
Breaching the Boardroom
Breaching the Boardroom is a high-level podcast designed to explore the intersection of leadership, growth, and technology. Each episode brings industry leaders, experts, and innovators together for candid conversations on how to navigate the evolving tech landscape while driving business success. We’re on a mission to simplify complex topics like AI, cyber threats, and IT strategy, making them accessible and actionable for executives in mid-market businesses.
Ransomware Explained for Business
Ransomware is more than just an IT problem—it’s a billion-dollar criminal enterprise that’s targeting businesses of all sizes. In this episode of Breaching the Boardroom, host David Mauro (NetGain Technologies) sits down with Jon DiMaggio, former NSA security analyst and Senior Threat Researcher at Analyst1, to break down the reality of modern ransomware operations.
From the evolution of ransomware-as-a-service (RaaS) to how criminals infiltrate networks and why they operate with impunity, Jon shares insights from his years spent infiltrating and tracking cybercrime groups—including his conversations with Russian ransomware gangs.
💡 What You’ll Learn:
✅ The business of ransomware – How cybercriminals operate like organized crime
✅ Ransomware-as-a-service (RaaS) – Why attacks are rising and how hackers ‘license’ access
✅ How they get in – The most common attack vectors (phishing, unpatched systems, and access brokers)
✅ Why paying the ransom doesn’t guarantee safety – What really happens when companies pay
✅ What businesses can do now – Steps to improve cyber resilience, from EDR to incident response planning
📢 Could your business recover from a ransomware attack?
Learn how NetGain Technologies helps SMBs strengthen their security posture and prepare for worst-case scenarios.
👋 Connect with Us:
- Ashley Sebastian – Host of Breaching the Boardroom
- David Mauro – VP of Business Development, NetGain Technologies
- Jon DiMaggio – Senior Threat Researcher, Analyst1
📖 Resources Mentioned:
- Ransomware Diaries – Jon’s in-depth research on ransomware gangs
- The Art of Cyberwarfare – Jon DiMaggio’s book on cybercrime and nation-state threats
- NetGain Technologies’ Cybersecurity Services – How SMBs can defend against ransomware
🎧 Listen now and subscribe to Breaching the Boardroom
🌟 Who Are We?
NetGain Technologies is a leading managed IT and security service provider with over 40 years of experience helping small to mid-sized businesses succeed. 💻✨ Specializing in IT management, cybersecurity, and strategic consulting, we empower businesses in healthcare, finance, manufacturing, and beyond to turn technology into a competitive advantage. 🚀
🌐 Website: www.netgainit.com
💼 LinkedIn: NetGain Technologies
📅 Meet with Us: Schedule a Meeting
Meet Your Hosts
I am your host David Mauro and in the studio today is former security analyst with the NSA, security researcher and senior security analyst with Analyst1, Jon DiMaggio. Jon, welcome to the studio, my friend. It's good to be back. I've been on no other show as much as you guys'. So I appreciate the love and you guys having me back again. Well, you're always welcome. You're definitely a friend of the show, and I'm just telling you, like, if
like cybercrime's up, so it tends to be something that we need to keep bringing you back for. We're like, right, what's going on with this? And you know, you mean it's not... Yeah, I thought we won. Isn't it over? Is it mission accomplished? Right. There was an executive order yesterday, man. We got it. Yes, I saw. Yeah, I thought they outlawed cybercrime. Aren't we done with this? That's right. It's against the law, man. So let's back up a little bit.
So walk everybody through a little bit about your history, because for those that may not be aware of who you are and where you came from, I think that'd be interesting for everybody. Sure. Former military police, former SIGINT analyst with the NSA as well as some other government agencies over my career. For the last, I don't know, 10 years or so, I've been in the private sector.
I specialized in espionage when I was in the government, and I did that for Symantec as well, on the private sector side, for many years. And at Analyst1, around 2020, I dove into cybercrime and I really got into HUMINT, which is human intelligence, which is virtual human intelligence in this case, where you...
pretend to be other people, or sometimes you're yourself, and engage with criminals, trying to extract intelligence, get information, and combine that with CTI. And I write reports. Probably the most known report series that I've written is the Ransomware Diaries, which is something I spend a lot of time doing. I'm probably going to take a break here for the next six months on that and do some other projects, but that's definitely my baby. Yeah, that is one of my favorite things. Like, whenever I'm trying to explain to anybody
how the ransomware enterprise works, because it's big business, right? And how and why they do what they do, and understanding the modus operandi, I kind of refer to that quite often. So let's talk about that. There've been a lot of ransomware attacks. Obviously they're always in the news. They didn't always used to be in the news. So before, you know, 15 years ago,
it was very rare to see them in the news. It was really between, seems to me like, and I can be wrong, but it seems to me between 2011 and 2013, cybercriminals started to productize their offerings. And then it almost morphed from everybody's view of what a hacker is, like a kid in a hoodie, cracking a Red Bull in their mom's basement, creating all this complicated code, and
Hollywood has portrayed them as being these cool geniuses and stuff, but it really changed. And we started to see it more in the news when they started to just write the code and create a platform, essentially, and then license that platform, or license access to the code, to just anybody that was criminal. And then it kind of exploded, because there's a lot more criminals than there are people with technical ability. Walk us through, like,
you know, what did you see, just high level, over the last 15 years? Is that kind of your understanding? Is that a good kind of summary or recap of what we've seen, why it's gotten so popular? So I guess let me walk back and we'll just do a brief summary on that timeline. So yes, in that timeline, we did see, you know, I guess the first
time we started seeing it being used to encrypt enterprises was the Business Club with CryptoLocker. But it wasn't that they were locking down the whole enterprise and using it quite the same as we see today. But that was sort of the seed being planted. And when it really took off was in 2015, when SamSam ransomware became prevalent, and that ended up being attributed back to Iran. It was a couple of Iranian guys that put that together.
