This week on the podcast, we bring on Ryan Estes from the WatchGuard Threat Lab to discuss the latest trends in ransomware operations. Ryan is an expert in ransomware analysis and currently owns the data behind WatchGuard's public Ransomware Tracker on the WatchGuard Security Center.
Marc Laliberte 0:00
Hey everyone. Welcome back to The 443: Security Simplified. I'm your host, Marc Laliberte, and joining me today is Ryan Estes from the WatchGuard Threat Lab. Hey, Ryan, say hi. Hi. How's
Ryan Estes 0:12
it going? It's good to be here.
Marc Laliberte 0:15
On today's episode, we are going to talk with Ryan, who is our resident ransomware expert, and go over some of the trends he's been tracking, some of the most recent activity from ransomware-as-a-service operators, and just interesting stuff about ransomware. And with that, I guess let's go ahead and jump our way in. Let's do it.
Yeah, Ryan, folks may not know, but sometime last year, I think it was at the end of the year, we launched the Ransomware Tracker on WatchGuard.com. Keep me honest on this one, I don't remember when it went live.
Ryan Estes 0:54
I believe it was significantly before that, but that's all right. But
Marc Laliberte 1:00
we're on the WatchGuard Security Hub. If you go to that page, there are several links there, including a link to Secplicity and this podcast itself. But one of the links is our Ransomware Tracker, which Ryan diligently maintains, mostly by himself on most days, keeping up to date on just the latest information that we can find about ransomware operators out there, and I figured he would be a great person to have on and just give us the latest update. I think we had one of these episodes probably about a year ago now, talking about ransomware trends, and I think we're
Ryan Estes 1:35
due. Yeah, it's been a while. There have been a lot of updates, so lots to talk about for the tracker, and then a lot in the ransomware landscape too. So yeah, a lot
Marc Laliberte 1:43
everywhere. You were just telling me we're at, like, 250 annotated ransomware operators now on the tracker.
Ryan Estes 1:50
Just hit it today. Just added one today. Hit 250. Yep.
Marc Laliberte 1:54
Dang. At the time, I guess... First off, though, have you been seeing any interesting trends lately with maybe emerging actors, or anything going on in the ransomware-as-a-service space that you thought was interesting in your research?
Ryan Estes 2:10
I think the most obvious trend, the one right out of the gate, is data exfiltration versus the encryptor. So usually you think of ransomware as just, like, getting into a network on endpoints and using an encryptor, encrypting everything and demanding a ransom. And sometimes they'll just do data exfiltration. And what I'm seeing more now is just more and more data exfiltration without the encryptor usage. So basically, just steal all the data, and if they need to, for whatever reason, they'll throw an encryptor in there, encrypt everything, cripple it all and then demand an extortion amount. So I'm seeing more and more groups that just extort data or exfiltrate data, extort victims, and not even use encryptors. And the Ransomware Tracker calls these data brokers when you just do data. And for the most part, this is what everything is, because that's what a lot of ransomware is like: hey, we have your data. It's either encrypted or it's stolen or both. And hey, give us money. And then they use different methodologies of blackmail to basically extort victims. So that's the main one I'm seeing out of the gate.
Marc Laliberte 3:14
It's interesting because, like, when I think of ransomware, I think of how it exploded in, let's say, like, 2013 or 2016 or so, where threat actors went really hard into just straight-up blocking data, and that was the primary way they extorted people. And it was effective, because we all collectively sucked at backup and recovery methods. Clearly we, the industry, have gotten better at that. And I don't know, it's interesting seeing a turn back towards just data theft as the main method of stealing or getting money out of people versus encrypting it.
Ryan Estes 3:50
Yeah, it's been, I mean, for the most part, it's always been kind of data exfiltration. And this is like a lot of what malware is, like information stealers. They steal your data. For the most part, they don't extort you afterwards. They just steal it and either sell it or do whatever. But now they get their own data leak site on the dark web, or even the clear web nowadays, and they'll just use different blackmail methodologies that are increasingly complex or weird, to be honest, and they'll just use that to get as much money as possible.
Marc Laliberte 4:20
Yeah, yeah, let's actually... I'm curious about that because, in our offhand conversations, you've mentioned a few, like, extortion types that seemed pretty far out there. Do you have, like, a top three or top five weirdest ones you've encountered?
