The Cyber Insider
Decoding the Cybercriminal Mindset, with Ryan Chapman
This month’s guest of the Cyber Insider is Ryan Chapman. Ryan is the author of SANS Forensics FOR528: Ransomware and Cyber Extortion and a Certified Instructor for SANS. In his day job, he works as a consultant for threat hunting and incident response. Ryan often presents at conferences, including running workshops at DefCon for the last four years running. In his free time he watches anime with his daughter, plays plenty of Street Fighter, and enjoys retro video games.
Ryan highlights the significance of security fundamentals in preventing cyberattacks. He emphasizes that many organizations still struggle with basic security practices, such as implementing multi-factor authentication (MFA) and patching vulnerabilities. In this podcast episode, we also touch on the topic of understanding the cybercriminal mindset and how it can help in the fight against ransomware:
"Engaging with cybercriminals through interviews can help humanize them and provide valuable insights into their motivations and tactics."
By conducting interviews and engaging with threat actors, researchers and law enforcement agencies can gain valuable insights into their mindset and strategies. Our guest cites the example of ransomware actor Wazawaka, who has been known to provide interviews and share insights into the ransomware landscape. These interviews not only shed light on the tactics employed by cybercriminals but also provide valuable information for prevention and mitigation strategies.
All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
0:00:15
Luke Connolly
Welcome to the Cyber Insider, Emsisoft's podcast all about cybersecurity. Your hosts today are Brett Callow, threat analyst here at Emsisoft, and I'm Luke Connolly, partner manager. Our guest today is Ryan Chapman. Ryan is the author of SANS Forensics FOR528: Ransomware and Cyber Extortion and is a certified instructor for SANS. In his day job, he's a consultant for threat hunting and incident response. Ryan often presents at conferences, including running workshops for the last four years running at DefCon. He spends his free time with his daughter, watching anime, plays plenty of Street Fighter, and enjoys playing retro video games.
0:00:56
Luke Connolly
Ryan, welcome.
0:00:59
Ryan Chapman
Thank you.
0:01:00
Luke Connolly
I provided a brief bio. Can you expand on your experience and your area of expertise? And along that line, for people listening who may not have heard of SANS, or maybe they've heard of SANS and aren't familiar with it, can you describe for us what is SANS?
0:01:15
Ryan Chapman
Yes. So I've been working in digital forensics and incident response for a little bit over twelve years now, and I started in a security operations center, moved over to a CERT, and then moved into consulting. So I was doing IR consulting, when the hackers come in, one of our teams gets called in kind of thing, and it was a rush, straight up adrenaline junkie for it, but it got to be too much. So work-life balance-wise, or lack thereof, I should say.
0:01:44
Ryan Chapman
So in the past couple of months, I actually transitioned over to managed threat hunting. So I get to basically hunt for threats within large client environments. And that's also very fun. Not so much when you have to inform them of something like, hey, this is really bad, you need to go look at that. But I've been working for SANS now for about four years, and so the SANS Institute has been around since, as far as I know, the late nineties at least.
0:02:07
Ryan Chapman
And it's primarily focused on security, ongoing training and education. So you take a four, five, six day course on a particular topic, be it offensive operations or digital forensics, like what I do. They've got management courses, things of that nature. And so my course is on ransomware and it's specific to ransomware in terms of prevention, detection and hunting. And we see the numbers going up and up for ransomware, and I don't want that anymore. So trying to help educate the global community, the royal we, so that we can be better prepared to prevent it and get rid of it.
0:02:46
Luke Connolly
I think SANS actually, just doing some research before this, I think SANS actually started in the late 80s, so its founding was contemporaneous with the Morris worm, which allowed people to look up on their own time on Wikipedia.
0:03:03
Ryan Chapman
Yeah, we can probably date ourselves if we start talking about the initial things we worked on and looked at. For sure.
0:03:12
Brett Callow
What's the difference between an incident response consultant and an incident responder is the one.
0:03:22
Ryan Chapman
So typically we consultants are third parties, so we're brought in via the first party. So usually the victim. Right. Or we're brought in via insurance, or legal counsel will typically bring us in. And to me, an incident responder is anyone who is going to be dealing with an active incident. And so many times organizations feel we don't have incident responders. I'm like, yeah, but you do because you have people in IT.