And then I would say a few years later, maybe, I want to say more the 2018, 2019 timeframe, we started to see the first ransomware-as-a-service model. I might be off a little bit on those last dates. It kind of blends in with doing this every day, but yeah, somewhere around that timeframe. And that model really sparked. And if people don't know what that is, ransomware as a service is a partnership. It's sort of like a service,
a service partner model. Think about how you have a service, almost, right? Yeah, correct. Yes, you pay for the software, the infrastructure, and the service provider, who would be the ransomware gang, provides all those resources. You as the hacker go and use their tools and resources to compromise and extort victims. And then the two entities share in the profits, or at least that's how it's supposed to work. Criminals aren't the most trustworthy people, so it often goes bad.
And then the drama breaks out, and then we have the Ransomware Diaries. Right. Exactly. Exactly. So, ransomware as a service is a service model where, just to recap, the developers of the code, the first group, the technical group or the criminal enterprise, it's like the council or the seniors, when you do an analogy to the mafia. It's the management.
It's all the dons. It's all the heads of the families that kind of have that. Right. So they control things, and then they have different, you know, digital mercenaries, affiliates, that will go out and do the dirty work. And they don't necessarily know other people that are involved, so that if they get caught, there's really not much they can show, sometimes, depending on how much buffer they have.
And yes, and in this... I'm sorry, go ahead. Yeah, no, no, no, please. I just wanted to add one little thing to that in this mafia model, since I love the Godfather movies. Yeah. The ransomware-as-a-service provider, they build and equip you with a gun, if you will. So they build what's called a ransomware builder, which is what creates a payload that has a decryption key. And they use that, or they have a key, and they use that, and it's different for each attack.
Yes. And that key is what the victim is paying to get back. So they provide that builder there. They develop the ransomware. They provide the infrastructure. Oftentimes they'll provide tools to steal data, or whatever it might be. They provide what's called the data leak site, or DLS, which is where victim data is posted. And it's all done through a nice graphical interface. You know, you get the data, it shows up on the platform, you can use our tool, you start the timer, and when the timer is up,
the data is leaked, or they pay and you stop the timer and it's not leaked. It sounds simple, but it's not quite that simple, but that's basically how it works. So when a criminal enterprise breaches an organization, they'll either encrypt the data, right? Launch the ransomware. Or they'll exfiltrate the data. They'll take it, and then they'll use both of those. It's like a double extortion, right? To kind of blackmail them into paying for
either unencrypting the data and giving them the decryption key, or even sometimes if they don't encrypt, it's still, we're still going to publicize it. Right. And that's what's on the leak site. That's right. That's right. And stealing data and extorting them for the data has become more and more prevalent. We even see some that are just doing that.
But I would say that encrypting victim systems falls secondary to that as far as getting victims to pay, because the data is far more sensitive. With your systems, you can rebuild. You can't put the toothpaste back in the bottle. You can't get the data back once it's released publicly or sold to criminals. Yeah, exactly. So let me ask you this. How, in general, generally speaking, there's a million different ways, of course, but in general, overall,
how are these affiliates, the actual hackers, the criminal digital mercenaries, how are they getting into some of these organizations? Because sometimes I hear it's through, a lot of times it's through phishing, or it's a combination, it's clearly a combination of different tactics, but there's phishing, there's social engineering, which we talk about all the time. But oftentimes they'll buy access through, like, initial access brokers. Can you walk us through that and what that is?
