[01:51] A Really Cool Job

Rachael: We've got Tom Hoffman, Senior Vice President for Intelligence at Flashpoint. I can't wait to jump into this. You've got a really cool job, Tom. Could you talk about what you do in the intelligence round with the dark web and all of that awesomeness?

Tom: First of all, thanks for having me on. I as you said, oversee our Intel operations here at Flashpoint. Flashpoint is a risk intelligence company. We provide technology that helps firms across the globe, primarily Fortune 500, to understand different threats to their organization.

It spans everything from what you would expect from cyber attacks, fishing emails, nation-state attacks, and criminal activities, but then also to really where cyber and physical come in.

We help a lot of executive protection teams as they're trying to understand threats that emanate from the internet against their executives, where they need to beef up their protection. We're really involved in a lot of these illicit communities where we can keep our eyes and ears on activities that are ongoing.

We help really inform that conversation and help people better protect their employees and their assets.

Rachael: You're spending your days on the dark net though. How do you even log in? I tried to do the tour browser one time, but I didn't know what to do once I got there.

Tom: You're most of the way there.

Eric: You're not an adversary.

Rachael: No, not in the least.

The Deep and Dark Web of Ransomware 2022

Tom: It's interesting. A couple of years ago, the deep and dark web as people heard it, was this spooky thing, but it is increasingly becoming more accessible to everyone across the globe. The technologies are getting better. It's sometimes as easy as installing a browser and you can be up and running and connecting to these parts of the internet that are not indexed by Google or Yahoo.

You can start seeing different things happening on the internet. That's where we operate quite often. As you can imagine, the anonymity that these places afford, allows some of the illicit activities to really fester. That's where we operate many times.

Eric: So, it's really like being in the red-light district at two in the morning. You're observing what's going on and you're trying to understand the ever-changing landscape of cyber activity.

Tom: Yes. A lot of garbage is what you're looking at quite often. It's things that you'd rather not see, and you can't unsee. Something you really don't want, especially if you're a large company, your employees are on. It's not something you want your security teams to deal with.

This is something we’re doing in a safe manner where you can actually have protection because a lot of people don't even think about it.

What happens if you inadvertently click on a link, and you come across some child pornography that's being hosted on a website? That is a risk that really a lot of companies want to avoid. We have systems in place that can help block that, keep it off our system, and scrub it before it ever gets to the eyes of some of our employees.

The Cesspool of the Internet

Tom: But it is just some of these aspects of these environments. Unfortunately, it's the cesspool of the internet quite often. What you come across is not something you want to talk about at the kitchen dinner.

Eric: It reminds me of 20-plus years ago. I worked with AOL heavily. The AOL search team had to search AOL's infrastructure for illicit, bad content. It was pretty traumatic to a lot of the searchers and it was very manual back in those days. They automated many things, but you would come across child pornography. You would come across,

I don't think we had beheading videos as popular back then, but graphic things you never wanted to see. It took a toll on the employees, so I can only imagine.

Tom: Some of the larger contracts we support with a lot of the technology companies, have certain precautions built into our contracts. On a monthly basis, we provide different counseling and mindfulness coaches to help people deal with what they're coming across. I think it's not a great place, but the people who are really hands-on, day-to-day, there are additional resources there.

I've definitely seen that this had a great impact on our employees. It gives them the ability to talk through what they're dealing with on a daily basis and not have to take that home to their families.

Eric: It almost makes ransomware seem clean.

Tom: Ransomware is a big business. Even when we're dealing with victims, we say, just remember, you're in a business negotiation here. You are dealing with a very big profitable business on the other end. You're right, in many respects, it's much cleaner.

Eric: Much more costly, but much cleaner.

Ransomware 2022 Gang

Rachael: You were in an article, I think it was back in November about the whole groove project, Tom. I found it really fascinating that there was this RAMP, this forum that was set up. It's for all the people that were too toxic for the other ransomware gang, and cybercrime forums, so now they had to of creating their own faction.

It's like, are there moral codes going on with these ransomware gangs? Then it turns out groove was just trolling of media. What's going on with these guys? This is crazy.

