ISMG Editors: Why Are Ransomware Profits Dipping?

Anna Delaney: Hello and welcome to the ISMG Editors' Panel, our weekly show where ISMG journalists share and analyze key cybersecurity stories of the moment. I am Anna Delaney and on this episode, I'm joined by my talented colleagues Mathew Schwartz, executive editor of DataBreachToday and Europe; Tony Morbin, executive news editor, the EU; and Michael Novinson, managing editor, ISMG business. A pleasure to see you, gentlemen.

Tony Morbin: Delighted to be here.

Mathew Schwartz: Great to be here, Anna.

Michael Novinson: Thanks for having us.

Delaney: Oh, it's a pleasure. So, Tony, you've brought some friends with you today. Have you not?

Morbin: Yes, artificial intelligence - flavor of the month and maybe the decade.

Delaney: More on that later. Mathew, we love this scene. Thank you for bringing that.

Schwartz: Yes, I know, bringing all the old hits, although I took this this week here in Scotland. Not a balmy day, as you can see. Perhaps even a little too cold for picnicking, but that didn't mean I didn't try.

Delaney: It's moody, it's atmospheric, poetic even.

Schwartz: Thank you. On the Burns Night week, I was trying for a little poetry.

Delaney: Cheers to that. And Michael, you're in the city of neon lights. Love it.

Novinson: Oh, thank you. I am in front of the Avon Cinema in the east side of Providence, Rhode Island. It's a movie theater dating back to 1938 which I realized for folks in the U.K. is not that open, in the U.S. it is. Art Deco movie theater is just a single screen with about 500 seats, they show all the ads from the 1950s. So it's a real walk back in time. And crazy thing is it's actually been owned by the same family for 85 years now. So they live long and prosper.

Delaney: Amazing! How gorgeous is Art Deco building and showing Wes Anderson there as well. Love it. Well, I do love a bit of cafe culture and watching the world go by so here I am, Lyon, France, soaking up the sweet life. Talking of sweetness and music to our ears, Matt, are you starting our discussion off with some good news this week?

Schwartz: I am, indeed, and I know it's shocking that there could be good news when it comes to cybercrime and ransomware. But we are getting some reports that efforts to blunt the scourge of ransomware is having an impact. This might be unexpected given that it seems to be dominating the news cycle. We keep seeing new victims, everything from schools to hospitals, continuing to fall victim. But ransomware incident response firm Coveware, which works with, it says, thousands of victims per quarter, has just issued some research, which is fascinating. And part of the research is a look at how many victims are paying a ransomware or paying a ransom, I should say. So if you look back to 2019, when it started keeping track of this, it said about four or five victims were paying on an annualized basis. So about 80% of victims were paying a few years back. In 2022, however, again, on an annualized basis, it said only 41% of victims paid. First, there's a couple of ways to look at that. That means by 60% of victims didn't pay. That's great, but 40% did. That is still quite a bit. But we have seen really good improvement there. And unexpectedly for me, Coveware said that one of the reasons it's seeing fewer victims pay is because of law enforcement. Now we think of law enforcement trying to disrupt ransomware wielding attackers. And this is complicated because a lot of them are based in Russia. And Russia doesn't extradite anyone who's attacking foreign nationals. So that strategy has been a little tough to enforce. We've seen some disruptions as well of infrastructure, but that doesn't put people behind bars. But what law enforcement has been retooling to do, especially in the last year or two - and I'll just pick the FBI as one of the big examples. They are not just trying to disrupt groups and track intelligence, but also to assist victims. We see that here in the U.K. as well with the National Cybersecurity Center. They have a national incident response team that helps victims. So Coveware is based in the States. It often works with the FBI. And it says that the FBI is rapidly deploying cyber specialists to organizations that are impacted. The FBI says that in the States, it can typically have somebody at an impacted organization within an hour. And it says abroad in 70 or 80 countries via its legal attache and local relationships, if there's a U.S. organization, it can typically have someone there within a day. Now this is fascinating, because the rapid response appears to be helping victims respond more quickly themselves to get an idea of what has happened and how they can best restore their systems whenever possible. So Coveware says a lot of times when victims are looking at the math behind all this, they find that paying a ransom isn't actually going to help them restore any more quickly, for example, if they have working backups, and at that point, why pay. So they're having a hard look at the numbers here. And whenever possible, always recommending that victims never pay. Obviously, it's a business decision. But when you have these experts being brought to bear as well, apparently, this is helping. So this was one of the nice findings for me, that we've been seeing is, again, the FBI stepping up. And we've got some interesting testimony from the head of the FBI cyber division talking about how they have been trying to do this, not just to get better intelligence on how victims are getting hit, but because having this victim-first mentality is really helping U.S. organizations. And it is leading to a decrease in ransoms being paid, wonderful stuff. And so just one more statistic on that. Blockchain intelligence firm Chainalysis recently released its look at known cryptocurrency flows to bad people, bad guys, threat actors, wallet addresses. So the wallets it knows to be run by bad people and ransomware funding. It's looked at how that's flowing. And it has seen a huge drop from 2021 to 2022. So last year dropped by 40%, 40%, less in the volume of ransoms in dollar - dollar value being paid to these attackers. So something's definitely having an impact here. That's all the good news. The very brief bad news is ransomware groups have a history of innovating. There's a lot of criminal profits, there's hundreds of millions of dollars at stake here. So I'm sure they'll respond. Will it be effective? We don't know. But hopefully not. And there's good signs here showing how all of this can be disrupted. And hopefully we can keep applying these lessons that have been learned.