Yeah. So access brokers, basically, they are hackers that go out and they compromise the organization. They silently gain access, but they don't do much when they're in, because they don't want to be identified. They gain that access. They might escalate, or usually they'll try to escalate their privileges and get administrative privileges, because they can sell the access for more if they have that. And then they go to, usually, underground dark web forums. Sometimes you'll see it on Telegram, but they'll go and they'll sell this access, and
ransomware bad guys are one of their top customers. The other model is where the hackers have to breach the system themselves. And something you said, it does happen a lot with phishing emails and things like that. But at least from the bad guys who I've talked to over, say, the past two years, I've seen more and more that the preference of a lot of these adversaries is outward-facing infrastructure that hasn't been patched, that's not secure,
or that has a new exploit for it, or an old one if the company still hasn't patched it. And that's how they gain access, is through infrastructure. And it kills me when it's things that all they had to do was update and patch their equipment and this would have mitigated it, and they don't. That's becoming, you know, they scan, they look, and they gain access, and they don't even have to bother with the phishing emails. But that does still take place. But I'm seeing more and more of that. It's really shocking to, like you, you'd think that
a lot of these organizations, everybody's doing, like, they have the people in place or they have the companies in place to do the patching, and it just isn't done. And it's either non-updated patching or it's on such a delay. Yes. Patching that doesn't get done, and it gets taken advantage of. It's just absolutely shocking. It does. And to be fair, you know, a lot of these companies,
especially larger companies, they have concern about just patching something, on how it will affect other servers and software that they have. So they're slower to do it. But the times have changed. Yeah, sometimes when you patch, you break things. You break other things. That's right. Because of configurations, right? Yes, yes. But times have changed, and the risk associated with doing that,
in my opinion, is far greater. I feel like it's better to have something break and have an outage than it would be to have your data leaked and you're owned and compromised and all your systems are encrypted. So they're rolling the dice when they do that, but that's just the world that we live in. You know, it takes time sometimes for organizations to update. And I get that. But there's also organizations that just, they don't even know what they have out there, and they don't patch it.
You know, one of the big ones, I think I used this example previously, but was with the subcontractor that led to the breach of SpaceX. That subcontractor had public-facing equipment, stuff that's available to access from the internet. It still had the default passwords that come out of the box from the vendor, and they just walked right in. That type of stuff, there's no excuse for. That's right. That's right. I see that a lot with Internet of Things devices, right?
Like the smart refrigerators, the smart other devices, you know, the doorbells, like, you name it, my favorite aisle in Best Buy. Like, the security out of the box is, like, admin123, and everybody knows what it is. And yet nobody goes to the panel to reset that to an actual password.
That's right. And they don't make it very easy. You know, let's say you're a small business. They don't make it very easy to seclude those. Like, I do it in my own. My home network is set up with, I have a work network that uses business-grade equipment. And even with that, I have to have a separate network in my house, a third one, to put all of those devices outside of the
network that I use, because some of them, you know, it's very difficult, or you need to have access to them. You can't have cameras or a doorbell and turn off the Wi-Fi for it. Now, your refrigerator, your toaster, your washer, your dryer, all those, easy, just block and turn them off. For me anyway, I think it's not worth the risk, but there's others where you just have to have that. So they make it difficult, is my point, for consumers, small businesses. Larger businesses have the engineering, they have the money, they have the equipment that makes it a little bit easier. But yeah, it's definitely a problem.
Let me ask you this. There's so many reports where the affiliates or certain types of threat actors are getting into networks and staying in there undetected. They're able to move laterally. They're able to escalate privileges. Why are organizations not able to see that stuff?
You know, one of the reasons, honestly, is because a lot of these adversaries gain access and then they use what's called living-off-the-land techniques. So they don't actually bring in malware. They'll use services that are implemented for other purposes, like to administrate your network, but they'll use them for malicious means in order to continue to gain that access. And then they download tools once they've escalated their privileges and they...
They have a hold on the network, and they can turn off security appliances. I'll never forget the first time, this was like 2018, the first time I saw an adversary turn off an EDR service on a victim's environment, on their systems. And it was crazy to me that they were able to gain privileges high enough to do that. But it happens. They were able to go in and turn off the endpoint detection and response. That's right.
Yes. It's impressive. It is just crazy. Yeah. Yeah. It is. It's hard to believe they can do that. But to answer your question on why they're not, a lot of companies don't detect this, you know, honestly, because it's so difficult to do. So you've got to have the money invested in it, because you have to have something like an EDR. That's, in my opinion, the number one way to help prevent that, is having a good EDR. SIEM, you know.
Well, and then threat hunters. You need the humans to be able to go in and identify false positives, or look at the stuff that isn't a red flag but is just suspicious, because these guys are creative and they're constantly coming up with new ways to get on your networks. And, you know, I harp on this when I teach courses and things, but as a security analyst, you cannot sit there and wait for something to tell you that something's bad. You're never going to be able to find new threats that are going to be present in your environment. You've got to go look for it. You've got to look at the stuff that's suspicious, that's not necessarily
flagged with flashing red screens, hey, this is bad. It's not always going to work out that way. So you've got to be creative. You've got to be passionate. You've got to go look for this stuff. You've got to take that extra step. Yeah. And I hear that a lot in the SMB space. I hear a lot, well, we've got an IT company and they're monitoring my network, so I feel okay. And I'm like, but they're not doing SIEM, or they're not doing EDR. They're not monitoring the network looking
for security risks. They're monitoring it for health of the device, disk space, you know, in order to patch. They're looking at the same technology, but for different things. Their job in the IT support range is to keep you productive, keep things going. They're monitoring whether you're online or offline, that type of thing.
It's the security teams, the SOCs versus the NOCs, that are monitoring for anomalies, looking for escalated privileges, looking for intrusions or data loss, things like that. That's right. And that's also why, you know, one sort of rule of thumb is the more secure you are,
the less ease of use your environment's going to have. And many of these organizations, especially ones that cater to services where it needs to be easy for people to use and access, they have to weigh those decisions, making it more secure and a little harder for people to use, or keeping it easier to use. That's one of the reasons why education and academic organizations, and healthcare, are such big targets, is because those all have to be available and timely to the customer base that they serve.