Tom: It's the wilderness of mirrors. It is the RAMP environment. I think it stands for Ransom Anonymous Marketplace. It specifically stood up because as you said, the heat got a little bit too much with some of the postcolonial fallout.

As governments were stepping in and elevating this threat to a national security level, some of the traditional criminal forums started banning these groups or banning conversations about ransomware. 

It's funny, you just change the way you talk about it, and you say, well I am offering up company access, do with it what you will. We know a lot of times that's for ransomware. But they really did not want that attention.

They do not want the US government and our national security agencies coming after these criminal groups. The forum stood up to fill that void. This is actually something that we see quite often. Once there's a takedown or someone's arrested or the ransomware group goes away.

That's not the end of the problem, it just pops up somewhere else as someone steps into the void.

Rachael: You got to have a moral code, every organization.

A Higher-Level Moral Code

Eric: I suppose at some level. I would think a monastery. The monks would have a higher-level moral code potentially than some of the people that Tom's dealing with.

Rachael: You get principles. Principles, you got ransomware gang principles and you don't want to cross that line.

Tom: Early on, it was interesting, back in 2016, 2017, even within some of the criminal communities, there was an open debate about whether ransomware is something that should be done. It was looked at as the low brow, it wasn't technically sophisticated. It wasn't really something that these criminal communities really thought was interesting or novel when it comes to cyber-attacks.

There was also the moral dimension of whether we should go after critical infrastructure. What happens if it's a hospital? That debate is gone. There's so much money in this and there are so many people that have their hands in the proverbial cookie jar that it's not going away. Any semblance of thinking that there is some line that won't be crossed, they've all been crossed.

Eric: I'm sure the almighty Bitcoin took that concept or that thought right out of everybody's mind. There's always somebody willing to grab some money.
Rachael: Double extortion. What was it? The Maze ransomware, where it's not enough to get the one pass now we're going to get the two paths.

Eric: Why not?

Tom: Innovation is really the key within these communities. The maze was one, as you said, they brought this double extortion, realizing that, we locked up networks before, but we're not getting paid all the time. If someone has good backups or just doesn't want to pay, then they can't get paid from that victim.

[10:38] A Novel Technique in Ransomware 2022

Tom: Well, they came up with a novel technique to steal data before you lock up the systems. What we see quite often within this ecosystem, once there is a technique that proves to be effective in getting paid, it is quickly adopted across to all the communities.

The last count as of last month, I think there were between 35 and 40 different groups, big groups that are actively doing the double extortion and they continue to bring innovation into the space.

Eric: I read the history and evolution of ransomware attacks off your website in preparation, which was phenomenal. I already gave you the answer, Rachael, but isn't it crazy that ransomware emerged in 1989? Tom, we will link to it in the show notes.

It's a great blog article. We'll credit Veronica Drake for doing it. But how many ransomware groups are out there in your estimation?

Tom: Ransomware groups? There are over 150 different variants that are using malware to encrypt systems and try to extort victims to get the decryption keys. The larger groups that are doing the advanced scouting and have customized software are also doing the double extortion.

We see that there's been about 30 to 40 over the past couple of years.

Eric: A third, a quarter?

Tom: Yes. What's interesting here is the group that we were talking about earlier, Maze, they're defunct, and the half-life of these groups is about nine months. That's fascinating with this as well.

Eric: But is it like a startup where Maze was a good run for nine months? We made a couple million in Bitcoin, let's go start Maze too, or let's go start something else.

Going Through a Negotiation

Tom: I think it's partly that, which is there's so much money. Once you have made all that money, ironically that notoriety brings in more attention, especially from law enforcement. While they are able to cash in on their name and when they victimize someone, when you're going through negotiation with these groups, sometimes it's helpful to know you're dealing with one of the more reputable groups that have always followed through with delivering the decryption keys.

The decryption keys work, but that only lasts so long.

These groups also know they need to disband, because if they're too prominent, then there's too much attention. It's easier to break apart the group and reconstitute it under a different name, it wipes the slate clean. It complicates law enforcement efforts and attribution.

That's something that I think we have seen quite often that the groups for many different reasons will choose to cease operations. But the actors behind them, reconstitute and come out with a different name.

