This week on the podcast we welcome back Ryan Estes from the WatchGuard Endpoint Security attestation team to discuss a recent deep dive analysis of NoisyS0cks. After that, we give an update on the latest trends in ransomware targeting SMBs.
Marc Laliberte 0:00
Hey everyone, welcome back to the 443 Security Simplified. I'm your host, Marc Laliberte, and joining me today is not Corey. I have invited on Ryan Estes from the WatchGuard Threat Lab and our Endpoint Security Attestation team to talk through both a new malware variant that he analyzed just recently, and then some updates to the ransomware tracker, so Ryan, first off, thank you for joining us.
Ryan Estes 0:24
Yeah, thanks for having me back. The people have spoken, they wanted me back, and I'm back.
Marc Laliberte 0:29
I mean, I sense your intended sarcasm in that, but in reality, it is awesome every time we have you on, because I think you give a lot of on the ground insight from specifically ransomware, which is your specialty, but I'm really excited to dive into this. This new malware, would you call it, pivot,
Ryan Estes 0:49
pivot framework, implant, backdoor? They're all used interchangeably, but pivot framework, I think, is the most correct.
Marc Laliberte 0:55
Awesome. Well, with that, let's go ahead and pivot our way in and get rolling.
Ryan Estes 1:00
Well played,
Marc Laliberte 1:08
so I guess, like, to start, Ryan, I want to talk about a post that's going to go up. I think by the time this episode drops, it should be on our Secplicity threat research blog about NoisyS0cks, and I guess to start, you want to give us the like high-level summary of like what you found and what's interesting.
Ryan Estes 1:28
So I'm part of the attestation team, so part of my job role is to analyze suspicious files that come into the queue, and it's literally just an application with a queue of files that are suspicious, quite literally. And so when I see files that are like very suspicious or knowingly malicious, I get really interested, because I want to dig into them deeper, and this was one of those. It was called TieringEngineService.exe, which is a known trusted Windows file, and so when you see something that's deemed suspicious that you know is not suspicious, you can kind of infer that it's interesting or malicious off the bat, and so I analyzed this file and figured out that it's a Golang file, that was, I mean, Windows files aren't really Golang, especially if they're in System32, and so I just kind of dug into it and analyzed it,
Marc Laliberte 2:17
so a lot of, I guess, a lot of red flags to start with when you first take a look at some of the metadata around the file, like where it's located, what it looks like, architecture, like you said, it's compiled Golang, maybe walk me through, like, how did you find this first, or like what, what was the, the overall like incident that you were investigating to when this popped up,
Ryan Estes 2:42
so it act like the file came first, so we blocked the file, and then I actually had one of the other analysts kind of pinged me and said, "Hey, this looks really kind of weird, I don't really know exactly what it does, can you take a second look?" And that's kind of the good thing about the attestation team, is it's a community, we'll help each other make sure we make the right choice for the clients and customers, so he said, "Hey, take a second look at this." So I took a second look and figured out that, you know, this was a really interesting malicious file in Golang, and that looking at the telemetry of it probably used a Red Sun exploit, and it had a lot, Red
Marc Laliberte 3:16
Sun, like that recent zero day drop by what was it, Nightmare Eclipse against Microsoft.
Ryan Estes 3:22
Yeah, he's been dropping a few recently, but it happened right around the time Red Sun came out, so I was like, oh, this is another, you know, Red Sun use in the wild, and so obviously I had to dig deeper into that. So that's kind of how it came about, is like a second opinion, we're like, hey, I don't know exactly what's going on here, can you check this out, and it's kind of how it started,
Marc Laliberte 3:43
and I remember you reached out to me because, like, you found some additional telemetry that indicated that this was a part of a potentially successful attack against this particular client, too, where at some point the telemetry just stopped, which was indicative of, like, an EDR blinder getting deployed. Right?
