Episode 113 of the Public Key podcast is here and this is our “Live from Links” series, where we showcase our podcasts recorded live at the Chainalysis Links Conference in NYC. Data extortion, Malicious links and Initial Access Brokers are all terms that those who have been a victim of ransomware are well aware of. In this episode we get to speak to Andrew Davis (General Counsel, Kivu Consulting)m who walks us through all the latest and most sophisticated tactics and strategies used by ransomware attackers in 2024
You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 113.
Public Key Episode 113: Inside the World of Ransomware and Payment Negotiations
Fresh off the stage of the Links Conference, Ian Andrews (CMO, Chainalysis) speaks to Andrew Davis (General Counsel, Kivu Consulting), who presented in front of a packed house and shared insights about new ransomware strategies and how companies can better protect themselves.
Andrew discusses the evolving landscape of ransomware attacks and the challenges faced by victim organizations when deciding whether or not to make payment.
He shares the wide spectrum of new typologies, including cyber extortion and data theft and how the major exploits of pharmacy payment processors and oil pipelines has attracted law enforcement to take swift action against ransomware groups.
Andrew also highlights the most common attack vectors and social engineering attack vectors, while presenting the new challenges that AI will have on deep fakes and image/video modifications used by ransomware attackers.
Quote of the episode
“We only saw about ⅓ of the organizations that we wound up working with and assisting… were making, so ⅔ were not making payment, which is kind of a nice thing to see. But they still got compromised. They still had to rebuild systems. They just weren’t paying for the decryption key to recover their infrastructure..” – Andrew Davis (General Counsel, Kivu Consulting)
Minute-by-minute episode breakdown
2 | Overflowing Interest in Cybersecurity at Chainalysis Links Conference 2024
4 | Rise in cyber extortion and data theft and strategies for handling ransomware attacks
8 | Negotiating ransomware demands and law enforcement dynamics
12 | Strategies and sanctions risks in ransomware payment decisions
17 | Ransomware attack disrupts major pharmacy companies, oil pipelines and casinos
21 | Debating the ban on ransomware payments and understanding Initial Access Brokers (IACs)
23 | The perils of reused passwords, account breaches and sophisticated fake recruiting attack vectors
28 | The evolving threat of AI and its role in sophisticated ransom attacks
Related resources
Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.
- Website: Kivu: We fight cybercrime. We protect humanity
- Article: Can Organizations Still Pay Ransomware Demands?
- Article: Emerging Threat Alert: Drive-By-Compromise On The Rise As Gootloader Malware Exploits Seo Poisoning To Target Victims
- YouTube: Chainalysis YouTube page
- Twitter: Chainalysis Twitter: Building trust in blockchain
- Tik Tok: Building trust in #blockchains among people, businesses, and governments.
- Telegram: Chainalysis on Telegram
Speakers on today’s episode
- Ian Andrews * Host * (Chief Marketing Officer, Chainalysis)
- Andrew Davis (General Counsel, Kivu Consulting)
This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.
Transcript
Ian:
Hey everyone. Welcome to another episode of Public Key, live from Lynx. I’m your host, Ian Andrews. On this episode, I’m joined by Andrew Davis, who’s the general counsel at Kivu Consulting. Andrew, welcome to the show.
Andrew:
Thank you for having me. Thanks for having me at the conference here at Lynx.
Ian:
You just got off a panel. You told me that it was a packed house. They actually had to bring more chairs in to the conversation.
Andrew:
First time in my life I’ve ever seen that. Packed house, standing room. Even when they brought the chairs, there were still people along the back wall standing and it wasn’t a small room. Again, I am used to maybe 25, 50% capacity of the rooms you’re in. Plus it was the first panel after lunch. You really don’t know what you’re getting there.
Ian:
That’s a hard one to fill.
Andrew:
But no, it was a great panel. It was good discussion, good questions. Not enough time for all the questions. People coming up afterwards and wound up getting ushered off the room for the next session because people actually wanted to come talk to all the panelists.
Ian:
Nice. So what were some of the hot topics in the conversation?