Eric: Unlike traditional organized crime where it's almost like they're in a specific business in a territory and they may change leadership over time. The groups literally disappear and then reconstitute in some other form.

Tom: Exactly. We know the underground communities. This is where they do a lot of the recruiting within the Eastern European cybercriminal community. We're really probably only talking maybe several thousand people at most who are active within this space, but they're making a lot of money.

They have really broken up the entire attack chain, where there are certain people that just focus on gaining access to someone's networks. There's another part of the community that just focuses on looking for vulnerabilities.

Ransomware 2022 Is a Service

Eric: They're specializing.

Tom: Absolutely. As these groups get the van back together, they can put advertisements out. They can solicit for different people to join their groups if it's highly profitable. The ransomware is a service.

People want to come to bring their talent to these criminal groups because the money is so lucrative. Being part of one of these ransomware gangs can bring in hundreds of thousands of dollars and multiple millions of dollars for some of the individual participants on a yearly basis.

Eric: How often will you run across, Rachael Lyon's ransomware extraordinaire incorporated, whatever? An individual who dips their toe into the dark net pays for a ransomware package and just goes out to make a few bucks.

Tom: It's hard to tell. A lot of these communities take a lot of care to really hide their true identity. What is interesting is as these groups we saw with the Russia, Ukraine war.

One of the more prominent groups called Conti turned against themselves and dumped internal chat logs all over the internet. They dumped details about how the organization was operating and we're seeing a lot of researchers picking up the pieces there.

They are going back through the histories. They’re able to identify some of the individuals and they're posting some of the details of these individuals online. They take a lot of care to keep themselves hidden, but again, in the criminal space, you can't trust anyone. There are slipups that these people make, and you can identify the individual sometimes.

Eric: To summarize then Rachael Lyon's sole proprietors, probably not the most lucrative way to make money, should go corporate.

High Risk, High Reward

Eric: But she has to watch her back then because if the group falls apart, people could out her, and it's a high risk, high reward.

Tom: We've seen that. That's actually quite often how it happens. Someone who's very prominent nowadays had to get a start somewhere and that start might have been four or five, six years ago. Typically, what we see happen is they had a slip-up, they revealed their personal email address and an account where you can get an associated phone number.

Once you get that, now you can start tying it back to people's real-world identities. That's something that the criminals do because they also have their reputations, they're actually tied to their criminal identity as well. There are links and there are ways in which you can track this.

The nice part and what I love about law enforcement, is they're on this case. They're looking at activities that happened 10 years ago. They are just waiting for some of these individuals to get to a place where they can nab them, and extradite them.

I'm highly confident we will continue to see people, maybe when they're out of the ransomware gangs. They've gone legitimate in their 40s or 50s, maybe they'll get scooped up finally and have to pay for their crimes.

Rachael: It sounds like these ransomware gangs have HR departments, maybe a pension. I guess would you have to go legit? Sounds like you could almost retire from them.

Eric: In Tahiti.

Tom: That's what I sometimes wonder as well, how much is enough? Because of some of these groups, I think it's pride that they don't go away. Maybe some of them have gone away and we never hear from them again.

The Sanctions for Ransomware 2022

Tom: Sometimes, I look at some of these groups. Conti, I think when the details of their wallet were revealed, it was over a billion dollars if I recall correctly. Now again, some of that is the fluctuation in Bitcoin. It's not quite as much today as it was nine months ago, but it was an immense amount of money.

Rachael: It's crazy that they're making it, it's not slowing down and in fact, it seems to be escalating, accelerating. We were talking a little bit earlier too about the sanctions, the treasury department has these sanctions. If you're a company and you can't pay ransomware to, I guess a group that's on the sanction list, that's a real bummer.

Eric: I think that's a benefit.

Rachael: It's not slowing anything down. Personally, Tom, if I have a company and I'd be like, I'm going to pay it on this side. I'll give you a little cash under the table to get my stuff back because I don't want all my business out in the world. What are you seeing?

Tom: I feel so bad for the small and medium-sized businesses who, through no fault of their own, fall victim, and their entire existence as a company is put in jeopardy overnight. 