And that makes them ripe targets for ransomware bad guys. Yeah. And to me also, I mean, just from a high level, it seems like years ago we had two versions of our world. Like, we were able to, yeah, we had computers in the office, but you know, we were still able to conduct sales, make payroll, engage with customers, render medical care, and do all these things without technology. We could use technology. It was like an electronic
version, it might speed things up, but if it went down we could still function. But ever since, like, all the vendors got everybody to scan all their files and digitize everything, and now everything is digitally transformed. Now when something goes down, like last time, if anybody's been to a physician lately, right, like, the nurse doesn't come in with the freaking big padded
paper and go, here's all your medical records, let me see how you're doing. Right. It's all on a tablet. It's all connected to their systems. And so when those systems are down, they can't render medical care, because they don't know your history. They can't see it. Like, they can't access stuff. That's right. You know, honestly... Yeah. Yeah. It seems to me, therefore, the effect that the cybercriminals are having is worse today than it was before. Because before we had some...
100%. You know, I'm going to sound like a boomer here, but critical services, critical infrastructure, secret squirrel government stuff, your healthcare, like, all of that would be so much more secure, not as easy to use, but it would be so much more secure if we still used those models. Honestly, you know what, let's use healthcare, for example. This will never happen. But
I would much rather that I'm responsible for my data, and when you need my medical data, I give that to you when I go to a physician or something. To me, I would rather that's on me, because other people clearly can't protect my data, and we're helpless. There's nothing we can do. You can't say, no, I'm not going to let you treat me today because I don't want my data being out there. There's nothing that you can do. I mean, just sending a message to your doctor, it's permanently there on your record when you go to these portals. I mean, everything's there. So you have no control of it, and you have to hope
that these third parties are going to protect you. And we know from reading the headlines every day, it's often not the case. Unbelievable. So when we're talking about ransomware as a service, some of these platforms now, in your role, I said like five thoughts at once, so hang on with me. So in your role, you have done things like gone undercover and spoken to, like, Russian ransomware gangs. You know, you've...
That's really amazing. My question is, these gangs, like, how are they not arrested? I know the answer, but I want you to explain it. Like, how can they bankrupt a hospital or bankrupt a manufacturing company in Kentucky or Illinois and have no consequence? Like, they make
tens of millions of dollars, hundreds of millions of dollars, and the business is just destroyed, right? And then they leak it, and then they go to the press, or if there's compliance, they notify the SEC, they notify HHS. Like, they're really terrorizing small to mid-sized businesses in the US. How can they get away with it? It's like they operate with impunity.
Well, the reason that they get away with it is, at least today, the majority of ransomware attacks that we see in the U.S. originate from Russia, Ukraine, that general region, but primarily Russia. The issue that we have is, obviously, Russia is not friendly with the U.S., and they provide sort of protection. It's laughable if we were to try to extradite someone from Russia; they wouldn't even entertain it. So these guys, they have sort of protection as long as they don't
do attacks that would take place against Russian entities. So that provides them the ability to, even when we indict them, they're not arrested. They can't be turned over to the U.S. They will never be charged unless they screw up and leave and get caught in a country that will actually... only if they make a connecting flight through, like, Miami that we can get them, right? Canada or something, right? Like, there's places, or the UK, or somewhere like that. Yeah, absolutely. You're correct on that. Now I will say that we are seeing an uptick in ransomware attacks that do come from other regions of the world. There's been
an uptick of seeing ransomware attacks coming out of China and places like that. But still, by far, Russia, that general region, is the most prevalent for ransomware attack origins. So they operate with impunity, and they're not able to be arrested. And really, the country that they live in is happy, because you just brought in millions of dollars of revenue that otherwise would not be coming to the country, and you're going to go spend that in their cities.
That's right. Well, not just that. One of the things, and I know this firsthand from the relationships that I've had with bad guys, when they get indicted, often they get a visit from the FSB. And I've even seen, and I'm not going to say any names, just because I don't want to get... For those who don't know, that's the Russian, kind of the old KGB in a sense, the Russian FBI. It's the Russian senior federal police. That's right.
That's right. A lot of times it's very corrupt, and they'll pay visits to them, and either they'll want them to give them money, sort of pay to make it go away, or they also sometimes have their thumb on them, and now they have sort of an entry point to know what's going on, use those resources that they want, which we've seen happen a few times. But they definitely have an interest, because those guys are elite hackers and we know the world
runs on cyber. So it's in their best interest to get those guys to work with them. And if you had to pick between going to prison, going to the front lines in the Russia-Ukraine war, or, you know, going to work for the FSB part-time and still doing crimes, what are you going to pick? Right. Absolutely. So it's almost like, getting back to that mafia analogy, it's almost like the local gangster part of the mafia that will, like, go to the businesses,
right, and demand money for protection. Right. That's right. Got to do this, otherwise, you know, your place may burn down, we don't know. Right. And it's like the FSB comes in and says, okay, the Western states have an eye on you. Like, you're going to do what you do, but you're going to help us a little too. Yeah, that's correct. And there was something funny that happened around Christmastime. One of the guys that we indicted, his last name, I'll be saying it wrong, Matveev.