Andrew:
Touched a little bit on AI and how that’s starting to work its way into ransomware and how threat actors are starting to utilize it. Touched really just the evolution of ransomware and how public and private sector can actually get on better and do what we all want to do in terms of fighting cyber crime, because it’s very easy to talk about and say we’re going to do it and work together. So our company, I’m dealing with victim organizations a lot. One of the biggest pieces of feedback we get from them is … Maybe it’s a question more than feedback. What can government do for me? Why should we work with law enforcement? It seems like it’s going to be a one-way street.
Ian:
We give information.
Andrew:
What do get?
Ian:
They’re not going to arrest somebody. They’re not recovering my money. I probably still need to pay the ransom or figure out how to rebuild all my IT infrastructure. Should I bother?
Andrew:
Yeah. And it’s that classic, if it does go to litigation at some point, am I going to have to relive this? This is the worst couple weeks, month, however long the full recovery has felt of my business life. Do I really want three years down the road if they actually do get somebody to have to relive that, take more time out? So it’s a hard sell sometimes. Some organizations very eager and apt to get in those conversations and work with law enforcement at the outset, but a lot of times there’s still some bridges to be built with the trust.
Ian:
Absolutely. Well, I’m sure that it was a hot topic because according to our research, last year, ransomware victims paid over a billion dollars for the first time in our recorded history to these ransomware organizations. So they took a little bit of a break in 2022, but they came back with a vengeance in 2023. Tell the audience a little bit about your company. They may not be familiar. Kivu Consulting. What do you all do?
Andrew:
If you haven’t heard of us, that’s probably for the best. Means you haven’t had one of those bad days. Kivu Consulting, our mission statement, protect humanity, fight cyber crime. Good plug. Really what we operate as is a full service cybersecurity company with a really heavy focus on ransomware. And helping clients both prepare for what hopefully never comes. But it’s at this point some type of cybersecurity incident, be it business email compromise, an accidental disclosure of information or ransomware or extortion, it’s almost a when, not an if.
Ian:
Absolutely.
Andrew:
So we have a proactive side where we can do penetration testing, tabletop exercise, playbook development. But again, really focused mostly on ransomware because if we can get them ready for that, they can pretty much handle anything. And then the bulk of the business … Been around since 2009. What we’re most known for is the ransomware response. Digital forensics incident response, the threat actor communications negotiations piece, if needed, payment and all that that entails. The OFAC and sanctions due diligence and all of that handled in-house. And then we also have a recovery team that will help with the remediation, get you back to operability while we’re trying to figure out what happened. And I’ll admit because I openly do so, a network of third parties on that recovery that we can rely on if we really need boots on the ground quick in a specific geographic location because we do operate globally, can cut down on costs and time and also sometimes cultural or language issues if we have a network that we can tap in for that on-site stuff.
Ian:
Yeah. Amazing. So I would imagine you were really busy last year.
Andrew:
It was not slow. We were, but the interesting thing about that … The number’s high. Over a billion. We only saw about a third of the organizations that we wound up working with and assisting make payment. And when I say approximately, it was actually exactly a third. We saw 33% were making … So two-thirds not making payment, which is a nice thing to see.
Ian:
But they still got compromised. They still had to rebuild systems. They just weren’t paying for the decryption key to recover their infrastructure.
Andrew:
So yes, with a little asterisk. Because what we also saw was a rise in double extortion or suppression only. So we call it all ransomware, but really in that case it’s just cyber extortion. They haven’t actually come in and encrypted anything. They’ve just come in through some means taken data and said, we’re going to publish this if you don’t pay us X by X date.
Ian:
Wow. Okay.
Andrew:
So now there’s that in the mix and a lot of organizations really fearful about some of their proprietary information, some of it not even what would be considered necessarily PHI or PII. It’s trade secrets.
Ian:
Absolutely.
Andrew:
And things like that, they just don’t want out there.
Ian:
So if you’re a software company like us and you get all the software code, that’s really problematic if that gets published on the internet.