It's not just the company, it's all their employees and all these people who are dependent upon the business for their livelihoods. That's when it becomes very real because that is what the business owners and the executives are going through. It is an existential crisis for them. This is not that they want to pay these groups to get their companies back up and operational.
 

Getting To the Point

Tom: That's an aspect to it, but many of these victims they're looking at their employees and they're saying, my God, we're not going to be able to function if we can't recover these networks. If we can't get our plans back, we can't recover the manufacturing systems that have been locked up.

That, unfortunately, is what happens quite often and the reality of what a lot of these people are going through. When we step into talking through how this process operates, we're just talking about the business aspects of how this operates. And when we step in and explain to a victim how this process plays out and there's a normal timeline, there are typical steps that happen in any negotiation.

When you get To the Point where you're contemplating a potential payment and you introduce the sanctions list that the treasury department maintains, most businesses are like, what is that? Then, when you walk them through and explain that there are certain individuals in certain countries like Iran, and North Korea, where the US government has said, you may not do business at all unless you have a specific waiver.

When you step into this, we need to also look for these ransomware gangs. Are they on this list?

The potential penalties associated with an inadvertent payment or any payment to these groups could result in severe penalties that the treasury can levy across everyone involved in that process. We've been involved in some engagements where there's been a connection to a potential sanctioned group or a sanctioned entity.

We had to explain to the company, and even they eventually said, we're not going to pay because of the liabilities associated with the potential inadvertent payment, and you just really feel bad.

[22:21] Retarget or Relocate

Tom: Well, you can pay exactly. You can also go and there is a process to request a waiver from the treasury to make a payment.

Rachael: Only takes a year or so, something like that, I'm sure.

Tom: We've had somewhere some organizations have tried that, but it three, four months later they were like, it's too late at that point, the need to get those systems back.

Eric: I'm going to argue the other point. I think if you take the incentive away if you cannot legally pay the ransomware gangs, at some point they're going to retarget or relocate. Or maybe they target Europe instead of the US, but I think there's a benefit to taking away that incentive to them. That payment stream, that's important.

Tom: Whether payments are exacerbating the problem?

Rachael: Yes.

Tom: Yes. I think that is, as you read the official line in the US government. They do not encourage ransomware payments because it encourages more of these groups to make more victims and get into the trade. We have absolutely seen the high-profile nature of these attacks and you see it in the news.

When people hear that ransomware payments are netting millions of dollars, it's making the problem worse. But the challenge here is you have businesses that, as we said, will cease to function if they can't recover. That's one where the government doesn't want to make a victim twice over by preventing them from being able to make a business decision to recover their networks.

Eric: I equate that to the US policy on paying for hostages. I believe the theory is that since we don't pay for hostages, fewer people take US citizens hostage.
 

Eastern European Gangs in Ransomware 2022

Eric: Because we don't legally pay, we tend to avoid that as a nation. Now I know there are private payments made and everything else. The nice thing is we have the military to go help us out sometimes.

Tom: Payments are making this problem worse, there is no doubt about it. The amount of money that is being funneled over into these Eastern European gangs; is attracting more talent. It is enabling them to innovate, to really reinvest in their capabilities, which is making it an even bigger threat. Now, they're even more capable than they were a couple of years ago.

It is why the US government says they do not encourage ransomware payments for that exact reason, because it does make the problem worse. Then there is the other reality, which is this is a business decision that the US government in some ways can't help prevent these things.

They can't help make a private sector organization their network security perfect. When they do fall victim it's a business's decision ultimately of whether they're going to pay or not.

Eric: I think making it more difficult to pay probably drives some incentive for the adversary to go elsewhere where it's easier. I know it's tough on the attack if you will.

Tom: I think the government is also doing the right thing. Over the past couple of years, they have taken a lot of steps to at least get the reporting of what is happening flowing back in so they can even understand the problem. I think four or five years ago, it was unclear who to report to, and whether it was something you had to report.

Victims Are Not Going to be Penalized

Tom: Do you go through law enforcement or file SAR reports if it's outside council and it's underprivileged? I think the government has taken a lot of steps to make it clear that they are not going to penalize people for coming forward for being a victim, they're there to help.

We always encourage victims who we're working with to engage the FBI because they have been a wonderful resource as victims are going through this event. To really understand what the government knows, what they're seeing across the different ecosystems.

