- We've all heard the horror story. Some of us have even lived it already. You log onto your computer to start another busy day and you're confronted with the red screen with a skull and crossbones and countdown clock that is already counting down. The message on the screen is stark and chilling. Your files have been locked. You must come up with the ransom right away, or your files go public. You suddenly realize that everything you need to get done is now locked behind that screen. You have been dragged into the world of ransomware, which is now a modern-day and full-scale organized criminal enterprise. We'll discuss the many aspects of this modern-day criminal enterprise and compare two of the most notable ransom hacks: Saudi Aramco in 2012, and the U.S. Colonial Pipeline nine years later in 2021. This is the 10th episode of Know your Adversary.

- It's a pity that we call it ransomware. It's the word now. It's extortion, really, of all kinds.

- This is Guillermo Christensen, Managing Partner of the Washington DC office of law firm Ice Miller. Given the sensitive nature of his work, Guillermo wants to make it clear that even as a partner of Ice Miller, what we are about to discuss are his personal views and experiences in high-stakes ransomware investigations and negotiations. After spending some time working for the Central Intelligence Agency, he now runs the national security practice that manages high-end cybersecurity, including sensitive government investigations dealing with sanctions. One of the key issues that keeps him busy is the type of ransomware that hits very large organizations. The type that, when they stop operating, we all feel it.

- The kind of extortion, ransomware attacks that most people are dealing with most of the time these days tend to be things like, you come into the office one morning and all of your computers are apparently crashing. The network is down.
And initially, probably most people will think, well, somebody did an upgrade last night and it didn't work well or something, right? And then when their IT team digs into it, they begin to see that this is something much more serious. And usually, what I'll call that cold shiver down the back of your spine comes when they see the ransom note. Which is usually just a text file left on some part of the network that hasn't been completely destroyed.

- Perhaps the most infamous ransom attack happened to the biggest company in the world in 2012, which was the oil giant, Saudi Aramco. This is because this attack was not about stealing emails and HR records. It was about getting access to the valves and pumps that make oil flow and bringing mass disruption. And that in a world that still runs mostly on oil, where even a hint of trouble hits people at the pumps and on the markets.

- Most of the energy sector and most critical infrastructure usually has two types of networks. IT, so the same kinds of networks that most companies have, email, databases, customer relations, all of that stuff. Critical infrastructure, pretty much anyone that deals with things that move through the internet. In other words, they have switches. They have devices called PLCs that control whether a valve is open or not, or whether an elevator goes up and down. They have something called an ICS system, an OT system. It's basically a system that controls devices through the internet protocol. Traditionally, those systems were not supposed to be connected to the internet.

- This becomes the weak point for companies in heavy industry. Because an internet-connected OT system becomes extremely vulnerable. Especially when it comes to hands-on management of the system from traditional IT networks and outsourced IT vendors.

- So rather than sending people on site to manage those resources, hey, let's open up links so these guys can access this stuff outside the office.
Of course, the moment you do that, you also make it possible for anybody who can get access to that network from outside to actually get in and mess with things that potentially could go boom, or if they stop, something bad happens. The attackers targeted their IT systems. And in the course of that, they, I will say, degraded confidence in the security of the entire network, including the SCADA systems, the ICS systems that control things.

- This is what happened at Aramco. The system was breached and then it had to go into full alert and triggered emergency measures, like giving gas away for free.

- And so, Aramco started shutting everything down and that included not being able to pump gas at their stations in Saudi Arabia. And so, that started to cause a lot of issues. Eventually, they just began giving the gas away until they were able to recover the systems. And different attacks that they've been hit by have been tremendously damaging. And in one of these, over 30,000 computers at Aramco were effectively destroyed because the attackers implanted a piece of malware, not unlike ransomware, that destroyed the boot-up sectors of the hard drives. So the computers were basically dead.

- The scale of this attack was huge, but the attackers didn't want a ransom. They just wanted to destroy. 30,000 computers at Aramco were effectively destroyed because of the malware that was implanted, called Shamoon. Aramco IT had to go and buy 30,000 new hard drives. In one fell swoop, it bought 50,000 hard drives. The company paid higher prices to cut in line ahead of every computer company in the world, temporarily halting hard drive supplies to everyone else. World supplies of hard drives, already backed up because of flooding in Thailand at the time, as one example, became even more constrained. But the damage goes far beyond the drives and the computers themselves.
- When you have an attack like that, if you aren't well prepared on the left side of the boom equation, you haven't got a good idea of how bad this attack could be, how far it could penetrate. You know, if you're being careful, if you're being cautious, you tend to shut down as much of the infrastructure as you can, in order to avoid network lateral movement, which is one of the nightmares for network administrators.

