
Democratizing Ransomware as a Service with Nisos Intelligence Advisory Paul Malcomb

Know Your Adversary™

Release Date: 03/28/2023


In Episode 91 of TheCyber5, we are joined by Paul Malcomb, Intelligence Advisory for Nisos. Paul brings over 15 years of experience from Fortune 500 security teams and the public sector, including incident response, threat intelligence, and third-party risk management.

In this episode, Paul explains how the ransomware-related ecosystem is evolving and provides insights into some of the newer threats organizations face.

Below are the three major takeaways:

  1. Ransomware actors no longer need to be end-to-end capable and are now very decentralized:

  • Gone are the days when threat actors had to be masters of all. With the democratization of services, affiliates with little to no technical knowledge can now execute sophisticated cyber attacks. Ransomware operators once needed to possess the full range of technical and non-technical capabilities within a single organized criminal group; initial access brokers, supporting operators, and the actual malware developers no longer need to be the same entity. Today, individual attack components are outsourced to provide an affiliate with an end-to-end solution that fills nearly any unmet need, including but not limited to payment negotiations, money laundering, infrastructure creation, and payment collection.

  2. CTI, Red and Blue teams must unite and move faster to adjust to the decentralization:

  • It is becoming more and more critical to fuse CTI teams with their respective Red and Blue team components in order to emulate an organization's most pressing threats. Blue teams sometimes have minutes to detect and remediate a ransomware actor once initial access is gained. This initial access is often gained through misconfigurations or unpatched vulnerabilities on legacy systems. Similarly, the privilege escalation and lateral movement tactics commonly leveraged can also be mimicked, enabling Blue team detections to be optimized against a specific adversary. This type of adversary emulation is only possible through the fusion of the three teams (CTI, Red and Blue). Small and medium-sized businesses (SMBs) have almost no chance to avoid ransomware unless they are using managed services to detect, correlate and respond to events. Managed Intelligence Service providers have experienced personnel, proven processes and the appropriate tools needed to accurately scope RaaS-related risks and help guide SMBs through the challenge of hardening their systems, focusing on cost-effective risk reduction strategies.

  3. Living Off the Land attacks make detection harder by an order of magnitude:

  • With a growing percentage of attacks having no signature file or easily identifiable IOCs, timely adversary threat intelligence focused on a specific organization is often the only early warning indicator capable of identifying potentially malicious activity pre-impact. When ransomware attackers use the same commands and tools that are native to an enterprise environment, they become significantly more challenging to detect because their activity looks like expected, business-as-usual (BAU) traffic. Over 70% of ransomware attacks are now non-malware attacks, meaning ransomware groups don't need custom malware that can be detected by a file hash. The new formula requires only initial access and common administration tool know-how, and thanks to the democratization of RaaS, even these components can be purchased: all an affiliate needs is the desire to attack and the finances to pay the ecosystem to act.
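Because Living Off the Land activity yields no file hash to match, detection has to key on behaviour rather than indicators. The following is an added illustration (not code from the episode or from Nisos) of that idea: it builds a per-user baseline of which native admin tools each account normally runs, then flags a user running a tool outside their baseline and a user fanning out across several hosts in a short window. The event records, host names and thresholds are constructed sample values, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-execution events: (timestamp, host, user, tool).
# Three weeks of routine activity, then a burst that looks like ordinary admin
# work on any single host but is anomalous for that account in aggregate.
EVENTS = [
    ("2023-03-01T09:00:00", "ws-01", "alice", "net.exe"),
    ("2023-03-02T09:10:00", "ws-01", "alice", "net.exe"),
    ("2023-03-03T09:00:00", "srv-db", "svc-backup", "wmic.exe"),
    ("2023-03-04T09:00:00", "srv-db", "svc-backup", "wmic.exe"),
    ("2023-03-20T02:00:00", "ws-01", "alice", "wmic.exe"),
    ("2023-03-20T02:03:00", "ws-02", "alice", "wmic.exe"),
    ("2023-03-20T02:06:00", "srv-db", "alice", "wmic.exe"),
    ("2023-03-20T02:09:00", "srv-files", "alice", "wmic.exe"),
]
CUTOFF = datetime(2023, 3, 10)  # events before this form the BAU baseline


def parse(ts):
    return datetime.fromisoformat(ts)


def build_baseline(events, before):
    """Per-user set of native tools seen before the cutoff: the BAU profile."""
    baseline = defaultdict(set)
    for ts, _host, user, tool in events:
        if parse(ts) < before:
            baseline[user].add(tool)
    return baseline


def detect(events, before, window=timedelta(minutes=15), host_threshold=3):
    """Return behavioural alerts for events at or after the cutoff."""
    baseline = build_baseline(events, before)
    recent = defaultdict(list)  # user -> [(time, host)] within the window
    alerts = []
    for ts, host, user, tool in sorted(events):  # ISO timestamps sort correctly
        t = parse(ts)
        if t < before:
            continue
        if tool not in baseline[user]:  # native tool, but not BAU for this account
            alerts.append(("new_tool_for_user", user, host, tool))
        recent[user] = [(rt, rh) for rt, rh in recent[user] if t - rt <= window]
        recent[user].append((t, host))
        hosts = {rh for _, rh in recent[user]}
        if len(hosts) >= host_threshold:  # one account touching many hosts fast
            alerts.append(("fan_out", user, tuple(sorted(hosts)), tool))
    return alerts


def run_demo():
    return detect(EVENTS, CUTOFF)
```

On the sample data, svc-backup's wmic.exe use is baseline and raises nothing, while alice's burst produces four new-tool alerts and two fan-out alerts; in practice the baseline window and thresholds would be tuned per environment.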