Mathew Schwartz: How can we expect to see cybercrime evolve over the next year? Hi, I'm Mathew Schwartz, executive editor with Information Security Media Group. And to help me answer that question and share his prognostications, I am joined by John Fokker, McAfee Enterprise's principal engineer, and also head of cyber investigations for its Advanced Threat Research group. John, great to have you back.

John Fokker: Great to see you again, Mathew. Always a pleasure.

Mathew Schwartz: Thank you. Well, it's always great, interesting, fascinating and sometimes horrifying, to talk ransomware with you, and you've been looking at the state of play, and where you think this whole little ransomware thing is going to be going in the future? If you please, share some of your findings.

John Fokker: Yeah, and it's no secret that I have an interest in ransomware, that's kind of obvious, that's been pretty obvious for the last recent years. And every year from McAfee Enterprise, we bring out our threat predictions. So we look: what can we expect ahead? And actually, it was, maybe you can say I'm cheating or not, because it's already happening, as we can say, but still, when we wrote this up, it wasn't going on at that time.

So we're, we can still call it a prediction. But anyways, what we're seeing and what we think is going to happen, that there is going to be a power balance shift. So historically, and we've reported on this, and I think it's been explained in the media quite often, is that if you look at ransomware as a service, it was pretty much from the beginning, when it started with CTB-Locker, like, years back, a pretty - how would you say? - there was a strict hierarchy, it was kind of a pyramid type of structure, where you have the ransomware developer at the top, or the admin system, I call it, and they would say: OK, I need people to distribute my ransomware. So that could be in this case where people who own the botnets, or could do spamming runs and things like that, and they would get a percentage and it worked all the way down. And if you do not perform, so you do not send out X amount of installs or whatever, they'll kick you out. This kind of evolved, and it went on; that model was something that we saw with GandCrab, really, really obvious because they have had a lot of, like, job interviews, and it transitioned over into REvil.

And the funniest thing was happening, actually; we think it's part of a result of, like, the things happening with the Colonial Pipeline attack and all the major attacks happening in the U.S. where, at a certain moment, ransomware always had a safe haven on cybercriminal forums. So there's a couple of top-tier Russian-speaking cybercriminal forums where ransomware actors could actually open up shop, they could present what they had, and they could invite people to join their ransomware gang in order to infect people. And what we saw, that as a result of basically the political reaction to the very impactful ransomware attacks, they banned the sale of ransomware. So inevitably, what they did, they made sure that these ransomware actors did not have a shop. They're probably still around on the forums, but not as obvious. So you see it: they're not really portraying that top-tier place that they usually have. They lack arbitration, for instance. So if you're not, if you're an affiliate, and you got scammed by a ransomware actor, there's no way to complain. Because the forum would do that for you, you would have that, you would see if a ransom actor would come on a forum, or ransomware group, if they made a deposit. So how trustworthy are they?

They were being somewhat held accountable by the other set of cybercriminals that are on the forum. And that whole power balance, because they were bad, is starting to shift. And not only that, we saw some other things happening that in spite of, and it's funny, because I come from organized crime. And if there's a lot of money involved, there's always people unhappy. I guess it's not only crime, but it's probably also true in business. And there's always people that feel that they are entitled to more. And in this case, it was the same thing with, I believe, with Conti ransomware, where an affiliate - somebody who actually worked and did the installs, did the intrusions on the network - wasn't happy with the amount of pay that he received. So they were attacking organizations, extorting them for millions of dollars, and all he saw was a $1,500 paycheck every week. Well, mind you, it's a decent pay but it's not in balance to, or according to him, it was not balanced to the income or the profits the ringleaders made. So he decided, like, Oh, I'm not so happy with this. I'm doing all the heavy lifting. Why don't I just, like, dump the whole attack playbook, everything, how we do it, on the internet, so we can explain how everything's done. And I'll spill the beans.

So that to me is obviously a godsend because it's very handy for us from an intelligence perspective, learning from the adversary in this case. But it is a sign on the wall that people are not happy with the current way they're doing business. And this slowly progressed on to that you're seeing more autonomous groups that are well trained, they really, really know how to, like, infiltrate, and do, basically a CNE into - like, a computer network exploitation tactic. And they're really good at breaking in and compromising the whole network, getting the domain admin credentials, basically doing 99% of the work, and they have access to these systems. And then the last 90% of the work or the last 1% of the work, as they see it, is installing the ransomware. So what we will see or what we think is that, because the heavy lifting is done from these affiliate groups, that by the lack of visibility on the forums, these affiliate groups are still present there. Because the guys who are doing the, or the guys and girls, so the people doing the infiltrations, are still there, are going to play a more important role than the actual ransomware actors. That they're going to control who they are going to sell their access towards.