- This is the type of attack that replicated itself in the US with Colonial Pipeline in May 2021. When people don't know the extent of the damage, they're forced to shut everything down.

- They were primarily or solely breached on the IT side, but they had no idea what was going on, from what we've been able to read of the reports and what people have said. And so, they also shut down the pipelines and the systems connected to them, 'cause obviously a breach of a pipeline control system could potentially cause some serious disasters as pressure builds up, valves are closed and opened. We've seen this in tests that were done years ago with large generators that basically were destroyed by cycling power on and off in a haphazard way. So, they did that and at the end of the day, the Colonial Pipeline attack is best viewed as one that has immense political repercussions, because what happened then was everybody understood fuel to the East Coast was going to be curtailed, prices shot through the roof, politicians became involved and the issue became very hot in a negative sense.

- So going back to Aramco, one of the goals of the investigation had to be to find out who was responsible.

- Attribution of attacks like that is time intensive, but eventually we figure out where they come from because digital crime is inherently traceable. And it's not always because you have the digital crumbs to follow; it's often because there's a gap where you should find data, or there are gaps in certain things that give you a fingerprint of how the attacker worked.
Especially, the Iranians and others were not quite as good at covering their tracks as they are becoming these days. So, I think the attribution was: where did the implanted malware get in? How did it get in? How was it controlled? And of course, with an attack on Saudi there aren't that many likely perpetrators. Because at that point, it would've been a sophisticated threat actor. And when the Saudis find out, when the US finds out, there's gonna be some retribution. So, it's not likely to be someone that would be susceptible to feeling the pain that could be inflicted that way.

- A sophisticated attack like this needs sophisticated players. And this means either a well-organized criminal gang or a nation state actor, but regardless they use techniques that drill down most often to the most obvious weakness. And in sophisticated computer network exploitation operations like this, all the different phases are typically done on a series of redirectors and misattributable infrastructure. So, work done on spear phishing, reconnaissance, exploits, exfiltration, lateral movement, first stage and second stage implants, setting the ransomware, et cetera. It's typically done by different people on different networks, with different segmentation in between. But back in 2012, Iran didn't have these capabilities and they mixed and matched the different stages. Thus making attribution pretty straightforward.

- So they launched probably one of the largest incident response efforts, short of something, you know, probably the OPM hack or something in the US. They brought in almost everyone that they could to quickly get to the bottom of the situation. Understand that the production side of their network was not affected and forensically attribute, not just who did it but how they did it, so that they could quickly understand that it was limited to certain parts of their network and then begin restoring and rebuilding.
The delivery method in all likelihood was a combination of some type of phishing or credential compromise. And in the case of Colonial, the likely entry point was a VPN, a virtual private network, that we use for security because it guarantees some encryption as you go through the internet to get to your network. But it was one that was end of life, meaning it was no longer supported. It was no longer getting updates and patches and was known to have security vulnerabilities. And I think I also have understood that that system was supposed to be taken offline. And at some point you move into a new piece of software and they forget about the old system. They leave it up because usually, you want to have it there for backup in case the new system doesn't work as expected. But nobody ever goes and shuts it down. And while it's open, while it's running, whatever vulnerabilities there are are just as accessible to someone else. And so, that's apparently one of the ways in which Colonial Pipeline was breached. And one of the difficulties with a lot of our networks is, once you are in and have compromised a user's credentials, it's often not that difficult to elevate your credentials. In other words, you and I usually are working with what I'll call just basic user credentials. I can't install software. I can't change network settings. I can't do things that potentially could be harmful. I need to be an administrator either on that local machine or the network. Usually, if you get on someone's machine, you can often find the credentials for those administrators, especially Windows machines. And if you can do some magic on them, which is not a lot of magic, basically hacking, you can then acquire the ability to elevate. And once you elevate, you then open the door to the rest of the network and you can insert malware designed for ransomware purposes that spreads laterally throughout the network very quickly.
- From the moment an attacker gets a set of credentials and gets on a network, they can elevate and take over a system in a matter of hours. This gives even the most sophisticated security teams little to no hope, let alone a small business with no security resources. They simply don't stand a chance against ransomware gangs. This means organizations are often left working blind, not knowing what to do, who to talk to or how much to defend.

