a16z Podcast - All About Ransomware

Episode Date: February 25, 2021

In just the last couple years, ransomware has grown into a multibillion dollar industry. It has evolved from taking systems and servers hostage to stealing data, and it has proven capable of shutting down global organizations. In recent months, ransomware groups directly shut down Kia Motors North American IT systems; indirectly may have contributed to the death of a patient due to hospital ransomware; and allegedly stole sensitive files from a law firm whose clients include former President Trump. In this explainer episode, Tom Hofmann, the SVP of Intelligence at Flashpoint Intel (which monitors ransomware criminal syndicates and assists organizations with prevention and response) and a16z security operating partner cover: how ransomware works, from the anatomy of a hack to how the groups operate; the role of nation-states, insurers, and regulators; and what to do if your stuff is taken hostage. For more on cybersecurity, check out our coverage of organized cybercrime and hacks and our 16 step guide to protecting your data.

Transcript
Starting point is 00:00:00 Hi, and welcome to the A16Z podcast. I'm Das. Today's episode is all about ransomware. We've covered a lot of different types of organized cybercrime and hacks on our show over the years, many of which you can find at A16Z.com slash hacked. But in just the last couple years, ransomware in particular has grown into a multi-billion dollar industry. It's evolved from taking systems and servers hostage to stealing data, and it's capable of shutting down global organizations. In recent months, ransomware groups directly shut down Kia Motors' North American IT systems, indirectly led to the death of a patient due to hospital ransomware, and allegedly stole sensitive files from a law firm whose clients include former President Trump.
Starting point is 00:00:43 So in this quick explainer episode, Tom Hofmann, the SVP of Intelligence at Flashpoint Intel, which monitors ransomware criminal syndicates and assists organizations with prevention and response, shares his expertise with us. Along with A16Z security operating partner Joel de la Garza, we cover how ransomware works, from the anatomy of a hack to how the groups operate, the role of nation states, insurers, and regulators, and what to do if your stuff is taken hostage. But we start with Joel explaining what exactly is ransomware. Ransomware is kind of the pinnacle of the crimeware slash hacking for profit type activities that we see.
Starting point is 00:01:23 It is basically software that's used to take your computers or your data hostage and hold them for ransom until you pay the hostage taker money to release them. It isn't sophisticated espionage led by a nation state. This is very much about how do you at scale get enough victims and have enough of an infrastructure to successfully monetize the hacking that you're doing? It is literally the fastest growing area of cybersecurity. Like, ransomware is just proliferating at such an insane rate. Why are we hearing so much about ransomware right now?
Starting point is 00:01:58 Like what's kind of led to its rise? So there's a couple of factors that have come into play. The first is all businesses are essentially, you know, tech, data, computer businesses. And so when you start to be able to take those kinds of information assets hostage, it gives you the leverage to demand money from them in order to release them. I think definitely in the last five years, the monies associated with this are a lot higher than a couple years ago. The higher-end ransoms would be
Starting point is 00:02:27 $200,000. Occasionally you'd see it up to half a million dollars. Today, the starting point is probably $200,000. And we've seen up to $40 and $50 million ourselves. And we've heard from others that they've seen a couple that went up to the $100 million point as they keep getting bigger and bigger paydays, the next ransom is getting bigger and bigger. So this is one where the economics over this all, it's attracting more and more of these groups. And like the amount of money that it's being paid to ransom takers, the amount of money being paid to secure all this infrastructure, there's no silver bullet because it isn't an actual technical threat that we can build a product for. In reality, it's a business process. And you could actually conduct a ransomware attack
Starting point is 00:03:14 without using any software. You could guess the password to someone's server. You could log into that server and then, you know, decrypt the hard drive with the passphrase that only you know. And you did this with no software. You just connected through terminal services. You didn't need any malware or zero days or any of that. And so ransomware is kind of less of a product and more of just a business model.
