Cyber hygiene, CMMC, and ransomware – oh my! – we unpack the state of the current cyber threat landscape with Kurtis Minder, CEO and founder of GroupSense, a digital risk protection agency with expertise across a variety of digital risk arenas. A variety of factors contributed to the steep rise in ransomware attacks across the past several years, including the growth in cryptocurrency and a global pandemic creating more lax security procedures for many moving to home networks. Minder discussed how threat actors are expanding their reach into the government’s supply chain, what companies and agencies can do to make themselves less vulnerable, and how to address the current shortage in cybersecurity talent.

Lindy Kyzer:

Hi, this is Lindy Kyzer with ClearanceJobs.com and welcome. If you have read anything on the internet, or opened up an article, or have just clicked on anything recently, you’ve probably heard of the term ransomware. It seems to be the digital hot topic of 2023, among many digital hot topics.

Today I’m really pleased to be chatting with Kurtis Minder. Kurtis is the CEO and co-founder of GroupSense. GroupSense delivers fully-managed cyber intelligence and reconnaissance services. They have a lot of really innovative work that they’re doing in this space, from ransomware negotiation to digital risk protection monitoring.

And a lot of these cyber hot topics that we talk about across the defense and government space, obviously, we’re talking a ton about CMMC, compliance issues around cyber vulnerabilities across, not just the defense industrial space or federal government, but pretty much anybody that ever wants to do business with the federal government.

I got to see you, Kurtis, on a panel talking about this, and so that was what brought you to mind to come and share your expertise on this topic with our audience. So on that note, I’m just really pleased that you took the time to chat with me and were willing to be on the show today. Thank you so much.

Kurtis Minder:

Oh, well, thank you so much for having me.

Lindy Kyzer:

So ransomware, is it the hot buzzword topic of 2023? When we’re thinking about cyber vulnerabilities, how important is it to consider this topic of ransomware, and how does maybe it tie into what we’re talking about more broadly with CMMC and digital vulnerabilities, compliance issues?

Kurtis Minder:

Well, yeah, unfortunately it is still a thing. It’s been going on… Actually, there’s been versions of this kind of cyber attack going back to the ’80s, believe it or not. Where it’s really picked up speed in the last, let’s say 10 to 15 years, is the advent of the dark web, where the threat actors can operate in anonymity. But then also, the proliferation of cryptocurrency.

So now they can ask us to transfer, as victims, seemingly endless amounts of capital across international borders with virtually no oversight. And so that really is what lit the flame under it over the last few years. The pandemic picked it up even further where people were doing remote work. That remote access wasn’t properly secured.

I think where it’s impacting things like CMMC and the federal government is, one, the threat actors are penetrating actual government networks. Not necessarily the federal government. They have on occasion, but more often municipalities, et cetera. But they’re also penetrating a lot of the suppliers to the government, whether they’re secondary or tertiary suppliers, and I think that is causing some risk for the federal government.

Lindy Kyzer:

That’s definitely a big takeaway that we frequently hear and are talking about more and more with folks across the federal space: it is this notion of, if you want to do business with the federal government, you need to have your cyber house in order.

And I know your company has a whole host of different ways that you partner and work with companies. Because at a baseline, what do you see as some of the low-hanging fruit that makes individuals, organizations, et cetera, more vulnerable than others, maybe?

Kurtis Minder:

To oversimplify, just in the sake of time, I think that most of the threat actors are opportunistic in nature, and most of the success of those cyber attacks is a result of poor cyber hygiene on the part of the victim. And that manifests itself in a lot of different ways, but most of the cyber attacks that are successful against, let’s say mid-market businesses and a lot of the suppliers that we talked about, are because the threat actor, as we call them, has access to stuff they shouldn’t have access to.

And that might be corporate data credentials, encryption keys, information like proprietary documents, things like that. And so, one of the things that companies should be doing is monitoring for that to make sure they understand where that data is surfacing. Are there people on the dark web trading that data? Are there employees posting data to an open GitHub repo and not closing that, and it has their Amazon keys in it? Those kinds of things are happening pretty frequently. Completely avoidable, but you should monitor for that.

And then, when the threat actors do get access to those things, and specifically ransomware actors, they tend to break into the network using some of that information. And then they take as much information out of that network as they can before they actually execute the ransomware. And this is where a lot of the risk for suppliers comes in: they’re taking confidential documents. They’re taking plans for equipment that are being manufactured on behalf of the government. They’re taking building plans, maps, things like that are all being transferred overseas to some Russian threat actor’s home server. So that’s a real risk.

Lindy Kyzer:

And I think at this point we can get pretty jaded about a lot of these topics. So just speaking to security clearance and security, part of the OPM data breach, I got my letter, everybody got their letter. I think there was news out earlier this week that there was another kind of data breach involving SOCOM and some of their data being compromised.