And that could even be by a public auction, saying like, well, actually, we have access to top-tier organization X with a revenue of whatever, who's interested? What do you have to offer? Who makes us the best deal to work with us as a ransomware team with your code, in order to make a, well, which percentage-wise and all that stuff? Which is basically different from what we saw in the last years, where you had to apply for a job to get into the team to be, work hard, and then you get a part of the pay. The pay was good for a lot of folks and for some, less. But still, it was a different dynamic, you really had to apply for it. Whereas now it's the other way around, or we expect it to be the other way around, more often.

Mathew Schwartz: Fascinating. So we've seen so many shifts in the ransomware ecosystem, like you said, it seems to have been this maybe mafia-esque sort of thing where you would have the developer, who was the don, calling the shots.

John Fokker: Yeah.

Mathew Schwartz: Yeah, recruiting the business partners, you know, the muscle, basically. And then we've spoken about this before, you saw the rise of much more skilled affiliates, who were very good at getting in, and then deploying ransomware.

And I've heard that different affiliates would sometimes work with multiple ransomware operations at once, depending on the cut, maybe they were getting, you know, 70% for the affiliate, 30% for the operator not being unusual, which might be what angered the Conti employee. So, but now that ransomware has lost its platform, as you say, you see affiliates becoming likely much more powerful. How exactly do you think they might be working with these ransomware operations, though? Because, I mean, they'll still be developing the crypto-locking malware. I mean, that was always their not secret sauce, but, you know, the thing they brought to the equation?

John Fokker: Yep.

Mathew Schwartz: Are affiliates just going to be demanding more and more money to work with these operators, do you think?

John Fokker: Well, I think they'll probably be in a situation where they could pick and choose which one they want to work with. So who do they trust the most? And that trust can be built up of, OK, what kind of reputation do you have? That could be like, how they're perceived by other criminals? Do they have a track record? Basically, you're applying for a job and the ransomware actor has to overhand his resume or give his resume.

But it could also be like, OK, if I go and work with this person, how can I trust him that he's not double-crossing me? How can I trust that his systems are safe? How can I trust that his ransomware is actually foolproof, as we currently saw with BlackMatter, where Emsisoft was able to break the encryption and secretly handed out decryptors and alerted a network, including us as well, of this is great news, and you can kind of circumvent the effect. Because the last thing you want as a powerful affiliate or hacking team is that, yeah, you have worked really hard to get this access and then you go do business with a ransom actor that doesn't really know how to do their business. So and yeah, lastly, with the payout, that's a large portion. So what's in it for them? What can I expect, because it's the way I see it more, I think the ransomware actors are going to shift towards more that platform. So it's the binary, the negotiation, the payment structure, all that stuff, all post-encryption, that is going to be part of the ransomware core, as we might say. But we saw it with Groove gang, that was an offshoot of Babuk ransomware, that we can attribute to, like, the Metropolitan Police hacks, I think the Houston Rockets and some other ones.

And they basically set up RAMP, a forum. It's now questionable what the status is of RAMP. But that's more of like what's happening at the last moment. But still, what they envisioned was a place for their own, where ransomware actors and powerful affiliates could mingle and then work together to make something nice. But we saw, funny enough, that Groove, they worked in the past with Babuk, and now we saw with BlackMatter, and then we saw something posted on their own website. So it is a very interesting dynamic going on. And I would not be surprised in the future that we can see that affiliate groups will work with, like you said, with multiple ransomware teams. And then historically, yeah, the pyramid structure is easy to investigate. It's, uh, it makes it a lot easier, also, for law enforcement, for instance, it's like, OK, we got this is the ransomware name, and we have to figure out everyone who is below that, or all the affiliates are affiliated with this. OK, that's the whole group. Whereas now it's not, it's just an element. And it's more like an opportunistic network type of collaboration, where, yeah, for this attack, this affiliate group might actually work with this ransomware and for the other attack something else.

So it's not making it easier, per se.

Mathew Schwartz: It is a lot more difficult if they're working with self-motivated contractors, basically, who will take their accesses and, like you say, perhaps sell to the highest bidder. One thing that we saw with RAMP, it sounded from the communications like they were envisioning a non-ransomware-exclusive sort of environment, maybe looking at other ways of monetizing attacks, like you said, maybe stealing data. It seemed like, I don't know if they were envisioning the future, but if ransomware attacks should become less lucrative, what are some of the other paths that we can pursue, which I think is a really pertinent question these days, when governments might be involved in disrupting some of these operations more directly.