Delaney: Yeah, that's fascinating, the stance or the shift from criminals to victims supporting them. And if you think about it, there was so much disruption on many fronts last year, because we had insurance policies changing, making it hard for the ransoms to be paid out. And then we had various sanctions being introduced against cryptocurrency firms. Going back to organizations and their response plans, are they getting better at building up their backups and preparing and responding to ransomware, do you think? Or there's other factors that I've mentioned?

Schwartz: Definitely. I mean, the FBI's head of cyber testifying before Congress last year, he just said very clearly, "You will not be, well, you will be amazed to see the difference that having an incident response plan that's been practiced makes." So he said, "It's night and day in terms of how an organization can respond." So in the past year or more, I've been hearing business resiliency experts saying that more organizations are asking, demanding, seeking, refining their incident response plans, more organizations are running tabletop exercises, so that when disaster strikes, they've rehearsed how and who they're going to respond, who's going to be involved. And that's never something you want to do in the midst of a crisis. So I think we've been hearing from the likes of the FBI and from ransomware response firms and from cyber insurers about everything you need to have in place before you get hit. Because despite your best efforts, you could still get hit. And as you say, cyber insurers are restricting policies now to organizations that only have relatively good procedures and defenses in place. All of this has been having a great effect. This is what we need. We need to improve the base ability of organizations to respond not just to ransomware, but any type of online attack because if ransomware falls out of favor, something else is going to be wielded by criminals. So all of this is good. Obviously, it's been a painful lesson, but lessons do appear to get to be getting learned, which is great.

Morbin: I was quite interested, Matt, to see your other piece where you quoted Ciaran Martin, former head of the U.K. NCSC, calling for a ban on paying ransoms. Do you think fact that fewer people are paying ransoms make that more likely to happen or we're not going to see it?

Schwartz: So, Ciaran has been clear that while he thinks this would be a great idea, he acknowledges that it's probably not what everybody thinks is a great idea. So I think in theory, it's an excellent idea because as we saw with Britain and kidnapping and ransoms back in the 80s. Banning that led to many fewer Brits being kidnapped for ransom. Unfortunately, we're not seeing a similar thing happened now. I think because banning ransom payments can drive more organizations out of business. So it is seen unfortunately, as sometimes unnecessary step to take. And having this kind of blunt one-size-all ban isn't going to help. And thus, I don't think we're ever going to see it.

Delaney: Great insight. And, Matt, thank you very much. Obviously, you say the criminals innovate and we know that's what's happening next, but at least for now, good progress.

