Security Unlocked 2.2.22
Ep 57 | 2.2.22

A look at Cybercrime in 2021

Transcript

Nic Fillingham: Hello and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft Security Engineering and Operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft security, deep-dive into the newest threat intel, research and data science.

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.

Natalia Godyla: And now, let's unlock the pod.

Natalia Godyla: Welcome, everyone, to another episode of Security Unlocked and welcome Nic. Today, we have Jason Lyons on the show. He is part of the Digital Crimes Unit, Principal Investigator in the Digital Crimes Unit, and he'll be joining us to continue the conversation on the 2021 Microsoft Digital Defense Report, so this will be the third conversation so far and it will focus primarily on the state of cybercrime. And there is a lot to cover. It is a hefty section. So Jason will be joining us to focus the conversation on ransomware and extortion, malware and malicious domains.

Nic Fillingham: Yeah, absolutely, this is a really meaty chapter, this one, and as with previous episodes, if you want to download the report and read along with us at home, it is aka.ms/mddr, this is chapter two. You know, we had 60 minutes with Jason which felt like, "Oh, that's a breeze, we're totally going to cover everything and get into all the nooks and crannies." We didn't. And so we didn't get a chance to cover phishing and other malicious email, we didn't get a chance to cover adversarial machine learning. But the good news is that we will cover those in future episodes and we have some great content actually in the podcast library, so if you're interested in adversarial machine learning, please go back through the archive and you'll find some great episodes on that.

Nic Fillingham: But this was a great conversation. Jason specifically had a ton of detail and context to provide to us around ransomware, around extortion and around the realities of, you know, how do these groups operate, how do they, you know, create and continue their infrastructure, but then also, what is the real-world experience for victims of ransomware? Jason is uniquely qualified to provide that perspective as an investigator in the DCU and it was a great, if not sobering, conversation. And then we finish with sort of learning about something new which I... this was brand new to me when I first read the report, which is the idea of not just malicious domains but domains in the blockchain and how they're being utilized by cyber criminals.

Natalia Godyla: And just a fun titbit there to intrigue everyone who's listening to this episode. He calls those blockchain domains "unstoppable" so we have an interesting conversation about how to make the unstoppable domains potentially stoppable in the future. I think with that, on with the pod?

Nic Fillingham: On with the pod.

Nic Fillingham: Welcome to the Security Unlocked Podcast. Jason Lyons, thank you so much for joining us.

Jason Lyons: Yes, happy to be here.

Nic Fillingham: So, Jason, you are a Principal Investigator in the Digital Crimes Unit and you are also one of the authors of the Microsoft Digital Defense Report, which can be downloaded at aka.ms/mddr. You're going to talk to us today about chapter two in the MDDR which is the state of cybercrime. Before we jump into that, Jason, let the audience know please, if you will, a little bit about yourself. What does a Principal Investigator do in the DCU? Tell us a bit about your day in, day out and how you came to be a contributor to the MDDR.

Jason Lyons: So my name is Jason Lyons, I am Principal Investigator at Digital Crimes Unit. Been with Microsoft about eight years now. For the last really about seven years, I've been working on the Malware Botnet Disruption Team, really focusing on disrupting the largest botnets in the world. Within the last year, you know, obviously there's been a huge focus inside Microsoft on ransomware, so I was asked to, about a year ago, to help co-lead the ransomware initiative inside DCU which is also just a smaller, really larger group within Microsoft, really trying to tackle the hard issues of ransomware.

Jason Lyons: So really, my day to day life is examining ransomware, understanding how it works and how it impacts our customers and our victims, and then what are the processes that we can possibly examine and investigate to possibly disrupt the ransomware process from impacting people?

Natalia Godyla: Wow, that sounds amazing. Well, thank you for joining us today and starting with a big question. So how has the cybercrime economy continued to evolve? What's new in the way the cybercrime economy operates?