It doesn’t necessarily tie into the conversation with ransomware, but I like to throw everything together in a basket and see what comes out. Do we tend to just assume that our data is compromised at all times? And is that a part of the problem, getting past just this inertia around, breaches are going to happen, what can we do about it? Pretend I just asked a coherent question, Kurtis.

Kurtis Minder:

That was beautiful. So, yes, I think that it’s safe to assume that our personal information is out there. I was not in the OPM breach, but I’ve been in many others. And just like everybody else, I’ve gotten my free credit monitoring as a result. That is quite a consolation prize. Thank you for that.

But I think from an organizational standpoint, understanding that every time any of that data is available to threat actors, they can be used in campaigns: phishing campaigns, social engineering campaigns. And sometimes the actual credentials are leaked, so they can just log into systems. So as an organization, ransomware is not a typical cyber attack where, 10 years ago a cyber attack was really annoying. Somebody broke in, they took something, it was embarrassing. Maybe you had to pay a fine if you were regulated. But it was annoying.

Ransomware is a complete operational interruption. It’s your business stops working. And so, you have to look at the fact that this data is out there, not with apathy and say, “Well, everybody has it.” You have to look at, “What can I do from an organizational perspective to, one, understand what my digital risk is, what information is out there that pertains to my organization? And two, what can I do to mitigate that or make it harder for the threat actors to leverage that data to get inside my systems?”

Lindy Kyzer:

And part of the reason I wanted to talk to you is, I think this conversation around ransomware, it’s very interesting all of the nuance behind it. Because I was having a conversation on a panel with someone from another country and they were talking about ransomware stats. And specifically highlighting how their company had paid out less in ransomware ransoms in the course of their cyber breaches and touted that as a good sign.

Now, I thought it was interesting about the panel that I heard you on and some other folks talking about, and a lot of times companies don’t necessarily have a choice when it comes to that. So maybe can you even talk about that process? What does proactivity around ransomware attacks look like? I know you do a ton of that with your company. And is it necessarily “good” or “bad” sometimes for these companies to be paying those ransoms?

Kurtis Minder:

Yeah. I mean, obviously, the most efficient and cost-effective way to handle ransomware is to not get it. And so, the prevention component is key. And so those investments would include things like the monitoring that I talked about, but also just general good cyber hygiene, good password and credential policy, two-factor authentication, et cetera, just to avoid being that low-hanging fruit, since most of those attacks are opportunistic in nature.

But having a plan for when and if it does occur, what to do. So that’s an incident response plan that has ransomware-specific components to it, because it is different than a typical cyber attack with the operational interruption components. But then also having a plan for restoring. Now, you’re right, many companies get into a position where, like I said at the beginning of the interview, the threat actors will actually gain access and they won’t execute the ransomware right away. They will sit inside the network. They will learn everything they can about what the systems are and how you communicate with the systems.

And as part of that, they will learn how you do your backups. And they will, to the best of their ability, disrupt that too. And so, many companies end up in a position where they are either going to have to pay the threat actor something or they’re going to go out of business. And so, there’s a whole process around ransomware response that includes things like business impact assessment, and determining whether you can, from an OFAC compliance or a Treasury department compliance perspective, pay a ransom.

And then, if you should, how much does it cost to restore and can you afford that, or should you start negotiating with these threat actors to determine a smaller number? It is nuanced and it’s complicated. And it’s really not a fair fight.

Lindy Kyzer:

And I think it’s definitely interesting to see how, as you mentioned, the proactivity piece of it is big. So for a company’s perspective, do you think most companies, especially those working with the federal government, realize what they have to protect? Or maybe what are some of those missed opportunities when it comes to being prepared for ransomware or any other kind of cyber attack that might come their way?

Kurtis Minder:

Yeah, I’m sympathetic to the victims, even the ones that haven’t checked all of the proactivity boxes, because technology is fairly complex. And when you’re talking about very large organizations, we use the term attack surface in our industry, their attack surface is quite large. They have lots of systems to secure. So the likelihood that they’re going to button down and secure every single one of those perfectly is pretty low. That’s going to be hard for them to do. So that is hard to defend against, and that’s where you have to have that complex response plan.

For the companies that are smaller, I don’t think that they’re ready. I don’t think that they’re doing all of the right things, just because I’m witnessing it in my day-to-day work, the same mistakes being made over, and over, and over again. And so, part of it is just education and making sure they understand, “Look, there are a handful of things that every company should be doing here. And if you do those things, it reduces your risk significantly.”

Lindy Kyzer:

And you touch on the education and the apathy piece. I think that’s so big. So when you’re talking to companies, who are the major muscle movements when it comes to understanding this risk? We talked to a ton of security professionals. Obviously, anytime you’re talking cyber, it hits so many different sectors. You need management involved, you need security involved.

