the low-level guy at his cubicle in the corner. It doesn't really matter if you've been able to arrest the money mule, because they can just replace them tomorrow.

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: And so really thinking about these incidents, these cases as a much broader set of actors, like, how complex it is and, like, thinking about who you actually need to target in this ecosystem to make a big difference, that was a sea change. And I think that probably really started happening more around the 2019, 2020 period when the FBI announced this new cyber strategy. And we really started going after the leaders, the people who were the linchpins, the malware developers, not just the low-level affiliate that started last week. Really thinking about who do we target that makes a lasting difference. And that's when you started to see all of these bigger takedowns with international governments and the like for ransomware that actually made a difference, that actually caused four months of downtime, five months of downtime, which is a big deal. We're not going to solve cyber forever just because we prosecute murderers. People haven't stopped murdering.

Sherrod DeGrippo: Exactly. That's what I tell people all the time when they say, oh, well, how come security hasn't solved it yet? It's like crime has existed since the beginning of human society, thousands and thousands of years. The computer is just another tool to do additional crime. That's it. We're not going to be able to take the tools away from everyone because the tools are used for good too. So we have to stop as much as we can and let people transact.

Cynthia Kaiser: That's right. But we learn more every year about how to do that, and that's important. And we learn how to give those, once again, three months, four months, five months of downtime from a major criminal group, a major state-sponsored group, that's like four or five months of downtime where victims in the US or organizations in the US aren't victims, right?

Sherrod DeGrippo: Right.

Cynthia Kaiser: Like, it's real relief. And I think that's a really important point that's missed in a lot of these conversations. But I also want to thank -- like, we really do learn more and more as we go along. Some of that's like, hey. The advice we were giving wasn't great in 2017. We needed to change it. A very simple example is passwords. I think we used to tell people, like, change them often.

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: And now it's make them really long and complex and don't change them often because, if you change them often, people actually repeat them.

Sherrod DeGrippo: Yeah. Or go passwordless. Go phish-resistant MFA. We're so far into this identity-as-a-control-plane situation now with -- it's just a really different place, I think, than we've ever been before in terms of identity and access management.

Cynthia Kaiser: It is. But it's an evolution, right? And some of it's realizing certain advice we were giving, does it actually fit with people's psychology?

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: And I think as an industry in the last few years, we've started to get that and change some of the things that we've put out there to say, like, we're not going to change human nature. We never were. So how do we work within human nature? How do we assume breach but, like, assume we can contain it really quickly? Like, how do you put some things in place that are realistic, not wishful.

Sherrod DeGrippo: Yes. I love that. I love the idea that we have to get practical. And that's something that we're really focusing on at Microsoft right now, as well, is giving really practical, actionable advice for organizations to implement in a realistic way. Something I always talk about with, you know, the evolution, I encountered ransomware for my first time at -- at work in 2015, and it was Locky. And I just remember so vividly. I was working detection engineering with Emerging Threats at the time. And I remember so vividly saying it's just an attachment. And, when you open it, it encrypts your files. Wow. You know, it's an email with an attachment. You click it; you run it. It locks you out. Okay. And then the thing that hit me was we watched volumes, and that day they had sent a million of those emails just within our visibility at my previous organization. And it really hit me that the scale and scope ultimately is infinite.

Cynthia Kaiser: It is. And we keep seeing it grow, which is problematic. And I'm sure you and I will talk on AI, you know, the buzzword stuff in a little bit and how that's changed. But I don't want to get there quite yet. As we were seeing ransomware come up -- and like you, right, I was tracking it from the beginning. But it was almost one of these other cybercriminal vectors, right? We were doing business email compromise.

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: All these different things at the time. And as the hacks started growing, they started becoming more sophisticated. It wasn't just one email or one person. It was a lot. That's where I really started to stand up and notice because I was actually a late convert to the ransomware-as-a-problem issue.

Sherrod DeGrippo: Sure.

Cynthia Kaiser: I did nation-state for so many years -- China, Iran, Russia, North Korea. And, to me, I was like those are the existential threats to US national security. That's what I need to focus in on. And you start looking at 2019, 2020, 2021 with ransomware coming up -- and part of this is the virtualization of everything made ransomware a lot worse --

Sherrod DeGrippo: Right.