Andrew:
Exactly. Yeah.
Ian:
And I can imagine that’s true in healthcare. Anybody that’s doing pharmaceutical development. There’s a tremendous amount of intellectual property that can be stolen with a potential compromise. One of the things that’s always fascinated me about these organizations on the ransoming side is that they operate customer service teams. So if you’ve never experienced this, you find out that you’ve been ransomed, your infrastructure’s encrypted or you’ve been notified that they’ve stolen some data and they say now you get to come negotiate. Here’s your instructions, here’s how to reach us. And they have a help desk. They have a support team. They have people that follow up if you’re not being proactive. Your team does the negotiations. What is the strategy that you employ when you get pulled into one of these things? Client calls you out and says, Andrew, I need help.
Andrew:
So there’s no one size fits all, just like there’s no one size fits all for business. It’s very much driven on the business needs. So let’s start with the classic ransomware. They’ve come in, they’ve encrypted things. You’re not operable. First question we’re going to ask, do you have viable backups? Did they come in delete them? Did they encrypt them? What are your backups? Where are they? How old are they? Do we need to really go down this road of a potential payment? Once we have that established, then it’s a discussion. Who are we dealing with? Do they typically negotiate? How much do they negotiate? Do they have a countdown timer because they apply these techniques to just apply pressure to the victim organization. So second, you log into that chat portal, it’s got a 72-hour clock that starts ticking down. You have … Abstract numbers here. Nothing that I’m actually citing to, but you have 72-hours to pay us $10 million, and after 72 hours, that number will double. That’s a lot of pressure.
Ian:
That puts pressure.
Andrew:
Yeah. I’m sweating thinking about it. And so depending on the group and based on our own dealings with them, and then also open source … It’s a community out there. So talk to other vendors and things to get an idea about some of the newer groups as they pop up to manage expectations and really get an idea of what is the likelihood of driving down the price and what is a reasonable number to counter with. A lot of times in that first 24, 48, 72 hours, the organization’s still taking stock. So really you’re just opening the line of communication, asking the threat actor to prove. Okay, you say you did this, you say that you can decrypt, but can you? Did you take any data? If so, what data did you take? What assurances do we have that you’re not going to re-extort or actually publish the data? At the end of the day, you’re dealing with a criminal, so you’re taking them at their word. They’ve already come in. So with all of those negotiations, there’s again another asterisk that you trusting the person that broke into your house. And really the negotiation tactics kind of derive from there. What is the need of the client and how can we get them to the best possible bad scenario because they’ve already been hit.
Ian:
Yeah. Do you generally find that you’re able to bring down that initial number that they present?
Andrew:
Generally speaking, yes.
Ian:
So it’s a little bit like car shopping. The sticker price is not always the ultimate price paid.
Andrew:
I prefer to operate and think of it in terms of medians because when you use averages and you have a drastic outlier … Like in 2023, the highest ransom demand that we saw at the outset was $150 million. So when you have that number in your data set, it’s going to skew things. So the median gives a little bit better feel for things. Actually, when it comes to discounts, the median and average both align right around 50% with what we achieve. And I think we had in prepping for this, possibly queued this up for a little bit later in our discussion, but recently there’s been a decent amount of law enforcement activity that we’ve noted. BlackCat ALPHV disruptions, and then shutting down LockBit 3.0. After some of those, we’ve seen the threat actors actually tell their affiliates because they’re operating ransomware as a service. It’s the head and then they operate as a business below. We’ve seen them basically say, “No more negotiating. Don’t do it. The demand is the demand. Make them pay.” We have not seen that unfold in practice, but we have seen, I would say this year, a little bit more strictness in keeping to the demands or less disparity in coming down significantly, at least at this point in the first quarter.
Ian:
Is the idea that that’s like a revenue management? Like, hey, we lost a bunch of revenue because we suffered a take-down or a law enforcement disruption, so now we’re going to collect more from the remaining victim?