Ryan Estes 3:59
Yeah, I did a lot of threat hunting through the telemetry, and it was, if I was a betting man, it'd be a Red Sun exploit, but I don't have, like, the hard evidence, and I play a lot with hard evidence and assumptions, so I'm assuming it's Red Sun based on all the telemetry, because Red Sun is basically it's like a race condition, you place the operator places a file in a directory, like downloads, for example, a known malicious file, and a lot of it's like an EICAR signature, so like it'll get flagged, it'll knowingly get flagged. This Microsoft Windows Defender says, "Hey, I know this is malware, but the file has a cloud tag on it." So basically, Windows Defender Cloud handles it, and how it handles it is it replaces the file in the exact folder, but with the race condition, they can switch the path, so they switch the path to System32. It writes it to System32 as a malware file, instead of quarantining it, and then it runs it, and so that's how it exploits it. Basically, it switches the path on the fly in the middle and runs.
Marc Laliberte 5:00
Man,
Ryan Estes 5:00
Windows Defense,
Marc Laliberte 5:01
pausing there for a second. I gotta have you on more often, because you just eloquently explain what, like, 10 minutes of stumbling through trying to explain Red Sun that Corey and I did about, like, a month ago. Yeah, because that is, like, yeah, exactly what happened. And actually, I remember we worked with the rest of the endpoint research team on this one, and so it looked like it was a successful attack, but there were some additional extenuating circumstances, like this particular client had added protection exclusions for any file ending in dot exe or dot dll, which basically means like anytime one of those executable files shows up, the EDR tool will just intentionally turn a blind eye because of those configured exclusions, which is not how it should be set up.
Ryan Estes 5:47
Yeah, that's like all files, basically.
Marc Laliberte 5:49
Yeah, and it would explain why something was able to succeed on that system, unfortunately. But, like, enough about that. Like, I want to know, you went and did a big deep dive into this particular tool that got deployed onto the system, and you wrote like an extremely thorough post that folks can go check out on Secplicity if they want to nerd out with you in the weeds, but maybe just start with like what was kind of new or unique about NoisyS0cks that you saw compared to like other similar types of tools that you've analyzed, or even just compared to what you've seen in the last six months.
Ryan Estes 6:27
Yeah, to preface, I rarely see Golang files like this, and especially like back doors that are really complex like this. I rarely see it. So, this was kind of a learn and go, learn as I go, if you will. So, I was.. why do
Marc Laliberte 6:39
you think that is, is that normally like, because they're obviously malicious and get blocked by the zero trust application service, because I mean, when something ends up on your plate, like you said, it's a suspicious file, it's something where there wasn't strong certainty that it was bad or that it was good, so now the human, you, has to go look at it, right?
Ryan Estes 6:57
Yeah, so we don't see files that are obviously goodware, we don't see files that are super malicious, like low hanging fruit. Everything in between comes to us, not everything, but it's going to be in between if it comes to us. And so, yeah, we see all the suspicious files that come in. And what was the question again? Sorry,
Marc Laliberte 7:13
yeah. So, like, what was new or unique about this one? And you were teeing it off with, you don't see a whole lot of Go Lang stuff normally, and I assume, because, like, a lot of it is just obviously malicious, whereas this one kind of squeaked through, but, like, as you were going through it, what else stood out to you?
Ryan Estes 7:31
Yeah, so it was, well, it started, it was obfuscated with Garble, which is an open source tool that basically just obfuscates everything, so you can rarely read anything, and then I think the main kind of novelty about this was the way it obfuscates communication, and this is kind of skipping a few steps on how it works, but basically a backdoor, the objective is to be quite literally almost like a backdoor is to have a way into a network without being detected, its persistence mechanism, and so the way it communicates, it's like a, it's a dual-faced protocol, and this is I internally called this Janus Bridge, Janus is the god, like the two-faced god, because it's a dual transport protocol, so I called it Janus Bridge, by the way, also called this a smoke screen too internally, but anyway, it uses KCP over UDP with DTLS, or Noise over TCP with TLS. So, basically, when you take a PCAP, or you see this on the wire, it'll show up as like UDP packets or DTLS packets, basically a stream streaming packets. So, it looks legitimate, even if you have deep inspection or deep packet inspection. This will look like a legitimate, it won't raise any red flags, but if that, if that doesn't work, then it falls back to like a TLS, so like basically a TCP basic conversation on the packet on the wire there, so it has two mechanisms that are very obfuscated, multiple layers to communicate back to the C2 and on top of this, it multiplexes this with a tool called Smux, and if you haven't heard of any of these tools, that's because they're very prevalent in the China Great Firewall, like to bypass their firewall. So this is almost exclusively used by Chinese users, you could say, and so you can almost assume this is a China Nexus individual or someone in China using,
Marc Laliberte 9:21
so, like, sometimes used for, let's say, like, quote unquote, legitimate to bypass, like, state level censorship, but also tools capable of being used in malware to have it evade, like, enterprise grade security controls.