Starting point is 00:03:34 In the landscape of different types of cyber attacks, where does ransomware fit in? You've got things like malware. You've got phishing. A lot of these guys started spamming, like in the late 90s, like their business was building these massive infrastructures to send out really annoying emails. And so as spam got cracked down on, they just repurposed that infrastructure. And so it became less untargeted spamming and became more focused on like phishing. And then as phishing stopped working, they pivoted towards like malware. And so they
Starting point is 00:04:04 use the infrastructure to deliver bots. And then they build botnets. And I think at a high level, that just describes the evolving process that we've seen with these global criminal organizations, which is that you build an infrastructure to accomplish mission X so you can steal their banking credentials. Once that avenue shuts down, you still have an infrastructure, you still have a team that you've built, and so you want to find ways to further extract value. And now they're using a lot of the same infrastructure to either grab your account and go after you personally or grab your local machine and encrypt all your data and then try to sell it back to you. Ransomware is one of the new heads of the many-headed hydra of this organization. Yeah, we monitor a lot of the
Starting point is 00:04:43 Eastern European criminal communities. And what's interesting there is there are some of these modules where depending upon who the victim is, the botnet can automatically determine which module to drop, whether it's an information stealer, or it just lurks and goes and monitors and I'll check back in at a future date. And others identify if it's a large company and ripe for a ransomware variant. They'll look at your latest filings. They'll see how much money you have in your bank accounts. We've seen one where they knew what the insurance policy, what they're insured up to. So part of the negotiation was, hey, we know you're insured up to $20 million. Just get your insurance company to pay this.
Starting point is 00:05:27 There's a lot of companies that have really advanced anti-fraud detection techniques. It's really made it harder to monetize a lot of these infections. That being said, when we look at all those same infections, they figured out kind of where they can bypass a lot of these fraud protections, which is you take an actually relatively simple technology, which is encryption, and they lock up your systems. Walk me through kind of the anatomy of a typical attack today. What happens when somebody takes something hostage? So how they gain that initial foothold, it's actually very basic. They scan the internet for these vulnerabilities, these open, exposed ports. A lot of the infections we see
Starting point is 00:06:09 are from remote desktop protocol. So RDP, where these RDP connections will be brute forced by a bot until they gain access. We've seen the use of phishing emails. They will deliver some piece of malware, and what they're exploiting is typically vulnerabilities from 2018, 2019. So all things that have existing patches. Once they gain that initial foothold into someone's network, they are increasingly using tools like Cobalt Strike. This is a legitimate pen testing application. There are cracked versions of that that are available within some of these criminal communities. Cobalt Strike is quite often used to really move laterally across networks to deploy additional beacons, to deploy additional payloads. A lot of organizations,
Starting point is 00:07:01 you're most worried about getting those patches deployed on anything that's externally exposed, and anything internal, they kind of push to the back burner because how would anyone ever be able to exploit that? It's those internal systems where the patches have not been deployed that enable them to take over a lot of key accounts. They're trying to get to the domain controllers. And once they have access, they'll try to remove backups. They'll disable any endpoint security solutions you might have.
Starting point is 00:07:30 And once they have your network at that point, it's typically ready to be encrypted. From initial infection to full network encryption could be as soon as five or six hours. Is it just computers that are being taken hostage? Is it the data? Is it a mix of both? Does it vary by attack? Like, what is it actually being taken hostage? Yeah, so there's definitely been kind of an evolution in the way that ransomware has taken
Starting point is 00:07:56 things hostage. And in the old days, you know, two years ago, it would focus on taking hostage sort of hardware assets. And this could be routers, it could be Wi-Fi access points. It could be laptops or servers. And basically getting in there, changing the password to something you don't know,
Starting point is 00:08:13 and then trying to sell the password back to you so that you can get back into your equipment. With attacks like that, people generally have backups. It's easy to recover. You just reinstall the operating systems and people would just recover instead of paying the money. As it's evolved, they started to actually target encrypting hard drives.
Starting point is 00:08:30 And as defenses kind of got better, and people started to understand how that attack worked and finding ways to either recover and reboot. They actually started going after data. So how does that work? You know, they get in and a hacker is encrypting your data. What exactly is happening on the technical level? Yeah, so for the purposes of simplification, there are ultimately kind of two sorts of encryption. One of them is a symmetric key encryption, and the other one is an asymmetric key encryption. So in the one instance, there is one key, and you use this one key to encrypt everything.