- In the initial hours of the response, it seems pretty clear that the Colonial Pipeline team had no visibility into how far this attack was moving. And one of the things you do when you are aware that you've got lateral movement, fast-moving ransomware or malware in an environment like a network, you have to start disconnecting at a minimum, if not powering down, the key nodes that connect the network. Because otherwise this thing spreads like wildfire. Your security team is going to say, we need to bring the network down. That's their main tool for responding. It's a little bit like you've got a wildfire and it's the break. The fire break that you've got built, or you try to build to slow it down. That's the first thing. Now, one of the difficulties when you bring your network down is you also can't see what's going on. So then you've gotta start thinking about where do I bring up various parts of the system so that I can see the extent to which they may have been compromised or not. And that's a very complicated process, but if you're trying to bring a system back up like that and you haven't tried doing that before, it's not easy. It's probably one of the more complicated things you can do in the IT world because of system dependency. So in other words, one network can't really function without having the other one, without the data flowing through. So isolating them, figuring all that out, especially in the middle of a ransomware event, is a pretty challenging process.
So you're gonna have to bring in people who are gonna have to learn about the network because they probably didn't know how it worked before, your incident responders. So it takes time.

- With pipelines, these connections aren't just computer based. There are multiple systems that kick in. Pumps and devices connected to other devices that need regulators and fail-safes. Simply turning off a tap somewhere could lead to an over-pressure situation and a critical failure or explosion. And these types of situations can't really be practiced as a drill.

- Bringing the pipeline systems back up as the whole pipeline is probably something they don't do ever, even if they did it in practice. Tabletop exercise type things, doing it at the whole thing in one go is a big, big lift and doing it again in the middle of, we're under attack, is a horrible situation to be in.

- In the case of Aramco, where their billing system was the target, their contingency was to continue to deliver gas to the nation's gas stations and give it away. Which is something that could not be considered in the United States.

- The system for distributing gasoline in the United States is very different, I suspect, than in Saudi. Most of the stations where you go pump gas in Saudi are probably owned by Aramco. Whereas in the US, when you go pump gas at your local Exxon or Shell, it's a mom and pop franchise. And in fact, a collection of them are now suing Colonial Pipeline in a class action because they lost a lot of business when they weren't provided with fuel to sell.

- So now we bring DarkSide into the picture as a routine varsity league player in ransomware extortion as a service. They have numerous levels within the organization. Sellers, access brokers, malware developers, operators who conduct the attack and negotiators who collect the ransom.

- DarkSide is definitely one of the most sophisticated, or was one of the most sophisticated, groups.
They really developed some of the now commonly used techniques. They were very good about figuring out the way to pressure victims and to operate the model that's now almost standard, where different teams, different parts of the business, focus on different parts of an attack. So, in most people's kind of conception of how hackers work, it's one, usually a guy in a basement with a hoodie, fingers on the keyboard, you know, doing magic, right? Mr. Robot, that kind of stuff. These teams operate much more, I would say, like a business, but also like governments operate in this space. So they have teams that are charged with figuring out how to get access to compromised credentials. And there's now an entire industry of access brokers, people who buy and sell login credentials and vulnerabilities in systems, very lucrative. You also have those who design the malware and tweak it for new systems. Every time a malware sample is out there, all of the software security firms will analyze it and will put that fingerprint, so the way to recognize it, into their system to try to block it, identify it. So there's always, there's a fight there. They've gotten now to be good enough, in many cases, where one of the first things they do when they gain initial access is to turn off those security, those pieces of security software. So that they can operate relatively free of interference. Then you have a team that, after the initial entry is done, and it's usually a combination of either phishing emails, remote access, or other things like that. Once they've gotten in, then you have another group that specializes in elevating the credentials. And they use tools, often the same tools that we on the defense and the security research community use, things like Cobalt Strike, a very powerful tool that the criminals have exploited incredibly well. And they use those to begin embedding things we call beacons and the other tools in order to understand how the network works.
And that's really key for them. They want to know how can they do maximum damage quickly?