Jason Lyons: Yeah, I think we've seen the explosion of cybercrime really happen, especially in the ransomware space, because of cryptocurrency, right, and the general acceptance that cryptocurrency has now taken in our world and almost everybody, you can't even watch TV almost without seeing some kind of crypto ETF, you know, buy, transfer service or Coinbase or some other type of exchange commercial. But, you know, with the emergence of the adoption of cryptocurrency, we've just seen an explosion in these very, very high dollar ransomware scenarios where we see these large corporations, large companies, who have the ability to pay large ransoms, being targeted and being exploited and then impacting all types of people's lives. You know, whether it's from hospitals to supply chains to the Colonial Pipeline like we saw this summer. So it's impacting everyone.

Nic Fillingham: Do we have our hands around the sort of economic impact at a macro scale of ransomware? Like we know it's exploding, we know it's huge. Millions? I'm assuming maybe it's in the billions? Do we have a number that either is in the report or something that you sort of are aware of? Just to sort of like understand the magnitude.

Jason Lyons: Yeah, it's definitely in the millions. It's really hard to determine what the scale and impact of this, because a lot of times, people who are victimized by this type of cybercrime don't necessarily always report, right? Because, one, there's a brand reputation tarnished, obviously there's a lot of possible regulatory violations that impact the victims of ransomware too, so we're talking about HIPAA and privacy. So it's really hard to understand, even when you talk to law enforcement, federal law enforcement agencies, you know, they feel like they only have a certain perspective because not everybody is going to report that they have been victimized. And now that we even see further penalties if a victim does pay a ransom let's say, and the person that they paid was on an OFAC list or a sanction list, they could even, you know, get further fines from the government. So really understanding the whole threat picture, the whole dollar amount around ransomware is very difficult because of the victim exploitation angle.

Nic Fillingham: So we're going to dive deep into ransomware as part of this cybercrime topic, but for those listening at home, just one more time, the URL to download the report if you want to read along with us is aka.ms/mddr, it is chapter two.

Nic Fillingham: Jason, I just want, before we sort of jump into the individual subsections in the chapter, what really stood out for me on the title page, or the first page of chapter two, is the big, bold quote on the right hand side that said, "With no technical knowledge of how to conduct a cybercrime attack, an amateur threat actor can purchase a range of services to conduct their attacks with one click." That's sort of a frightening statement, but could you put that into context for us? Is that a new development in the world of cybercrime, in the cybercrime economy, in the sort of last 12 months? Has it always been like that? How should we sort of think about this new - I don't want to use the word accessibility, but I sort of can't even think of a better one - of cybercrime for amateur or even brand new threat actors.

Jason Lyons: Yeah, I mean we've seen these types of, I call them crime kits, pre-made kits, you know, in the past decade, but not at the prevalence that we've seen it now, right? We've seen where, you know, people would go on, be able to go on Dark Net forums and buy, you know, crime kits that, you know, get YouTube tutorials on how to use those. But really, with the explosion of ransomware, we're really seeing this ransomware economy break into what we call the affiliate model, right? Where there's the core developers of the ransomware and basically you sign up as a person or an affiliate, part of that program, and you join their network and by joining their network, they are going to give you the technology that's required to encrypt someone's files and be able to do that. And your part is now you have to do basically a ransom cut with the developer. So we see, traditionally we've seen these splits like 70/30, 30 going to the developer, 70 going to the actual person who is conducting the ransom.

Jason Lyons: So yeah, we've seen the ease of use into ransomware, the technical abilities to get into this type of cybercrime is lowering, and we're actually even seeing, you know, what we see build panels where, once you do sign up as an affiliate of a ransomware program, you basically just plug and play your stuff into this panel and they basically create this ransomware, malware for you with all your-- whether you want to have email addresses or how you want to make contact with the victim. So the bar has definitely been lowered.

Natalia Godyla: So the ransomware services are just one subset of all of the services that are available in this cybercrime economy, so can you kind of give us a harbor cruise through some of the different types of services that might be for sale and what those price points look like? What really is the cost of being able to pull off an attack nowadays?