Starting point is 00:09:05 So I generate, let's say, a number, the number is 32, and I encrypt all of your data with the number 32. And then at some point in the future, I sell you this number to decrypt your data. Now, the issue with that kind of a system is that I'm sending this key to you to encrypt it as well as to decrypt it. So if you can intercept this key, you can then just undo what the ransomware author has done. So what they've tended to do now is asymmetric or public key encryption where they'll send you a public key to encrypt your data. And there's no way even if you intercept that public key that you could decrypt that data. You actually have to get a private key that gives you the ability to decrypt it. And the attackers hold on to those private keys and they sell them to you for hundreds of thousands to millions of dollars.
Starting point is 00:09:53 So with that asymmetrical key, why can't you crack the code and just decrypt it back? They're using industrial grade encryption, which means that it would take all of the computers on the earth 35,000 years to decrypt it if you don't have the key. It's just the game of making recovery of the data more expensive than just paying the ransom. And that's ultimately, like it's kind of weird to say, but that's how the market finds its price. If you destroy all of these laptops and it's going to cost you $70,000 to replace them and they're asking for a $500,000 ransom, you probably just pay the $70,000 to replace the hardware, right? And that's kind of price discovery in an illicit market. The thing that's maybe most striking to me in this conversation is that these
Starting point is 00:10:39 ransomware, you know, literally Evil Corp, evil corporation, is functioning much the same way as legitimate businesses. So what are their different departments, different functions, different specializations that are really critical to how they operate? A lot of the botnets that are operating, they are really some of the more commodity malware, the dropper malware, but a lot of these criminal syndicates, they really are bringing in additional expertise, technical understanding, how to run these botnets, how to deploy new modules so they can better prioritize where they want to target these ransomware deployments.
Starting point is 00:11:19 And I think Evil Corp is a good example. What really brought them into prominence was they were running the global botnet, Dridex. How they developed that botnet really brought in expertise from how do you do the reconnaissance for who your victim list is going to be. As it was spamming, you had to have someone operating the spam botnet and how that was going to bypass all the email filtering software. Then you needed the actual module you're going to deploy. So you had different parts of the organization that were really focused in on
Starting point is 00:11:51 that payload. And once you got the payload on someone's systems, well, you needed to maintain the command and control infrastructure where this was going to call back to, and how the malware would insert itself in the middle of your session with your bank. Once you have that information, then you had to figure out how you were going to use that. Well, you had a different part of your group that was the information reselling network. So it really is every part of that cyber kill chain that these groups cover. Some of those were part of the larger syndicate. Other ones were just brought in as needed where it was a specific exploit. Is there like an in-house operation or is this kind of different functions of an assembly line and each one's kind of its own organization?
Starting point is 00:12:36 It's kind of that age-old tech question of, you know, how much of this is vertically integrated and how much of this is different slices of the infrastructure stack. There's a lot of online communities where a lot of these individuals come together. There are specific forums in how you develop exploits. There's other forums that you can go and learn the latest in cryptocurrency and the different fraud schemes that are associated with that. So we've seen that there are a lot of opportunities for individuals who want to get involved in this type of activity. You really start at the lower end and you develop some relationships. And over time, you start doing more advanced operations, and as you start getting money, you can go to these same forums and you can solicit for additional support.