Ryan Estes 9:34
Yeah, it's basically anti-censorship tooling, like, weaponized, essentially. Damn,
Marc Laliberte 9:40
and it makes sense why they'd want to try and hide the command and control interface, like that's a one of the relatively easier ways to detect an ongoing malware infection, is like new or interesting connections, and just unexpected traffic within a typical protocol, and so like if they're making it look like legitimate traffic very well, that can make it more difficult to detect at the network perimeter or any other network tools you're using to analyze that traffic.
Ryan Estes 10:08
Yeah, and in the post, if you want to pull this post up while you're reading or listening, this I show pictures of how, like a packet would look, literally the packet itself or the datagram, and how it would look on the wire, and I even took a PCAP that shows the communications between the C2 and the victim machine. So, I believe it or not, I actually caught communications of the operator sending commands to my sandbox. Oh, damn, I thought was,
Marc Laliberte 10:34
what were they trying
Ryan Estes 10:35
to do? Oh, I broke it down before I got to that, because I had VM and redo it all a bunch of times, so because I figured it would keep going, so I broke it down, try to go back at a different angle, and then it just didn't happen again, so but I got a picture of it.
Marc Laliberte 10:50
So, speaking of like commands and stuff, did you dive into what the capabilities of it were?
Ryan Estes 10:55
Yeah, I mean, but the main thing about this one, and that it's also unique, is that the bridge relay is a two-way relay, and basically it's the relay is a mechanism to just shuffle bytes along, it doesn't know what the bytes are, it just shuffles them, and so Smux basically says I want to open a connection on the victim's internal network, so let's say, for example, my machine got like this implant, the operator could dial internal networks on my network without connecting to them directly through my machine, so basically says I want to, for example, attack SMB, so it'll dial the IP, it'll dial the port, and then it'll connect to it, and you can run multiple of these at once via Smux, so I can do an SMB attack, I can run BloodHound and do more attacks, I can do Kerberoasting all at once on the same tunnel,
Marc Laliberte 11:48
so it's like a, like, like you said, an implant inside the network that basically gives them a foothold in there, like kind of like if they want to
Speaker 1 11:55
pivot,
Marc Laliberte 11:56
yeah, there we go, they can remotely access internal resource, so it itself doesn't necessarily have any capabilities to like go and do stuff, it's more of a facilitates that connection, so that another tool outside the network can tunnel its way in and start enumerating systems and grabbing other data and stuff.
Ryan Estes 12:16
Yeah, and this is why I say it's a pivot framework more than an implant or a backdoor, because a backdoor is basically just a way in, an implant is just kind of like a, it's a service running on your machine that's sending data back, a pivot framework is allowing the bridge to them to send commands and then get data out of it and then send it back to the C2, so in the reason I call it a framework as well, by the way, is that it's config driven. There's a configuration built into the file, which kind of hints at this is kind of like purpose built and has more versioning within it. So, per se,
Marc Laliberte 12:54
and so for attribution, you think some were trying to align just because of the tooling that they use, like the the framework they were using to get past the Great Wall of China. Right. Yeah. Okay.
Ryan Estes 13:09
And I'm assuming the kill chain here is that the Red Sun gives you the privileges,
Marc Laliberte 13:13
the
Ryan Estes 13:14
NoisyS0cks gives you the persistence into the system, and you can gather information, so you can enumerate, and then you go further, and this one used a bring your own vulnerable driver to kill the EDR, and that's when the telemetry stopped, and then further attacks after that.