0:03:50
Ryan Chapman
And some organizations say, well, you work in IT, so you're our incident responder, without any formal training or whatnot. But incident responders can be someone on a security operations center, computer incident response team, or CIRT, CERT, however it's defined at that given organization. And typically their job is to be the ones to respond to an incident. But in my mind, anyone, including folks who are on the applications teams, the server teams, the software patching cycle teams, those folks are all going to be involved in a large scale incident. So I consider them all incident responders.
0:04:27
Ryan Chapman
But we third party consultants live a life where it's day to day incidents. And so we see this wide breadth of various types of attacks, going from a simple cryptominer all the way up through a crazy large ransomware case, and then leading up to something like an advanced persistent threat attack, something like that. We have Magecart attacks in the middle of that. Financial crimes, stealing and scraping credit cards from websites, we see it all.
0:04:56
Ryan Chapman
And I think that internally, one of the issues that IR folks have when they say, I'm an incident responder, but they don't feel confident about saying that is because they haven't worked a ton of incidents, which honestly is a good thing for the most part. Right. You don't want to have worked tons of incidents for your organization because that points to a poor security posture. But yeah, I think overall, we're all in it.
0:05:20
Ryan Chapman
We should all have the mindset that we are a responder, and all we have to do is just be confident and capable with our particular realms so that whoever's actually running as like, the incident commander, we can help them and provide whatever answers they need whenever they need them.
0:05:38
Luke Connolly
So you must have been at this for a while, so I'm sure you've seen some really unusual cases. What's your most interesting war story?
0:05:46
Ryan Chapman
My most interesting is going to be my first, and that was back in 2012, and it was the early days of Carbon Black, the endpoint detection and response software. And I had never seen an EDR before. And I found myself in an environment where we had multiple APT groups from a particular country. I won't name the country, but you could probably guess within two or three guesses. And I was able to actually monitor the commands they were running nearly in real time. It was just seconds away from as they were running them.
0:06:20
Ryan Chapman
And while it was my initial foray into incident response, it was also one of the most capable threat actors I've seen to this day. And every little thing that we were doing, we would then see them undo it right away. And like, for example, we would do some registry change, and all of a sudden we would see them do a reg delete or a reg add from the command line. And we'd be like, okay, how'd you see that so quickly?
0:06:47
Ryan Chapman
What's going on here? And they were so persistent. So some examples is we identify, okay, they're coming in via RDP. So we drop RDP from whether geolocation or however we were doing it at the time. And then they'd come in via the VPN, and we're like, oh, okay, well, they have access to these accounts, let's just disable these accounts. And they come in with more. And then they come in with more. And they were like, okay, you know what? We have to just drop VPN, except for just us.
0:07:12
Ryan Chapman
And then one of us had their credentials utilized, and it was like, how are they doing this? And they just kept coming back and back and back. And then we eventually dropped all VPN connectivity. The company was affected, and all of a sudden they had these backdoors and we found them active on other machines. We're like, stop it. And it was this game of cat and mouse. And while working in IR, especially as a consultant for the past four and a half, almost five years, doing third party consulting, you work day to day incidents.
0:07:44
Ryan Chapman
And the only threat actor I've seen who's as persistent has been Scattered Spider, also known as Muddled Libra and a number of other names that they have assigned to them. But their ability to get back in was on par with this initial group. And whenever I think about it, it's just crazy watching them literally undo everything that we had just done. In order to prevent them, we're doing a deny terminal services connection at registry key. We're turning off terminal services, RDP, and they just enable it right back. And then we remove users from Remote Desktop Users, and then we see them on another machine using a domain admin account, adding them right back. And it's like, stop it.
0:08:23
Ryan Chapman
And so I think that's my favorite war story, just because it was literally like a war. It was like an active real time engagement, and it's not as common these days, especially working a lot of ransomware cases that we see that level of skill.
0:08:38
Brett Callow
You mentioned Scattered Spider. Just for the benefit of people who may not be familiar with them, what can you tell us?
0:08:50
Ryan Chapman
So I have so much to say about them. There's a group that's known as the, and there's a very large, let's say very large subgroup of threat actors who specialize in multifactor authentication bypass, social engineering of help desk environments, and then SMS phishing, so smishing, as we call it, so phone based phishing. And a subgroup of this is known as Scattered Spider. That's CrowdStrike's term for them. Palo Alto calls them Muddled Libra. There's a number of other names. Microsoft has their own name for them, but it's primarily this group of, I believe the last estimate was 15 to 25 year old males, for the most part, because they're so juvenile. And they hang out in these groups where there's just constant onslaught of large organizations, including like telecoms are a big one that they're constantly trying to get into.