Starting point is 00:13:24 And over time, we've seen, especially in the Eastern European space, there are individuals who have been there for decades. They moderate content on these forums and these communities. And we've seen that with that trust and that reputation online, when you want to do some operation, you'll get the best of the best to come together. So, to note, it can be that they put out a call for papers. They had, I think, 40 to 50 technical papers submitted. They chose the top three who got cash rewards for the first, second, and third prize. And then they were invited in to join the syndicate, which could earn you up to $60,000 a month. If you're running your own ransomware scheme, you can rent out the ransomware service, you can rent out the infrastructure, you can rent out negotiating services, you can rent out
Starting point is 00:14:18 all pieces of this, and you get to keep 80% of your illicit proceeds, and then you give 20% back to the larger collective, and they use that to reinvest in the technologies that allow them to go continue to innovate and deploy these malicious campaigns, and it's just a, what's the opposite of a virtuous cycle? That's where we are right now. You started answering the next question I had, which is who is at the top and who are these kind of ransomware founders? Do we know who they are? Are they mysterious figures? Or are they kind of out in the open? There's a couple out in the open. The one Maxim Yakubets, there's photos of his Lamborghinis and his wild party lifestyle. What's also interesting with that is I believe
Starting point is 00:15:06 his father is a local mayor and his father-in-law is potentially FSB in Russia, the FBI equivalent. When the U.S. government or someone else is able to identify the actual identities of some of these criminal actors, they typically are very closely connected to those in powers, which I don't think we've had a smoking gun yet, but there's one degree of separation, which really leads to a lot of questions about what role does the state have in this? I think for me, one of the most shocking things I sat through was the Secret Service briefing on cyber criminal gangs and how one of the leaders of one of these large organizations is actually a member of the parliament of a national government and is a bit of a folk hero in
Starting point is 00:15:51 his home country. What determines the role or the incentives of a nation state? The nations who have really strict controls on access to the internet, we see over in China with real name verification, it actually makes it quite hard to be anonymous on the internet, making it hard for criminal groups to operate within cyberspace. And on the flip side of this, you see in Eastern Europe, in particular Russia, where there is not really an effort to de-anonymize the users. It's almost an implicit understanding that if you don't attack former Soviet bloc countries, that you'll be left alone.
Starting point is 00:16:30 So it has allowed these groups really to feel emboldened to conduct some of these attacks where they don't really feel that the long arm of the law is ever going to reach out to them. And I think that's a really important point that underlines why this is such a difficult problem. There are a lot of countries where you don't have the same divisions between criminal police and military. And so you'll have someone who works for, let's say, a government agency during the day and then freelances for some organized criminal syndicate at night. I think one of the big differences is that we generally have treaties with a lot of countries that we will respect their system of justice and policing and execute on valid warrants.
Starting point is 00:17:09 They typically call these MLATs, mutual law enforcement assistance treaties. And we have these with a lot of our allies so that in the event that you had some super criminal working out of the UK, we could coordinate with law enforcement there, have that criminal arrested and brought to jail. With adversarial countries, there's no such agreement. There's no such treaty. It's actually very difficult to work with law enforcement in these countries and bring them to justice. And it's also really difficult when the activities of the folks who are committing these crimes in these countries align to their national interest, which is to antagonize Western governments. And so as long as there isn't a framework for enforcement or a framework for
Starting point is 00:17:45 criminal justice, then you're just basically creating these incubators where you have these really innovative dynamic organizations at the cutting edge of committing crimes. So you've talked about the incentives of different nation states. What role do cyber insurance regulators have to play in incentivizing or disincentivizing these attacks? You see in movies, there's always this statement that the U.S. doesn't negotiate with terrorists. And the reason why is that it creates a really dangerous incentive structure for the bad guys to continue escalating their very negative behavior. And so cyber insurance is something that's been around since probably the mid-90s. And for 20-something years, it was the best business
Starting point is 00:18:28 you could be in because you'd collect these premiums and never pay out. There were all these clauses in cyber policies that wouldn't let you pay out because every intrusion was different. They would cut out nation states. They would cut out cyber crime. They would cut out all sorts of things. Well, lo and behold, they started writing policies that they had to pay out on. And these were the ransomware policies. I'm pretty sure, initially, the calculus for these insurance companies was that they're making so much money that it was just cheaper to pay the ransoms, right? And it was cheaper than fighting them in court and cheaper than trying to pay for recovery. And the criminal actors figured this out. And they've built a very sophisticated business as a way to extract these payments from
Starting point is 00:19:08 these insurance companies. And now you're looking at probably the first year where a lot of the leading cyber insurers are going to lose significant revenue. They're going to have to increase premiums. As a basis, I think next year, you'll see premiums going up 40 or 50 percent across the board. And if you're a company that's paid out a ransom, you're probably going to see your premiums triple or go up by a factor of 5x. I would also add on to that. We're seeing that as companies are renewing their policies, they're ensuring that there is coverage for these types of events.