John Fokker: Correct. In all honesty, ransomware is shifting in a way that it's, I think it's, maybe it's basically we no longer call it ransomware, but extortion, because that's basically what it is. The fact that we saw the double extortion with the data exfiltration and trying to leak sensitive data. There's no ransomware involved in that. That's basically extortion.

So I think we can expect - and I don't know what is going to be across the horizon - but we'll try to do our best to figure out. But yeah, they will come up with new ways to extort folk. And that could be, we see it already: direct calling of high individuals within the companies, like the C-level suite, because you have all that data already. It's already in your possession. So you know exactly who to approach; by combining not only the business information or personal information of a CEO, but also doing some open source research on the CEO, you might actually get a very interesting social profile. And, yeah, that almost comes into a realm that was usually used by also organized crime, the mobsters, but also by nation states, just to put pressure on people, because you try to blackmail folks with sensitive information. So we can see, I think, a whole scale of things: we saw the DDoS attacks happening. That's one of the things. Yeah, I wouldn't be surprised if some business email compromise comes around the corner, because that's also a very lucrative thing, even though that's not extortion, but you still have the same level of access to all that data.

And let's face it, a lot of the victims that are hit with ransomware are finding out because either their name is on the internet, or their computers don't work, and they get a splash screen. So it's not often that they won't, if they notice it and notice it early on, they will probably not become a victim because they can mitigate the risk or they mitigate the threat. But a lot of these organizations find out the hard way.

Mathew Schwartz: Ransomware is really noisy, I know that it definitely lowers the average for the time it takes a victim to discover an intrusion. Because if you can't use your system, obviously something has gone wrong. So -

John Fokker: Yeah, the 90 days from the old days, it's now back to a couple of hours sometimes.

Mathew Schwartz: Pros and cons, I suppose. Fascinating what you say about business email compromise, because I think if you look at FBI statistics, that's actually more damaging than ransomware in the aggregate. But I think if you're an individual business that gets hit with ransomware, obviously, that can be a business-disrupting or business-stopping sort of event.

John Fokker: Yeah, that's an interesting point, I was looking at the same statistics.

One of the things is that I think there's less of a threshold for organizations to report business email compromise. That's one of the things, because there's not necessarily a data breach, you got scammed out of money. So what business email compromise could be, it could be a data breach or not, or you could just be tricked out with CEO fraud, they kind of put those things together. So it doesn't necessarily mean that you have sensitive data being leaked, or all these things. You transferred money to a foreign account, and a large sum. And that is also the loss. That's the exact loss, limited to that. Whereas if you look at ransomware, the only thing that the FBI could actually accumulate, or the Treasury Department, was the amount of payments they could 100% attribute to ransomware. There's a lot of payments they could not have, or they haven't attributed yet, or they weren't able to attribute. And in addition, the ransom amount is only one part of the damage. The damage is much faster, it's much greater. Because even if a company pays for the ransom - which we discourage, but if they have no other choice, they'll do it - they still need to fix the root cause, they still need to overhaul their complete IT systems.

And that's only the technical solution. They need to invest a lot of time and money in decent security to make sure it doesn't happen again. And then there's the media attention, how that impacts, there's customers that might go away, loss of business, all these things factor in, there's a lot of indirect costs that are not attributed, obviously, in the Treasury Department's calculations, because that's fairly hard to attribute, that have almost like an afterburner effect or like an extra kick that you get with ransomware, which you don't have with this business email compromise. But yeah, I agree. If you look at the absolute numbers that they present, like on two pieces of paper, then the BEC fraud is bigger in numbers.

Mathew Schwartz: But obviously, you've got ransomware as this - not only noisy but messy - in terms of the incident and the response sort of thing, which obviously likely we won't be seeing change anytime soon, despite these other trends that you've been articulating, which we will likely see.

John Fokker: Yes, yeah.

Mathew Schwartz: Wonderful. Well, always fascinating to speak ransomware. Thank you so much, John, for sharing your insights about where things are headed.

John Fokker: My pleasure, Mathew. It's, uh, I'd like to be the bearer of good news, but it's not always the case. But we'll stay vigilant and we'll keep a close eye on what's going on.

Mathew Schwartz: That's it: Stay, yes, stay tuned, stay alert. I think the message is clear here. So thank you very much. I've been speaking with John Fokker of McAfee Enterprise. I'm Mathew Schwartz with ISMG. Thanks for joining us.