0:09:52
Ryan Chapman
And they're really good at getting into very secure environments. They're also good at getting into non secure environments because, duh. But we have our MFA set up. Not we, I'm just saying the royal we. The client that I've worked with may have MFA on even RDP. A lot of people don't have that remote desktop protocol. And this group will just, they're so good. I mean, they'll go on a video call with the help desk, and they'll show their face and everything and say, hey, I'm so and so, and I work with so and so. Then they'll have another one come on to the video call and be like, yes, I'm so and so's manager. This is me. I'm verifying my identity.
0:10:30
Ryan Chapman
And the help desks often, especially those third party help desks, sometimes will be like, oh, okay. And then they'll reset their passwords. They'll even reset MFA, just take off the phone associated with it or whatnot. That's one of the ways that they get in, just straight social engineering, but of live interactive human social engineering versus like a phishing email. Right? And then another thing they're really good at is what's called SIM swapping.
0:10:56
Ryan Chapman
So most of our phones have what's known as a SIM, whether it's internal or literally when you pop in and know, and that's where your account is basically stored. And so if you were to change phones with certain providers, like non-CDMA, for example, is the most common, and you can just swap the phone and take your SIM card out, put it in the new phone, or if for whatever reason you lose your phone, you might have to purchase a new phone or a new SIM card.
0:11:25
Ryan Chapman
And so what these threat actors do, the Scattered Spider group, is they're really good at social engineering telecoms, so I should say mobile providers. And they'll call them up, they'll go into the store. They have this wide network where they have like one person holds the phone, one person works the actual social engineering attack, the other person is the one who gains entry. And then once they've gained entry, they hand it off to another group who does their thing.
0:11:52
Ryan Chapman
They're really good at bypassing MFA via SIM swapping. And one of the ways they do that is, for example, I was on a call one time with a client, actively on a call with a client, mid engagement, and the call dropped. And I just thought, okay, well, he'll call me back in a couple of minutes or whatever. So about 15 minutes later, he calls me back via FaceTime and he's like, so I just got SIM swapped. I was like, what?
0:12:21
Ryan Chapman
He said, yeah. So what happened is the threat actor, they also have these people on payroll, and so Scattered Spider has this network of people who work at stores where they, I won't mention names, where they sell cell phones, know, cellular services, and sometimes they'll actually steal the management pad. There's these little, I don't know if they're iPads or other, but there's these pads that allow for swapping of accounts that typically the manager of a store will hold, have access to. And they'll steal those, like literally just take them out of the store.
0:12:53
Ryan Chapman
So they have people on payroll, essentially, they have the ability to steal some of those pads and then social engineering. And if you have your multifactor set up to use SMS text messaging to where when you log in, you get a text message that says, here's your code and whatnot, they love that. So be careful with that. For anyone watching, if you're using a multifactor authentication, try to avoid using SMS applications that are installed on the phone, especially those that require that you put a number in when the app pops it up. A little notification are more secure. I was going to say far more secure. I'm going to go with more secure because of this group and groups like them. And they're so good. They're so good. Once they get into an environment, they can go anywhere.
0:13:39
Brett Callow
In terms of trends, what really jumps out at you over the last year?
0:13:45
Ryan Chapman
That's the trend. Those are the trends right there that that group is utilizing and it's SIM swapping and smishing. And overall years, for years, most organizations didn't have MFA leading up to. It was only like what really four or five years ago when it started to become like fairly commonplace. Know, organizations implement MFA in the first place. And now that we have know, we're like, oh, we're compliant, we have like, we're no, you may not be fine, especially just because of simple social engineering.
0:14:20
Ryan Chapman
So I see SMS phishing, smishing, as this new trend that's going to get worse and worse and worse. And it's because if you think about it, most organizations still use a BYOD, a bring your own device policy, and few of them are using MDM, mobile device management. I'm going to have acronyms all day long. But so mobile device management allows the organization to have purview over that mobile device, to be able to implement their firewall rules on the mobile device, to be able to identify malicious numbers, or even just malicious providers like anonymous phone number services, VoIP services, things of that nature.