Starting point is 00:19:37 So the actual number of insured companies is, I would have to double check, but I think the last I saw was maybe 30% of companies have a cyber insurance policy. And over the next 10 years, that's expected to go 60% to 70%. I think cyber insurance, the insurers have found a way to build sort of the perfect storm, right? The lack of criminal prosecution in these countries is one thing. But the combination of zero consequences, zero costs, combined with outsized financial returns, earning millions and millions of dollars, you're essentially incentivizing kind of the best and brightest with outsized financial payments, very little risk of any kind of criminal
Starting point is 00:20:17 prosecution. And so you've built this system where you're just going to continue to have these problems, this escalation. I want to transition into talking a little bit about the regulators because it seems like that's really related here. So what's been the impact of regulators and of regulation? I think the big impact that we've seen in the last couple of months was that the U.S. Treasury Department issued some advice that paying some of these ransoms to people that were on the OFAC list could get you into some serious trouble. Could you clarify real quick what OFAC is? Yeah. So the U.S. government maintains this list of terrorists and dictators that commit genocide.
Starting point is 00:20:53 Literally just the worst of the worst. And so if you do business with those folks, if you conduct any kind of financial activity or transactions with them, you're subject to criminal penalties under U.S. law. And so the U.S. Treasury issued a directive earlier this year that paying ransom out to anyone who's on an OFAC list could potentially subject you to criminal liability. And then they turned around and added Evil Corp, or one of the big Russian crime syndicates, to the list. So at this point, you've kind of set up people in the U.S. who made plans to essentially pay out these attackers, that they're going to get themselves into a situation where they've been breached by an organization that's on the OFAC list. They're going to pay them
Starting point is 00:21:35 that ransom, but they can't because then their executive management will face criminal liability. Tom, how are you seeing that play out with the different executives and companies that you're working with? Yeah, this actually dominates a lot of our conversations, especially when we're dealing with victims. And once a company gets to the point where they're contemplating a payment, it's a lot of questions around how do we know if someone's on the OFAC list? How do we know that even if they aren't on the OFAC list now, that I won't be held liable if they get added in six months? And the answer to all this is you don't know.
Starting point is 00:22:08 You check the OFAC list through the Treasury, the EU, the UN. There's a lot of different lists that you can check. The reality is every week there's a new group. Some groups that will call themselves a new name next week. So now the attribution of who's really behind it, you don't know. As Joel said, there's really only one group who made it on the OFAC list, and that's Dridex and Evil Corp. So now people are afraid about paying into that group, but it's still unclear because you
Starting point is 00:22:39 don't actually know who's on the other end of that payment. We always encourage victims to talk to law enforcement. I'll say the FBI has been fantastic hopping on phone calls with different victims, walking them through what others have experienced, what they've seen, what they do know. So while they will never give a green light to go make these payments, we have seen that talking with law enforcement helps the victims really better understand the legal environment in which they're operating. So I want to make sure we get into some of the prevention and response. So, you know, you talked a little bit about how ransomware is finding its way into
Starting point is 00:23:16 organizations and that sometimes it's really basic stuff. It's a phishing email. It's an unpatched system. Given the vulnerabilities that they're exploiting, what are the things that organizations can do to prevent attacks? These guys are using low effort, low technical sophistication operations at scale to then try to monetize and find a way to make money. From an attack and penetration perspective, a lot of these organizations are really just sort of using bottom feeding tactics. They're going for things that are easy to fix. And the reason for that is quite simple and it's economic. If they had a sophisticated attack, a zero-day exploit, or some really clever way to gain access to information, they wouldn't use it for ransomware. They would actually
Starting point is 00:23:58 probably sell it for millions of dollars to some sophisticated actor who would then weaponize it against a high-value target. That's really where just doing basic hygiene. I hate to shamelessly self-promote, but we wrote a really great blog piece on this, about 16 things you can do to protect yourself. I think if you just follow the first five on that list, you probably keep yourself out of trouble with ransomware. It is really just as simple as using 2FA, patching your systems, and just doing good IT hygiene. It's not rocket science. It's not cool. It's not sexy. It's like brushing your teeth. Yeah. And to add on to that, password managers, you have to make it easy for employees to do the right things. And if it's expecting an individual to remember 20 different
Starting point is 00:24:41 passwords to 20 different sites. It's just unrealistic. And I know from our perspective, we see stolen credentials coming through the different malware C2s that we monitor every day. We see the different databases being sold every day. We see the different combo lists that are uploaded to various sharing sites every day. Just in the past month, we've seen 100 million new credentials. This is where, like, the thinking that a password is going to keep you safe, that's not realistic. I want to move over to response. Someone has been hacked. How do they assess what their options are?