Cynthia Kaiser: -- and a lot easier to compromise entire organizations. But this is what's affecting people every day, right? It's what's affecting our Main Street. It's what's affecting our jobs. It's the national security issue that we have to face every day. It's not a hypothetical for the future. So I've been really, like, looking at this now for a few years. But I also feel like the turning point for me was when we did a takedown of Hive ransomware group. I don't know if you remember that one.

Sherrod DeGrippo: Oh, yeah. I remember them.

Cynthia Kaiser: Yeah. So, for listeners who don't know, a few years ago Hive was like the biggest one, right, or one of the biggest ones. They compromised thousands of organizations across the world. I think they had like a revenue of $100 million. And FBI was able to sneak onto their back end, right, to their infrastructure, sit in their chats; and they very helpfully put all of their decryptors in real names for the victims.

Sherrod DeGrippo: Amazing.

Cynthia Kaiser: Yes. So we started taking them and just knocking on the victims' door and being like, would you like a decryptor? That's turning threat actors' OpSec fail --

Sherrod DeGrippo: Yep.

Cynthia Kaiser: -- into victim recovery success.

Sherrod DeGrippo: Exactly.

Cynthia Kaiser: Exactly. But how long would you think we should be on there doing that before they caught us? We figured like a few weeks, right?

Sherrod DeGrippo: Okay.

Cynthia Kaiser: Seven months.

Sherrod DeGrippo: Whoa.

Cynthia Kaiser: They could not figure out what was happening. Their revenue went from like $100 million to $10 million. They're like, Why can't we make money? What's going wrong? And then, you know, finally we just shut it down, took down the infrastructure with it. The group scattered. But to me that showed we could do something about it, and that's really exciting because that means that we can actually help, right? We can actually help that day-to-day threat that we're all facing. And, candidly, like, we all know these are not just independent people in a basement deciding --

Sherrod DeGrippo: No.

Cynthia Kaiser: -- to do encryption.

Sherrod DeGrippo: They're highly, highly organized.

Cynthia Kaiser: Highly organized and highly connected, including at times with the nation-states themselves.

Sherrod DeGrippo: Yeah. And this is their livelihood in a way that I think most of us who are kind of, you know, not criminals don't really understand that dynamic. This is kind of -- in a lot of threat actor groups from the crime side, this is just sort of viewed as software or a tech job or, you know, oh, it's a little sketch; but what's wrong with this? I'm sitting behind a computer. I'm not out in the street stabbing people, hurting people, things like that. They kind of see it as, well, you know, this is what we -- we do for work from our office.

Cynthia Kaiser: Yeah. I have some thoughts on the hurting-people part. Let me get to that second. First is what I tell people to think about is like watch a mafia movie, like especially like an older one where people are just kind of born into that family.

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: Or they might be doing low-level things on the street for a gang in a city that's really more run by that. This is what we're dealing with. It's just modern-day organized crime, right? It's modern-day mafia. And the -- like, people inside, they think they have a job. Yes. They might know they're doing bad, but it's so removed.

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: Like, if they don't see those victims, that it's almost easier for them to swallow that they're just doing this activity. And these are corporations. They're going to pay anyways. They have money. What does it matter?

Sherrod DeGrippo: I think, too, the analogy of, like, mob movies and mafia movies is a great one because, in a lot of those movies, you see their mom's, like, proud of them and doesn't really know. But, like, they're a good son or, you know, hey. He's a good son, and he's not getting in trouble. And I think that there's a cultural element of that too.

Cynthia Kaiser: Absolutely. We see in the US when there's juvenile criminal hackers, we would -- the FBI would show up to the house. And the parents would have no clue that their kids were even involved in crime. They just thought they had lucrative jobs --

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: -- that they were doing like a side tech job.

Sherrod DeGrippo: Playing video games up there all night. Geez. Yeah.

Cynthia Kaiser: Uh-huh. And so there is this -- there's a generational element of maybe also not understanding some of the technology and the trouble you can get into with technology.

Sherrod DeGrippo: Right.