0:15:03
Ryan Chapman
But so many users just have a phone, and a lot of folks just pull a phone out of a drawer from years prior and go, oh, I'm going to use this for my work phone. And these phishing messages, there's very little oversight into the phish messages coming in. And when the user clicks on one of those links, I said click, but when they tap on one of those links and they enter their credentials, you're not seeing that because it's not on your network, it's on the user's mobile network or on their Wi-Fi connected on their home connection, and they're becoming more and more successful and it's worrisome. And I think that more organizations need to look into MDM.
0:15:42
Ryan Chapman
Of course, that's easy for me to say because I'm not fronting the bill. They're not cheap solutions, if you will. But it just worries me that there's so many phones out there that are susceptible to being attacked and these threat actors are well aware of it at this point.
0:15:59
Luke Connolly
Actually just this morning, and I'm sure you guys were the same in most of our audience, I got one this morning that was kind of funny in terms of it wasn't at the high end of the gene pool for an SMS attempt. It said, hello, dear. This is whoever from wherever. It's like no one calls me dear. It was a poor ESA attempt. I get, everyone asks me every week, I get a question from a friend or an acquaintance.
0:16:31
Luke Connolly
I get this text, should I respond? No, the answer is no. Don't finish your sentence. The answer is no.
0:16:40
Ryan Chapman
Delete.
0:16:41
Luke Connolly
Yeah. In terms of pre incident planning, are there some fundamentals that companies still get wrong?
0:16:51
Ryan Chapman
What do they not plan for? The fundamentals themselves. My take on things is that if organizations around the world paid more attention to what I like to call security 101. A former manager of mine, Sean, if you're watching at this point, hi, Sean, used to say companies are terrible at security 101. And I mean basic things like you set up your Active Directory, you have, whether it's ten or tens of thousands of users, you have permissions just over-permissioned like crazy.
0:17:27
Ryan Chapman
I wasn't getting into too many specifics, but overall it's security 101. And what bothers me is that ransomware is successful. My world is ransomware and I'm obsessed with it. And the top three infection vectors are RDP being open on critical servers with poor passwords and no MFA. Security 101. Those are all security 101 things. Phishing, which is things like not blocking, in your email security gateway, certain attachment types.
0:17:56
Ryan Chapman
There's a website called filesec.io, I believe it is. And it lists all these different types of attachments, potential attachments that should be blocked, like a cab file. Cab is a Microsoft cabinet file. It's what they use for a lot of their Windows software. They don't use zip files internally in Windows, right? They use cab files. Why would you want to attach that to an email? Why would that need to be able to get through your email security gateway? And so that's just one random example for phishing, is just not blocking malicious file attachment types.
0:18:32
Ryan Chapman
Another most common top three for ransomware is software vulnerabilities. And where do most of those come from? Well, when I say when they come from, I mean where does the problem really come from? It comes from poor patching cycles or inadequate patching cycles, or, oh, we patch within 60 days. Okay, that's kind of long. Now, I know we need to test in dev and then push it out to this group first. Like, okay, well, you need to cut that.
0:19:01
Ryan Chapman
60 days is way too long. 30 days is too long in my opinion. And then you've got groups who just outright fail and there's so many. So if you're out there watching, hey, pay attention. Your network appliances, your firewalls, your VPN concentrators, the things that we purchase and implement and maintain to help secure us, we're not patching those. And many of them end up with vulnerabilities. And oftentimes ransomware and other actors find that and they go, ooh, cool.
0:19:30
Ryan Chapman
And what are the things I just mentioned? Having RDP open to the Internet on a critical server, not blocking well known attachment types that should be blocked and not allowed to ingress into your user email boxes and patching. Right. I mean, we could talk about asset management and all these things. They're all security 101. And I just see that it's such a problem and I don't know if it's ever going to get fixed because too many organizations have become complacent with the way that they're doing things and they don't realize change is needed until something bad happens.
0:20:07
Luke Connolly
It's funny. Sorry, I'm just going to do one link here. I know that you interviewed, and part of your job with your webinar is you interviewed Sherrod DeGrippo in November, and we interviewed her as well in August of last year, 2023. But when you were talking to her, she mentioned an essay written by Bruce Schneier in April 2000. And the title of the essay was security is a process. And you read the essay today, which I did, and almost to the letter, it's all still applicable.