Starting point is 00:25:17 When someone finds themselves a victim of ransomware, what we always say is ask for help first. Do not try to do this on your own. We've seen too many times where a proactive IT specialist thinks they'll handle it quickly, and that has come back to just exacerbate the problem and make it even worse. The first thing that happens is they say, we have backups, we'll be back up and running in 24 hours. And then several hours later they come back and they say, oh, actually, our backups haven't actually been backed up in a long time. Then at that point it's, wait, what do we do? And it's like,
Starting point is 00:25:53 well, we're going to try to recover, and this typically just erodes confidence as it goes further and further. Once that encryption is there, I hate to say it, if you don't have good backups and you don't have those offline, the chances of recovery are pretty slim. Once you're at that point, it's really a discussion of how valuable is that data. Some companies we've worked with, the data really wasn't all that valuable, and they're like, yeah, we'll just rebuild the systems. Other companies, one was engaged with some DNA research, and they needed to get the data back, but they were very interested in how the decryption process would work, because they needed to have absolute confidence that bit-for-bit the decryption process was not going to corrupt any of their data.
Starting point is 00:26:39 And unfortunately, we couldn't give them any assurances because how that encryption process proceeds, it depends kind of what state that database was in at the time when it was encrypted. And nowadays, there's a lot of information being stolen as well. So the ransomware variants, they're threatening to post stolen information, which includes customer details. It sometimes includes medical information. So this is also a complicating factor where some companies, they might be able to recover from offline backups, but really what they're worried about is protecting their customers,
Starting point is 00:27:13 protecting health information that they don't want to have exposed. For every situation, it really depends on what the victim is trying to achieve. Once you have somebody and they've kind of decided on their response, and you're getting then in touch with the other side and starting a negotiation, what does that negotiation look like? How does that normally proceed? Yeah, we've seen it typically proceeds down two paths. Sometimes you'll be given an email that you're to reach out to.
Starting point is 00:27:41 It's typically a ProtonMail email, and you'll ask what the ransom demand is. They'll give you typically in Bitcoin, what they expect to be paid. And from there, we will go back and forth and really try to get it down as much as possible, but depending upon how much the victim has revealed and how fast they want to move through, the process will really dictate kind of how that plays out. The other thing that we're seeing more often is a victim in the ransom note is given a site that they will go access, typically on the Tor network, the dark web, and you'll typically have to put in an alphanumeric code that will allow you to get to the specific site that they have set up. So you'll see on
Starting point is 00:28:26 the portal, they'll have your ransom demand, how much you need to pay, when you need to pay it by. And typically, that will start a timer. And once it hits zero, they tell you that the ransom will double. So this really is just a complicating factor, especially when victims are trying to figure out, can they pay? Do they have an insurance policy? If so, who do they need to notify? If you're going to be spending millions of dollars, typically you need to go up to get board member approval to do that. So the criminal groups do that for a reason. It's to ratchet up the pressure. Another reason why we say do not reach out to that criminal syndicate by yourself either, because sometimes just by the simple fact of logging into that page, that might be the first time they actually know they successfully deployed it and you couldn't back up. You know, I'm thinking kind of the analog equivalent of these attacks where somebody has somebody hostage and that moment of payment and return is such like a high suspense kind of high stakes moment.
Starting point is 00:29:24 How does that work with a ransomware attack? Like, how do you know, hey, I've just sent you money, I'm actually going to get back what you've said, especially because we've pretty much established there's not a lot of scruples on the other side? Yeah, throughout the entire negotiating process, these groups, especially the more established ones, they will point back to the press headlines and say,
Starting point is 00:29:46 hey, we're a legitimate business. It's in our best interest to actually deliver the keys and make it work or else no one in the future will ever pay us. For some of the groups that we were talking about, sometimes it's automated, where once you log into the portal where they're managing your specific victim case, once the cryptocurrency, once it's submitted into the specific wallet that they've designated, it just automatically releases decryption keys within the portal.