Cynthia Kaiser: And that does play a role. But, in terms of hurting people, though, I do want to counter what you said a little bit because I think that ransomware actors every day do make choices about who they target, and I believe to my core that we can change some of those choices and make them understand that targeting a hospital is different than targeting a company X. And by that I mean, like, ransomware actors have killed people.

Sherrod DeGrippo: And I don't think that they feel that connection --

Cynthia Kaiser: Exactly.

Sherrod DeGrippo: -- the same way that, like, a criminal on the street would feel it. And, you know, that gets into like cultural and societal. What do you think it will take for some of that targeting to change?

Cynthia Kaiser: I think that the legal authorities exist now where you really could consider ransomware against specific targets -- hospitals, for example -- terrorism. You don't need to go to Congress and get additional authorities. You really kind of just need a focus on it to say, yes, we consider it this. This is what happens if you target a hospital. You are putting these lives at risk, and you are considered a terrorist.

Sherrod DeGrippo: Have you seen that messaging given to policymakers, and how is it received?

Cynthia Kaiser: So, yes. I've had those conversations with policymakers. I think there's a lot of interest in doing that. Like, this feels like something that is possible within the next few years. Like, let's have a world in which ransomware doesn't kill people, but then let's tackle the other things. I think that's a world we can live in, since -- it's doable. Once a few of these guys are labeled terrorists, I think other actors are going to make other choices.

Sherrod DeGrippo: Attitudes may change. Attitudes may change. Yeah.

Cynthia Kaiser: I don't -- like, my guess is, if it's -- if they have a codependent relationship with the state, the state might also be like, listen. You don't want to be on the terrorist watch list. If there's stiffer penalties for this, then we can really, like, start to shape some behavior. And then that's the next step, right? You can't just leave it at that, but I think like let's do something doable and something good.

Sherrod DeGrippo: I think that it would be really fantastic to see that. Two years ago, I went and visited the UC San Diego Center for Healthcare Cybersecurity. They're fantastic. Do you know those guys?

Cynthia Kaiser: I do, and they're amazing.

Sherrod DeGrippo: They're so cool. They're actual doctors that lead the center, and they go through the reality of what happens in the emergency room -- in a surgical suite -- if a ransomware event happens. And that's the kind of stuff that makes me so scared and empathetic for people working on the front lines that, yeah, someone's life is in the balance, and they have the data to prove that people really get hurt when medical organizations -- hospitals, clinics, etc. -- experience these kinds of attacks.

Cynthia Kaiser: University of Minnesota did a study where they kind of looked at just excess Medicare deaths over time, and from 2016 to 2021 they've noted at least 47 deaths were because of ransomware. That's kind of before ransomware was as big as it is now, right? Imagine what that number is today. And some of this is because, when a hospital shuts down, we used to say at the FBI -- we would be briefing policymakers and be like, oh. But they're diverting ambulances, right? Like, that was a mitigation. But think if you're having a heart attack.

Sherrod DeGrippo: Right.

Cynthia Kaiser: Yeah.

Sherrod DeGrippo: Diversion actually decreases patient outcomes.

Cynthia Kaiser: That's exactly right, and it stresses other hospitals. So, if you have more people in an ICU at a hospital nearby because there was a ransomware attack at this place, there might be decreased patient outcomes there. Like, there's a lot of implications here. That's where I think we can really look at these -- labeling them terrorists. But, you know, I talked at the beginning of our conversation about how you take laws that were made for something else and maybe apply them to cyber. I also think, if we can do a better job of identifying patient harms quickly, we can charge these guys with felonious murder.

Sherrod DeGrippo: Whoa.

Cynthia Kaiser: Right? Because it's a felony.

Sherrod DeGrippo: I haven't heard this one, Cynthia; and I talk about this stuff a lot.

Cynthia Kaiser: Yeah. So it's a felony, right? Intrusion is a felony, a federal felony. And, if you kill somebody in the commission of a felony, that's also felonious murder.

Sherrod DeGrippo: Wow. Okay. The creative minds when it comes to policy and law enforcement are worlds ahead, I think, of someone like me who's like, let's write really great detections because we have to come at it from both angles, right?

Cynthia Kaiser: Absolutely.