Andrew:
So on one hand, I think yes. And this is a little bit of speculation and also talking with people. So when they have these take-downs, it’s weird to think of them like a business, but their brand recognition also has a little bit of a taint to it now. So how do you convince your affiliates to stay with you and not go to somebody else? We’ll now implement a measure where there’s going to be more money on the table for you to get, so stay with us.
Ian:
Interesting.
Andrew:
So it in theory is a business tactic to help them keep their followers and keep their employees.
Ian:
It’s fascinating to think about the structure of these organizations. They tend to represent externally as being independent, almost like different companies. But I know the blockchain analysis that our team’s done indicates that there’s a tremendous amount of cross-pollination or disloyalty if you want to frame it that way, where different developers work with different operators, different regional actually exploit teams, and it seems like sometimes they don’t get along.
Andrew:
Sometimes. I think it really does depend on the group. But there are individuals and some of them take pride in their work. I’m an expert coder. I am so good at developing. I’m an expert initial access broker. So I think there is a level of that, but I will also say that one of the things that keeps me up at night, one of the rabbit holes that I don’t love going down … Sometimes we get called into due diligence after a payment’s made, and we will utilize chain analysis for some of that. Tracking where the money goes after it hit that initial wallet you can learn a lot about where it is shooting off and tracking those trends. And looking over time you can develop an understanding. As 20% goes here, that was probably the initial access broker. As maybe 5% goes over here. Okay, they’re paying somebody for some more minor role in it, and then the bulk goes here. That’s probably the affiliate. And then they pay 25% over to the actual ransomware as a service corporate head.
When you get that initial demand, it’s normally coming back to a clean wallet. It’s normally clean, never used. We run that down. It doesn’t flag any sanctions or any issues. But when you start looking after the fact and post payment, it can help you build a profile sometimes you don’t want to see as to where the money goes and where it hits.
Ian:
Yeah. Well, I think our research says something like 75% of all ransomware payments ultimately accrue back to groups operating in Russia. So if you’re concerned about sanctions, that’s a pretty big sanctions red flag. What is the current industry best practice when you do decide that it’s in your best interest to pay one of these ransom demands? How should people think about sanctions exposure or any risk that they may be taking on as a result of paying?
Andrew:
The first thing I would say is you should consult with a professional. It’s probably not the company’s day to day. It’s why companies like mine exist.
Ian:
Absolutely.
Andrew:
Mine. The company that I work for. No. It’s why-
Ian:
You’re the only one here from Kivu, so you can take ownership. I’m totally fine with that.
Andrew:
If our founders are watching, I … So I think that I would just strongly encourage hiring a professional. The stigma with law enforcement, one of the reasons, we have good relationships with them. If we’re looking at IOCs and TTPs and trends and things that just seem a little off to us, even if it’s not coming out with an absolute flag, we can anonymize certain IOCs and talk to law enforcement about them and pick their brain about what they’re seeing. And while the US federal government’s position is we do not recommend engaging with or paying these ransomware threat actors, it’s just not a reality for a lot of businesses.
Ian:
Sure.
Andrew:
So we can have those conversations and get to a clear level of understanding of what we’re seeing and whether it actually is something that they, in their back channels, the government is actually tracking towards a sanctioned entity, or if they’re not seeing anything. There’s the saying, the absence of evidence is not the evidence of absence. I’m not able to necessarily go in as we do all of this due diligence and say, I can guarantee that it’s not going to go to someone affiliated with Conti or a sanctioned individual. That’s not what the clearance process is. The clearance process is, we don’t see anything that does link. And there is a nuanced difference, but it also does come down to what is that business’s capacity for risk? Because there is always that slight little risk that you don’t know exactly where the money’s going. We’re giving you a best guess.
Ian:
Now, you said that last year, two-thirds of organizations that your firm worked with chose not to pay. What does that mean for them, practically speaking? So they get to the decision of, yep, not going to do anything. What happens next?
Andrew:
So there is the delineation then of whether or not … Because we saw that rise in data suppression extortion. If they were hit solely with exfiltrated data, it’s basically a business decision saying-
Ian:
It’s fine.