Ryan Estes 4:36
Well, weird slash kind of crazy. I mean, a few years ago, Bloody attempted to employ a hitman. I don't know, obviously, if they did or not, but they talked about employing someone to kill someone else that was a victim of someone they ransomed or stole data from. So that was probably the craziest one I've seen recently. There's been more, like, software exploitation slash, like, kill chain analysis. So you'll see, I think it was a group... Let me get the name here. Hold on. It was, oh, man, I'm blanking on it. I forget the group. But it was a group that basically exploited the software. Oh, it was SecP0. That's what it was. It just clicked. So SecP0, exactly. There are so many weird names. It's hard to remember them all, but they basically exploited this password manager and did a whole analysis on how they did it, just, I mean, step by step: here's how I did it, here's what we did, and then exploited them and said, hey, this is what we're gonna do. Recently, there have been a lot of regulator complaints. So they either force victims to self-file, like, a regulatory complaint against themselves to say, hey, we got extorted, or cyberattacked or something. And this is a lot with the SEC; they do that. And I think this was first done, when I first saw it, by BlackCat, also known as ALPHV, a few years ago. They did it with, I think, MeridianLink as the victim, allegedly. So you've got, like, software kill chains. You've got employing hitmen. Let's see, what else? Forced disclosures. So, like I said, they force people to disclose against themselves, or they'll do it themselves. I've seen where they'll write a complaint to these regulatory bodies, and they'll just extort them that way. So just a bunch of different ones. Those are probably, off the top of my head, the most bizarre that I've seen recently.
Marc Laliberte 6:25
The hitman one is nuts. Do you remember what the ransom note was like for that? Was it literally, you've got to pay this or we're gonna come murder you? I
Ryan Estes 6:34
think that was actually on their Telegram page. They posted a chat on their Telegram saying, hey, we're gonna employ a hitman to this company if they don't pay. And it was... I don't have a screenshot or anything, but I documented it for sure. It was very odd. It's
Marc Laliberte 6:49
like, I know that's extreme, and I don't remember hearing about any sysadmin getting murdered because of ransomware, so I assume it didn't succeed. But yeah,
Ryan Estes 6:59
it was probably mostly just chatter. And a lot with these ransomware groups, it's mostly just, you don't really believe it until, like, you see hard evidence of it, or, you know, news stories or something like that. But they lie a lot, let's be honest. That
Marc Laliberte 7:13
is, that is definitely true. Which is interesting, because their job, like, they want people to believe them when they are telling the truth, because the whole reason they get paid is people trust that they aren't going to then leak their data or whatever if they pay the extortion. But I guess in every collection of organizations or people, there are always a few weirdos that just go off the deep end. So I guess that could explain that.
Ryan Estes 7:42
And this is mostly, like, online nowadays, with being anonymous, is that reputation is everything. So if you gain a good reputation, you'll be more believable. And if you lose that reputation, and we've seen this with LockBit recently, they got taken down so many times. And recently, their dashboard was leaked on their LockBit 4 website, and I haven't gone through it yet, but a lot of just Bitcoin addresses, you know, names, affiliates and just chats. You lose reputation that way, and then you'll lose affiliates, and you lose money, and it just kind of daisy-chains from there.
Marc Laliberte 8:14
Do you suspect that maybe once they do lose enough reputation, they just pop up under a totally different name? Have you seen, like, patterns across ransomware operators, where you may not have a hard link, but you really suspect that it's the same organization? A lot,
Ryan Estes 8:30
actually, yeah. And usually when they do, like, when they say, hey, we're shutting down, or oh, we got taken over, or something happened, it's usually a ploy to either rebrand and come back as something new, or, like, lay low for a while. If you're familiar with the Grand Theft Auto game, it'd be like trying to remove stars from your five stars, or something like that, similar to that. So usually when I first see it, the first thing I think is, oh, what are they going to rebrand as, you know, unless there are arrests or something like that. So it's usually, like, the norm.
Marc Laliberte 9:01
BlackCat's an example of that, where, after the UnitedHealthcare hack, and after they straight-up cut and ran with the payment and didn't pay out the affiliate, they dropped off the map. And I haven't seen them come back up. Do you suspect they're operating under a different name? Or do you think they really did just, like, cut bait and run and retire on their $20 million extortion?