Marc Laliberte 13:29
Got it. And further attacks, like one example we saw, was ransomware deployment. Do you see, did you get a chance to dive into any other examples, or any assumptions on what they might be doing, or do you think it is probably predominantly ransomware?
Ryan Estes 13:46
I would say predominantly ransomware. I don't see a reason. I mean, if you can get persistence onto a system, get all the information you want, information stealing, even, and then kill EDR, there's really not much room for imagination on what can happen after that.
Marc Laliberte 14:03
That's crazy. Anything else that you thought was interesting out of
Ryan Estes 14:09
it? I mean, it's very matured, so I mean it's it's config driven, and it has an option to embed it or run it from a path, so it's dual face in that sense, and it's very.. it was very matured from what I thought I was analyzing, if that makes sense. So, I thought it was just an implant at first, but no, it had like versioning configuration driven, it had very graceful cleanup, so it drops a batch file that deletes everything and gets rid of all kind of like kinds of
Marc Laliberte 14:37
tracks,
Ryan Estes 14:37
yeah, everything about it. So, I would say this is going to be developed even more based on what I was seeing, because there's like v ones all over the place, and like versioning, and the config allows for more, I guess, capabilities down the road, so
Marc Laliberte 14:53
and I guess by nature of it ending up on your desk, like this was a suspicious file, and so I. I mean, if we can plug our own stuff, like this is one of the benefits of zero trust application service and WatchGuard's endpoint security, where normally, like for other tools, the suspicious file is something that the administrator has to take care of, they've got to either go analyze it themselves, make the determination, or just allow it through, like many others do, versus with ZTAS, like it's blocked by default when it's in lock mode, when the endpoints in lock mode ends up on your desk for that final attestation and analysis, and you can confirm that it is malicious, feed that back in, and now it's blocked across all endpoints too.
Ryan Estes 15:35
Yeah, and I mean, if you don't really know much about operating systems and like networking stuff, if you were to see this file or see this running, you wouldn't really think much of it, because it's disguised as a legitimate Windows file. It's running as a service, as a legitimate Windows name and description. It runs out of System32. So, I mean, if you don't really know what you're looking for, this would look legitimate.
Marc Laliberte 15:56
Yeah, man, pretty sketchy. But I mean, good news, it's something that we caught largely thanks to you and your help on doing the analysis.
Ryan Estes 16:06
We also bring on vulnerable driver as well that was caught, and I have a post coming out about that sometime in the future. I'll say
Marc Laliberte 16:15
that's awesome. So, for this one, it's on the WatchGuard Security Hub on our Secplicity blog, the NoisyS0cks post. It's a really good deep dive into all of the details on this one. Definitely recommend taking a look at it if you are, I don't know, technically inclined, like, like I am, and some of our listeners are.
Ryan Estes 16:34
I mean, I do write it with the intention that people who have no freaking clue what this is, is going to read this too, so I sometimes over give too much information, I guess you could say. And then I go really technical too, so you'll get both of them.
Marc Laliberte 16:50
It's good you can straddle the line like that.
Ryan Estes 16:53
You have to.
Marc Laliberte 16:55
So, moving on, though, the second thing I wanted to have you on, so you are the like head maintainer of the ransomware tracker on the WatchGuard Security Hub, too. You do the bulk of the work on curating and investigating and bringing in all the data from ransomware operators that are spinning up or tearing down victim information, things like that. And it's always awesome to have you on and just hear about, like, hey, what's new on it? So I guess, like, to start, like, let's dive into the ransomware tracker itself, and some high-level metrics. Are there any like big changes that you've seen over the last half a year or so on this
Ryan Estes 17:32
half year? So, yeah, 2026 basically. I did just write a post about two weeks ago, which highly recommend reading, about Deadlock. They were the group a few months ago that was observed taking C2, I guess, data from Polygon blockchain. Basically, they were pulling it from the blockchain, and they were able to get C2s that way, and I mean it's not mutable, so you can't really edit it. So those are kind of hard coded in there, and then now they are embedding their data leak site within their ransom note, and they pull the victims from that blockchain as well. So, basically, whenever you open the ransom note, you can see a tab that says leaks. You go over there, and that has their basically their data leak site on it. And then, also, yeah, those have their data leak site on a clear net domain too. But you don't really need to go there. That's pretty interesting. Why do you
Marc Laliberte 18:21
think it's on the clear net, like normally they're on dark net locations? I imagine to make it more difficult to take down.