Jason Lyons: Yeah, I mean scale is everything and finding the right victim is everything. We've seen definitely a more investigative mindset towards ransomware, you know, where we saw traditionally, back about three years ago, it was more of a pray and spray kind of attack where they would just put ransomware URLs and emails and send them to everybody, hoping that anybody and anybody would click on these things, get encrypted. You know, Grandma, a hospital, school, whatever. It didn't really matter, they just were trying to get one or two Bitcoin from somebody. Into this really more targeted and focused where they're really buying now, they're actually buying access, so this is part of this ransomware model is, not only do you not have to go out and develop the ransomware, you can probably buy access to a high dollar value company from somebody else.

Jason Lyons: So, for instance, I want to go out and attack Colonial Pipeline or some kind of infrastructure provider that I know.

Nic Fillingham: Hypothetically.

Jason Lyons: Hypothetically, has cyber insurance, right, and can pay a very high dollar amount of bounties. So, you know, traditionally we see that, people buying access to compromised enterprises, then, you know, buying access to ransomware and then extorting these high level, high dollar victims. So it's really, it's almost like a tiered model, business model as you look at it from someone where you're buying access to a compromised computer to you're buying access to the ransomware and then being able to do the extortion. And then you have the double extortion model on top of what we're seeing today in the ransomware, is even in, you know, value added for the criminal.

Nic Fillingham: And what do we know about the actual folks that are conducting, or I guess the clients of the people that are coming to these cybercrime as service providers? I mean, are they just sort of entrepreneurial but have sort of misguided morals? Is it as simple as that, they're just looking to earn money, or is a lot of this sort of nation state sponsored sort of activity and it's just sort of disseminated in a way to make it look perhaps ad hoc and democratized, or something else?

Jason Lyons: Yeah, I mean there's definitely a connection between nation state actors and really highly sophisticated cybercrime, right, and we see that a lot where there's sometimes always some blurred lines where, you know, maybe these individuals are doing, working for both the state and for private enterprises. But traditionally, what we know about these guys is, you know, as we investigate the infrastructure they use to perpetrate the crime, they usually have to buy hosting services, they're usually coming from IP addresses. We learn more as we do incident response with people as we respond to these crimes, we develop indicators of compromise, we understand what their tool sets look like, how they're being delivered and where they're operating out of. And so that's really how we're able to determine, you know, how these affiliates really work in the cybercrime model.

Jason Lyons: And then what we try to do inside the Digital Crimes Unit is then take this information that we have and then be able to do criminal referrals to law enforcement, to federal law enforcement, so we can give them some insight based on our research and investigations into the criminal activity.

Nic Fillingham: It's fascinating, it's scary, but I am also, I guess, a little relieved that folks like yourself, Jason, and others in the industry that are doing this sort of investigative work and really trying to understand what's going on, are able to provide that perspective.

Nic Fillingham: Again, we're talking about the Microsoft Digital Defense Report, aka.ms/mddr, we're in chapter two. Jason, let's jump into ransomware, big topic. Natalia and I have a few questions we want to pepper you with. The first one though is, why are we still talking about ransomware? It's not that new, but yet it seems to be only gaining in either awareness or perhaps in sort of volume of attacks. How come, as an industry, or even as a society, how come we haven't been able to put a lid on it or even sort of stop it entirely? Why is ransomware still such a big thing and maybe even getting bigger?

Jason Lyons: Yeah, I mean, when you look at information security as a whole, everybody likes to call it the onion approach. You have so many different layers that you protect your network from, whether that's now the perimeter, the inside host value, whether that's just doing regular backups of data, having incident response plans when things go wrong. And so typically, you know, every case is different, but typically what we see is that there are security controls that haven't been properly implemented, there's not a proper backup procedure for important and business continuity data, so there's not just one, unfortunately one syllable that we can just point to and say, "Hey, this is the sole reason of why ransomware is so prevalent."

Jason Lyons: But, I think it also has a lot to do with the adoption of cryptocurrency and how the value of cryptocurrency, like of Bitcoin, you know, over just the last two or three years has tripled in value. So it's making it a commodity that people want and a commodity that people can access and pay with some pseudo-anonymous, you know, properties around it. Although a lot of people think that the cryptocurrency tracking payment is completely anonymous, it's not, it's really pseudo-anonymous where you can actually, you know, investigate and track some of the payments and understand where the money flow goes.

