The Cyber Jack Podcast: Does Ransomware Get Worse Before It Gets Better? - Huntress, John Hammond

On The Cyber Jack Podcast we sat down with John Hammond, Senior Security Researcher, Huntress to discuss skyrocketing ransomware attacks, ransomware gang activity, how organizations should be preparing, and if the U.S. government's actions against the criminal use of cryptocurrency is making any difference in the battle.

[automated translation for your reading leisure]


Jack 00:04

Today John Hammond, Senior Security Researcher at Huntress joins us to talk about the growing threat of ransomware the cyber criminals behind the attacks and the role of cryptocurrency in the fight. All this and more on the show. John, thanks so much for joining us today excited to talk about ransomware with you. As always, we kick it off with our guests telling us a little about themselves. Can you share a bit about your background and current role at Huntress?


John Hammond 00:41

Awesome, well, Hey, thank you so much, Jack for letting me come hang out for a bit happy to give a I guess a super brief background on myself. Hi, hello, my name is John Hammond. I currently work as a senior security researcher at Huntress. Traditionally, I come from kind of a little bit of a government military background, I got my feet wet with the US Coast Guard, then pivoted over to the department defense to work as an instructor and trainer for cybersecurity and cyber threat emulation, trying to teach some of the military personnel and civilians how to be an operator on the keyboard. And I went to try and go do that myself over at the defense threat reduction agency. And then our head honchos over at Huntress Kyle, one excellent fella, he, he reached out and said, Hey, john, you want to start doing this? You know, for the 99% for the small to medium businesses and managed service providers. And I said, Hey, you know, that sounds like a ton of fun. Now I'm partying with them over at untrust as a threat researcher working in understanding malware, and still trying to do a lot of outreach and education for shows like this.


Jack 01:42

Great. Well, we're happy to have you. And I know today we're talking about the threat of ransomware, which seems like every company's biggest security nightmare right now. And I know Huntress has really been in the thick of it in terms of ransomware. So I would love to hear from you what's been going on in the past year with ransomware. And the ransomware. Gangs behind the attacks.


John Hammond 02:02

Absolutely. Yeah, thanks for wanting to tune in on that. We have been trying to be in the trenches, you know, as much as we can be. We've been wanting to be on the front lines and just help the community in the industry. Because it's no secret ransomware has been a bit of a hot topic these days, I think especially this year in 2021. We've seen however many certainly double digits, maybe triple digits. I'm not even I wouldn't know the exact number off the top of my head. But you hear about the big ones. Right? We hear about Colonial Pipeline. Certainly we hear about JBS meat supplier, we hear the very, very recent ones. Now we're chatting about New Cooperative with the BlackMatter ransomware gang that could say of [inaudible] incidents, I think Fuji films, I think there was even the steamship, right, of course in Massachusetts. I joke occasionally, right? You wake up in the morning, and you normally just check your phone to see what's the news, the same way we would turn on the TV to maybe see what the weather is for the day, if you're going out to work. Now I know we're all working from home, we were living in different times. So now we're sort of checking the bad cyber weather. Is it raining ransomware this week, or this whole month? As it seems to be the trend this year?


Jack 03:11

Ransomware has been top of mind for pretty much every company that holds sensitive data over this past year. But a question that comes up a lot from folks that aren't too deep into the weeds is, do these attacks have a pattern? Do these ransomware gangs have some sort of order of operations?