I know him as Boris, Wazawaka, and other handles that he's used, but he posted to social media a picture of his Christmas tree, and it had all these US flags and stuff on it. But then at the top of it, it had this large cutout of
President Trump's face on it. And I'm not going to lie, I laughed when I saw it. It was so comical. It was on this tree. And I'm like, this is just crazy. I mean, these guys have no fear. Like, they just laugh at us. And it sucks. But I laughed because I didn't expect it. Not because I'm on the other side, just to be clear. It was just one of those things that was so absurd. I'm like, this is nuts. These guys have no fear of being arrested at all. Like, they're posting on social media. Yeah.
Exactly. And what are some of their motives for it? Like, I mean, I would think it's kind of obvious. Like, I would think there might not be great opportunity where they live for economic prosperity. And if you go to the dark web, they have, like, recruitment sites where these guys are like, make $10,000 a week, which is a fortune over there. Right.
It's not as expensive as where we live, generally. And, you know, in terms of what you can do with that, and then you can operate with impunity and you can get it fast. It's fast, easy money. They care about what you can do, your individual skills, today. Not where you went to school, what type of education, what grades you got. Like, none of that matters. Can you hack? Can you do this?
Right. And there's sort of two points there. One, you know, some of these guys have made comments and said things to me like, you know, there's not work here, I can't go use my skills to make money to support my family, but I can make a lot of money doing this. And then, you know, I guess the second point, you know, the indicted affiliate Bassterlord,
he was indicted last year, big-time affiliate for LockBit. He had worked for the REvil ransomware gang previously, and others with him. He was like, you know, the first big payment I got was 150,000 in cryptocurrency, but he's like, that was life-changing for me and my family. I could never make that. We were barely getting by. His mom had medical conditions, right, had a lot of medical bills, and he was used to working in a factory where he would have to, like, tape his shoes and
barely have a coat. Yeah, he was a security guard in a school with no heat. That's right. Yeah, he was freezing. I read that in the Ransomware Diaries. That's right. That's right. So I'm not saying we should feel bad for people, but we also shouldn't... that's their motive. Like, that's why. It's good to understand. There but for the grace of God, like, if I was sitting there, I don't know what I would do, right? Like, you would at least be challenged. Like, morally, you would probably steer the right way. But, like,
from circumstance, you're like, well, at least you understand the context of why they're doing it. It's one thing to have an understanding of why someone does it. And let's say that there's a reason that you can even be empathetic to, like, if I was in that situation, I don't know what I would do, type of thing. That's one thing. But when they keep doing it, and they have all this money, and they still keep doing it, that's just being greedy. You're a bad guy. That's right. Yeah, exactly. Well, and who they do it to. There used to be... that's right.
I mean, it used to be, almost like, you know, the mafia was always like, hey, we're not going to deal drugs, we're not going to do this, we're just going to do, like, gambling or whatever. And then they lied about that. They were lying about that anyway. Very similar story to the ransomware gangs, where it used to be publicized, anyway, from them: hey, we're not going to touch children's hospitals, cancer... That's right. Like, places like that. We won't do that. We're just about,
you know, some of these big companies, they have all this money, they're just being jerks. We're going to... it's like a Robin Hood mentality. And then they don't personally have to take accountability, because it's not me doing something bad, it's a noble cause, right? That's right. That's not even the case, is it? Like, they go after those hospitals. They go after those hospitals. And you know, when I was at DEF CON, I talked about this extensively, but the biggest, sort of the end of my fallout with
with LockBit was when they had attacked Saint Anthony Hospital in Chicago. And it has a children's cancer ward. And because everything was encrypted, they didn't have services. They were going to have to move these kids to another hospital. That's not an easy thing to do. It puts these kids at risk. And I spent an afternoon talking to him about it. And I had naively believed that I could get him to
give them back the encryption key. Because at the end of the day, if you're a bad guy, you can still get money by extorting them for their data. Not that I'm condoning it, but I just wanted these kids to be able to get their treatment and other things. And I really thought I could convince them to do that. And I was wrong. And that's what, you know, sort of changed the tide, as far as trying to change how I... That's right. That's right. That's right. Yes. Wow. So you're somebody that has gone undercover and actually spoken
with them. Now let me ask you this, do they speak English when you're talking to them on these chat channels or on the... Most of them can speak in at least broken English because you got to remember... Or they use a translator. That's right. Yeah, but a lot of them do speak broken English because all their victims are usually English speaking. But yeah, there are occasions where they don't. Then either, you know, we use Russian speaking nationals to help with these operations or
You can use a translator, but you're not going to trick anybody using a translator. But I also have talked to these guys just as myself. Once the Ransomware Diaries kind of put me on the map, a lot of these guys just at the time wanted to talk to me. So I've done both. But for those of you who may not know, and if I can find the image of it, I will pop it up here. I just don't know if I'm able to find the image. But after one of your initial Ransomware Diaries where you talked about LockBit, they read it and they put your face
on their website on the dark web of LockBit. They made it their avatar. Yes. Yeah. That avatar was your face. Yes. Yes. For, for, at the time, the number one, yeah, the number one most like wanted, most ruthless, notorious ransomware gang on the planet. And your face is there. Yeah. I'll never forget that. That causes some lost sleep.