Jason Lyons: So, yeah, I think it's a combination of just the adoption of cryptocurrency, the combination of large enterprises now having large cyber insurance policies, having the ability to pay these ransoms and really just make themselves stand out as a possible victim.

Nic Fillingham: Wow, so the combination of the sort of ransomware or cybercrime as service providers and the accessibility of semi-anonymous, or at least perceived anonymous payment methods through crypto, perhaps it's sort of those two factors, it sounds like that's what you're saying are a part of the big reason why we haven't been able to put a lid on ransomware yet and why it's unfortunately still growing.

Jason Lyons: Yeah, absolutely.

Nic Fillingham: Wow.

Natalia Godyla: First of all, in the report there were some really great diagrams, walking through the different components of ransomware. I'd love for you to just walk us through how one of these attacks progresses, from the cyber criminal working with these as a service in organizations to gather what they need, all the way through to post-breach.

Jason Lyons: Yeah. So we can talk about it at a very high level to try to keep it simple.

Natalia Godyla: Yeah.

Jason Lyons: But usually how these cyber criminals work is they'll usually buy, or gain access to, what we would call a high-value target, right? And once they get that access, they will then do their research into not only what sensitive data they can possibly ransom, but also exploit from a regulatory perspective. So we almost see this as what we call the double extortion model, where the victim almost gets victimized twice; once with the data getting encrypted and twice, you know, if you don't pay to get your data decrypted, they're going to sell or publish your private data and now you're going to face regulatory fines.

Jason Lyons: So once that high-value target has been found, they usually gain access, go lateral movement inside that victim's network, make sure they're getting the most sensitive data, make sure they're getting the most, you know, the prize that they're willing to pay the most for, and then really stage their attack on the most sensitive data. And then staging that attack, then the ransom process has begun and usually what we see is a couple of things happen. One is, they'll usually exfiltrate the victim data prior to encryption, so you'll see a large quantity of data being exfiltrated from the victim's network, and then the data is encrypted, right?

Jason Lyons: And then the victim is now presented, Bob from IT shows up, you know, on Wednesday morning and he turns on his computer and all he sees is this ransom note, right? And the ransom note really is the instructions now for the victim on how to get their data back. And each one of these actors have different ways of communicating with victims. We see, you know, via email, we see via chat, we see via all these different mechanisms of ways of, you know, communicating with the victims.

Jason Lyons: And then that's really where the negotiation starts. Now the victim has a real mess on their hands. They're now trying to figure out, "I can't access my data, now they want $15 million to get my data back, where are we going to get the money to pay for this data, to keep up operations?" I mean sometimes some of these operations are very sensitive, we're talking about hospitals, things like that, right, where they can't really afford to even be down for a day. So paying the ransom, it sounds very good to them.

Jason Lyons: And then once the victim figures out the communication channel with the threat actor, the negotiations begin and those negotiations can take days, hours, weeks. This really depends on the motivation of the victim to want, how bad do they want to pay, can they pay? And most of the times these ransoms are paid in, I would say 99.9% of the time, these are all paid in Bitcoin. So what we see is, you know, their cyber insurance companies that insure these victims who then have crypto-brokers and ransom negotiators, almost like hostage negotiators, so the cyber insurance companies can facilitate their victims to getting hold of the cryptocurrency needed, right, and then actually provide some expertise in the negotiation too.

Jason Lyons: Because a lot of times we'll see, several firms round the world specialize in doing ransomware negotiations for the big cyber insurance companies and so the negotiations will start. The cryptocurrency is then secured and then payment is made. And then usually within 24 hours, the criminal, the threat actor will then receive, and it could either be email or something, but will supply a decryptor to the victim. And even during the negotiation process, you'll see proof of decryption being requested from the threat actor and they will actually, you know, decrypt a small set of files, just to prove they have the capability.