John Hammond 03:29

Oh, so there's so there are a lot of really cool things to sort of unpack and chat about when it comes to ransomware gangs and these threat actors and what their patterns might be or what they go after and what they target. I think there's something to be said, of any threat actor, any ransomware gang, any bad criminal just trying to target below hanging fruit. We saw that certainly with the Microsoft Exchange incidents and those initial access and exploits could potentially lead to ransomware. Because those cyber criminals are just sort of scanning the internet in a spray and pray model to see what's out there. That's vulnerable. And All right, cool. Let's exploit that. Let's get some access. And now let's move on to the next thing. Let's target one after another after another and just try to cast a wide net in that attack. I think that's one potential. Right. And we certainly see that but the other patterns that you were alluding to, I think when we talk about some of those other big incidents this year, certainly JBS certainly colonial pipeline, certainly the kasay via say all of these have an interesting tidbit and that they all seem to occur on maybe a holiday weekend, or just a small little vacation, where the industry all of us workers and employees, we're kind of letting our guard down because we're ready to go to the beach and maybe have some pizza with the kids. Right? It's gonna be a Friday, and maybe we're just shutting down for the weekend because we know hey, we got some time off an extra day. In the weekend, well, that's the prime time for cyber criminals and ransomware actors to strike because maybe everyone's leaving early, maybe no one's checking the alerts and all those bells and whistles and alarms that go off on the dashboard. Maybe they just get overlooked, or it's a pain to be told as a responder, you know, in the defense. We've been working some pretty long weekends, it seems these days on on the holidays, we want to be with our families.


Jack 05:26

Yeah, it sure seems like these hackers are paying attention to the calendar for holidays and PTO but for the wrong reasons. So let's shift gears just a bit to protection. What are the best practices organizations need to be following to defend themselves against a ransomware attack?


John Hammond 05:44

I hate to sound like a broken record. You know, I hate to sound like just everyone else that says these same things. But the reason we keep saying the same stuff over and over again, is because these are the barebone basics, the absolute boilerplate, cybersecurity, hygiene, whoever you want to brand it, but it's the simple stuff like hey, having that long, complex password may be generated with a password manager, right? Whether you use LastPass, or any of the other specific products that might help with that not using the same password for every account. That's certainly one thing. two factor authentication certainly helps with access, etc. Using layered security solutions between Okay, ingress and egress filtering or having your antivirus and having whitelist, etc. Those are all necessary foundational things. When you get to the topic of ransomware. There's the clear and obvious issue. What about backups? Because if we have the entire network encrypted, or if we have one computer that's encrypted? Well, we might just have to roll back time and get back in action with our backups. The issue there, when you start to see a lot of these incidents, cyber criminals and ransomware actors, they know that you're relying on your backups. So you might try, they might try right now, those threat actors might encrypt your backups, that's a pain. So whatever you can do to have redundancy, whatever you can do to have prepared offline backups that aren't touching some portion of your network, they're just ready and waiting. And certainly having them tested and validated. I don't know how many organizations you can chat with or how many teams or security professionals you could say, Hey, have you actually either really tried to redeploy from backups before? Before stuff hits the fan before there's an incident and right in your lap, whatever you can do to be proactive to role play this out to do those tabletop exercises? I know it sounds cheesy, but it's it pays in dividends when it's really time for action.


Jack 07:45

Yeah, with ransomware -- it seems like preparation is just everything. But I did want to ask you as these attacks become more sophisticated, what are some new procedures or tools that companies should consider adopting to prevent ransomware attacks?


John Hammond 08:00

I think there are efforts, I think there are initiatives and things that we've tried to do as part of the industry because a lot of the playbook that ransomware actors use and operate with. And we see that specifically with Conti. Right when we had the Conti ransomware. Tehir leaked playbook. And we've done so many analysis between Ryuk, and obviously REvil and DarkSide all of these different gangs and syndicates, they sort of go through a weird checklist or strange order of operations. Is there any aspect that we could break in that chain? I think there are some open source tools out there. And I really want to actually venture that if you do your own research if you do your own homework. Florian Roth, one incredible researcher has put out a tool Raccine that sounds like it's meant to be a vaccine for ransomware.


So if it can detect maybe the use, or the behavior of deleting volume shadow copies or trying to remove backups, those things will just try and neuter and kill the offending process or the evil payload that might be delivering that. That is one great step in the tool and technology aspect. We also think about canaries, we think about sort of a little trip wire or something that will really act as the indicator we are seeing malicious activity we are seeing encryption take place. I think that is another strong contender for tools and technology that can help us just try to add little honey pots, right, that might be able to better detect and help us better respond when we see ransomware being deployed.