0:20:41
Ryan Chapman
100% agree. By the way, I, we love her. The royal we love her. We even had her as a keynote for a conference, for CactusCon in the Arizona, in the United States area this past year. Absolutely love her. Hi, if you're watching, by the way. And that paper, you read it today and it's like it didn't age at all. It's the same concept, still applies. I look back at talks from security conferences from ten years ago and I go, yeah, that right there, that's still a thing.
0:21:17
Ryan Chapman
And it just doesn't seem to be kind of catching on. And I'm not sure when it will, which is one of my big things, is trying to help with that.
0:21:29
Brett Callow
Governments are certainly taking cybersecurity more seriously, I think, than they've done in the past, but are they doing enough and are they doing the right things?
0:21:42
Ryan Chapman
I think that many government organizations around the world are doing things where they say, you need to, you need to, you need to, rather than saying you need to, and here are resources to do it, you need to, and here's funding to do it. You get the idea. So I don't think that they're doing a very good job with enabling. I think it's more of a shaking of the finger. And while that's where you want to start, you have to do this.
0:22:16
Ryan Chapman
That's great, but then how do we make that happen? So, organizations in healthcare who work with protected health information, PHI, they're told you have to comply with all these things, and then there's really not a lot of assistance with learning about them. Just being told you should have endpoint detection on all your hosts. Right. There's many organizations out there who are like, first off, Google or Bing, if you're a Binger, endpoint protection software.
0:22:55
Ryan Chapman
And then 40 vendors come up and they're like, okay. And then they have to try to run a proof of concept, a POC with one of them, and they have no idea what to look for. They have no idea. Oh, we caught these seven alerts on our test. How many commands did he run? 117. Is that good? They don't know what they're looking for, basically, is what I'm saying. And I think that we need a lot more resources that are government driven, especially training.
0:23:22
Ryan Chapman
We provide training through SANS, and we have government discounts at SANS, but that's not the government coming in and saying, hey, you in these critical sectors, here's some courses. And I don't mean just SANS courses. I mean just any types of courses. Or for that matter, here's a bunch of free resources. There's one person out there that just came to mind randomly. She goes by DFIR Diva, DFIR and then Diva, Diva. And her mission is to amass as much free training resources as she possibly can.
0:23:57
Ryan Chapman
And I've thought many times in the past, I've just sat there and thought, what if she worked for the US government? And what if she pushed really hard to get that more formalized and driven out? If she ever watches this, she's going to be like, whoa, whoa, Ryan. But we have people in our community who work their tails off trying to provide a ton of free resources. I do a lot of it myself, and I just don't see the governments doing a lot of that. And I think that there could be a better job done there. And I'd be remiss if I didn't mention that in the United States, we have this group, the, run through the United States Secret Service, which I'm not sure if many folks in the United States know about this. Many ransomware cases, when they get reported to law enforcement, it'll typically go to the FBI when they're worked, like hands-on worked. However, the actual responses are typically handled by the Secret Service.
0:24:58
Ryan Chapman
Most people don't know that. And most people see the Secret Service and they think, presidential protection, bodyguards. There's a lot more to the Secret Service. They run a group called the National Computer Forensic Institute, NCFI, and it is phenomenal. They have amazing training, but they are so under-resourced compared to what I would love to see, right. And getting a lot of law enforcement agencies and things of that nature trained up. But I had to make a shout out to them because I've worked with them before, and if any of them are watching, I didn't want them to be like, hey, we're working out here. Like, yes, they are.
0:25:37
Luke Connolly
So some researchers and reporters actually engage with cybercriminals for the purpose of producing reports and stories, and that's been the subject of some criticism. On the one side, there's the argument that researchers learn valuable information that ultimately may be helpful in countering threats. But on the other hand, interacting with cybercriminals glorifies their actions and by doing so, helps with their messaging sometimes and encourages them to continue. So what's your take on this?
0:26:09
Luke Connolly
Should we be engaging with them and platforming them?
0:26:14
Ryan Chapman
My response might be a bit polarizing for anyone who watches or listens, but I'm of the mind that we should be interviewing threat actors who want to do an interview. And my whole thing is, I want to humanize them. When I say the media, I mean, whatever your media intake methodology might be, right. The media portrays, for example, ransomware as this massive, crazy, ridiculous threat. There's no stopping it. And it's just this mythical creature, essentially this living entity.
