
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Secrets To Cyber Crime Discussions. Ransomware Negotiations Unleashed.
David Mauro interviews ransomware negotiator George Just, a former VP at Oracle and current CRO at Digital Asset Redemption (https://www.digitalassetredemption.com/), about how to deal with online extortion and how ransomware payments work, and uncovers the secrets to cyber crime discussions you need to know.
Chapters
- 00:00 The Reality of Cybercrime
- 02:00 Introduction to Ransomware Negotiation
- 03:04 The Journey into Cybersecurity
- 06:13 Understanding Ransomware Attacks
- 09:00 The Art of Negotiation with Threat Actors
- 11:53 Case Studies in Ransomware Negotiation
- 16:00 The Role of Cyber Insurance
- 18:49 Incident Response Planning
- 21:57 How To Deal With Online Extortion
- 25:09 The Business of Ransomware
- 30:04 Secrets To Cyber Crime Discussions
- 33:19 Understanding Cybersecurity Threats
- 36:03 Understanding Ransomware Payments
- 39:09 Supply Chain Attacks and Data Exfiltration
- 43:28 Proactive Cyber Defense Strategies
- 47:05 The Importance of Threat Intelligence
- 51:52 Preparing for Cyber Incidents
Growth without Interruption. Get peace of mind. Stay Competitive. Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE. We'd love to hear your thoughts and suggestions for future episodes!
Secrets To Cyber Crime Discussions. 🎯 How To Deal with Online Extortion
Keywords
How To Deal With Online Extortion, Secrets To Cyber Crime Discussions, Understanding Ransomware Payments, Mechanics Of Ransomware Payments, How To Handle Online Extortion, How To Negotiate With Cyber Criminals, What To Do If Ransomed, What To Do If You Are Being Extorted, Ransomware Investigation, Negotiating With Cybercrime, Cybercrime, Ransomware, Negotiation, Cybersecurity, Threat Actors, Incident Response, Digital Forensics, Cyber Insurance, data recovery, business decisions, supply chain attack, dark web, threat intelligence, operational security, business email compromise, cyber awareness
Speaker 2 (00:06.318)
It's late in the evening on a weekend, your phone rings, your IT director's voice is shaking. Everything's down, all of it gone. Your entire company frozen. Your intellectual property, financials, private emails, customer info, even confidential employee health records stolen, encrypted, extorted. The hackers want $1.2 million and you've got only 72 hours
to decide. Are you ready? See, this time they're not just threatening to delete all of your data. They're threatening to expose it to your customers, to your employees, to your board, your competitors, and even to regulators. Learn why some businesses recover quietly and stay out of the news while others shut down forever.
This isn't theory, this is real. It's raw and it's happening right now here in the United States. So hit play, find out what really happens when your digital world is held hostage. Only on Cybercrime Junkies. Look, let's be real, cybercrime is everywhere. Data breaches are hitting headlines constantly. Ever wonder why? Or how criminal hackers are targeting you?
and your organization? I started Cybercrime Junkies for two reasons. Because true crime stories are addictive. And because leadership can be learned and great leaders need to understand cyber today without all the technical jargon. Just clarity that you can actually use. So do us a favor, smash that subscribe button. Join a community that's done with doing things the way they've always been done.
So let's get ahead of the threats and become the kind of leaders who actually stop them. These days being informed isn't optional. This is Cybercrime Junkies and now the show.
Speaker 2 (02:18.466)
Well, welcome everybody to Cyber Crime Junkies. I am your host, David Mauro, and in the studio today is George Just, former VP at Oracle and now serving as CRO at Digital Asset Redemption. What they do at Digital Asset Redemption is they're one of the leading players in the ransomware negotiation and payment solutions arena. So they work alongside incident response teams to help
hundreds of companies respond to ransomware, cyber extortion, those types of things. We'll get into it throughout the episode as well as address some true crime stories and hear what is trending and what the latest threats and tactics are. George Just, welcome to the studio, sir.
Thank you, David. Happy to be here. Excited to talk to you for a few minutes here. So this is it.