- Speed is of the essence, because ransomware is very different from data theft. After all, this is a crime, not espionage. So criminals have return on investment concerns as well.

- In ransomware, unlike with data theft, you don't wanna hang around very long. Because if you get discovered, you get booted outta the system and you lose all that. Whereas with data exfiltration, IP theft and things like that, you need to move very slowly and slowly get the data out without tripping the sensors. So, with ransomware, you wanna move in fast, get basically all of the pieces lined up so that you can hit the network hard where it hurts. And that's where their developers are getting better and better. Now, we often see ransomware that encrypts very small parts of key files and it's enough to cause damage.

- Once the crime has been committed, attention then goes to the consumer-facing side of the organization, who negotiates the ransom.

- When you find the ransom note and you go to their, usually it's going to be a Tor site. Some of them use ProtonMail, other anonymizing types of communication systems. You'll reach out to them. And that's when you start the negotiation dance, which is sometimes one of the most interesting parts. And certainly, one of the most frustrating parts for the clients when they're talking about how do we negotiate millions of dollars of reductions in ransom demands with a group of criminals who are sitting far away and you can't really do much about them.

- It's a perfect parallel for legitimate businesses. When tech companies scale, they have to pivot from designing and servicing individual clients and build for the mass population through a platform. They acquire specialists in marketing, sales, engineering, customer success, and product management as examples.
Ransomware gangs have the equivalent of these specialists in access and data brokers, exploit developers, operators and then the consumer-facing side. So they can attack thousands of organizations, not just a couple. And they operate in a platform, meaning the gangs have modules that connect together for different users at different stages. The access brokers have their module, the technical operator doing the hacking has their module and the negotiator also has their separate module. You can see the pattern. After all, this is precisely what a platform is. It's not just something that you log into that has connectivity to the enterprise. It's different modules that have interoperability and connectivity to gain efficiencies and speed and profits. And that's exactly what they do.

- So today, you have most of these groups operate on the basis of something called ransomware as a service. They've created a platform that does most of these things for someone who's got the information to be able to access a victim system and bring them down. And their affiliates, people basically sign up to operate on that platform and they have to pay for it. They're vetted, because many of the platforms don't want amateurs who might bring more attention to the platform and who don't succeed, because then they have a certain reputation, right? So when I'm engaging with a threat actor, if I know who they are, I can tell, look, they're going to be reliable in these areas. Their decryptors will work or won't work. They follow through. There's really a reputational issue here. That's almost integral to the business.

- The sophistication of these groups goes far beyond their abilities with hacking technology and even customer service. They also know who they're going after.

- Many of them now have a pretty sophisticated front end where you will see information about what they know about you. And they've often done their research.
They use ZoomInfo, for example, to figure out your revenue, your scale, et cetera. So, you really can't try what I've seen a lot of negotiators do, which is, oh, we're such a small business. Yeah, last year your revenue was $5 billion. That's not a small business, right? So they know a lot about you. And on that portal, it'll tell you often how much time you have before one of two things happens: the ransom increases, or they begin to leak the data that they took out of your system. 'Cause as I just said before, most of the time they want to get in fast, hit you and start that process. Some of the more sophisticated ones have learned if you can take sensitive information that the victim does not want publicized, you get to do double extortion. So you're extorting them not only to get their system back, but also to keep that data from being publicly leaked. And that is very powerful. In fact, we often have cases where we're only paying the ransom in order to keep the data from being leaked, which I find even more painful than paying ransoms.

- Guillermo's team is brought into action to assist with the negotiations. It's important to start with the old school negotiation technique called proof of life.

- I don't particularly like that statement. It's a carryover from traditional ransom negotiations when you have a person. In the context of a ransomware incident, what you're usually doing is you send them two files that were encrypted or something that was encrypted on your network and they send it back decrypted. So they show we have the decryptor key and we can decrypt. And that's when you start really talking about the money.