The government, I think, has done a fantastic job of getting a better handle on at least what's going on. Hopefully, there will be more policy decisions in the future that could get us to where you're talking about, where maybe there’s a future where ransomware payments are not going to be needed.

Rachael: That would be awesome. Although I think about the US way of life in business and the almighty dollar, and it's the desperation of one's business. Would they know that you've been a victim of ransomware if you didn't tell anybody? Could you keep it on the DL and just slide a few bones over to get your stuff back? Are there ways to track that? I don't know.

Tom: I think that's always the big question. We've seen some smaller businesses that get the ransomware note. They don't have the resources to engage instant response firms who do understand the reporting requirements, or they don't have a cyber insurance plan where they're doing it themselves. I think in those situations, there's probably the reporting could be improved.

Instant Response Firms on Ransomware 2022 Threats

Tom: However, for the firms who do have cyber insurance and contact their carrier to understand if the specific incident they're going through is covered, you'll see that there is a very robust process where there are law firms engaged. There are instant response firms engaged, there are negotiators engaged.

At that point, I'm highly confident that there is plenty of reporting. There are a lot of people that really understand really the laws that govern data breaches, that govern cyber security incidents. That is where you see a lot of the reporting coming from.
I don't think it's perfect, but I think in the last couple of years, the government has made it much more clear about where and what to report and how to engage. Then, all of the firms who are engaged in the incident response, they're also aware of their obligations as well to report. I do think that there is better transparency about what's happening in this space.

Rachael: It's come a long way from where it used to be. I’ve always likened it to car insurance. I won't say how I did it, but the bumper on my car came off because I parked weirdly anyway. But I chose to pay cash for it rather than go through insurance.

That's how I think about these ransomware incidents. It's a calculation, I guess, what are you willing to pay out of pocket versus lean into the insurance and then have it go on the record? I'm not encouraging unlawful or anything like that.

Tom: Even when there are many companies when they first encounter, even if it let's say it's a $25,000 ransom, have you ever acquired cryptocurrency before?

Reporting Requirements

Tom: Do you have an account of where to get cryptocurrency? You're going to have to open that up and that exchange if it's a reputable one it's going to have its own reporting requirements.

We've seen some people try to go that route. As they try to fund it, it immediately flags different anti-money laundering features, so their accounts were locked up. They're like, I was just trying to make a ransomware payment and everything, all my accounts were locked up. I was like, yes, because there are protections in place for exactly that reason.

Eric: You think there'd be a concierge service that the adversary provides? We're going to make this easy for you. Here are the major objectives, we're going to assign Veronica to walk you through this. If you have any issues at any time, I want you to reach out via Signal to Veronica. This is what we're going to do.

Tom: You're not too far off, you're spot on. The customer support for these ransomware gangs is better than most businesses.

Eric: They're not a high bar but keep going.

Tom: They're there to help you along. They will answer questions. They’ll give you proof that they can decrypt your network. They’re there to explain where to get cryptocurrencies. They want to make it as you said, as easy as possible for them to get paid. They actually have help desks and we know that they run these and they even hire their own negotiators.

Sometimes we're dealing with the same ransomware group. One week they're very nice and accommodating and they're back and forth, and the next week they're confrontational and they're telling you to go pack in.

Customer Success Organization

Tom: You can't get any discounts and you realize you're dealing with different parts of their customer success organization.

Rachael: Nice. Customer success, that's amazing.

Eric: So, when you're working with customers, your customers, I know one of the things you do is you conduct tabletop exercises to practice. As part of that service, I'm assuming what you'll do is inform them of the landscape. This is what we're seeing. These are the typical techniques, tactics, and procedures that ransomware groups are working on right now.

Then to me, the tabletop exercise that you discuss is really a drill if you will. We're going to go through a simulated ransomware attack and see how you operate and then we'll critique it. We’ll help you understand what you can do now in preparation for a ransomware attack. Is that close?

Tom: Yes, you're really close. I think the traditional training evolutions that many organizations have done, really focused on, as you said, the TTP. How does the malware work, how do I keep it off my network, how does it propagate, and how do they get in? But it was very much focused on the cyber defense standpoint of, how do we prevent this from happening to my network? Where a lot of our tabletops have moved over the past three years, it's now at the board level.