0:26:48
Ryan Chapman
Now it's humans with their hands on the keyboard doing dumb stuff and being criminals, right? So I look at it like a good example would be a particular fellow who goes by the name Wazawaka, along with a number of other names. Ransom Boris is one of his names. He is prone to doing interviews, and I absolutely love those interviews, because the more you get people like him to just talk, the more you understand their mentality, the way that they think.
0:27:21
Ryan Chapman
And they do give tips and tricks on how to approach the overall situation. And sometimes they even will do. Like, when you ask me, what are some trends you're seeing, ask them like, hey, what are some trends you're seeing? And then whatever trends they're talking about, go focus on those. That could be a problem. But I like the overall humanization factor of it. They're people. Yes, they're criminals, but they're people. And the more we understand that it's not this imminent threat that is mythical, but rather is a human being or a group of human beings operating a business as they see it, the better.
0:28:03
Ryan Chapman
And I think a good example of that is I was working a case with the former. They're no longer around. Well, the team name is no longer a brand, but the actors have moved around. But it was a team called the Maze team. Like, you're traversing a maze. And they were, in 2019, the ones who basically made popular data exfiltration, stealing data from organizations and using that as typically a second form of extortion.
0:28:29
Ryan Chapman
They're the ones who made it really, I don't want to say popular, but basically popular with the other ransomware actors who were like, oh, yeah, that's useful. We should do that. They put a press release out in July of 2020, and many of our countries were in the midst of lockdowns, and we had COVID-19 and it was this crazy world environment. And their little press release was like, hey, we know that we are in a worldwide economic crisis.
0:29:01
Ryan Chapman
Dot dot dot. TL;DR for listeners: we don't care. It doesn't matter to us. We're also hurting for money. So, sucks for you, basically. And then they laid out these additional parameters to working with their clients. They call them clients, by the way, not victims, but their client or their partner. And just reading through the press releases really gives you a better feeling for how they think and how they operate. And those types of things can help with things like negotiations and understanding, truly, the intent and the, let's just leave it with intent for right now, of these actors and how far they're willing to go.
0:29:44
Ryan Chapman
I think that's important. And I don't mean to give them a platform where we're going to have on a national news channel like, hey, this is so and so. And he's ransomed 30 hospitals the past year. Let's talk to it about all that. But just having a group with a spokesperson and seeing that person and realizing you start to, I should say, not instills, I think it removes a bit of the fear of this unknown entity. And I think that's a good thing.
0:30:16
Brett Callow
Yeah, I agree. We actually asked Ransom Boris to contribute to our annual predictions blog post.
0:30:26
Ryan Chapman
That's right.
0:30:27
Brett Callow
Which you did too. And he actually came up with quite a thoughtful response.
0:30:34
Ryan Chapman
I totally forgot about it. That was just a couple of months ago too. Yeah, I loved seeing his name in there. I was like, ooh, check it out. I think that's important. I don't think that it's trying to make them famous. Or in some cases maybe you do want to make them famous. Like, hey, this is a person. And by the way, that's the person right there. Yeah, I loved seeing that in that article. And I think another thing that it kind of helps squash is that these are not just, what did I call it? A mythical creature or a mythical entity that doesn't exist. Right.
0:31:08
Ryan Chapman
Not only are these humans, but for many of these actors, the royal we, not the world per se, but many people in the research community, they know who they are, they know who the actual human being is, what they post on their social media profiles, what they're up to, how they launder their money. A lot of these things could be a little more public knowledge. And a lot of folks don't realize that they typically reside in, I'll just call it non friendly countries.
0:31:38
Ryan Chapman
Right. Countries where they're going to attack their, you know, they don't have extradition policies, for example. Right. So RansomBoris is a very well known entity, but they're not going to send them. They're like, all right, yeah, got on over to the United States. That's not going to happen. Right. So I think that giving them the ability to let us see them as a human being, I think it's important.
0:32:02
Brett Callow
Yeah. And I think what a lot of people probably don't realize too is that there are quite a few occasions where relationships with the threat actors have enabled people to walk them back, to talk them back from doing some quite bad things.
0:32:22
Ryan Chapman
I like that a lot, actually. Many of the ransomware actors for the folks watching that may not be aware, they communicate via these darknet forums. Darknet simply just meaning that you have to usually connect via a Tor circuit. In other words, just using Tor. Right. And you connect to, whether it be a marketplace or a forum, a lot of their discussions are public, at least in that forum. And being able to review those and see how they operate and see how they interact and see how they communicate, I think that's really important.