What are some of those key stakeholders that if you’re having a conversation with a company around this, you’re like, “Hey, these are the minds that need to be sitting at the table and talking about solutions, and figuring this out.”? Is there one belly button making it all happen, or who’s involved?

Kurtis Minder:

Well, for large organizations, it should be a board-level discussion. And we do a lot of board briefings for companies to explain, “Look, this is what’s happening. This is what happened to your peer.” So we can tell a real-life anecdote. We don’t have to name names, but we can tell them, “Look, these people thought they had this buttoned down and this is what happened. So here’s some things you guys need to think about from a budget perspective.” And taking that ball and running with it is typically the chief information security officer, or sometimes it’s the chief risk officer, depending on the organization.

When you get down to smaller organizations, it’s usually the founding team or the president of the company. And the problems we run into when having these discussions with them, and we typically have it in a larger forum, like at a Chamber of Commerce meeting in a city, we’ll sit all of these companies down and say, “Here are the things that you need to be doing.”

And I always get asked the question, “They’re not coming after me, right? I don’t have to worry about this.” And the thing is, “No, you’re right. They’re not coming after you specifically. But they are opportunistic in nature and you are absolutely a candidate for this.” And a lot of companies don’t make changes because they think that they’re not going to get hit. And the fact is, thousands a day are being hit.

Lindy Kyzer:

Yes, you mentioned that low-hanging fruit aspect of it. And obviously, ransomware attacks are going after specific companies or specific people. But how do you think they’re establishing who they go after? It seems like everyone, but maybe what are some of those… Are they looking for people to compromise? Are they looking specifically for companies? Is it technologies at play?

Kurtis Minder:

Yeah. The best way to look at it, and this is a little bit funny, but the best way to look at it is, the ransomware groups or actors are organizations functioning like a business. Like a business, many of them have go-to-market strategies. And I will say the bulk of them are opportunistic, meaning they’re not really targeting any particular industry or any particular company. It’s a volume play for them. It’s mass market.

There are other ransomware groups who are targeting specific industries because they know it’ll pay. It’s harder for them to do. So they might, for example, target pharmaceuticals. Well, those pharmaceuticals have a lot more money to spend on their security programs. They’re a lot harder to penetrate and they’re a lot harder to execute ransomware on, but when you do, the payout is bigger. So they’re big game hunting, if you will.

There’s another category that I would put them in, which is the nation-state backed one. So we’ve seen Iran and North Korea actually using ransomware to target financial organizations, et cetera, to finance things like their nuclear programs. So the best way to look at it is, from their perspective is, it’s business and they’re trying to generate revenue, and they have sort of a go-to-market plan.

Lindy Kyzer:

You bring up the finance piece. I think that’s a thing I always like to highlight is, I think security clearance process, obviously tied to national security. We’re talking a ton about the defense industry and all of that. But when it comes to nation-state actors or even individuals who are trying to profit from ransomware, they are going after everyone. And there is a reason the major financial institutions actually have security personnel often that are working for them, like cleared personnel, is because there’s an intersection with all of this stuff going on when it comes to the national security threats and the ones that are attacking commercial sector.

Can you speak to that at all? Do you feel like there is adequate information sharing when it comes to things like this? I know the defense industry, there’s a lot of push to get industry to share information back to the government when it comes to what their risks are. Obviously, federal government doesn’t necessarily always share that back down in terms of what they’re seeing as risks. Do you see that information sharing when it comes to the kind of risks that companies are facing and that the federal government is facing?

Kurtis Minder:

It’s getting better, but there’s a lot of room for improvement. I do think CISA is doing the best they can. They’re spread very thin too. Their mandate is huge. In the commercial sector, there’s this concept of ISACs. That’s an information-sharing organization that’s usually vertical focused. There’s a financial ISAC, there’s a healthcare ISAC, there’s a retail ISAC. And they are sharing information.

Now, the challenge really is, and it does get down to personnel, is the large financials can afford to hire those people. But once you start getting below the Fortune, let’s say 2000, the available talent pool of computer security or information security professionals starts to dwindle quickly. And there’s a supply and demand. So the salaries on the top end are very high, and anybody who’s any good is going to go command those salaries at the larger companies. And that leaves less and less talent for everyone else, and I think that is a big challenge.

Lindy Kyzer:

You’re hitting on one of our bread and butter topics there, Kurtis, when you talk about the supply-demand with the workforce. So you do have that. So, yeah, maybe speak to that. This cybersecurity workforce shortage, how does that play into this? Is there a solution to that? What do those companies do who just, quite frankly, cannot find enough or adequate personnel to fill those key cybersecurity roles that they have?