Jason Lyons: And then the victim is just left with remediation at this point, trying to get back up, try to get back up and running, working with incident response firms, trying to determine what the root cause of the initial incident was, how did they get into their network. And hopefully, you know, reset and go back to whatever their business was.

Nic Fillingham: You talked about, Jason, the sort of double - I forget what phrase you used - you talked about sort of like the one-two punch.

Jason Lyons: The double extortion.

Nic Fillingham: Double extortion, yeah. It almost feels though, like it's maybe even potentially more than that. I remember reading, definitely in last year's MDDR, and I'm sure it's covered here as well - I might have blurred the two in my head - that some of these ransomware actors will ransom you, they'll extort your data and then they'll, you know, they'll sit dormant and then they might come back again six or 12 months later and have another go. Are we still seeing that? Are we still seeing the fact that the ransomware - I mean not that you can expect a ransomware operator to be ethical - but are we still seeing them sort of behave in this sort of un... extraly... sorry.

Natalia Godyla: [LAUGHS]

Nic Fillingham: What's the word for, like, being like more unethical than unethical, where you've paid them the ransom, you've gotten back to a previous sort of known good "state" and then six months later, they've been dormant and they just come back and do it again? Does that continue to happen? Are we still seeing that?

Jason Lyons: It does, it does and unfortunately too, I feel bad for these companies because a lot of times, when they hire these outside incident response firms to come in and help determine what the root cause of the initial breach was, they'll miss it, right? So the vulnerability will still exist, the backdoor will still exist. And so we do, we see the same people being victimized time and time after again. Usually these are, you know, relatively small to medium businesses who have limited IT staff, who have limited capabilities, who hire incident response firms to come in and hopefully fix the problem right the first time, and a lot of times, yeah, we see them come back.

Natalia Godyla: So you started to talk about this in your explanation, but you know, what factors come into play as to whether you decide to pay the ransomware or not, or pay the ransom or not? I really liked some of the examples that you had given in the MDDR, like the fact that the decryptor can be buggy. It's just such a good reminder that there are humans behind this and they will make mistakes and that can be in your favor, but what other considerations should people have in mind when they're trying to make this decision?

Jason Lyons: Yeah, so funny enough, the ransomware business is all about reputation, and that's why you'll see these ransomware actors brand themselves with these brands, you know, you'll hear the term Maze or Conti or REvil, Ryuk, so these guys are actually building their brand and that's part of that ransomware process is, hey, if you get hit by Conti or you get hit by Maze, they have a reputation of supplying the decryptor, right? So it's almost, they're almost building a brand saying, "Hey, listen, we have a track record of getting people their data back if you pay." Right?

Jason Lyons: And so the trend now we're seeing though is, as these guys build these brands, as these guys are, you know, getting people to pay these high dollar ransoms, we see the government now putting these groups on these OFAC sanction lists, right, these "do not pay" lists. And so what these guys end up doing then is just rebranding themselves as something else, right, so if I'm rebranding myself as Maze the last six months and now I'm put on the OFAC sanction list, people are gonna quit paying my ransom because now they may face government sanctions if they're connected to paying this ransom. So I'm going to rebrand myself something else.

Jason Lyons: And so the trend we see is these affiliates, they'll come hot for, you know, six to nine months, they'll get enough scrutiny put on them, they'll build up the reputation for people to pay the ransom and then eventually the government will place them on this do not OFAC pay list, and then we just see them rebrand themselves as something else.

Nic Fillingham: Is this almost like a Yelp for ransomware operations, so that if you do get attacked you can at least sort of understand, am I dealing with someone that sort of, is sort of going to play by the rules - and I'm doing air quotes that people can't see because it's a podcast - but versus someone who's just in no way, shape or form engaged with them. Like is that sort of where we're at?

Jason Lyons: Yeah, and so these guys actually maintain open sites too. So I think in the MDDR, we actually reference Conti ransomware. They control two different types of structure - one is a ransom negotiation site and the other one is what they call their new site. And so during the course of a negotiation, they'll send you a link, the victim a link and say, "Okay, the timer has started on the negotiation." And they actually have progress bars at the bottom so let's say I'm a hospital from Maine again, as an example, they'll start slowly publishing my data on their new site as negotiation starts, to further add leverage to prove to them that they are serious, right?