- And like old school negotiations, it's a three-sided game. With Guillermo's team talking to the criminal organization. And then back to the victim company to work out some sort of deal, depending on how desperate or confidential either side is. As time slips away, the pressure on both sides mounts.
- The closer you get to the end stage, the final number and whatever that's gonna be, it starts iterating and moving much more quickly. And I do this with a team and we're often having hundreds of different discussions before we even go to the next stage in the negotiation, because you really wanna understand, I mean, I hate to say it this way, but what's the best outcome for both sides. Obviously, my best outcome would be that my client, the victim, figures out a way to restore their system without having to pay. And they figure out that the data was not really exfiltrated, and that happens. And I also like it when the victim company comes in with a very strong desire not to pay the ransom for many reasons, including we're patriotic. And we don't wanna send money to bad guys in bad places. I think that's outstanding. I do wish sometimes that they would've been thinking about that before and they would've done the things that we tell them to do so that they avoid being in that situation. But we deal with the hand we're dealt.

- With Colonial Pipeline, the process was pretty cut and dried. With the US Eastern Seaboard quickly drying up, there was just one priority. Get back to business.

- Based on the timeline, which is that they paid, I think, inside of 24 to 36 hours, don't hold me to that. But it's certainly within a matter of days, there probably wasn't much of a negotiation. It probably was what do you want? Okay, we'll pay it, because they were clearly desperate to get the system back up as quickly as possible. And so, they probably paid very close to the actual demand, which again is unusual. We always, I think almost without exception that I can think of, get a reduction, usually a pretty decent size reduction in the amount by taking time. And they clearly felt they did not have time.

- The negotiation business has a number of intricacies as well. This is a practice that requires some up-to-date analytics and years of experience.
And the outcomes can depend a great deal on how well you know your adversary.

- I've had negotiations that have taken a couple of days and gotten a 50% reduction. I've had negotiations that have taken several weeks and have led to 30, 40% reductions. The most, I think, you can usually get is around 90%. And we have seen those with different groups, and every group has a different approach. And then when you add this issue of the affiliate operating on the platform, they may have rules on just how much they can also negotiate. Because again, there's a reputation here. If every time you get attacked by Hive, for example, which has been negotiating much larger discounts than others, you know you can probably get them down by 70 or 80%. That's what you're gonna aim to do. And so, much like buying anything, you know, at a bazaar or a car, if you know that everyone's getting a 30% discount, you're not gonna stop until you get at least 30%. And you're probably gonna want at least 35%.

- How do organizations know that the ransomware gangs aren't going to leak their data, even if they pay the ransom?

- Often, what happens is these groups maintain a leak site that is accessible, not necessarily to everyone, but accessible. And they begin by dropping a few percentages of what they've acquired. And they'll say, you know, you've got 48 hours, 72 hours to begin negotiating, or we begin putting more of this up. And we've seen some cases, and they're unfortunate, where people have not engaged with the threat actor. And the threat actor then begins increasing the amount of data that's showing up on the leak site. Security researchers monitor those sites and it quickly becomes public that Company X has been attacked. And so, obviously they already know they've been attacked, but pretty soon it becomes a public relations issue, which is another aspect of these response scenarios that's very difficult to manage often.
- And the reputation with the most professional organizations does extend into the resolution of the attack.

- I would say, generally speaking, most of the groups now tend to follow through on providing you with a workable decryptor. So it's a utility that will decrypt your files. And most of them appear to follow through on the commitment not to leak the data on their leak site.

- Sometimes the decision to pay or not to pay requires input from Guillermo's team. Circumstances such as whether the victim company can bring back the system without decryption, whether it has backups and whether they can actually be restored.

- We will walk through. And I, you know, have an entire sort of set of questions that I work through with my clients. What's the value, right? Value, time, calculation, for the system, for your business. And usually, if we can sit with a business unit, the CFO, for an hour or two, we can usually come up with a number that then rolls up. And that's really helpful because, like in any negotiation, if I can anchor it into numbers, I'm in a much better place as a negotiator and as legal counsel to be able to give them a sense for do it, don't do it. And I do almost without exception give clients what I will call my opinion, 'cause it's their choice, but I will give them my opinion based on what I've seen. I wouldn't pay in this one, or I would. There are a lot of lawyers, I think, who probably don't feel comfortable giving those opinions. But I think that's one of the things that people are asking and paying for, is to get my opinion. And of course, they do what they feel is right. The much more difficult one is the data exfiltration. Because we can't give them a guarantee. In fact, we're very, very clear. We have no idea where that data's gonna go. It will probably show up somewhere else. So if you pay for this, you're just buying a small part of the protection. There's an unknown that's very hard to quantify.
- The Colonial Pipeline incident revealed another interesting element of the forensics of ransomware resolution. And that was in the supposed secret money trail.