Schwartz: Every event is to be celebrated. Definitely.

Delaney: Tony, ChatGPT is your topic and it's obviously been the subject of many conversations since the end of last year. We've reported at ISMG about the possible ways criminals could use this technology for nefarious reasons. But I think you're taking a different angle today.

Morbin: Well, I'm looking both at the criminals and the defenders and society, if you like. I mean, just as the introduction of personal computers, mobile phones and the internet itself, just like those, consumer use of AI, thanks to ChatGPT, is a game changer. It's not because it's a superior AI to the others. It's just because of its accessibility. I mean, OpenAI released ChatGPT 3, the new interface for its large language model the end of November 2022. Less than two months later, Microsoft has now announced a 10 billion investment in OpenAI. And that's been accompanied by rumored plans that they might introduce ChatGPT in the MS Office suite in the future, which would really make it ubiquitous. I mean, yes, as we mentioned, the early adopters' friends, the cyber criminals, are already using ChatGPT, whether that's to write phishing lures, code malware, we've got researchers at Checkpoint research reporting Russian cyber criminals bypassing restrictions like geofencing and getting past bans on its use for illegal purposes, in some cases, simply by saying that the work is for cyber defense or pentesting. By the end of December, an underground hacking forum published a thread called ChatGPT: Benefits of malware, which included using ChatGPT to create an encryption tool and information stealer, create dark web marketplace scripts, is a team of researchers at the Center for Security and Emerging Technology at Georgetown University and Stanford Internet Observatory, currently investigating the threat of chatbots being used, this particular chatbot being used to spread misinformation and fake news at scale. So all these threats are real. But, as you said, I want to also cover the fact that it's equally useful for defenders. Now, I can't personally verify the claims that I've seen being made by bug bounty hunters boasting all over Twitter about the thousands of dollars that they've made using ChatGPT to locate vulnerabilities and conduct low-level vulnerability scanning, but it does appear to be happening, it does seem to be real. Now some of us even suggested this is the end of pentesters. Okay, is likely that much of the lower-level work will indeed now be conducted in house, often by less skilled operators, but it will also be used to reduce workloads for stretch teams. It will be used alongside humans, making them more efficient so that the average capability and speed of work is increased. Whilst the most talented will be able to achieve even more. Certainly a recent video 'Hacking With OpenAI GPT, Hacking Without Humans, by Ron Chen, on the ethical hacking platform Intigriti describes the activities that ChatGPT can be used for by defenders. That includes writing bug bounty reports, identifying spam reports, spotting false positives, and spotting security logic flaws from documentation. I mean, training was needed to refine the results. And again, it's not working without a human, it's working with a human and enhancing their capabilities. Another use case described in a fascinating blog this week by Thomas Rid, professor of Strategic Studies and founding director of The Alperovitch Institute of Cybersecurity Studies at John Hopkins University. In it, he describes how he attended a course on malware analysis and reverse engineering with Juan Andres Guerrero-Saade Hopkins, and that was conducted using ChatGPT in the classroom on all of the participants' computers. And while he acknowledged the limitations of the current iteration of ChatGPT and the concerns that it could be used by some students to cover subpar performance, he also describes how it enabled all the participants who were at different tech levels to keep up in a really technically advanced class and use it to address the questions that might otherwise have slowed the class and the ads that the most inspiring conversation around the use of ChatGPT is how can the most creative, the most ambitious, the most brilliant students achieve even better results faster. So while AI can work faster, it can condense huge volumes of information. It is primarily utilizing what's currently known, reflecting common knowledge, like a giant version of "ask the audience", and we've all the pitfalls that that entails. However, it can provide new combinations of existing knowledge and learning models based on that knowledge can create or suggest new approaches, even if the AI itself is not really having an original thought. Outside the original sphere, the education sphere, organizations, they're quite happy for they're less able to achieve exceptional results, they're not going to worry about, you know, poor students. And they're just as happy to see an improved output. And also, obviously, the fact that they're most capable are going to work even faster and tackle more difficult workloads and bring their productivity to the next level. Now, we all know the technology itself is morally neutral. And so as mentioned, it's going to be used by attackers and defenders alike. But just as you wouldn't ban cars to prevent their misuse, we're likely to face huge difficulties when it comes to preventing AI being used by adversaries, as mentioned, geolocation or bans on illegality are easily bypassed. But if AI truly becomes as powerful as its potential suggests, it may be that governments will want to restrict its usage in the same way that in the 1990s, the U.S. put export restrictions on some crypto encryption algorithms. Back in 2013, the U.K. government plan to charge a yearly internet access license, and with all the issues around subsequent ability to then revoke a license, he ended up backing down. But it's certainly conceivable that this kind of approach could be revisited and applied to AI. In 2020, China banned or restricted export of some data-driven algorithms, specifically saying that they would apply to TikTok, indicating governments are concerned about who uses what they perceive to be their AI. And just this month, ChatGPT did introduce a $42 per month professional plan. Theoretically, users can still use the tool for free as they have been so far. And the new professional plan says that it's going to let users expand the capabilities of the AI chat bot with faster response speeds and priority access to new features. Now, in reality, the free version is now often unavailable due to excess user demand. So we're quickly going to be seeing how the paid model pans out. But a paid model immediately puts restrictions on who can use it, making it that much easier to introduce further restrictions for more advanced versions, including licenses and export restrictions, which could hit its current prime advantage of availability. And just because previous attempts to restrict knowledge haven't worked, that's unlikely to stop politicians trying. So in the meantime, I would just suggest that any cybersecurity professionals who haven't already got on board with ChatGPT should do so now. Take advantage of the opportunities to automate routine tasks, and also get a better understanding of the potential uses by attackers, so that you can take appropriate precautions to protect against misuse and abuse.