It does. It does. And then over time, because they kept doing that for, I don't know, it was about a year and a half until they got kicked off the forum, they kept it. So I would see LockBit having these arguments with other ransomware leadership. With your face. With my face. And you got to be like, at some point he's got to be like, who the hell is the guy I'm looking at? Then they're probably looking me up and stuff like that. So yeah, it made life interesting. Yeah. Or some,
some federal agents reading that and they don't even know that it's you and they're doing that. Then they go and get a coffee in Washington and see you and you're like, you're like, I've seen that guy. He's a cyber... He's, what, he must be visiting from Russia.
Or other analysts that I know that are also tracking them and they see my face every day. I've heard it from everybody. But yet all the law enforcement guys know me nowadays. But yeah, there was a time, and yeah, it's, it's, I mean, all I can do is laugh about it now. But it definitely made for a funny story after the fact. I've got a question. So when a ransomware gang threatens to release the data and it goes on their dark website,
I've heard business leaders say, well, I don't go to the dark web, nor do my customers. So why would I care? Right. Like, but the issue is, is everybody, even though it's the dark web and most business people don't go there, everybody else does. Like everybody that is involved in security. So it makes its way to the news and to the mainstream media. Right. Yes. I think that mentality is changing because there's been so many
cases now, it starts on the dark web, but that's not where it ends. That's just where it starts. That data makes its way out of there. And then it's used not only against those organizations and their customers, but it can also be used to further compromise like their partners who have trusted relationships with them. And it just leads to more and more of this. Well, and I'm starting to see some of the cybercrime gangs also have things on the clear web or through certain apps. Like you'll see a gang
have a website or a page on Telegram and on like regular, which is on the regular web, basically. Like you can, any of us can access that. You don't need the Tor browser and Tails and a VM to get over to the dark web. And then a lot of them also have, like you said earlier, like some of them have social media, like they're notifying it. And if you still don't pay and you still ignore them, they'll start reaching out
to some of your customers or your partners. Yeah. Yeah. No, they'll do that. Yes. They also interview with the media, but yes, they'll reach out. I've even seen several times now where they've actually hired call centers to read a script and call customers of big companies telling them that their data has been taken and they need to contact the company and tell them that they need to pay to not have this, this leaked.
Which is absurd, right? That that actually takes place. That is so, like, they're complete bullies. Like in the, in the schoolyard, somebody needs to stop that kid. You know what I mean? Like really brutal. And then if, let's say, you're in an industry that is regulated, right? They've been notifying HHS, the SEC. Yeah.
the organizations like, they're like, Hey, by the way, we breached them. They haven't notified you yet. Or they're not being like, they say we don't have access. We're the guys that did it. We have all the access.
That's right. And they'll actually use that to extort them. And they'll be like, our extortion demand is less than what you're going to pay in fines and fees if this has to go public or if we notify them. And so yes, you're, you're going to have your, your data leaked. It's going to affect your customer base. It's going to affect your reputation. Your systems might be encrypted. It's going to take a ton of money to fix that. And they're going to report you even themselves to these government organizations that track and fine private sector companies. It is, it's a tough place to be in. And I say this all the time, there's no,
There's no shame in becoming a victim. Anyone can get, can get hacked. I don't care how good you are. It's possible. It's how you handle it after the fact. And what I have an issue with, just as much as, as I have issues with ransomware bad guys, I have issues with when, when corporate companies are greedy and they lie and it's their customers who end up, you know, taking the hit. And if they had just been honest and disclosed, things could have happened much smoother and
protections could have tried to have been implemented. But yeah, when they lie about it and they don't tell the public about it and they say, we weren't compromised. In fact, they were. It's the consumer. It is a huge red flag when I see a story of a data breach and like, they didn't access anything. I'm like, it was freaking Black Cat. They accessed it. Or it was LockBit. Like I'm telling you, they accessed it. And then three months later you find out the whole story.
But it's absolutely brutal. I know Black Cat's not gone. They're gone. They did the exit scam. I didn't mean to use them as an example necessarily. No, you're fine with that example. It's still relevant. Yeah, I mean, some of the stories are just phenomenal. And I love the names because it's so good for creating characters. There's like Cactus, like Dark Angels. Like, how cool is that
for a name, Dark Angels. Like I threw that name, and I was going to write an article about them, and I'm like, I threw that name into AI, like an image generator, and got some really cool images. And I'm like, you know, their logos and their tattoos are going to be cool. We're the Dark Angels. Well, I think the most interesting, the most interesting name was REvil because it was based off of a video game, Resident Evil. You know, I mean, you can't make this stuff up. You can't make... no, it's just they're all children.