The board and the C-suite, are asking questions about, how are we prepared to defend against an attack. What happens if we become a victim? We walk the C-suite and the board of directors through how other organizations of similar sizes have also had very good defensive postures. Who have become victims, how they responded, and walked them through the decision-making process.

[33:02] How This Ransomware 2022 Ecosystem Operates

Tom: Quite often, they asked the same questions, how does this ecosystem operate? Why is this even allowed to happen? What is Bitcoin? After we get through all of that and explain how the entire system operates, then we walk through, okay, you're a victim.

Who's going to make the decision to pay or not? All of a sudden, it's like, wait, I always thought that was going to be our CISO or someone in the technology department.

Eric: Yes, CISO. I'll give them a billion dollars of Bitcoin, no problem.

Tom: Now it's no, it's the COOs and CEOs making these calls. We've seen businesses for many different reasons make decisions to pay that are beyond just the decryption key. Sometimes, it's medical information and they don't want that spilled all over the internet. Now, it's the data where they don't want to make the payment, but they also don't want all their customers and all their health records spilled online.

Personally, if one of my doctors was impacted, I wouldn't want my medical information all over the globe. I still know it's stolen, and I still expect to be notified.

But there are these types of situations where there are other decisions at play. We walk the decision makers through how other people have done it, and the different curve balls that always come in. It really has helped them better understand how they would respond, who would be making decisions and how communication is going to flow.

Who's going to be controlling the media inquiries and how you're going to notify the relevant regulators?

The Most Important Things a Business Should Do

Tom: It has really been eye-opening in many different ways because this is something that should not happen. This environment shouldn't be allowed to exist, but it does. Many businesses are now thinking through exactly how they would respond in a similar situation.

Eric: I'm going on record here saying, to me, this is probably one of the most important things a business or organization can do in preparing for their cyber defensiveness. Because it's easy to go back to the board or to the C-level and say, we need to buy firewalls. Who cares what the technology is? But you miss the why many times.

Even when you explain it, you have somebody on your board of directors who's never dealt with cyber security, they don't fully understand. You put them in that role-play effectively, that tabletop exercise, that walkthrough, whatever you want to call it.

I really think it becomes real for them, it becomes more personal. Wait a minute, I'm involved in this decision as a member of the board or as the CEO I'm involved in, what do I do about it?

How do I prevent this from ever happening? What do I need to do? Well, let's sit down and talk through that then. We had a session on cyber ranges a couple of months ago but being able to go through and actually war game and imprint on somebody's mind, something that they just weren't aware of. What's the likelihood of cyber activity?

I don't know. It’s pretty low until we get hit then it's really high. I think that's an amazing activity. No question statement there, check me in 10 years and I may be totally off base.

Is My Organization Protected From Ransomware 2022?

Tom: I think you're spot on. The questions that come from the boards after they go through this tabletop are a complete 180 from where they started, and it is very real. What's also interesting, is then they say, well how well is my organization protected? They have invested in all those firewalls and the controls that you spoke about and say, well, what else could impact us?

Then you say, well, all of our critical third-party vendors who have privileged access to our networks. It's like, wait, what are we going to do about that? How are we going to monitor their health?

That's where this now becomes an even bigger problem. They realize that this is something that is going to be something we're all dealing with for a long time. It is something that there is no silver bullet solution. As you said, it's the layered defenses. It's doing the basics. It is making sure that you have a plan in place.

It's making sure that you continue to track what's happening in the larger ecosystem because the threats just continue to change. They change tactics. Once you shore up one area of your network, they're looking for the other one that you weren't even thinking about.

Eric: But you're educating the decision makers on the art of the possible. You're giving them the ability to ask open-ended questions instead of binary questions. Should we upgrade our firewall infrastructure? If you're at the C-level, it's I don't know, I need to use this money for an inventory asset management tool or something, which one's more important? That's more targeted to the business.

Open-Ended Questions

Eric: I don't think you have that understanding of why and you can ask those open-ended questions. To me, it's a great and highly needed exercise that I'm betting most companies never do.