Ryan Estes 9:23
It's hard to know, of course, but I would say there's a good chance that they either rebranded or they kind of disbanded. And a lot of times this happened with REvil, the group that did all the pipeline hacks a few years ago. They basically just broke off into different groups and created either more groups or kind of just joined others. And that's kind of what Conti did as well. When their locker leaked and they shut down, they rebranded to Black Basta, that's one of them, and a couple of other Russian-based groups. So they just basically rebrand and kind of just move around. And a lot of times this is obvious, because the extortion sites will look exactly the same, or they'll use the exact same language and style, but most of the time it's almost impossible to
Marc Laliberte 10:03
know. Because sometimes you hop on, like, their Telegram channels too, right? And do you ever see, like... I don't know how in-depth you look into the details for those communications, but I'm wondering if there's, like, you can tell that this is what's-his-name from some other operator, just because they talk about the same stuff or link the same stuff. Like, I bet if someone popped up and said, I'm going to call a hit in on this company if they don't pay the extortion, you'd be like, oh, that's probably those guys from that one. But I would say it's mostly
Ryan Estes 10:33
technical. Like, you'll see they report back to the same IP, or they're hosted on the same IP, or something like that. That's how you usually kind of connect the dots a little bit. And there are a few analysts that do that beyond me, of course, but there's BushidoToken. I don't know if you've heard of him. He does a lot of analysis like this, in depth, and he kind of connects the dots on who's, you know, rebranded, or who's who and stuff like that. And he's very, very good at it. Okay,
Marc Laliberte 11:02
so there's, like, a whole collective of researchers out there, like, trying to piece this together, too. There's
Ryan Estes 11:08
a few. I'd say there are a few researchers that I follow that do almost exclusively ransomware work, and they're very good at it. I mean, I use a lot of their work on the tracker, and I give them credit at the bottom. You see references, and I'll reference them if I use their work. For sure,
Marc Laliberte 11:23
walk me through, like, your typical day of, like, researching and updating a record in the Ransomware Tracker. I'm curious what that looks
Ryan Estes 11:32
like. I guess it depends on the entry, of course. But usually when I get a new group, I kind of follow, like, this... almost like a research project, like it's methodical. Do the same thing and just follow the same process, almost treat each entry like its own little research project. So I get a group or find out, and I might hear from the grapevine or another researcher, and I'll just start: go to the website and see what's on there. Go to their victims and just do a little analysis, like check their certificate, their IPs, and see if anything's on, like, Twitter or open-source information. And it's basically just looking around and basically looking at the resources I have to see if there's any new information. And if there's new information, I'll add a taxonomy to it, or, like, an extortion type, I'll add the extortion type. So it's basically just going through each data point I have and filling it in as I know it, and trying to get as accurate as possible. And that's the point of the tracker, is to be the most accurate, not be, like, the first. I'm not interested in being, like, oh, I was the first one to have it. I don't care. Actually, I would prefer for all the data to come out and me to collect it and be the most accurate out there. And so when people go to the tracker, they can see that this is going to be the most accurate. And if I need to find more information, there are references at the bottom, and there are other places I can go to get more granular details, especially, like, TTPs and stuff like that.
Marc Laliberte 12:49
And you collect samples as well, too, and, like, review them to look up, like, encryption methods, and, like, when you're trying to figure out file extensions and stuff too?
Ryan Estes 12:58
I give myself ransomware a lot, so I'll just pull it up in, like, a segmented virtual machine, and just run them. And just keep running and take pictures, if they're different, and just document, you know, ransom notes. Sometimes I'll have to break them apart and reverse them to see encryption types, ransom notes. Sometimes you have to get in there a little bit: encryption, file extensions. That's another one. But again, a lot of these, you just run them and it happens, so it's pretty immediate and obvious.
Marc Laliberte 13:26
Yeah, because you mentioned, like, reverse them to figure it out, because your day job is actually on, like, the endpoint attestation team, regularly reviewing suspicious, not necessarily malicious or benign, files, and making that final determination for our endpoint product, right? That's it, yeah. Hopefully you don't see a whole lot of ransomware on there. I imagine, once it ended up in there, it's more of just a sketchy program. Yeah,
Ryan Estes 13:53
a lot of the... so a lot of encryptors are, like, the last stage, so they'll have to get past, like, your network, and then the endpoints and all that. They'll have to get through multiple stages. And then they're on machines for a while, usually collecting information about, like, domains and other endpoints and stuff like that. And then if they need to, like I said, they'll encrypt, but they usually exfiltrate data first. So if you see a lot of data exfiltration on an endpoint, that's usually the first sign. And then if you see a bunch of file name changes, that's... well, it's too late, honestly. But that's usually the sign. And then, yeah, that's how you know.