Ryan Estes 18:29
I actually don't. That's a good question. Actually, I think part of it is kind of the emboldened nature, and that, that I mean, the numbers speak for themselves. The groups, there's just more groups, there's more victims. The payouts are bigger nowadays. There's less people paying out, but the payouts are bigger, according to most recent research. So, I think they're just kind of like, who's going to stop me, kind of thing. But that's a good question. I don't know, maybe something like into
Marc Laliberte 18:58
trying to look it up. So, they're for deadlock that you're mentioning, they're hosting it on live blog 365 which is trying to find the hosting provider for it, because I'm wondering if it's like a bulletproof host, and that's why they're able to keep it up for so long.
Ryan Estes 19:15
Yeah, I mean, a lot of them use that, the Noisy Socks was using one of those too,
Marc Laliberte 19:21
but yeah, anyway, so like, beyond deadlock, like, you're in there every single day, you're looking at new, like, victim blogs as they come up, you're reviewing existing victim logs. Have you noticed anything like interesting over the last couple of months from what you've been looking into?
Ryan Estes 19:42
I didn't finish answering your question, I'm sorry. Yeah, I mean, like I said, the numbers are a lot more abundant, but there's just.. I think there's around 2500 per quarter as of the past three quarters, which is very high. The there's not much encryption anymore. I don't want to say that like. There's no encryption. I'm just saying, instead of always encrypt, it's like encryption optional, like it's it's almost an option for them, and they use it as kind of like an extortion tactic, like, hey, we steal your data and we're going to encrypt your crap too. So that's kind of like another thing they do to extort, and then they just do a bunch of different extortion types that are just getting very clever nowadays, but sometimes the
Marc Laliberte 20:24
lack of encryption was, I think, our first prediction this year, for 2026, that crypto ransomware goes extinct, and, obviously, like you said, it's not extinct, but they are trending away from encrypting data as the first form of trying to extort you. You said, though, there's some interesting, like, extortion types too.
Ryan Estes 20:44
Yeah, I was a Qilin - I never know how to pronounce it, but they're the ones who have the most victims by far this year. I think they're up to almost like 700 this year, about 100 a month on average, which is a lot. But most of the big names are also ransomware-as-a-service users, so I mean they have affiliates that do the work on their behalf, they just provide the infrastructure. Let me get some data here. Hold on.
Marc Laliberte 21:07
Chillin, I think is how it's pronounced, or Chilin, because it's a Chinese, right? So, yeah, Qi is Chi.
Ryan Estes 21:14
Yep. Sorry for my being ignorant of that. I
Marc Laliberte 21:18
only know this because we, we talked about them at the last WatchGuard Impact conference, just a couple months ago, and I had to make sure I was pronouncing it very correctly when it was on stage in front of 500 people.
Ryan Estes 21:29
Yes, so they have a call a lawyer button on their data leak site, where you can invoke, like, I guess, legal counsel. I don't know, I haven't clicked it, I haven't looked too much into it, because there's like 100 plus names I have to keep track of actively, so I don't have hard data constantly, but they have a, they have a lot of extortion types that are very unique, a lot of extortion types of like hitman type stuff, or like bounties, for example, I think Handala did that, but that's an Iranian-backed group, don't know too much about them, but they do offer money for data, I guess. You could say, like, a lot. I think it was that was the group that offered 50 million for Trump and Netanyahu type stuff. Oh
Marc Laliberte 22:10
man,
Ryan Estes 22:10
couple months ago. So,
Marc Laliberte 22:11
yeah, the call a lawyer one's interesting. I wonder, like, I'm trying to think of what their reasoning is, and maybe they, as an operator, have better success negotiating ransomware payments with, like, law firms that have done this, you know, multiple times, versus, like, the specific company that this might be their very first ransomware experience. I don't know.