0:32:57
Ryan Chapman
And I think being able to have any type of influence on some of them just like you mentioned. Sounds like it could have a lot of positives.
0:33:08
Luke Connolly
An interesting anecdote that I heard just recently or late last year, is that on a lot of these sites, and I'm sure you guys know this, but on a lot of these sites, there are socks or people acting in disguise, whether they are researchers or law enforcement personnel. So sometimes you have people talking to each other and you're not sure, am I talking to law enforcement? Am I talking to a cybercriminal? Or am I talking to a researcher who is maintaining an identity on this site?
0:33:38
Ryan Chapman
Right. Brett, wouldn't it be funny if you and I have talked to each other before? That would be hilarious.
0:33:48
Brett Callow
Finally, a question that we ask to everybody. None of our counter ransomware efforts are working. The problem isn't getting any better. Should we just ban ransom payments?
0:34:00
Ryan Chapman
That's a rough one for me to answer. So because of my course and because of how many presentations I do on ransomware, I have to be very careful for my answer in terms of not saying what I really want to say, which I'll say right now, no one should ever pay ransoms because then it would just go away. Done. Right. Yeah. In a perfect world scenario, if everyone stopped paying ransoms, then what would be the utility in performing the attacks? Right.
0:34:29
Ryan Chapman
But when it comes down to, like, I'll just say legislation, no, that's a little too US-centric, I guess, when it comes to laws and putting them in place and banning ransomware. Sit. And I think about what happens in many countries when a human is kidnapped, which, by the way, we're fairly lucky here in the United States that it's not anywhere near as common as it is in many other countries around the, you know, if a human being is kidnapped, is it illegal to pay a ransom to get them back?
0:35:03
Ryan Chapman
Right. Is that illegal in many countries? It's not illegal in many countries. It's actually suggested, yeah, just go ahead and pay the ransom. What do I think about ransomware payment bans? And I just repeated the question so I could buy myself more time. See, I did that. I think that banning could be problematic because when it comes down to it, it's a utilitarian decision. It should be a utilitarian decision. What's going to do the most good for the most number of people?
0:35:34
Ryan Chapman
Unfortunately, there's a lot of unknowns in that. A lot of people don't realize that some of these cybercriminals, the funding that does go to them, is used for some devious stuff like business email compromise, which is simply when a business email system is compromised. Hence I guess the name, right. There's a couple of groups, including one very large one who I don't want to mention right now, out by their name, but they are notorious for basically slaughtering entire villages of people, of human beings and just snuffing out life. And they use BEC to fund a lot of their basically I've just considered like a pirate kind of lifestyles.
0:36:20
Ryan Chapman
And we haven't necessarily seen, at least I haven't yet seen that directly attributed to ransomware. But you never really know where that money is going. Is it going to a number of fancy cars in a large garage or is it going to something a lot worse? But I always take the easy way out and say that some organizations, if they were not to pay, then they would have thousands of people lose their jobs and there's no way around it. At the same time, when you pay a ransom, you have to remember you're working with criminals.
0:36:54
Ryan Chapman
That's who you're trusting. You're giving implicit trust to a criminal and that's never really a good idea. Right. So I don't think that most ransoms should be paid. I think that 99.9% of ransoms should not be paid. But I think that if governments go around and make it such that there's additional fines on top of or jail time or whatever it might be, it's going to complicate things for organizations who have no other choice but to take that risk.
0:37:27
Ryan Chapman
And it is a risk paying a ransom. So I think that as opposed to banning the payments, that we just need more government funded. I mean around the world, not just US-centric, that we need a lot more training and a lot more security 101 reviews and oversight and fewer at the same time, fewer checkboxes because we have so many programs that end up just, you know, oh, I checked a box, I checked these boxes so I'm secure and then meanwhile, not really at all.
0:37:58
Ryan Chapman
So that's my sneaky answer to that question.
0:38:02
Luke Connolly
And with that, I'd like to thank you, Ryan, for joining us today. It's been really interesting to learn from your experience as an educator and with incident responses. So as always, thank you very much. And we'd like to thank our listeners as well for tuning in to stay up to date on the latest cybersecurity. Be sure to subscribe to our podcast, our.