Jason Lyons: And then so, yeah, specifically Conti used in the MDDR as that specific example of them doing the double extortion and actually using the publishing model as leverage to get the victim to pay.

Nic Fillingham: Two questions to wrap up the ransomware section so we can sort of move on, because this is a huge chapter in the MDDR and there's a lot of great stuff to cover. The first question is - I'm going to ask the two questions and I think I want you to do them in reverse order. The first question is, what is our guidance for ransomware? Is it "do not pay" or is it something else? So that's the question I wanted to get to.

Nic Fillingham: But the first, the other question is, there is an example, sort of a frightening example on page 13 of the report where it's a ransomware negotiation chat. So first of all, Jason, you confirmed to us before we started rolling, this is an actual, real example of ransomware negotiation that you were able to get from a customer who was victimized by ransomware, and what you see in this chat here is basically the victim, the customer, the entity, contacting the ransomware operator, obviously through the information they get through the ransomware notification on an infected endpoint, saying "Hey, we can't afford this price." And then the ransomware operation responds and says "N-n-n-n-nuh, we've done pretty extensive research on you, including in your own network, including in your own files, we've looked at your financials, we've looked at your bank statements, we know exactly how much money you have and this amount that we are ransoming you for is based on what 'we now' that you can afford to pay."

Nic Fillingham: How common is that scenario where the ransomware operator has at least this perception of knowing the sort of financial liquidity or the ability for the victim to pay? Is that a common scenario? And then, you know, let's lead into, and then what is our uber-guidance here to customers in terms of do you pay, do you not pay, do you contact Microsoft, do you contact a third party? What is the guidance for customers if they find themselves a victim?

Jason Lyons: Yeah, so yeah, this is a trend that we're seeing that's dramatically increasing with the threat actors researching their victims prior to infection, and we've seen the adaption of what we call these high-value targets in ransom. And particularly in some of the examples that we use in the report, specifically Conti, you know, they're so specific that in the ransom note itself left being for victims is a unique key at the bottom of that ransom note. And so the victim actually takes that key, copies it from the ransom note, puts it into the chat server so the Conti actors know who specifically they are talking to. So it's a very, very defined attack.

Jason Lyons: And as you mentioned in the report, you know, we capture a conversation where they've done their research about the victim, they know what their ability to pay is. A lot of times they even know what cyber insurance company the victim has and has done even research on that cyber insurance company and seen what their willingness to pay ransoms are, right. So a lot of research goes into this, this is big money, we're talking, you know, these big ransoms are tens of millions of dollars.

Jason Lyons: And so the guidance. Ideally, in a perfect scenario, we would never recommend anybody to pay a ransom. You know, ideally someone would have the proper hygiene, the security posture to stop and prevent these attacks. You know, data backups are a huge thing in ransomware, right, and we see a lot of people not even leveraging, you know, things like the cloud for data backup. So obviously preparation, preparing for these types of events is so important for an organization from a security perspective because a little bit of preparation can save you a lot of heartache, especially if you're dealing with your businesses, you know, being down and not functional for a couple of days. Or you're actually thinking about how many years of potential lawsuits you may have because you're now, you know, HIPAA data's out there with your patient data, you know, and you're responsible for that. So, obviously it's, a perfect world we wouldn't recommend anyone to pay ransomware.

Natalia Godyla: So moving along to one of the other sections in the cybercrime chapter of the MDDR, Jason, so for malware, let's start with the macro question. What trends are we seeing with malware right now?

Jason Lyons: Yeah, and so the last year, year and a half, DCU, the Digital Crimes Unit is focused on some of the bigger malware botnets, right, and I want to reference to the disruption we did last October/November around Trickbot. And really, you know, what we saw with Trickbot was this emerging threat with, over the years, that really started out as a banking Trojan, right, really focused on trying to target online financials, stealing Grandma's money, things like that, and really shifts a lot of their focus to actually providing the access to ransomware threat actors as we talked about earlier in this episode, where people are now buying access from these large botnets to these high-value targets. And so that's one of the reasons why that Trickbot last year was so important for us to do that disruption in conjunction with law enforcement.