Kurtis Minder:

Well, it’s going to vary from industry to industry. And also, when you start talking about regulated industries, it gets a little bit nuanced. But the future of cybersecurity programs is as a service. It’s a utility. There’s no reason the local candy manufacturer should try to run their own security programs. That’s not their core competency. They make toffee. Let’s outsource that to a company that can hire the talent, has economies of scale, like a managed security provider.

And I think that is the case for the broader industry, it’s as a service because of this talent shortage. I will also say that there’s a lot of effort being made at the university level to accelerate programs and get people out. These are people just entering the industry. They don’t have the hands-on experience of the folks at the top of the stack like we were talking about earlier. So it’s going to take time for that to fix itself, and it absolutely is part of the problem.

So for example, I do a lot of pro bono talks, like I mentioned, at Chambers of Commerce, stuff like that, and I can tell these companies exactly what they need to do. And some of those things aren’t terribly complex and they don’t involve buying products. They’re just some process-oriented things or policy-oriented things. And many of those companies don’t do those things because they don’t understand it well enough. And so that’s part of the problem is the talent gap.

Lindy Kyzer:

A small dose of education can go a long way. And so, the purpose of this conversation is, I keep hearing about some of these topics and ransomware comes up. And you can’t seem to go anywhere without getting, I think Bleeping Computer does a weekly update on ransomware attacks and highlighting them. And is it because this is such a growing phenomenon? Or why is this interest in ransomware specifically hitting a lot of companies now and becoming this news update?

Kurtis Minder:

If you’d asked me that question a year or two ago, I think you probably wouldn’t have even asked it because companies didn’t think that this was something that was going to happen to them. But now, especially in the larger, upper mid-market and large enterprise space, the number of companies that don’t know another company that is a peer of theirs or in their space that hasn’t been hit is basically not a thing. They all know someone who has. So it’s becoming very real for them that this could actually occur, so they’re starting to take it seriously.

And you mentioned Bleeping Computer. I mean, they do report a lot of stuff, and they’ve actually been the channel for a lot of the threat actors to announce who they’ve been hitting. So the actual ransomware actors will call up Bleeping Computer and tell them what they’re doing so that they scare everybody into paying the ransom so they don’t dump their data, et cetera. So the media plays a dual role here. When they do amplify these attacks, sometimes they put some additional leverage into the threat actors’ hands.

Lindy Kyzer:

Oh man, Kurtis, it’s like WikiLeaks in the IC.

Kurtis Minder:

Yes.

Lindy Kyzer:

It’s like you have, for me, it’s a hate/hate relationship, but maybe for some folks it’s a love/hate relationship. Because yeah, that is that tough dynamic is you cannot hide this kind of stuff now. And I know I’m a big proponent for government transparency, but also a huge proponent for security. That’s a tough conundrum to be in when this information is getting out into the wild and there’s really not a whole lot you can do about it because there’s going to be some online outlet that reports it. Is there anything I did not ask about that you wanted to touch on or that we should highlight?

Kurtis Minder:

I think we want to just reinforce the importance of basic cyber hygiene, and I mentioned some of those things. And for the people who are in the cybersecurity industry, you’ll probably roll your eyes and that’s fair, because we have been talking about these things for a very long time. But I’m telling you, they are the source and the cause of a lot of the cyber attacks and the ransomware attacks. Still, people are not doing these basic things, and those are password and credential policy.

And what I mean by credential policy, I should specify. That is, don’t use your organizational email to sign up for anything unrelated to the organization. Because if you use it to sign up for some hobbyist website or something like that, that hobbyist website does not have the security controls that your organization does. They’re probably not caring as much about it as your organization.

That will get hacked and that credential will end up in a breach. Threat actors will use that against the organization. And password reuse is a major issue. Not having two-factor authentication is a major issue. Of course, we all need to stop clicking on things. I know these phishing campaigns are getting smarter and smarter, but we should also be getting smarter about what not to click on.

At this point, you’d think we’d learned our lesson. But we’re still clicking, and that’s an issue. And then of course, just basic cyber hygiene from a systems perspective. Having endpoint detection and response, managed detection and response in place. For when the attack occurs, having a containment and response plan is just critical.

Lindy Kyzer:

Yeah. Well, this topic is not one that’s going away. I know that we’re talking a lot more about CMMC and those compliance issues across the defense industrial base. So I’m sure this is something that we’ll keep hitting on over at ClearanceJobs.com. And I appreciate your time, Kurtis, to chat with us more today. Thank you.


Lindy Kyzer is the director of content at ClearanceJobs.com. Have a conference, tip, or story idea to share? Email lindy.kyzer@clearancejobs.com. Interested in writing for ClearanceJobs.com? Learn more here. @LindyKyzer