Andrew:
All right, the data’s out there, we’ll deal with it if they publish. We’ve already made the business decision to advise our clients and internal stakeholders, and we don’t think that the word of a criminal that, oh, yes, we deleted the data, which trends show with a couple groups that that’s not the case. Even though they told you it’s deleted, it’s on a server potentially somewhere. So, okay, we’ll deal with it. We’ve already dealt with it. We’ve already disclosed. Now let’s move on with business. If it’s a company where they have viable backups that maybe date back two months or something, they’re rebuilding from that and it’s a long process to get things up to speed. Unfortunately, it’s you’re rebuilding from whatever point in time you can.
Ian:
Yeah. Is your sense that more and more companies are preparing for this potential eventuality better than they were a year or two ago? Meaning they have better backup systems, they figured out how to isolate them from the network so that they’re not also compromised or encrypted?
Andrew:
I do think so. But I will also note that there’s also this trend of places using virtual machines and ESXi servers and things like that where EDR is not deployed on that virtual machine. It can’t be hosted there. So vulnerabilities and a potential with whatever virtual system, vulnerability there is a potential way in, and if that gets shut down or encrypted, that’s a bad day. So I do think that there is an awareness, especially in the Fortune 500 and large companies. But with the middle market, there’s also a cost-benefit analysis. What is the likelihood that we’ll get hit being XYZ company that’s not really a target? They might not be a target for the big game hunters of ransomware and extortion, but that doesn’t mean they’re not a target for … I don’t want to say lower level players, but the affiliates that are industry agnostic into who they’re attacking and looking for. So how much money do they have to spend on this? And how much money do they have to spend now versus are they willing to roll the dice that maybe they won’t get hit, or if they get hit, it won’t be that bad?
Ian:
Yeah. Yeah. Over the last month, the big news has been this healthcare organization that sits in this payment processing middleware layer. I’d never heard of the company before it came out that they had been ransomwared, but if you’ve ever interacted with any of the major pharmacies, your transaction is likely passed through this company’s systems, and they got hit hard from what I read in the press. I don’t know if you’re able to talk at all about that incident or it was something you all were involved in.
Andrew:
Not involved. Aware of it based on-
Ian:
Media of course.
Andrew:
Media and what it’s done in the market and the ecosystem of people talking about it. I also have a neighbor who works there who was at the initial outset, just a quite frustrated with the inability to use a laptop and things like that. Some of these pharmacies, they were going to hard copy processing of prescriptions and things like that. It had a major impact. I want to say millions, but arguably probably billions given the proliferation that they had in the market of how … Okay, the ransom I think was because it’s 20 million I think was alleged by the one affiliate that was paid to the actual ransomware group, but then the affiliate was alleging that they didn’t receive any of the funds and therefore they felt that they were still owed money.
Back to your comment earlier about not getting along and things like that. With the affiliate model, that’s a very upset employee. The portal goes dark essentially. They say that they still potentially have the data on a server themselves, but the company … The actual ransomware variant group that was paid … You find it might be deleted from those servers, but we still have it so we want our money. What do you do in that scenario? The world already knows about it. The data was/is out there. And there is this level of … I pretty much know as much as we can glean from the internet and all the stories that are published about it. It’s a messy scenario that shows that these groups really don’t care about who they’re targeting.
Ian:
Exactly. Well, I think that’s probably the widest impact ransomware that I could think of since Colonial Pipeline where you had gas stations shutting down because Colonial had turned off their entire operational network and weren’t delivering any gas to the east coast of the United States. When Colonial happened, it was an uproar. I remember it was on the news every night. You had law enforcement from different jurisdictions and state, local and federal and international collaboration. People were upset. And then there was a bunch of follow-on in the months after the administration here in the US, we’re going to have a ransomware task force. There were lots of press conferences with important looking people behind the podium. I haven’t seen any of that. Maybe it just hasn’t happened yet in this case, but I’m wondering, is it now normalized or maybe I need to wait longer? What do you think’s going on?