Like we're all children. I agree with you. But you know what? One thing, tell me what you think of this as we wrap up. Like, would you agree that not all breaches are created equal? Meaning you see certain breaches, and even smaller breaches, but businesses are down for weeks and their system, like they didn't prepare, like, and the bad guys were inside those networks for a long time,
creating back doors, gaining all these privileges, exfiltrating data. Like there's those, and then there's some where, like, yeah, they got it. They had services or they had some team in place or they acted, they prepared for, like, through incident response planning, and they triaged immediately and they took it more seriously. And you see there's still damage, right? There's still stuff that happened, right? But I think it goes to your point of there's no shame in being a victim.
Unless you're more of a victim than you should have been, had you not been negligent. You know what I mean? Like, I guess would you agree with that?
A hundred percent. I get really upset when I hear about, like, that example I gave, or an organization still had a default password set on public facing infrastructure. You know, companies should have more of a responsibility to protect our data. Yes, anybody can be hacked. But when you are, you know, just, it's ridiculous, and you don't take the basic things that you should be doing to protect people, and you have their data, and they either don't have a choice. They have to either allow you to use it or they don't. You know, there should be more repercussions for those situations. There are victims that do everything right. They should
do is to look compromise. But the ones who don't, where it's just incredible to me that that takes place. And those are the companies that they should have penalties and they should have punishments. It's not okay. And then one other thing I just want to bring up, there's also, in my opinion, these companies that pay like Change Healthcare, for example, great example, they pay twice, they pay $22 million, allegedly.
twice. You know, that's the Black Cat story, isn't it? Like where they paid, but, but then Black Cat said, No, we're taking down, like, we're out of business. And they ran away. They took the money. And then the actual affiliate is still there going, Hey, I don't know what just happened. They just ripped me off on my commission on this. I'm going, I still have your data. I'm still going to do the exact same thing that they were going to do. He went back to them and they had to pay again.
Yes. And the problem is that money, it feeds that ecosystem. It encourages them to do more attacks. And I feel like there's got to be a responsibility of some of these companies. it, it just, it's, it's ridiculous. Now I'll admit that, you know, when I see something like that, make sure that they've actually deleted the data. It's hard to make sure that they've actually deleted the data.
fact that they don't delete the data. That is a myth in these companies that believe it. I've seen it with my own eyes. I've had the conversations. There's black and white evidence that they don't delete the data. You're a fool. You're paying for them not to publish your data now and hoping that a criminal keeps their word, but it doesn't happen. We have these takedown events. There is almost always data from previous entities that was supposed to be deleted and it's still there. Yeah. What is the average percentage right now of
people that once they pay a ransom, they actually get the decrypt key and they're able to restore their data. Yeah, it doesn't, it doesn't solve the fact that they might've taken a copy of it and could still release it. But in terms of getting back up and running,
Yeah, most of the ransomware groups, the successful ones anyway, they treat it like a business and they know if they have the reputation of just taking your money and not doing what they say, that future victims won't pay. So most of them will actually abide by that. But the point is they keep your data and then when things go south and their enterprise is interrupted, their operation is interrupted, that's what they have left now to use to still obtain financial.
gain is they can sell that to other criminals. They can re-blackmail the company. There's all sorts of scenarios. But at the end of the day, like I said, even when companies do things right, it's still that money that's spent on all this to fix this or to get it
to the extortion or whatever it is, at the end of the day that falls on the consumers, you know, that it's put into the pricing and you end up paying for it, or people lose their jobs. I mean, it's the little guys and girls that end up getting, getting hurt in this. And that's not as traceable when you just look at the incidents. So it's not as apparent, but that's the reality of what happens. That's amazing. Well, Jon, thank you so much for your time. Thank you for what you do for
U.S. businesses, U.S. organizations, U.S. critical infrastructure, honestly, like what you do, you are serving the country. Like I don't, like nobody probably ever tells you that, but I'm really, really glad to be your buddy and, and, to highlight the things that you're doing. If people want to find Jon or check out Analyst1, look up Ransomware Diaries. I'll throw a link in the
Oh, my book. I see it behind you. Oh, of course. I always forget that. I forgot the book right there. The Art of Cyberwarfare, which is a really good book. I'll tell you, if you're not technical, right, and you don't want to get into the technical aspect, most of that book still talks about the espionage and the people and everything else, because I'm not technical. And part of it, I was like Googling all these acronyms and all this other stuff. But then I learned something there.
But you didn't even have to do that. Just the stories in there are phenomenal. Like that's a really, really good book. I try to write and make things entertaining to read and understandable by a larger audience than just technical people. 'Cause I think it's important that everyone can understand what's taking place, and you don't have to have an engineering degree to get the idea of what's actually happening. Well, I'll tell you, I'm a former prosecutor back a long time ago, right?
And I remember that the detectives that I knew that would go undercover in some of the gangs, they'd get burnt out. It would really take a toll on them. Like, it's hard to be a bad guy and not get hot and not get your cover blown. It's just a lot. So that's me right now. That's where I feel like it's got to be like, does it wear on you? Like it's got to hit you.