Delaney: That was excellent, Tony. And you've certainly got us thinking. There's so many angles and directions we could take this. But I think we're going to revisit ChatGPT right at the end. And I think a lot of what you said sounds hopeful, we talk about the skill shortage year on year getting worse. If this can be a tool to help teams support them, not replace them. But you know, there's obviously a need, but that was excellent. So we'll come back to ChatGPT in just a moment. Michael, moving on to you, good news, as again. I mean, it's good news week, is it for Microsoft, at least, or those who invest in Microsoft?

Novinson: Absolutely. And certainly in the world of Microsoft, they really are the elephant in the room when it comes to security. They, two years ago, shocked the world when they came out and disclosed in January of 2021 that they had $10 billion in security revenue. People knew they obviously had a robust business around Active Directory, people were aware that they provide an email protection or an Office365. But everybody was shocked when they said 10 billion - that's significantly larger than any other security company in the world, including those who only do cybersecurity. So two years ago was 10 billion. Last year in January, they came out and said it was 15 billion. And then just yesterday, Tuesday, during the company's earnings call, they said they'd hit the $20 billion revenue threshold over the past 12 months, meaning that over the past year, they've added $5 billion in security revenue. That's more security revenue than any other company does in a year with the exception of Palo Alto Networks. So it really speaks to the breadth of their portfolio, they have plays in identity, of course, as well as compliance, privacy, security, device management. And it speaks to some of the challenges that fairplay security companies face from going up against Microsoft. I mean, first and foremost is tossed out that Microsoft essentially is able to bundle their security capabilities with either an E3 or an E5 license. So really, what Microsoft's focused on is trying to get customers to pay for their office productivity or their email tools. And then they can essentially throw in some security capabilities and limited cost. Obviously, as a company that only makes money off of security cannot match that because they need to make money off the actual security technology. So historically, the sense was essentially for cost conscious customers, for small businesses, for midsize businesses that sure, they would use Microsoft for security was good enough, maybe not top of the line, but good enough, and the price was unbeatable. So they'll go that direction. Something that Microsoft really emphasized during yesterday's earnings call, not explicitly, but if you look at the examples of the wins they point out, is that large enterprises have also adopted Microsoft security technology. They talked about customer wins with companies like IKEA, like Roku, like NTT communications, like the University of Toronto, which has tens of thousands of students. So these are not mom and pop businesses just looking for a good deal. And the efficacy of their technology is something that's also been recognized by analysts, their identity, they are top of the line, and they have their market shares, but also in spaces like EDR and XDR, where Forrester sees them as a category leader alongside CrowdStrike and Trend Micro. And then most notably in this, in the SIEM, the security information and event management space, which Microsoft really entered in 2019 with a product called Sentinel. And this most recent year back in October, Gartner named them as the top product at SIEM. They had the highest score in their SIEM Magic Quadrant, which is really remarkable. Typically, if you look at the Magic Quadrant to the Forrester waves, it takes a decade or more for a company to really move into that leadership role. Because what happens is when a company starts a product that they're focused on, a particular use case or narrow issue, and they do a very good job with that. But there's essentially this whole broad other range of issues that the product doesn't address yet, which makes it hard for it to fit the full range of customer needs. So to make it for Microsoft to essentially go from entering the market in 2019 to being the category leader, especially in a category like SIEM that's been around for two decades, it's really something, at least in my observations, that's unprecedented. But obviously the benefit Microsoft has is resources that any other company can dream of, that if they decide they want to roll in one direction, the amount of labor, the amount of capital that they can put behind that is simply a match. So this is really Microsoft's presence. And Microsoft's approach is really going to be something everyone in the industry is going to have to grapple with, especially those focused on serving small and midsized, cost conscious customers.