Jason Lyons: And we're seeing a trend now where a lot of these traditional cybercrimes, such as targeting financial online institutions, you know, it's more fruitful, it's more lucrative to now actually co-mingle, coexist and provide access and so we see these large, large botnets now being that mechanism and providing access to other cyber criminals.

Natalia Godyla: So with some of these changes, how does that shift our recommendations if at all? Are there new ways for security teams to think about how to protect against malware?

Jason Lyons: Yeah, absolutely. IoT devices, you know, offer a whole 'nother range of things that now you have to have some kind of control mechanism over, right? And a lot of times these IoT devices come with firmware that are not patchable or updated, depending on where they come from, the manufacturer. So having some other, you know, mechanism to be able to, not only understand what your inventory of IoT devices is, but having a plan in place to be able to update those and then bring those up to date and make sure they're not vulnerable to attack.

Nic Fillingham: Well, again, this is a really amazing chapter. It's chapter two of the MDDR, aka.ms/mddr if you'd like to download it. We're not going to be able to cover everything in this chapter, but something that stood out for me as what I think, Jason, is sort of a new topic or a new area that I sort of haven't heard much about in the past, is this idea of blockchain domains. This is something that you specifically focused on in writing. What is a blockchain domain? Like I have a rudimentary understanding of the blockchain and of sort of the public ledger and how that sort of works. How does that work in a domain sense and then why is that in the MDDR? How is that an issue from a security perspective?

Jason Lyons: Yeah, so let's talk about the traditional domain system and how it's kind of made up. So let's say, you know, people buy domains because they resolve to IP addresses and humans automatically can remember names and letters better than they can, you know, remember a 12 digit IP address, right?

Nic Fillingham: Microsoft.com, for example.

Jason Lyons: For instance, yeah. And so if I'm going to set up my botnet, I'm going to set up some kind of domain. It's easier for humans to understand the domain system. So I will go out to a registrar who I can buy a domain name from. Let's just say I'm a threat actor, I'm going to buy badguy.com. I go out to a registry, buy badguy.com.

Nic Fillingham: Billie Eilish owns that, but keep going, good example.

Natalia Godyla & Jason Lyons: [LAUGHS]

Jason Lyons: And then, you know, I then have that badguy.com placed into a name server zone where it now resolves to an IP address, so when someone looks up badguy.com it says, "Hey computer, you're going to go to this IP address and this is where the site's going to be resolved." And all of this is kind of controlled by this regulatory body called ICANN, and ICANN is this independent regulatory body that's supposed to monitor and regulate these registries and be able to stop harm when called upon, right? So, you know, you can report abuse, you can, you know, report all different types of, you know, criminal, fraudulent activity to these registries and based on the terms of ICANN, then they can take these sites down.

Jason Lyons: So blockchain domains are based on the same technology, the blockchain technology, as Bitcoin, and so what the blockchain is, is this transparent ledger that is out on the Internet and the nice thing about the blockchain is, it's transparent and pseudo-anonymous, so you can see every transaction that happens out on the blockchain, so it's semi-transparent. And so what we see now is these blockchain technology companies. Registries are investing in these domain name systems using blockchain technology and they are basically now outside the regulatory body of ICANN.

Jason Lyons: So what does this mean? That means that I now can take cryptocurrency, go to one of these blockchain domain providers, buy a domain that I now have sole possession and control over, right? So I control what IP address it resolves to and nobody has the regulatory authority to take down my domain, not even law enforcement. So this is the thing about this. This is a scenario where even the FBI, the NSA, this type of scenario where you have this existence of malicious infrastructure out there, has no ability to disrupt or take down this site because it's solely possessed by the person who, with the private key, bought the domain from the blockchain provider. So there's no, there's really no disruption scenario and it's really one of the trends that we're starting to see cyber criminals use a lot is this ability to leverage blockchain domains in criminal infrastructure.