Tom: More and more are, which is the silver lining. I think the other part of it is, especially for many of the larger organizations, they have this impression that they spend enough, they're secure. Then, when we walk them through, one of their peers in their industry who had the same level of investment in the same defenses was impacted. They're like, now I need to better understand what else we need to plan for.

Eric: Let's hit the tabletop, you've now been impacted, your operations are down. Your data's encrypted, you need $5 million to get out, your employees can't work, they're calling. You start going through that exercise, I think it becomes real. We did an exercise at Cipher Brief, a conference I went to I think it was last October. 

I talked about it on the show, but it was at the national level where we had the president and the secretary of defense simulated of course. We had industry and we had the intelligence agencies and DHS and everyone. I really think that exercise opened people's minds. People who are very powerful make decisions every day about the inner workings of the government, just the government in that case.

When the commercial industry was getting hit by a ransomware attack, a scaled out, large ransomware attack, not just one organization, it opened everybody's eyes. Just how do we communicate? What are the lines of communication? The roles and responsibilities? I think you need that within a company. But I've beaten this one down, we need more of it.

Ransomware in the Next Few Years

Rachael: Given all this, what do you see in the next few years? I don't think we're going to get ahead of it, we can all say that. But are we going to get closer to, I don't know, can we troll back? There's got to be some recourse we have to gain some foothold versus just these really strong defensive. They're trolling us, can we troll them?

Can we so indecision or I don't know, some fear. I don't know, but what can we do as organizations, like Joe public? What can we do to help get ahead or get on even footing?

Tom: This is one where I think from the government perspective, I get the impression there's a lot more going on behind the scenes. Since this was elevated to the national security level, we have seen a lot of groups be taken down. Their infrastructure has been taken offline. You have seen sanctions against different crypto exchanges and different mixing mechanisms that had been used by these criminal groups. 

We have seen the infighting, we've seen the details about the inner workings of these groups, and all of a sudden, they are online. I just have a suspicion there are many people who are actively trying to disrupt these groups' ability to coordinate, to have that safe haven.

While we might be doing this all in cyberspace, there are still ways in which I think there is having an impact with at least sowing some discord within these communities. I hope that continues because that just makes it a little bit harder for these groups to continue to operate with reckless abandon. From the victim's standpoint or the organization's trying to protect themselves, it is so cliche.

[42:25] Cyber Hygiene

Tom: It's cyber hygiene, two-factor authentication, the multi-factor authentication. I’d say that for your personal accounts as well. I even tell my family members, your Gmail account, just enable the multi-factor authentication and it is going to prevent 95% of the bad things from happening to your account.

If people could just do that simple thing, we'll be in a much better spot. I think organizations, same thing. It's making sure that they understand where people can access your network and make sure that you at least have strong passwords and you rotate those. You have additional protections in place to just monitor because that's where a lot of these threats continue to get that easy foothold.

Eric: Is it safe to say that by making yourself a more difficult target, the adversary will just go to the easier targets and you're probably safer?

Tom: You're probably safer, absolutely.

Eric: If you're patched, if you're using multi-factor authentication, you're a more hardened target. The likelihood is unless somebody is absolutely targeting you personally, or your business, they're just going to move on to easier, more open targets.

Tom: Most of these attacks we've seen are opportunistic. It's exactly what you said. They're using tools that are scanning the internet for some unpatched system, for something which they have an active exploit for. Then they start their operations from there. So yes, if you make yourself a harder target, they are not going to persist and come at you over and over again, they're just going to move on.

Eric: Good advice. That's not super costly, both in dollars and or time.

A Bridge Too Far

Eric: I know multi-factor authentication is a pain in the, you know what, but it's not horrible. Rachael, are we using it at this point? We had a debate a couple of months ago that multi-factor authentication was a bridge too far.

Rachael: Such a hassle, but it's good.

Eric: Are we using it? The question on the table is, are we using it on the important account?

Rachael: I am. It's just I have two phones and sometimes I got to authenticate on the other phone. I don't have the phone with me. You know what I mean? I wish it was easier, but I guess that's the point, it's not supposed to be.