- What's interesting about Colonial Pipeline, though, is something that we very rarely see. And that is, when the payment was transferred to the wallet of the threat actor, they had made a mistake. They had somehow compromised the key, the private key for the wallet, and the FBI had it. And once you have the key, it's very easy, you just move it to another wallet. And so, that's what they did. So, the FBI, I think, was able to recover at least half, if not more, of that ransom. So, pretty spectacular success, I think. Obviously, now that the bad guys know this, they're gonna be even more careful about making that mistake again, but still, kind of nice that once in a while things work out well that way. The payment structure, the way the payments work, has become fairly standardized. You usually involve a third party. And I work with a couple that provide outstanding service in this area, that have access to sufficiently large amounts of cryptocurrency to be able to make a payment very quickly. Especially things like Monero, which is much more difficult to get in large amounts. You need to have people who can raise it. And I do still sometimes hear people asking, well, should we get some cryptocurrency just in case? And my answer always has been no, protecting a digital wallet is itself a major security problem. And obviously, cryptocurrency has, you know, fluctuated quite a bit. You don't need to do that. There are people there who can help you when you need it. And basically, the way it works is, once we've reached a point where we're gonna make the payment, we test it. We send a small amount to the wallet to make sure that it's the right wallet. And if you've ever seen a digital wallet, it is a very long line of incomprehensible characters, so make sure it goes to the right place. We get confirmation.
And then typically, the wallet is the victim's wallet and we deposit Bitcoin into that. And then we help them to make the transfer. There's sometimes variations on that, but it's pretty straightforward. And there are blockchain analytics companies, more and more of them, that have almost real-time capability to see the movement of the cryptocurrency through the system. But I think it's still nowhere near fast enough for law enforcement to act on it for each one of those. 'Cause that is pretty intensive. And the other issue is the bad guys are not operating on what I'll call the established, above-board exchanges, where you could go and say freeze that. They're operating on these sort of off-market kinds of exchanges. Some of which the US government has been sanctioning, meaning you can't operate on them. And those are the ones that basically don't do, you know, know-your-customer types of diligence like they should be doing. So pretty much anybody can be on them and they can be transacting, moving crypto around. And in some cases also transferring it, basically cashing out in fiat, whether it's rubles or whatever else.

- This is a high-stakes business with a great many pressures from threat actors, but also from an inconvenienced public. And the use of cryptocurrencies as a place to launder and hide ransoms adds yet another layer of complexity. And as with much of cyber crime, the bad actors vastly outnumber the good guys.