Jack 09:35

That's great. Thanks for sharing that insight. And there's also been movement in terms of public and private sector collaboration on ransomware. Can you talk a bit about how the US government is responding to ransomware? For example, the latest sanctions on cryptocurrency exchanges. Is that really doing anything?


John Hammond 09:54

Yeah. Oh, thanks so much for asking that question because that is certainly a case of worms. I don't I don't mean to try to act as if I have all the answers. I don't mean to act like as if I know everything, but I think it's clear. It's so evident that cryptocurrency is one driving factor in ransomware in the world today, right? Because the cyber criminals can demand cryptocurrency, whether it's Bitcoin, whether it's Ethereum, whether it's Mineiro, or what have you, that gives them that gives the hackers and the criminals that gives them the advantage. They have this perfect getaway car. Because you're relying on a form of currency, you're relying on money that has no physical trace, you have no accountability, you have no, there's a certain amount of permanence, right? Once someone sends that money, they can never get it back unless the recipient were to just give it back to them. It's such, the perfect getaway car is really what I've kind of come to describe a lot of cryptocurrency and ransomware. Acts, when you talk about what can we do to stop that? Yeah, you get into the discussion of Hey, what is government? And what are the federal agencies doing in the realm of cryptocurrency? Because we ask ourselves, should we make stuff like this Bitcoin? Ethereum. Should we make that illegal? I don't know. I don't know if that's the right answer. It obviously has its own unique purpose and functionality, but it's being used and abused by ransomware gangs, this sanction that has come now from the Department of the Treasury. I have I'm hopeful, this is very, very new. I think as we're having this conversation jack that might have released this week, that maybe just a few days ago, it's too early to tell how this will impact cybercrime or if it will, even. But I think that it is a step, a step forward. I don't know if it's a step in the right direction.


But it's better than not doing anything at all, because we've tried that. And we see that that doesn't work. For too long. victims have been helpless. And cyber criminals and ransomware actors are using this, like it's open season. So I think some efforts some thing is the best that we can do to try and combat this.


Jack 12:18

So how do you think this evolves? Is ransomware going to get worse before it gets better? Or is there going to be some sort of breakthrough?


John Hammond 12:27

Now I'm not Nostradamus, right? I don't have a crystal ball. But and I don't mean to be all doom and gloom, or Fudd, fear, uncertainty and doubt, I, I think it will still get worse, I think we will still see incidents, I think we will still see ransomware activity. And it's going to go on for a while until we figure this out until we crack the case and get something better in place. And that seems to be this treadmill that we're on and that we're in security, right? Where we have these poor victim businesses, organizations, we have vendors trying to sell and promise and act as the Savior. But still these incidents are happening. Again, I don't know the answer. But I don't get it is certainly something that we need to pay much more closer attention to all these efforts that we're seeing from government from the federal agencies from these taskforce we're creating, these are the right moves. But it is going to take everyone playing in concert, it takes a village really to take down these threats.


Jack 13:31

Absolutely. So do you have any final parting words of wisdom for our audience of CISOs and security professionals,


John Hammond 13:38

I would out offer. Look, we all have to be in this fight. That includes every single one of us. And the most tactical way to do that is to keep your ears to the ground and be looking for this new threat intelligence keeping up to date with indicators of compromise, really diving into what's going on in the news, these headlines of what the attacks are happening and how they happened and what we could better understand from them, really knowing the adversary understanding what we're up against. I think it's extremely valuable to hunt to actively look for where things could be going wrong to try and find malware in your network to try and find indicators that there's access and there's some other evil lurking in the organization. You have to look at it. You have to go hunt it down. And you really have to brace for what's out there.


Jack 14:32

Well, there it is, believe all the listeners with that. John, thank you so much for being here. We really enjoyed the conversation on ransomware. For all you listeners. See you next time.