Sherrod DeGrippo: We have to have the technical detection angle. We have to have the protection mechanisms and all of those security basics that we talk about. But this policy part that you're talking about, adding a felonious murder aspect to it, is that gaining traction? Is that something that we potentially could see?

Cynthia Kaiser: So I think that there's a lot of interest in it. The issue is that, when you have a ransomware attack at a hospital, they go to paper records.

Sherrod DeGrippo: Right.

Cynthia Kaiser: Like, the records are really hard to keep, right? And it can be difficult to prove this one death was caused by ransomware versus other factors. It's a lot easier to say, Well, hey. There's just this excess of Medicare deaths.

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: And there's no other explanation other than the ransomware. And so that's more of an aggregate. But we can start really monitoring this. And we saw it in the UK where there was a baby that died because of delays in testing on their side because of ransomware.

Sherrod DeGrippo: I hate hearing that.

Cynthia Kaiser: I know.

Sherrod DeGrippo: I think that's part of why public-private partnerships are so incredibly important because, as a technologist, I really believe that a massive part of ransomware protection is on our backs. It is our responsibility to apply every technical mechanism, every technical pressure, every technical protection that we can possibly create and push out and then partner with anything that gets around that with our law enforcement partners.

Cynthia Kaiser: Absolutely. That's been one of the wonderful things about coming to Halcyon.

Sherrod DeGrippo: That's what I want to talk about next.

Cynthia Kaiser: Yes. So, at the FBI, I was responding to a lot of attacks. And part of responding and investigating those attacks is trying to prevent others, to put out advisories, to put out information. But now I get to be so much more in the contain and prevent side, so I'm preventing everybody's worst day instead of helping them after their worst day. And that's amazing. And the fact that there are these technical solutions that exist -- I think Halcyon is really unique in that it laser focuses on ransomware. It works really well as a sidekick to EDRs like Defender to bring in that, like, this feels weird, this is acting weird; but we know from our understanding that this is ransomware -- to try to stop it early. But we also kind of have this fail-safe at the end. And this is what was really cool when I came -- when I was looking around and deciding where I was going to go is we almost man-in-the-middle attack the ransomware itself --

Sherrod DeGrippo: I love that.

Cynthia Kaiser: -- if it gets to that point. So we capture artifacts during an attack that allow us to then decrypt without ever having to pay a ransomware actor, ever having to have a decryptor. And isn't that pretty awesome?

Sherrod DeGrippo: That's amazing. And the peace of mind that comes, I think, for organizations when they feel -- first of all, never get comfortable. But there is a peace of mind that comes with knowing that you have a response if something happens, that you have tools in your toolkit that you can use because a lot of organizations end up with ransomware having never discussed it, thought about it, made a plan for it. It just happens to them almost like an act of God, almost like all of your technical controls have just disappeared. What are you going to do now? You can't access anything. And they say -- a lot of organizations don't have a way forward. They just are surprised.

Cynthia Kaiser: And they haven't thought through the full risk profile. I see different leaders across organizations say, but we have cyber insurance, so we're okay.

Sherrod DeGrippo: Ooh. I don't like that at all.

Cynthia Kaiser: I know, I know. And it's like you're not going to be okay. Number one, if you pay, you're known as an organization that paid.

Sherrod DeGrippo: You're a cash cow.

Cynthia Kaiser: Yep. You're much more likely to get hit again. Decryptors aren't magic. They don't float into your network and magically bring everything back.

Sherrod DeGrippo: They take work.

Cynthia Kaiser: Like, you're still probably looking at over 20 days of downtime, right? How many medium-sized organizations can weather 20 days of downtime? Rough. And, okay. You paid. You got your information decrypted; you're back online. The ransomware actors have the data they stole forever. They don't delete it. It doesn't matter if they tell you they did. At the FBI, we would see organizations -- we'd get onto their infrastructure -- that said they were going to delete it if you paid, and they did not. So I think this is like this real misconception that, like, I'll be fine, but there's also this misconception, like, I'm just going to buy stuff to protect and defend. And they're not thinking about, like, what happens, if an actor gets in, how do I contain? And, like, you really -- in this world of, like, deepfake social engineering and, like, different types of attacks coming in -- you have to almost assume breach.