Andrew:
I do think there’s a level of numbness that’s come with it. Over the summer of last year, we saw the two … MGM and Caesars get hit. I understand very different type of impact that winds up having. But you have these two massive names, probably two of the biggest in the gaming industry, susceptible to it. Very publicly known. And I would argue that these are those big game hunting incidents where you are seeing them with such frequency that-
Ian:
It’s just expected.
Andrew:
Yes. Again, it goes back to that, it’s not an if, but a when and what type of incident might they suffer? This one, it did have and still is having far-reaching impacts into fulfillment of those prescriptions. But I think the lack of uproar … There’s also been, again, law enforcement federally and internationally taking steps to really try and disrupt and give the bad guys a bad day. We saw the ALPHV BlackCat, we saw LockBit-
Ian:
Hive.
Andrew:
Hive. You’re seeing these take downs and these disruptions. That being said, with some of them, it is more of a disruption. LockBit back to operability. I think public sector is trying.
Ian:
Yeah. I agree. I see the same thing.
Andrew:
They are working towards it. So one of the questions posed in the panel earlier was, should ransomware payments be banned? And that’s such a hard question to answer as you sit here. In a perfect world, yes. That’s a great way to just cut it off. They’re not going to make any money off of it. What’s the incentive to do? It? Sounds awesome. But I don’t think, and the consensus on the panel as well, that we are at a point where all of the infrastructure and the support network on the back end of that, that these businesses would need is ready to say, okay, ransomware payment should be banned today.
Ian:
Yeah. That’d be a hard call for MGM who their entire casino operations in Las Vegas were shut down. The hotels were paper and penciled to put people in rooms. That’s hundreds of millions of dollars a day probably. That’s hard to walk away from. For them paying 20 or 50 or a hundred million dollars ransom actually probably makes economic sense on some level just to get back to operations as quickly as possible.
Andrew:
On that billion dollar number that you mentioned, that’s the cost of the ransom payments. Because you’re not getting hit in that immediately making payment. But all of the other costs that are associated with the response to these … The notifications, potentially class action lawsuits, the dealing and interfacing with whatever state, federal regulators, any contractual obligations that companies have, there’s a lot of considerations and costs that in many cases far exceed what those ransom payments are.
Ian:
Yeah. I’m curious on the attack side. We’ve seen a professionalization of access brokers. People who don’t actually carry out a ransomware attack or a data exfiltration directly, they’re just finding a vulnerability, the soft spot in an enterprise’s infrastructure gaining access. They’re then selling it online. That seems to be on the rise that as a distinct profession and component to this whole process of attack. But I’m curious, you’re much closer to it than I am. What are some of the trends that you’re seeing? How are these organizations evolving? How are their tactics that they’re using either to gain access or throughout the life cycle of an attack changing?
Andrew:
So unfortunately, one thing that isn’t changing is that social engineering, human error is still … That and unpatched vulnerabilities, that is the overwhelming majority of the initial access.
Ian:
Soft targets.
Andrew:
You can train, retrain, but we’re all one mis-click or one accidental or one bad password or reused password away from having an incident.
Ian:
My wife, actually, we were traveling last week. We land, she turns her phone off airplane mode, and she’s got six emails from Starbucks saying she had bought a couple gift cards. She’d sent the gift cards to people, and then the person she’d sent them to had redeemed them, which was strange. Initially I thought it was fake emails trying to get us to click on a link that would then actually somehow compromise either her phone or give up credentials to an app like the Starbucks app. But after looking at it a little more closely, I was like, no, these are all legitimate emails. I went into the app and you could actually see the transactions. They had happened while we were in the air phone was on airplane mode. And so I was like, oh, reused password, right, honey? And she’s like, yeah, of course. And fortunately it was a small amount of money, less than a hundred dollars. And in fact, I emailed Starbucks customer support and they hadn’t been spent yet. So they actually reversed the transactions, which was really nice. But yeah, that entry point of a reused password that had almost certainly been compromised through some data breach somewhere else months or years ago, and the fact that we had a saved credit card in that account.