Ryan Estes 22:32
Yeah, they also have, there's a couple groups that ask for, like, cyber insurance, so they can kind of toe the line and make sure they don't have to pay out insurance and stuff like that. There's a, and there's just so many. I think there's a list of like 30 or 35 extortion types on the ransomware tracker. I think recently we talked about a lot of times groups are now like contacting the organization, or like clients of the organization, and so they'll say, "Hey, we have your clients' data. If they don't pay up, we're gonna leak your crap too," and so, yeah, it's they just.. there's really clever ways they try to get in. I mean, the obvious one is they call into call centers or call you directly, or like call your vendors, and so it's just getting.. they're just getting more clever because they're not encrypting data to say we have all your data, like how can we get them to pay up, and they just get clever,
Marc Laliberte 23:22
and so now that, like, data encryption isn't the main method of operation, like, you can't just rely on recovering your, your backup in order, and then just move on, like, you actually potentially have to be worried about the data loss that they've stolen before trying to encrypt it, that they're, they're extorting you, like, feels like the tide has turned towards prevention, is really important to prevent the data from going out, like data loss prevention, and just overall cyber hygiene to limit the data exposure within an organization, but like preventing that data loss is even more important than recovering encrypted data, in the modern year, is that fair,
Ryan Estes 24:02
yeah, and a lot of the attacks are now supply chain attacks, where they're intentionally taking data because they know it's from 400 different organizations, for example, that's becoming almost the most common thing, I think, is like going
Marc Laliberte 24:14
after a service provider to get all of their clients,
Ryan Estes 24:16
yeah, I can reach one organization and get maybe 300 ransom payments, for example, or something, right? It's not realistic, but that's kind of how the thought process is. I don't have to hack a bunch of different organizations, I can hack one or two and extort multiple people. ShinyHunters is doing this. Who was Icarus? A new group is doing this. Huntress came out and talked about that the other day. I'll let them speak for themselves, though.
Marc Laliberte 24:42
Have you seen off the top of your head any specific, like industries that are getting hit more often than not?
Ryan Estes 24:50
Yeah, did
Marc Laliberte 24:50
anything stand out to you, or is it a good spread?
Ryan Estes 24:53
It's a good spread in general. Overall, I think when you do trends for sectors, it's mostly group. Based
Marc Laliberte 25:00
or
Ryan Estes 25:01
like time-based, like within a certain time, but like overall, it's if I depict one, it's mostly just manufacturing. I think that's just because most companies are manufacturers, if that makes sense. So, I mean, most companies manufacture things, so if you're gonna just the numbers, basically, but I don't think there's like these groups are going after manufacturers, I think they're just easier to breach because they're less secure and there's more of them
Marc Laliberte 25:27
that can make sense. Then, yeah, I
Ryan Estes 25:29
do not have the hard data on that. I wish I did one day.
Marc Laliberte 25:32
Put in a feature request, we'll get that next.
Ryan Estes 25:35
Got it?
Marc Laliberte 25:38
I know, didn't you just pass like what was your big number? 300 at the end of last year, and on track for probably 500 by the end of this year of total ransomware folks in there that you're tracking.
Ryan Estes 25:51
Yeah, it's mostly new groups this year. I like to get like full entries, and when you see a blog post with an ID next to it, that means that entry is completed. By the way, anyone's wondering, I didn't make that clear, but basically I haven't completed very many entries. I've only just been adding new ones, because there's just been so many. There's been about 40 to 45 new groups this year, roughly. So,
Marc Laliberte 26:12
damn,
Ryan Estes 26:13
yeah. So,
Marc Laliberte 26:14
ransomware is still a booming business, annoyingly.
Ryan Estes 26:17
Yeah, it's like two a week on average. I think
Marc Laliberte 26:20
that's crazy. Any other takeaways you want to leave our folks with based off your ransomware analysis lately?