Sherrod DeGrippo: Yeah. You should.

Cynthia Kaiser: Right. And then be able to contain it, know how to get it off your system. I've talked about like a Defender-Halcyon combination sometimes with clients, and I've been like Defender's your wall, and Halcyon's your barbed wire. Like, you've got to figure all this out, right? You've got to have defense in depth.

Sherrod DeGrippo: I think, too, organizations -- honestly, what I would say for most enterprise -- treat every incident and every breach like it is a precursor to a lockout event, a precursor to an extortion event, a ransomware event, etc. because every time a threat actor accesses your environment, they could do a ransomware event; or whatever path they used to access your environment could then be used by a threat actor specifically for ransomware. I think ransomware is the number one thing that organizations need to prepare for because it is such a broad, common threat type that really does have answers. It really -- you can survive this if you plan for it.

Cynthia Kaiser: You can, and two things on that. One is in any breach -- it doesn't even matter ransomware -- like, at the FBI, I would see the organizations that recovered the fastest were the ones who took it seriously right away.

Sherrod DeGrippo: Right.

Cynthia Kaiser: It's not the ones who were the least compromised. Sometimes people were not -- like, you know, the compromise wasn't as broad across their network. But because they didn't take it seriously, because they didn't move fast, they were still behind others in the same campaign that maybe had had a more significant intrusion across all their systems. But they took it seriously. They did something right away. The most important thing to do is to move quickly on your side to contain, but it's also really hard to do that nowadays with people alone --

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: -- because ransomware in particular has gotten so much faster, even in the last year.

Sherrod DeGrippo: Let's talk about that.

Cynthia Kaiser: Yes.

Sherrod DeGrippo: So I want to understand what you think is the driver behind ransomware dwell times becoming minuscule over the past year or two years and what that landscape is going to look like.

Cynthia Kaiser: So we're seeing ransomware attacks right now, and we should have some intel coming out from our team soon talking about groups that can do these attacks in under an hour.

Sherrod DeGrippo: I mean, that makes sense to me because dwell times have never gotten longer. They've always gotten smaller. And, if you look on that curve, they're always going to be approaching almost zero.

Cynthia Kaiser: Exactly. Now, I've heard some people talk about like well, this is because AI, right? AI is making everything faster. I don't actually think so. I think AI is doing some other stuff. Let's talk about that. But what really has occurred and made things a lot faster is, number one, the groups just have gotten more practice. Like, they have their tactics down. That means they can do them faster, use them faster. But it's also this kind of virtualization of everything. I mean, how many of us have more devices and more connected devices than we did just a few years ago? So getting onto systems, really being able -- we see actors consistently go after hypervisors, so ESXi -- like, these types of things in your network that allow remote access, virtualization, like speed across all the network. But that speed and that connectivity allows ransomware actors to move really fast and encrypt really fast once they've gotten to that point.

Sherrod DeGrippo: Let's talk AI. So I do think that AI is working as a tool for threat actors. We definitely know that. We see that. I don't see it being autonomous yet. Maybe that's something down the road. But I do see these groups have been operationalized. They have been organized for quite some time, for years. And, when you look at their willingness to use tools that are available to them -- they use ticketing systems. They use productivity software. They have project management apps. They have project managers within ransomware groups. You better believe that they're going to take AI and use that as a great tool to improve their workflows.

Cynthia Kaiser: I assume every group out there is using AI the same way businesses are.

Sherrod DeGrippo: Yeah. Exactly.

Cynthia Kaiser: Making themselves more productive. There absolutely is an increase in initial access ability; and that's because of AI, right? So take deepfake videos; the vishing social engineering, right, the video kind of deepfakes that we've seen; or just being able to more rapidly and more tailored put out phishing messages, more rapidly exploit vulnerabilities once they're known and out there. All of that AI has absolutely ramped up. I think that's where you see the most gains. Here's where I also have concerns, though, is I agree with you 100 percent that we're not seeing good autonomous attack capabilities yet. I know there's been reports that have gone out there. As I look at those, I still see, even if you've created some kind of AI-orchestrated campaign, the way in which you've gone out or the agents have gone out and created those campaigns is still across known signatures. So, if an organization has the defense basics on their system, they're likely able to rebuff those. And the AI-orchestrated campaigns that have been publicized have a very high failure rate. The advanced group -- ransomware actor groups don't, so why would you use AI? Like, why would you have this high failure rate when you already are good at what you do?