Andrew:
If you really want to get scared, you can go to haveibeenpwned.com. Type in your email and it will tell you every incident where your email was compromised and all of the other data points that may be associated with that email. So if it was your password associated by the email in X, Y … Zynga, the game app Farmville, I think one of them from back way when when I played that username and password for me had been compromised. I’m glad I’m not using that anymore. But it’s simple like that. Password complexity is something that people … You want a password that you … Don’t write it down. Okay, well, it has to be something I’m going to remember. But it shouldn’t be any actual words. Well, I’m not going to remember that. A 12 character alphanumerical with special characters, but I shouldn’t use exclamation point because that’s the most commonly used. So we should definitely use an ampersand.
It winds up really adding up. Am I guilty of having a hard copy book of secrets at home somewhere? Maybe. But it helps me remember.
Ian:
That’s right.
Andrew:
The complex passwords that I have to use. And I have tiered levels of passwords, complexities and things like that. If you want to get onto my Instagram, maybe it’s a bad thing to say, but it’s not the most complex password that I’ve ever had. Does it have any of the standard things that you would look to guess? No. But you can look at pictures of my dog.
Ian:
So unpatched vulnerabilities, weak OPSEC, like bad passwords. And then social engineering. We’ve seen in quite a few of the crypto thefts that have occurred over the last couple of years, a shift towards a very specific type of social engineering, which is recruiting oriented. “Hey, I’ve got a job offer. It’s going to pay you 3X your actual market value. Wouldn’t you love to come interview for it?” “Oh, yeah, sure. I’ll have a conversation with you.” “Terrific. We’re going to use this software to conduct the interview. Please click here to download and install on your machine.” And of course, you do that from your work laptop, your primary machine, and then they’ve got access to everything. Are you seeing a lot of that level of sophistication in social engineering or is it still the more classic spoofed email addresses or hidden attachment type emails?
Andrew:
It is still by and large I would say a lot of the same. But I will agree that we are seeing … You mentioned the job application. LinkedIn. I can tell they’re bot emails. I get those messages in LinkedIn. You should be great for this. Click on this link. One of the first things that you should do when you get any link, whether it be in an email or whether it be on one of those platforms like LinkedIn, check it. Go to the company’s hard website and see if they’re actually hiring. I understand it might take an extra 17 seconds, but Google the company, look for open positions. If it’s not there, don’t be afraid to pick up the phone and call. I am in that generation where we’re constantly made fun of. Oh, the biggest thing you dread is a phone call and talking to someone on the phone. Sometimes, yeah. But there is something to be said for checking and looking into something that is going to have such a potentially high value amount of information that you would be sharing. Even if they’re not trying to necessarily gain initial access, they’re going to glean a lot of information from you in that sharing process that could help them target and find a way to get into whatever account they’re after.
Ian:
Sure. Sure. You wrote a blog recently about drive-by-compromise. What is that?
Andrew:
I didn’t write it. The company did.
Ian:
Your team.
Andrew:
My team. So drive-by-compromise … And I’m trying to remember. I believe that was the article about Gootloader. And so essentially you go into a search engine and you type in chainalysis, links, NYC Marriott. Try and find, try and find your hotel room here. And one of those links may be corrupted. It’s not an actual link to the Marriott here to book in my hotel room. And the second you click on that link, it’s downloading a payload and it’s behind the scenes and it’s a zip file, and then it opens things up, and the next thing you know you’ve got Cobalt Strike on your computer. Maybe not the next thing. There’s probably a step or two in between, but you’ve got Cobalt and Strike on your computer beaconing out, and now they can remote it and they will through whatever applications, wind up keystroke loggers, credential harvesters, and you won’t even know it’s there until it’s too late.
So again, that checking links thing and looking at the initial website that you go to, because when you click on it’s not going to be the most clear. It’s not going to look like it should, or it might give you that error loading. It’s basically that you’re on the internet, you’re searching. Sometimes it’s those ad on Google when you’re looking for the actual link, but the first thing in the top is ad. Don’t click on that. Click on the actual website.