- I think the FBI is doing good work in this area. They've really been trying to keep up with the threat, but there's only so many special agents. I think, probably 10, 15,000 in the country. Only a small percentage of them are doing cyber. On the other side is a very large population of bad guys doing this, nowhere near the same levels. But to put it into context, one of these IT specialists working in a group like DarkSide or Conti can make probably 30, maybe 100 times what they could make as an IT engineer at a company working legitimately.
It's big money and relatively low risk, even if they're put on the list, because most of them figure if they're in that business, they know they shouldn't travel to places that have extradition agreements with the United States or would put 'em on a plane and send 'em over here if we pick them up. - So where does this all end? Ransomware certainly isn't going away. - I don't think you can stop this. I think this is a long term management of a threat kind of a problem, similar to crime, terrorism, all those. I think what you do is first you target the most dangerous part of the spectrum. Much like with terrorism, you target those who can fly planes into buildings, set off dirty bombs and things like that. In this case, I think you target those that have the capabilities to do very serious harm on large-scale enterprises. And then you also help those enterprises to defend themselves better. Then there's an entire additional part of the marketplace that remains vulnerable as long as they don't do the five or six things that largely make you much less susceptible to being attacked by ransomware. And that's probably a combination of better cyber insurance that requires you to do things before you get the policy. And to some extent, making it more difficult for the criminals to get away with the money. And that's where the OFAC sanctions will probably be instrumental. I have been expecting the Treasury Department to put more groups on their list. Right now it's just a handful, Evil Corp, Lazarus, which is North Korea. Those are the ones that are on the list, but as they, I think, amp up their interest in this area, they can probably put a lot of other groups on there. And how they do it is gonna be very interesting. And it sort of brings us back to what we do and what we've done in the past, which is, people are gonna need a lot more intelligence about these groups, the attribution.
Because as soon as a group understands that they are not gonna get paid because they're on the list, they're obviously going to do everything possible to look like someone else. Either someone else that hasn't been identified yet or someone else that's not on the list. So attribution is gonna become much more difficult to do. And we've already seen one of the groups that's been the most active and probably one of the most successful, a group called Conti. A lot of people in this space are not engaging in negotiations or making payments to them, because they had some leaks, their own leaks, where it became very clear that some of them are certainly sympathetic to Putin. And also, may have been collaborating with the FSB, the Russian Internal Security Service. So, that's another one of those situations. And obviously, the North Koreans, for example, being unable to get hard currency because they've been sanctioned almost completely, almost airtight by the United States, are doing their best to try to get hard currency through crypto. And they're doing apparently a pretty good job of hacking cryptocurrency exchanges, but also ransomware, in order to raise those funds. And that's, you know, if you have a ransomware group that you're dealing with that you can attribute to North Korea, you have a very serious problem. - One thing companies and organizations can do is do their diligence on the types of technology they're choosing to employ. Fear, uncertainty and doubt are unfortunate hallmarks of a cybersecurity industry that is always interested in marketing the best thing without backing up the claims with genuine results. Worse still is when money that could be used to hire talented specialists goes to these packaged solutions instead. - I've seen an enormous wave of companies, talent, innovation, moving into this area.
Unfortunately, like everything where you have a rush to innovate in an area that no one has previously really been involved in, there is a lot of chaff and probably even snake oil in this. One of the things that we often encounter is the inability to discriminate between good and bad security solutions, and marketing is a big part of those efforts. One of the things I sometimes try to figure out, if I can, is what's the ratio of marketing spend versus R&D. And that gives you an idea of what they're really focused on, but it is problematic. And also there's a mindset. And I think this is especially strong in the US business community, more so than outside. That you can buy your way into a solution. And it usually involves technology. So we see networks that have multiple security appliances and systems operating, often to their detriment, because they don't work well together. And that causes other issues. So, I do think that there is a premium for simplicity versus complexity in this area. And I think that there's a premium for having what I'll call real hard life experience in the area of crisis response, cyber, dealing with bad guys in that world. The theoretical is not really a good guide to the problems and resolving them. So, I think that that's a big part of it. And that pool of talent is always going to be small 'cause there just aren't that many opportunities for people to work in the places that you and I worked in and to do the kinds of things that we did. So, it's just sort of like, there are only gonna be so many special forces operators, because the population only has a small percentage of people who can do that. You can't make other people into fitness fanatics who can shoot well, have a low resting heart rate, love adrenaline, all those things. That's just a very small side of the bell curve.
- Ransomware, the modern day online version of kidnapping and extortion, has evolved to become a sophisticated business that combines technological wizardry with risk analysis and old school brinksmanship. Its bottom line requirement is to truly know the adversary's weak points. With Aramco, the weakness was a stoppage of gasoline products to its customers. And a simple hack that spread like wildfire, leading to mass disruption, was all that was needed. Nine years later with Colonial Pipeline, it was the same thing, but it just started in the billing system. Nothing actually needed to be blown up to squeeze money out of the victims. But chillingly, it is all too apparent that this second option is now often just a few mouse clicks away. Guillermo Christensen has made a career negotiating on the part of his clients, but he'd be the first to welcome a day when his services were no longer needed. - My long-term plan is, you know, if I could, to put myself out of this business and then I'll find something else. But unfortunately, I think I'm not gonna succeed in that. - Many thanks to Guillermo Christensen of Ice Miller for sharing his story on Know Your Adversary. The most fascinating part of this is the psychology behind these attacks. Groups who know how and when a company will fold, based on rigorous analysis of their physical infrastructure, but also of their relationships with their insurers, investors and customers. All of which could be assets or liabilities depending on how the game is played. Thank you for joining us. Thank you for listening to Know Your Adversary. Every other week, we will bring you a new cyber crime attribution investigation that is representative of the work of Nisos operators, past, present, and future. If you have any good stories to pitch, please reach out, as no two investigations are the same and it is simultaneously fascinating how digital clues come together to bring context to crimes that victimize enterprises.
For more information, please visit www.nisos.com. Thank you for listening.