Marc Laliberte 14:27
I'm curious, back on, like, the trends for ransomware operators. You're pretty plugged in to, like, what's going on in the space. I've had this suspicion that we're probably seeing more and more, like, even less skilled ransomware-as-a-service operators trying to hop on the gravy train, like maybe less mature ones, is the word I'm looking for. What are your thoughts around that? Do you see a higher volume of operators coming up? Do you see ones that clearly have no idea what the heck they're doing? Or anything along those lines?
Ryan Estes 15:01
I would say all of the above. You have, like, your big names. Like, obviously, LockBit used to be a big name. It's not really much anymore. BlackCat used to be a big name. Now you've got groups like Play, that's a big name. Clop, they don't do a lot of affiliate work, I don't think. They do a lot of, like, zero-day exploitation, supply chain attacks. And they did one a few months ago, where they posted, like, 250 victims, and so they're big on, like, software exploitation. And then a lot of groups just do, like, brute force on RDP, or, like, zero-day attacks, like I said, software exploitation, and just other random things to get into networks that most people usually already do. It's all malware. At the end of the day, it's just a different type. So they usually follow the same methodologies, a little bit different, but at the end of the day, it's just malware that encrypts files instead of, usually, steals information or whatever.
Marc Laliberte 15:52
When it comes to, like, affiliate versus non-affiliate, if you had to, like, ballpark a guess, of at least the ones that, like, you're aware of, what is the split on that? Like, is everyone just operating as a ransomware-as-a-service model now? I mean, you already mentioned a few don't specifically, like Clop. Or is it, like, 50/50? What do you think?
Ryan Estes 16:17
Yeah, it's hard to know which ones, because some don't even say. Like, some say, hey, we have a ransomware-as-a-service. Here's... we take, like, 10%, here's how it works, and here's what you get, and here's what we offer. Things like that. Some are just like, here are some companies, here's some data. And those are impossible to know unless they kind of say it or, you know, you find it on Twitter from an affiliate or something like that. But for example, NOVA is a group that just rebranded from RA Group, which is believed to be related to China state actors and stuff like that. But they offer an affiliate program, and now they've created their own, like, built-in tool, an end-to-end encrypted chat tool that they can use to chat to victims and they can use to chat to each other and things like that. So they've created their own proprietary chat tool, and so they can use that as, you know, a ransomware-as-a-service model. And there are other groups, you know, most of them that are ransomware-as-a-service advertise it. They'll say, hey, we want... that's how they make money. It's like, make a cut from other affiliates. And they just kind of sit back and, you know, just, hey, I'm making money. I offered the service, and make sure everything's tidy, and make sure their data leak site's going well, and things like that. Do you keep
Marc Laliberte 17:28
track of what percentage cut some of these folks get? Like, what's the biggest slice of the pie you've seen, like, a ransomware operator take out?
Ryan Estes 17:37
I don't track that, but I've seen it a few times. It's mostly either 10 or 20%. I don't think I've seen much other than that. So what's the
Marc Laliberte 17:47
like? Have there been any? So, you know, they've all got their little happy blogs, or whatever, their victim blogs. I'm curious, have there been any that stand out to you as, like, I don't know, unique or extravagant or something, or are all of them kind of cut and dry and just a list of stuff?
Ryan Estes 18:05
A lot of them actually look good, like visually, web design. Like, LockBit's was good. The one that stands out right away is FunkSec, which is a few months old. And they stand out mainly because they do data auctions on their website. They have their own AI chatbot that they use to interface with victims and make their own encryptors and malware and tools like that. And so that's kind of the first group that's kind of popularized AI usage, and I see that probably increasing in the future. They're basically using LLMs and other things like that to create their own tools or expedite ransomware creation, or even just a chatbot with victims, like, hey, here's my ID, all my data got stolen, I was told to go here, and then the AI chatbot talks back to you and things like that. So
Marc Laliberte 18:55
negotiate pricing. Is this like that... was it, like, a Chevy dealership where someone convinced the chatbot to sell a car for a buck? Can I negotiate down my ransom extortion with these things? I have no
Ryan Estes 19:07
idea. It's very new, and that's the only one I've actually seen use it, especially in, like, a commercial-type setting, to interface with victims. I've actually not even seen any others use it. They might in the back end, but it's, like, a chatbot on their data leak site. So, yeah. FunkSec is a very interesting one. It's a small group, I think it was about four people that claim to have, like, no experience, and they've kind of created everything from scratch and have this AI stuff and auctioning and a bunch of domains to do a bunch of different stuff. So, very interesting group. So
Marc Laliberte 19:40
auctioning, like an eBay kind of situation, where they say, hey, we have data from XYZ company, it's this number of records and, like, this data type, and, yeah, five days to get us the winning bid?