I'm done with that operation with LockBit and all of those guys, and like that's why I said I'm taking a break from Ransomware Diaries. I'm gonna do some academic stuff. Like I just need a break. Like it takes an unbelievable toll, and it's hard to convey that on your shoulders. It doesn't stop me. Yeah, it's like 24-7 fight or flight mode. You're on the amygdala hijack 24-7 and it takes a toll.
It does high pressure, high anxiety. It affects you, your family, the people around you, all of that stuff. So there's no vacation, especially when you're pretending to be somebody you're not, there's no nine to five. There's no weekends. Like you're that other person. You can't just be like, I'm taking off. Sorry. So yeah, it's, it's a lot. It's a lot. Well, thank you for what you do and the sacrifice that you made there. Um, but dear God, just go, go teach some kids how to like break into cyber. Like, like just take it easy a little bit. Like,
That's the plan. Yeah. Hey, let me ask you the latest on LockBit, just as in the final moments. What, like the last we spoke, the head of LockBit, LockBitSupp, they were, they were like gonna release... the feds were going to release the identity. There was like geolocation found of where this person was. He kept telling you, that's not me. They got the wrong guy. They got the wrong guy. They always say that. Yeah.
It was him, and we know exactly where he is, and pictures of him and everything, and the stuff he liked, right? Like the sports he liked, the cars he liked, where he liked to shop. Gardening. Yes. I loved it. It was like a Southern Charm magazine exposition on, like, Martha Stewart. I'm like, this guy's ruthless. And we're like, yeah, he loves to garden, and his favorite, like, cognac. I'm like, what? Oh my God.
It was great. So what's the latest with that? With that? Is it still just, it's just in, in plateau phase because you can't go arrest them? Like you can't go get them, right? That's right. You can't. So, so since then, since then, their developer has been, he was, he's actually been arrested because he was outside of Russia. I saw that. Yeah. He had pictures on social media. He had pictures on social media, like at the beach, smoking, all that stuff. That's right.
Yup, relaxing, that's right. So he was arrested. So the operation itself on paper and what's in a lot of news headlines and statistics makes it look like they're still one of the top one or two groups. But for a trained eye.
They're posting a lot of fictitious victims or victims that were previously extorted and breached. And they're also posting victims from other, when other groups, because they're affiliates who do it, other groups that they've worked for and done it. So they're sort of stacking the deck. Now there are still legitimate breaches, but they have 100% taken a hit and are feeling the pain because of the sanctions that make it hard
for victims to pay. If you're a bad guy, why would you work for them when you deal with all the hassle, when you can go to somebody else? So your top tier hacker affiliates, that's not gonna be their first choice of where to go. And LockBit is trying to come back, and he's releasing in a couple of weeks, he's releasing a new program, updating it from LockBit 3.0 to LockBit 4.0.
And there's a lot of headlines about that, but here's what people aren't reporting. When they, the NCA, so that's made up of like Europol, the FBI, a bunch of law enforcement organizations worldwide, when they took them down, they obtained the source code
for this new variant that's going to come out. So it's being marketed and it's being reported. Like it's going to like this big comeback, but I don't think that it will be as big as, as things have been with them in the past again, because law enforcement has obtained that code, which makes it easier to defend against. I'm not saying that it's not going to be effective at all, but it's not going to be what we saw in June of 2022 when LockBit 3.0 came out and it changed the whole dynamic of ransomware forever. It's not, it's not like that. I don't think.
will be. Time will tell, but I believe that they'll keep being out there doing their PR and trying to get their name out there, but I think they'll continue to diminish. But time will tell. Wow, who are the big players out there now? BlackMatter? RansomHub. RansomHub is one of the big ones that are out there. You know, there's a lot of groups from, if you remember the Conti ransomware group,
When that ended, they broke up into many different groups. And that is a model that we're kind of seeing more of. And that's what I'm actually working on right now, is looking at sort of Black Cat. Black Cat went away, and we're seeing now a couple of different groups that have a lot of code similarities, that have a lot of the same people working for them. It's not a one for one, but we have to stop looking at things as a group goes away, there's a rebrand and they're the same group. Well, no, they're actually now becoming multiple groups. It's splinters, right?
That's right. Different groups. Yeah. Which makes it hard to track, hard to get your mind around, and hard to do attribution on correctly. So it's difficult. That's actually what my next paper is going to be on, on how to do proper attribution. And I'm going to do a use case to show that. Anyway, they give me lots of good content for examples for a use case. Crime's always up. So, all right, man. Hey, thank you so much for your time. I really appreciate it. Always great insight. We'll have links. Please connect with Jon. Follow him on
LinkedIn. You and your team at Analyst1 are phenomenal, and everything you do is just outstanding. So, I really appreciate it. Thank you. Have a great weekend. Will talk to you soon. Okay. Thanks, man. Sounds good. Bye bye. Thanks for joining us on Breaching the Boardroom. Join me in my pursuit of growth anywhere you listen to your podcasts. For technology tips and tricks and leadership hacks, find me on LinkedIn, and don't forget to send me a DM or leave a comment on a topic you want me to cover next.
This podcast is powered by NetGain Technologies, a top 250 internationally ranked managed security services provider headquartered in Lexington, Kentucky, with offices across the Southeast and Midwest.