Ian:
Right. You mentioned AI was a discussion topic on the panel. How much are you seeing some of these new generative AI tools playing a role in ransom attacks or initial compromise? Are the threat actors getting more sophisticated in using those tools?
Andrew:
So with the generative AI, I think the tools that we are most commonly seeing is that using something like ChatGPT. Because the mastery of the English language to communicate has gone up exponentially for some of these groups where it was not. So we’re seeing a bit more narrative and a bit more conversational language with them. There was an incident that I spoke about on the panel, and it’s not one that I myself encountered, but it was one that someone else in the industry did. But it was actually using AI to doctor images that were taken from an individual’s social media to make it appear that they were taken more recently and at a location that this individual would frequent to then apply pressure to get them to pay. We know where you are, we know where your family is, make payment. And that horrifies me. You can go download a picture from social media, go on someone’s … And then use the generative AI to alter the background input the people walking in wherever and make it seem like it was taken two days ago to apply pressure to get payment. That’s horrifying to me. But that’s a pressure and pain point that they, they’re escalating their tactics to try and get payment.
Ian:
I’m particularly watching the text-to-voice space because as someone that has now hundreds of hours of my voice available for easily download for free … Don’t forget to subscribe. But it’s out there. So with a small sample, you can make me say anything.
Andrew:
It’s in like 15, 20 seconds, isn’t it? Someone told me that even that small-
Ian:
Yeah. Yeah. OpenAI hasn’t made this available to the public yet, but that is the pitch they gave was with 30 seconds of someone’s voice, you can then type until your fingers are sore and you’re saying all those things, inflection, intonation, accent. And there’s some tools also that’ll do translations live on video. So you can have a video like this one of us speaking, and then you can make me say anything you want. The mouth movement matches where unless you’re looking really closely, whatever you’ve typed in looks like I’ve said, and it could be in English, it could be in a foreign language.
Andrew:
That’s horrifying. I think we’re very far away from Skynet, especially based on the costs that these threat actors would’ve to undertake to be able to really delve in that far. But as it becomes more open and proliferated out there, the costs will go down so I guess it’s a real fear. You’ve given me a new one. Thank you for that.
Ian:
Glad I could help. The social engineering aspect of it is the one that seems like it’s most likely to be where AI gets applied quickly. Maybe in the code vulnerability or something like that, but that seems more technically complex. It seems really easy for non-technical people to use one of these LLM Chatbots and rather than a hokey email that’s like ham-fisted, claiming to be my CEO asking me to urgently wire him money because he can’t get out of a meeting.
Andrew:
Mine’s asking for Amazon gift cards.
Ian:
Nice.
Andrew:
It’s really weird.
Ian:
Versus generating a voice message that you could leave for somebody that sounds just like me, that’s written in well-constructed English. That seems like it will have a much higher rate of success potentially. So lots to watch out for there. I think that’s a great place to leave is open communication. Don’t be afraid to work with law enforcement. Call the experts like your firm. If you find yourself in one of these situations, don’t try and negotiate it on your own.
Andrew:
Worst plug ever. But even if it’s not us, call somebody. If you have insurance, I’ll even say this, call your insurance company because they might direct you to somebody, but seriously call a professional.
Ian:
Yeah. Yeah. I’m sure we’ve terrified everybody. Any last words of advice that you want to give to people to give them some hope?
Andrew:
You’re not alone. You’re not. It is really the type of event … Sometimes it might even just be you clicked on the link, but you shut it down before anything bad happened. That’s still, in theory, some kind of intrusion. That’s scary. It’s okay. It happens. Human error does occur. There are people outwardly and behind the scenes who are there for you. And don’t be afraid to raise your hand and call them as a resource. Especially proactively. I would say implement MFA. Get EDR. There are costs there. Invest in your infrastructure so that you’re not calling us on the bad day.
Ian:
Absolutely. Well, Andrew, thanks so much for joining me on the show. I appreciate it.
Andrew:
Thanks for having me. I appreciate it.
Ian:
Thank you.