Ryan Estes 19:52
Something like that. It's part of their hexagon extortion technique, where it's, like, a six-step process they use. It's like double or direct, double extortion. So the typical, like, hey, we stole your data, or so. And then they wait, like, a month, and during the month they'll do, like, advertisements saying, hey, we stole your data, this company got extorted. And then if the month goes by, they'll start DDoSing them. And then, I actually don't remember all six. I've got it right here somewhere. Let's see what it is. Oh, here it is. Then they sell the data to forums and auctions, so, like, public forums that are, like, hacking forums and stuff like that. They'll go there, and then they'll re-attack the company, and then they'll start attacking, like, workers of the company and even their families. And I've actually seen that a few times, where they'll start attacking family members and colleagues and stuff like that. Or, like, calling them and saying, hey, I extorted this company and stuff like that. So it gets kind of crazy in that sense. And then the last one is just to leak the data. So they call it the hexagon extortion, which is probably the most, yeah, it's the most unique extortion I've seen. Like, especially, like, a multi-step process.
Marc Laliberte 20:59
This feels like a bunch of, like, failed Stanford graduates, or something, that couldn't make it in the real world, but wanted to use all their business acumen to, like, go onto the dark web and spin up a ransomware operation.
Ryan Estes 21:13
Yeah, you can tell when there are a lot of inexperienced operators, or, like, data leak sites, you can kind of tell right off the gate. But some of these are sophisticated, like Clop, for example. They do a lot of zero-day attacks and stuff like that, supply chain. You can tell they're not just a few kids in their basement doing stuff. They're, you know, communicating and doing a lot of research and exploitation work. So you kind of get a mixed bag.
Marc Laliberte 21:38
That's pretty crazy. Are there any that, like, kind of keep you up at night in terms of their capabilities, like, maybe, like, the sizes of the victims that they went after, or just the sheer volume of victims they've been able to... I
Ryan Estes 21:53
would say Clop, actually, Clop right after that, because, I mean, zero-days you can't really defend against, and they've been attacking, like, file transfer tools that a lot of big companies use, and we've already seen it when they did a few, like, a few years ago. They've done, like, four, right? That was one of them, yeah, was MOVEit. The most recent one was Cleo. That was a few months ago. And so if you're a company that uses these tools and they zero-day them, then you are at risk. And so, I mean, there are a lot of big companies that use these, and so you're not just one victim at this point. You're hundreds of victims right off one attack. So that's the one that keeps me up at night. At least, it's definitely one
Marc Laliberte 22:30
of the trends that we're tracking this year, of ransomware operators and even affiliates going after, like, supply chain attacks to compound the ransom attacks. Yeah, like, obviously Cleo and the MOVEit ones, they're not the first that use that model, but it's proving effective every time it is used. So it totally makes sense, especially, like, I mean, Cleo, that's legal software, but MOVEit, like you said, a file transfer service that, like, any organization under the sun could potentially use. See them going after MSP tools as well, like the RMM software that we all use to manage our systems at scale. It's pretty nuts. Yeah, there was
Ryan Estes 23:10
another one a few months ago called NullBulge, I think it was, and they embedded malware into a GitHub repository that AI tools use to, like, train on. I don't remember, to be quite honest, but it was an AI tool on GitHub, and they embedded malware into it, and then it led to ransomware. So it's, I guess that's a supply chain attack kind of thing, but it's still, it's things that keep you up, like that: embedded malware in tools that people use and can't really defend against until it's too late, almost.