Starting point is 00:30:13 And then we have others where you're going through email, and typically they'll get back to you in about four hours, and sometimes they'll ask you for the specific alphanumeric codes for the different encryption variants that are on your network, and they will give you specific decryption keys that will work for each one of those. But we tell victims all the time, you're dealing with criminal actors, there's a risk, and we've seen it even recently where you make a payment, and the actors just say, nope, now the ransom is double, pay me more.
Starting point is 00:30:45 Thankfully, that's the exception, not the norm. I was just going to say, I don't know if it was a joke or if it was actually happening, but I had heard that there was a ransomware crew that was hyping its NPS score, so its net promoter score, saying that it had done such a great job at getting people returned to functioning service that that's why you should actually trust them. So I think they are concerned about their reputation and do want to make their victims whole again. We were on kind of the moment of payment and return. And I'd love for you to then talk a little bit more about once the data has been decrypted, how does that post-disaster recovery work? And, you know, what do
Starting point is 00:31:21 organizations do to come out of this? Once you get the decryption keys, depending upon how large the network is, it's at least a week, probably closer to four weeks until you really get all your systems back. You prioritize what systems you want to bring back first. So all the critical systems come back online. You can typically get those back functional within a few days and then bring everything else up. Before even starting the decryption process, it's needing to understand how that initial infection occurred and figure out exactly where it is. So you eradicate that before you bring the systems back up. Ransomware groups will say that they won't re-victimize the same victim twice
Starting point is 00:32:06 because that's not good for business either. But what we've seen is there's a lot of groups that are going after these same vulnerabilities that are running the same system. So it might not be the same group, but it might be a separate group that tries to come in the same way. Ransomware's been in the news a lot lately, largely because of the increased attacks on critical infrastructure, most notably hospitals. You know, I think it was like October 2020 where you had like the first death attributed to ransomware, with the German hospital that was attacked. And then as a result, I think a patient died because they couldn't receive
Starting point is 00:32:38 treatment. How is that changing the response or calculus? That conversation as it pertains to health care has actually been around for a couple years now. Back in 2016, within one of the Russian illicit communities, they were actually debating the ethics of using ransomware against hospitals. And it was really split right down the middle, where half the participants were saying, yeah, that's a bridge too far. We should only use ransomware to go after companies who have money, but once it goes into impacting, or someone's life is at stake,
Starting point is 00:33:15 that's too far. Then the other half were saying, eh, it's money. We're going to do it. And I think what we've seen over the last couple years, some of these groups will pay lip service to not going after hospitals or critical infrastructure, but the reality is they're all doing it. Yeah, I mean, the thing that's particularly concerning is that these guys are going after parts of our critical infrastructure at a time when we're particularly vulnerable. So the targeting of hospitals right now is particularly worrisome. I think that's a clear national security threat, right? Not just to the financial prosperity of our country, but also this is a genuine risk to the lives and well-being of our citizens.
Starting point is 00:33:56 When it's been lives at stake rather than just wallets, does that change how you advise or work with somebody who's been a victim of ransomware? From the responder's standpoint, it makes it more personal. Unfortunately, at the end of the day, it's a business transaction. The other side, they just want to get paid, and we try to get them there as quickly as possible. We've seen ransomware, and kind of over the course of this conversation, it's evolved organizationally. There's obviously been technological advances. Where do you see ransomware going from here?
Starting point is 00:34:25 How's this field evolving and what's coming next? Where it evolves from here, it only gets more dangerous, I think. Everything is digitized. And I think what is scary as we look forward, these groups are also understanding that right now it seems like they're very much just posting the information and they don't really know what's in there. What comes next? I think it's going to be using that information to identify individuals. And I think that's going to be one, which is going to be much more personal to all of us as companies who we do business with. Once that information is stolen from them, and once these
Starting point is 00:35:02 actors have that, what can they do to the individual and to the customers and employees to really extend this criminal enterprise to your home and your family? Doing the basic hygiene to protect ourselves from these attacks, that's good, but as we've seen, they'll come back with something else. And if this revenue stream dries up, it's not that they're going to go away. They're just going to come back in a different form. So I think that's why the way out is going to be part of this public-private partnership. It's how we work with international law enforcement, how kind of these
Starting point is 00:35:39 norms around cybersecurity are really codified and need to be embraced. Well, thank you very, very much. Take care. Thank you. Take care.