Sherrod DeGrippo: Yeah. And I think they know they're good at what they do. They know their business. And so I think that these ransomware groups know where to strategically deploy AI within their workflows, not necessarily in their actual breach and ransom flow. Like, it's going to be more, Hey. Help me make this script. Help me organize this. Help me get my infrastructure set up in a really effective, nicely organized way. Help me put together a great email that someone will definitely click on in the right language with the right wording. Help me scale this. I have a great email. I want to now send it to a million people or specifically only these types of targets -- help me find them. I don't see right now a lot of ransomware threat actor groups just hitting a button and saying, you know, putting into an LLM, Go ransom things.

Cynthia Kaiser: You know who you see do that? It's the people who can't do ransomware but wannabe.

Sherrod DeGrippo: Right, right.

Cynthia Kaiser: So the wannabe actors are trying to do these AI-orchestrated campaigns, trying to incorporate them. And I think in their minds they're like, if I can get to five percent success, I mean, that's better than my zero percent. Like, recently we saw a ransomware group -- and this is timely because they're in the Middle East region and, like, targeting more Middle East targets. It's called Sakari, and it was pretty ugly. Like, when we looked at the back end, right, of how all the code -- like, it just obviously looked like they tried to do like an AI, probably tried to vibe code each step and then, like, chain them together. They did it wrong.

Sherrod DeGrippo: Yikes.

Cynthia Kaiser: And they didn't create a master encryption key for the encryptor. And, like, for people who don't kind of know what that means, like, for ransomware to be effective, you need three things. You need a lock -- encryption. You need a key -- the decryptor. But, like, the key has to go somewhere, right? You have to be able to use that decryptor in something. So, like, a keyhole in a lock, didn't have that. Like, they'd forgotten to make that. So it didn't matter if you paid for the decryptor or not -- like, you -- it's almost destructionware at that point, not ransomware because you're never getting your stuff back. So it's dangerous to have these wannabes out there using AI trying to create something where they can't do anything. And I think you're also going to see a really big increase in SOC fatigue, right, the security operations centers having to just deal with a lot of junk.

Sherrod DeGrippo: So, like, essentially what you're saying is, like, we're seeing ransom slop being created and deployed.

Cynthia Kaiser: Yes. I saw somebody -- this is not my term, but I'm stealing it. It's called -- they're calling them sloperators.

Sherrod DeGrippo: Yes. Oh, I like that.

Cynthia Kaiser: I know. I really liked it too.

Sherrod DeGrippo: Malicious sloperators are out there. Everyone should be careful. But I think, like, that's -- that's a takeaway that we should mention. Inexperienced, new to the game threat actors, amateurs, whatever you want to call them are pulling together AI-created code and trying to deploy that. And that's different from the way that it's always been for a long time, which was you could generally reliably say, if you pay the ransom, they will decrypt you. Eighty percent of the time, that was generally true. If lots of amateurs are getting their hands on these tools trying to make a go of it, they're not going to be in line with that same kind of respectable criminal operator that we've kind of stereotyped.

Cynthia Kaiser: They don't need the bona fides, not just across the cybercriminal ecosystem but across victims --

Sherrod DeGrippo: Right.

Cynthia Kaiser: -- to -- if they're fly by night and they just want to make a little bit of money before they run away, their reputation doesn't matter. So it doesn't matter if negotiators know they don't pay. When I think about AI, though, I do like to think about the cybercriminal ecosystem and this whole underground marketplace we talk about --

Sherrod DeGrippo: Oh, gosh.

Cynthia Kaiser: -- because do you think there's a lot of criminals who are worried for their jobs?

Sherrod DeGrippo: I think -- you know what? Okay. I'm a big AI person. I am constantly AI'ing all the time. I'm writing tons of code and all this crazy stuff that I never did before I got ahold of it. And I'll tell you what. It's a bit woo-woo, but I will say it really depends on your mindset. You can see AI as an opportunity, or you can see it as the end of humanity itself. It really comes down to do you have an abundance mindset? And I do, and I'm sure some of the criminals also do.