Tom: I will tell you one of the things, Flashpoint has processed all the exposed usernames and passwords that we've ever observed. We are able to look up someone's email address, and even for me, I'll pull up my email address and you see all your passwords and you're just like, oh my gosh.

That really drives it home. It's 40 billion credentials. When you see the malware, what it's stealing off your computer nowadays to include all the cookies in your download folders. It's pulling off all those files as well. When you look at this, you're like, okay,

I'll put on the multi-factor authentication.

Eric: Any chance we could get as a benefit of the podcast here, just a quick view into Rachael's life and send it over to her? I don't need to see it, but maybe if she saw it, like the tabletop exercise, it would become more real, more tangible.

What Showed Up in the Dark Web

Rachael: Some things you can't unsee, I don't know. I get the alerts. You showed up on the dark web or whatever, sometimes. I don't know what it means, but I just figured it's probably already out there. I can't even remember my passwords though. So, I don't understand how other people can get if I don't even know what my passwords are.

Eric: But do you use a password manager?

Rachael: I don’t. I just make up random passwords.

Eric: Test me. Password manager, good, bad?

Tom: Indispensable. Need to have it.

Eric: Encrypting your data? Probably not a bad thing.

Tom: Always a good thing.

Eric: Multi-factor authentication, we've already talked about, and then patching. If you can do those four things,, you're probably better off.

Rachael: Definitely. But it's just inconvenient, that's all I'm saying.

Eric: It is, but the same thing applies to governments, to businesses, everybody. It's the basics that will prevent the bulk of the issues.

Rachael: You're right. You got to stop thinking that, why would they want me? I don't have anything of interest, but I guess I'm a gateway to you. And I got to do it for the greater good, I think is what you're saying. We have to think that way.

Eric: Just protect yourself.

Tom, I wanted to talk about attribution. It's one of my favorite topics. I know we don't have enough time for it, but it's been great having you on the show. Hopefully, our listeners will take a little bit of this. If you just look at the history of ransomware, it's growing. We know that from the data.

Rachael: 1989.

The Attribution of Ransomware 2022

Eric: It's not going anywhere anytime soon, so we have to do a better job of dealing with it.

Rachael: I would love Tom to come back, we could talk about attribution. We could talk more about surfing the dark web because why isn't there a browser? I just want to Google for the dark web so I can just go see, what if I want to buy a puppy or something?

Maybe someone's got a good rescue dog on the dark web that I can't find elsewhere.

Tom: There are a lot of legitimate reasons that people want to anonymize their browsing. I think it's going to be something that’s going to become easier and easier in the future as more people become privacy-aware. They don't want to be served up advertisements, they're like, how did someone know I was searching for drapes?

Eric: There aren't a lot of legal puppy sales on the dark web though.

Tom: There are more and more things that are legitimate.

Eric: That's part two. Next time you're on we want to hear, what you find on not illegal, but legal puppy sales on the dark web. Rachael, you're probably okay on the old World Wide Web there, the dub-dub-dub.

The VPN at Home

Rachael: Maybe I don't want people seeing how much I search for puppies to adopt, they'll think I got to thing. There's something to be said for privacy. I'm all about that. I haven't really figured out the VPN at home thing.

That's on my to-do list to learn. I think over time we're all going to get more savvy for sure, in the world that's to come. That's a conversation for another time with Tom. I hope you come back and join us.

Tom: I would love to.

Eric: Tom, thank you for joining us today. For our listeners out there, hit the subscribe button. Give us feedback on what you love, and what you don't love about the show. We're here for you, so we want to hear from you. Tom Hoffman, Flashpoint, thank you so much for your time today.

Rachael, good luck with the dark web puppies. Maybe spend a little more on multi-factor authentication. Take care and have a great week. We'll catch you next Tuesday, same time, same channel.

About Our Guest

Tom Hofmann leads the intelligence directorate that is responsible for the collection, analysis, production, and dissemination of Deep and Dark Web data. He works closely with clients to prioritize their intelligence requirements and ensures internal Flashpoint operations are aligned to those needs. Mr. Hofmann has been at the forefront of cyber intelligence operations in the commercial, government, and military sectors, and is renowned for his ability to drive effective intelligence operations to support offensive and defensive network operations.