Marc Laliberte 23:42
Or in the case of that AI one, like, use and may not even understand they're using it. Like, if you're using, let's say, AI-assisted software development, and you're literally just vibe coding your way through something, on an extreme end, and accepting what it puts out. What if it has been trained up, like, through adversarial machine learning, trained up to suggest, hey, insert this bit of code, that actually goes and downloads and executes ransomware eventually, and you've got some vibe coder that has no idea what the heck they're doing? That could be it.
Ryan Estes 24:15
Yeah, I wouldn't be surprised if that happens in the future, to be honest, because you can't really check for that until it happens with an AI tool, to be honest. So, yeah,
Marc Laliberte 24:24
that's nuts, yeah. So, yeah, tools, stuff
Ryan Estes 24:28
like that. I mean, the FunkSec group kind of is foreshadowing, in my opinion, kind of what we're going to expect in the future: a lot of, like, AI chatbot usage to, you know, do the work that they don't want to do, you know, post victims on data leak sites, go through the data, interface with victims. I mean, more automation, in that sense, creating malware tools.
Marc Laliberte 24:50
Like, on the cutting edge, then, of ransomware operations.
Ryan Estes 24:54
Yeah, so that's one of the groups I've been highlighting recently, is FunkSec. There are a couple of new groups that I'm eyeing right now, but I'm still doing a lot of analysis on them, because there are just so many. I think we have, like, 91 active groups. So I think there are a few that might be inactive from that, but it's just a lot to keep track of manually, one person.
Marc Laliberte 25:14
That's insane, yeah. Definitely need to get some more threat intelligence help
Ryan Estes 25:17
on that one. Yeah, or automation.
Marc Laliberte 25:20
Yeah, or automation, yes, please. Hey, maybe we can just have ChatGPT do everything. I hear it's got, like, a research mode now too.
Ryan Estes 25:28
Let's do it. I need help. You think
Marc Laliberte 25:31
ChatGPT, like, obviously you can search the web. Can it search the dark web? Does it have capabilities to pop open a Tor Browser?
Ryan Estes 25:38
That's a question. I don't know. I've never tried it. You put me on the spot. But no, I'm not trying to. I
Marc Laliberte 25:43
wouldn't be surprised, but
Ryan Estes 25:47
teach it to connect to Tor, and then kind of browse the web like that. So I don't know, that's a good question. Something I might do later.
Marc Laliberte 25:56
Maybe we can ask. I saw Microsoft is adding a new, like, their new Copilot update. You can basically share an application with it, like your web browser, or something like Adobe Photoshop, and it can render or, like, understand what's going on inside that window and offer guidance. So, like, the example I saw was, you don't know how to use Photoshop, but you have a copy of it, so have Copilot walk you through how to do whatever you're trying to do in the photo. Maybe that's an application of Copilot. Pop open Tor Browser and say, hey, let's go hunting for ransomware operators. Yeah,
Ryan Estes 26:34
it might be the industry I'm in, because we're in cyber, but when you say those things, all I can think about is, how can this go wrong? Exactly, what are bad guys going to use this for? It's the first thing I think of. But, yeah, I have a feeling that's going to be used to kind of interface and, I mean, that can be used for, like, remote desktop automation, to be honest. Yeah,
Marc Laliberte 26:56
well, I mean, that's the plan. I mean, now we're pivoting off ransomware and into AI, but what they're aiming for with general artificial intelligence is basically, like, an assistant kind of thing that can do any task a human assistant could potentially do, like a technology research assistant. Yeah, it could be nuts. Yeah, I hope not, too. I'm curious, so you mentioned, like, the AI chatbot being used by FunkSec. Are there any others that, like, advertise AI applications, either in, like, payload development or a phase? Like, I don't know, anything interesting in there? I
Ryan Estes 27:35
haven't seen it personally. But, like I said, there's a lot of data and groups to go through, and a lot of, like, other ransomware tools, like that automate these victims and stuff. They'll post, like, you know, when they catch it, the victims and stuff like that. But I go through all of it to see, and so it just takes me a while to get through all the victims and the pages and to read what's new and stuff like that. But I personally have not seen any other group publicly say they either use AI a lot or, like, use it in an official capacity. But I would not be surprised. In fact, it'd be a little naive to say they're not. Could
Marc Laliberte 28:12
see one application, like, one of the things AI, and specifically large language models, are great at is going over huge amounts of data and providing, like, summaries or insights. Yeah, like, I could imagine, as an operator or an affiliate, you just stole 20 gigabytes' worth of, like, random data from an organization, and you want to know, like, what are the juiciest bits that could really earn you some money? Like, trying to dig through all those files yourself is a very time-consuming process. Feed it into ransomware GPT, and say, hey, what's the most important stuff in here? Like, I could see that as a differentiator for some of these operators, if that was something they advertised. I wouldn't