Ryan Estes 26:27
No, I will say the ISR is coming soon, so you'll see all the updated ransomware data. I'm updating the active groups tonight. I have all the inactive groups. A lot of this is manual still. A lot of it intentionally is manual still, because some other, I guess you could say competitors just kind of grab the posts and just post them, or I go through each post, I go through like I don't download the data, but I go through and try to verify when the breach date was, so I go through a lot of the extra work to get the data I have, so a lot of data that's on the tracker is very accurate, I would say on that thought, I'd say the big groups right now are Qilin, I guess you could say The Gentlemen, Akira, I think I have the hard data on this, DragonForce, NightSpire, kind of come out of nowhere, no one's really talking about them, but they're one of the top groups in terms of numbers right now, don't know too much about them, to be honest,
Marc Laliberte 27:19
are all of these ransomware as a service operators, or like majority of them,
Ryan Estes 27:23
I was gonna say all but one, all but one of the top, like seven, are ransomware as a service, the only one that's not is Play, and they're also the only one that doesn't really use vulnerable driver exploits either. So Play is kind of unique, they're very consistent, they're a closed group, and they have a lot of numbers, I guess you can say, and then INC Ransom is another one too, so say those names right now, they're all ransomware as a service, so they have affiliates working for them, getting these numbers, I guess you could say. What else? One other thing that came to mind is there's a new, not extortion type, not new group of the new entity called Leak Bazaar, and their whole thing is they take data from other groups, analyze them, and kind of extort on their behalf, so they're like a data processor for ransomware
Marc Laliberte 28:11
extortion as a service,
Ryan Estes 28:13
essentially. Yeah, so that's one of the new things, and there's probably some more I'll touch on on the ISR if I come across,
Marc Laliberte 28:21
man, the entire industry has just become commoditized at this point, every single step of the attack, and including the extortion. Yeah,
Ryan Estes 28:29
and you commonly ask me, like, you know, how's the ransomware landscape, and I always say something along the lines of, it's not getting better, seemingly not getting better, so I don't, I don't know. Well,
Marc Laliberte 28:41
I mean, if we're going to give some defensive tips, like good endpoint security, good data loss prevention, and just basic cyber hygiene to limit data exposure, so if an account gets compromised, they hopefully can't steal everything that you own and post it up for sale somewhere.
Ryan Estes 28:58
Yeah, I'm glad you said that, because the main ways ransomware groups are getting in right now are kind of the same thing, it's phishing, social engineering, credential theft is a big one right now, VPN credential theft, especially, and like FortiBleed, I think it was, and I suspect, by the way, that this Red Sun exploit was started with a FortiBleed, because I suspected it started with the FortiGate VPN credential stealing. Now that this FortiBleed came out, it's possible it could have been that. Sorry, that's kind of popped in my head right when I was saying it, but it
Marc Laliberte 29:34
totally makes sense. I mean, it was tens of thousands of credentials stolen in there, so I could see that being a good source of initial access into an organization.
Ryan Estes 29:44
Yeah, so it's just credential theft, social engineering, phishing, same old zero day exploits are big right now, but it's nothing new, it's just different exploits, different phishing types, different social engineering types, but it's the same overall kind of mechanisms,
Marc Laliberte 29:59
if it keeps working, I don't see why they would want to pivot for sure. I know, but Ryan, thank you so much for taking some time to hop on here and talk through this. This was as enlightening as ever. Again, reminder for everyone, the Secplicity blog on the WatchGuard Security Hub will have our deep dive posts on NoisyS0cks, and then Ryan's regular posts on different ransomware operators, it's a great resource to go check out, but yeah, thanks again, Ryan, I appreciate it.
Ryan Estes 30:27
No problem, thank you.
Marc Laliberte 30:31
So, hey everyone, thanks again for listening, as always. If you enjoyed today's episode, don't forget to rate, review, and subscribe. If you have any questions on today's topics or suggestions for future episode topics, you can reach out to me on Bluesky. It's, it's marked at, it's marked out me, Ryan. I'm sure you can find him on LinkedIn or something. Ryan, do you have a social media handle you want to share, or are you on LinkedIn? I don't
Ryan Estes 30:52
really use it. I exist. It's kind of like a, an internet resume,
Marc Laliberte 30:57
perfect. It exists. So then you can reach out to all of us at WatchGuard underscore technologies on Instagram. Thanks again for listening, and you will hear from at least me next week.