Nic Fillingham: So is it less about blockchain domains in and of itself being sort of a risk or a threat factor and more that they just further enhance the ability for the threat actors to set up and maintain their infrastructure in order to run their cyber criminal enterprises? Is that basically it?

Jason Lyons: Yeah, I mean, if you look up blockchain domains, you see a lot of people describe them as "unstoppable domains" or "forever domains" and that's just because there is no disruption scenario around being able, for any kind of legal authority to take control of those domains. The issue with these types of domains is they do rely on like a third party proxy service to resolve that IP address and so there is a vulnerability which you can, as a law enforcement or government agency or private entity, sometimes impact is the way that these people are able to resolve these blockchain domains.

Jason Lyons: But what we're traditionally seeing now is now that these blockchain providers, who provide the domains, also provide the resolution service as well, so it further prevents disruption.

Natalia Godyla: How is the industry responding to that? I mean, is there a push from, let's say government, but we can consider other entities here as well, to find a way to be able to stop the unstoppable?

Jason Lyons: So what we've seen, the trend lately, as we saw Dot.Bit for instance was being used, a largely used blockchain domain, and a lot of domain resolution services were resolving these domains as just part of a, like information freedom thing. What we're seeing now is that these DNS resolving companies are no longer willing to resolve blockchain domains, right, and so you have to go to some kind of specialty provider. So there is a trend within the security industry to stop supporting these types of domains but there's also another wing of the Internet freedom security community who says that, you know, there should be non-censorable things on the Internet and that's the reason, you know, one of the reasons why the Internet exists.

Nic Fillingham: Does the onus there fall on perhaps the part of the industry that builds the networking hardware and the networking software that is taking the inputs of, in this case, the blockchain domain and then potentially reporting back to the end user, reporting back to some sort of centralized admin, that blockchain domains are being used there and then maybe looking for a reputation service to understand whether it's malicious or benign? And then obviously now you get into the argument of what's malicious and benign. But is that one possible way to tackle this?

Jason Lyons: Yeah, so you're seeing, you know, from a large organization's standpoint, you know, people can put in policies not to resolve blockchain domains to protect themselves from that and that's easily doable. It's usually the smaller or medium size, you know, organizations that find themselves, you know, vulnerable to blockchain domains because usually, if they have an infected computer inside their organization, they're already using a third party software to resolve that and so sometimes they can bypass, you know, the simple security protocols. But, yeah, it's a trend, it's a bothering trend that, you know, it's a very scary thought to think of that, you know, we could have a whole host of infrastructure out there that not even the top level of government could have any impact on.

Natalia Godyla: Well, Jason, before we wrap up here, it would be great to maybe just have a conversation around hope, have a little bit of a glimmer of hope on the cybercrime. So I know you shared some great thoughts in the MDDR on what the positive trends are. Can you give us a little bit of insight into what makes you hopeful?

Nic Fillingham: Yeah, bring us back up, Jason. [LAUGHS]

Jason Lyons: I mean, listen, there's, you know, you think about automation and all the good that technology brings us. You know, the ability, especially with, just look at the pandemic, right? What happened to us the last two years. The ability for kids to be able to go to school, be able to communicate with their friends and still stay safe. So I mean, technology brings a lot of hope, but it also brings a lot of innovation in cybercrime as well. So I think it's definitely one of those conversations where you look at it and say, you know, there's more hope than bad but there are just a lot of these new threats that a lot of people don't even really understand are targeting them or coming after them.

Natalia Godyla: Well, I really appreciate you joining us today, Jason, to further this conversation. It's been a pleasure having you on the podcast and hopefully we'll be able to bring you back for another episode.

Jason Lyons: Absolutely, thanks for having me, guys.

Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode.

Nic Fillingham: And don't forget to tweet us at msftsecurity or email us at securityunlocked@microsoft.com, with topics you'd like to hear on a future episode. Until then, stay safe.

Natalia Godyla: Stay secure.