Cynthia Kaiser: I love that. I love that. It's been interesting coming over to Halcyon when I did as AI tools were getting really good because I'm building a threat intel team, and it's been fun to almost build an AI-native threat intel team.

Sherrod DeGrippo: Yeah. Yes.

Cynthia Kaiser: So, I mean, I agree with you in that the way we've been able -- I'm building a team, right? I'm not reducing people. I couldn't just do AI for threat intel and that's it, but I get to do so much more --

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: -- because I have AI, and it's really cool. But you've got to be good. You have to know what you're doing to use those tools effectively.

Sherrod DeGrippo: You have to know what you're doing. And, for those of you out there, if you're using AI to write code, please, please, please instruct it to write secure code because that is the potential next terrifying frontier for all of us in security is all of this pushed AI-created code that has no security checks, that has got API keys in the public repos; and it is everywhere. If you're doing -- I don't want to say vibe coding, but if you're doing generated code, please, please do the security checks. Hire somebody to do your security checks. Hire a human.

Cynthia Kaiser: I love that. I also see organizations want to create their own in-house models instead of using the existing models that are out there. And listen. If you have great developers and you do everything right, that's fine. Most people don't do everything right. And what you've then done is create this, like, flashing light to be like here's the great stuff. Threat actors, come here. Come find --

Sherrod DeGrippo: Yeah, yeah. It's like a beacon.

Cynthia Kaiser: -- anyone who has privilege -- at least has privileged access to all the great stuff. And, if you have not put extra security around that, like, really developed that with security first, you're making the threat actor's job a heck of a lot easier.

Sherrod DeGrippo: So, Cynthia, last question: If we're sitting here five years from now, which you'll come back on the podcast, what would success look like in the ransomware ecosystem?

Cynthia Kaiser: Success to me is actually the same as it was when I was at the FBI. And what I used to tell people is the world I want to live in is a world where everything is patched right away; when the FBI or the private sector say there's something wrong or a vulnerability or a tactic, that organizations immediately go and fix it because then we can spend all of our time and focus on the really hard stuff, the sophisticated actors who are developing a zero-day and they're spending billions of dollars and thousands and thousands of hours creating these tools, these tactics. And then we focus on outing it so they lose all that time, they lose all that money because right now we're in a system where why would you use the expensive stuff when the cheap stuff works?

Sherrod DeGrippo: Yeah.

Cynthia Kaiser: But here's where, like, I'm -- but I think we can get there in five years, because AI-enabled cybersecurity really helps us and helps make manual effort of patching a thing of the past. I think we're really going to get to a point where AI can help and almost self-heal software as it identifies bugs. And so then what we're really going to have to focus on is the legacy software, legacy hardware that maybe doesn't have that in there. But, overall, we can get to a point five years from now where AI has made the attack surface so much more difficult that people like you and I, we really get to be the threat hunters we want to be and take down these organizations by shining light and bringing transparency to the bad things they do.

Sherrod DeGrippo: I love that, and I am sending you a meeting invite to block your calendar five years from now so that we can review this prediction and hope -- hope that we're there.

Cynthia Kaiser: Gosh. Let's be optimistic. Let's say three years.

Sherrod DeGrippo: Let's say three years. All right. We're hitting goals, everyone. Ransomware: It's one of those threats that sits at the intersection of technology, economics, geopolitics. As Cynthia pointed out, fighting it requires collaboration across government, industry, the broader security community. We all have a part to play. Cynthia, thank you so much. It's been great having you on the show. Thank you for joining us. I love hearing your perspective, and I love being in the fight with you.

Cynthia Kaiser: Thank you so much for having me. This has been really fun.

Sherrod DeGrippo: Thank you all for listening to The Microsoft Threat Intelligence Podcast. If you enjoyed this episode, you can find more conversations with security researchers, analysts, investigators at msthreatintelpodcast.com or wherever you listen to your favorite podcasts. Thanks again, Cynthia. Thanks for listening to The Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more; and subscribe on your favorite podcast app.