Ryan Estes 28:51
be surprised they're using it, because you'll see, you know, these groups post, like, hey, we have 76 terabytes of data at this company. Like, how did you go through and know what's in it? Because sometimes they'll publish, hey, we have this, we have this, we have that, with this and stuff like that. But we've seen it on the other side of the coin, is that when Black Basta, for example, and even the most recent one that got dumped, LockBit 4.0, basically, they take the data dump and they'll create a ChatGPT bot for it with the data. And I mean, Black Basta happened within, like, a day. Someone created, like, a chatbot to interface with all of this data, and it works really well. So I would be surprised if, on the other side of that coin, they aren't doing that as well. Yeah, damn,
Marc Laliberte 29:32
well. Do you have any predictions of what the rest of the year might look like for ransomware? The ransomware ecosystem,
Ryan Estes 29:40
obviously more AI chat bot and AI usage. How much? Who knows? I probably predict more law enforcement action. Actually. There's recently been a lot of law enforcement takedowns and arrests and stuff like that. And I wouldn't be surprised if that kind of stays the course or even picks up a bit, because, I mean, we're seeing it now. They're doing more offensive work. Hey, we're taking these websites down. We're arresting people. And so they're, why wouldn't they get more aggressive with that from the United States point of view? I mean, obviously, if they're in other countries and they don't have a good relationship with the United States, it's kind of difficult to do that, but we've seen it in Europe and even in Russia and other countries too, that they actually do arrest these people when they know who they are and are causing issues. But the problem with things like Russia is that they put their, the people who use ransomware there, they'll put like CIS restrictions, which is the Commonwealth of Independent States, which is like the old Soviet Union. They'll put like geolocation checks. And so a lot of times, the decision makers in those countries will just look the other way, because they're like, we know we're not getting attacked from these people, so why do we care? But that's more political stuff,
Marc Laliberte 30:48
meaning the operators put those in place where, as long as they don't, you know, piss off residents of these former Soviet countries, and they're allowed to operate for you, basically. And
Ryan Estes 30:58
you see it in malware a lot, a lot in malware, they'll do a geo check to see are they in CIS countries, or where are they just in general. You know, you see a CIS check quite often. I
Marc Laliberte 31:12
guess the good news is that even if we can't, like, arrest folks, either from the US or like Interpol or international law enforcement working on it, if we can at least name and shame them. We can stop them from ever leaving these former Soviet countries again, and no more vacations to Switzerland or Prague. Yeah, that's happened. Silver lining,
Ryan Estes 31:33
yeah, there's a lot of sanctions on a lot of Russians from the United States and Europe. And there's been a few times where they do leave and they get arrested at airports. I've seen that a few times. I think the most recent one I could think of is in France. I forgot the group he was related to might have been an affiliate, but they, I mean, they do arrest them, they do track them. And I'm not in law enforcement, so I don't know what depth they do that, but I know it does happen.
Marc Laliberte 31:56
Yeah. Well, this has been awesome, Ryan, I appreciate you hopping on and giving us another update of what's been going on in the world of ransomware for the last year. My
Ryan Estes 32:06
pleasure. I live in it. I'm there often. I don't know
Marc Laliberte 32:09
about you, but I'm hoping that at some point we can stop talking about it, because we've solved the issue. But, uh, something tells me we're still a bit of a ways off from that end, if it would ever come.
Ryan Estes 32:19
It's a cat and mouse game that'll never stop. They might try different techniques, might not even or they might like not using cryptos anymore because they might be able to defend against it, but it'll just be something else, and I'll try and track it
Marc Laliberte 32:31
if I can. Well, thanks again, Ryan. I really appreciate it. This is awesome.
Ryan Estes 32:37
No problem. Happy to help.
Marc Laliberte 32:42
Hey everyone. Thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate, review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, you can reach out to me on Bluesky. I'm at it's marc.me. All of us are at WatchGuard underscore technologies on Instagram, and Ryan is trolling the dark web under different pseudonyms, so good luck finding him. That's right. That's right. Thanks again for listening, and you will hear from us next week.