Delaney: Yeah, it's an incredible story, actually, to think at the start of the pandemic when CISOs in our roundtable used to say, "Well, we're relying solely on Microsoft cybersecurity services." And there was sort of like a surprise reaction from peers in the room, but maybe not so now.

Novinson: So definitely a surprising thing to hear and definitely something that investors are raising when they're talking to the central ones in the CrowdStrikes of the world. They want to hear what impact is Microsoft having on their business?

Delaney: Well, excellent. I think this won't be the last year we're talking about Microsoft cybersecurity services, for sure. But there's a great input for today, Michael. So finally, speaking of ChatGPT, we know it's revolutionizing the way we search for information. And of course, we have many use cases. But what for you is the most interesting angle of this technology that you'll be following as it evolves? Matt?

Schwartz: Oh, yeah, I'll just pick up on what Tony was talking about, which was a fascinating analysis that came out from Thomas Rid and instructor as well, in the last week about the malware analysis course they were teaching, and I loved the insight the ChatGPT was wonderful for letting people in the class ask what they might have thought were stupid questions, or just trying to get details for things that they didn't want to stop the flow of the instructor necessarily, but they wanted to check their knowledge. And I think in engineering environments like that, so computer science, or if you're doing anything in a security and operations center, anything where you need some technical detail if it's a refresh, or if it's to find the best answer, or how you format a certain type of coding, or the coding language and the nuances of that, I think there's some really interesting ways that that helps people become more productive, again, in this classroom environment as well without disrupting the rest of the class, but empowering themselves with any information they need.

Morbin: I just saw a great tweet today. And it said, "English is the new programming language." And I just thought, "Yeah, I can go along with that." So I think as a result, we're going to have to assume that ChatGPT is being used in any communication we receive.

Novinson: World of Cybersecurity, the intercept put out a very interesting information rather, put out a very interesting story that this week, talking about the use of the ChatGPT technology and in the world of GitHub, and particularly, they called out working with Copilot, which is a collaboration between GitHub and OpenAI to better detect security vulnerabilities, whether it's in the code of developers written or in the code that Copilot has suggested. So definitely something I want to keep an eye on.

Schwartz: And that's a great point I mentioned that as well. Just if you're coding and you have ChatGPT to help you write more secure code. How cool is that?

Delaney: To think we weren't really talking about ChatGPT three months ago, and here it is revolutionizing everybody's lives. So well, that's what's exciting about the future, I guess. Well, thank you so much, everybody. This has been great. As always, Tony, Matt and Michael, thank you.

Schwartz: Thanks for having us, Anna.

Novinson: Thanks.

Morbin: Thank you, Anna.

Delaney: Thank you so much for watching. Until next time.