I appreciate it.
Yeah, absolutely. So let's start from the beginning. You got an electrical engineering degree at U of I. How did you wind up into the ransomware negotiation business?
Speaker 1 (03:25.294)
Yeah. So it's a long career arc, as you can tell by my hair here. So, you know, I started as an engineer. I ended up, I mean, if we go way back, I was doing fiber optic multiplexers, right? I mean, this is how far back we go. Right. So, yeah. And, you know, slid into, you know, as kind of an original, you know, guy who programmed routers and stuff back when you actually had to hard code a whole bunch of stuff in to actually make the dang things work. So I was kind of Cisco certified before they,
before they certified people. And from there, I moved in, you know, as an SC for a long time doing, you know, networking, generalized networking, local area networking, wide area networking, moved through a few companies, ended up into sales, ended up managing teams, managed, I spent some time at Oracle. I was actually the manager of North American Channel Operation for Inter Networking, which was their kind of router division at the time. And moved through a couple of different things. I ended up more recently,
I was at a company called Talari Networks. Talari actually pioneered SD-WAN and actually has a patent on a lot of the things that SD-WAN was, the beginning of it. Oracle actually acquired Talari, so I ran the SD-WAN business inside of Oracle for a couple of years, and then moved into cyber security at a start-up, most recently a company called ThreatLocker. ThreatLocker, they became, on many was,
you know, network security kind of in a holistic sense in order to block threats at scale from coming into networks or escaping networks if they already got in. And that led me to Digital Asset Redemption. I've been here for a little while now. And the interesting thing, and I think this is probably the relevant piece of the story, is more how Digital Asset Redemption became a thing and came into this business.
And the origin story here is pretty compelling and it's really interesting. It started literally with a call from a digital forensics incident response firm that said, client needs to pay a threat actor. Can you help us put together the crypto payment that we have to make? And by the way, we have to make it tomorrow. This was a Saturday. We have to make it before Monday morning.
Speaker 2 (05:44.174)
Unbelievable. And it was sizable, I imagine. So let's back up. Let's back up a little bit. Just really high level. Yeah. So organizations get breached, right? Either they buy credentials, they buy session cookies, whatever, and they log in as a user and then they escalate privileges and then launch, or they get socially, and employees get socially engineered. They let them in and, or
the attackers exploit vulnerabilities, right? And so they're inside a network almost uniformly undetected for a while, escalate privileges. They launch either ransomware, or maybe they don't launch ransomware, but they just steal the data and then extort. They get a ransom demand and then they decide, hey, FBI is telling us we shouldn't pay. And there's reasons for that, but they understand, if that understands that luck,
there are business decisions that have to be made because oftentimes we need to keep functioning. And so they engaged you guys like that. You got a call on a Saturday that is like, help us pay these Russian ransomware gangs in crypto, you know, and just, just that concept is so foreign to a lot of American business owners.
Yeah, and this was like 2018, so remember this was-
My, that's like lifetimes in terms of crypto and AI and everything. That's just crazy. Yeah, that's a long time ago.
Speaker 1 (07:20.142)
This was, I mean, ransomware was thought of then as more of like, you know, trying to get a green light card, you know, a green spot card for 500 bucks, right? I'll turn your phone back on if you give me 500 bucks. Or that low level stuff, or I won't publish your camera roll if, you know, I
Exactly.
Speaker 2 (07:39.052)
More like, yeah, individual scams
This was the infancy of let's hit corporations, let's make it bigger dollars. So these guys were dealing with a multiple hundred thousand dollar payment that they had to make and it was real. I mean, they had the network locked. So here we are, right? Upstanding US company trying to pay God knows who, but he's got my network. How do I do this? How do I facilitate this? Problem one is how do I put together a couple hundred thousand dollars of crypto?
How do I put it into a wallet that is, well, I guess this is gonna work, right? So how do I ensure all of that is as business to business upstanding as it can be when you know you're dealing with a criminal on the other, probably the other side of the world, but certainly the other side of the web, the complete dark side of the web. So how do we make sure that that happens? So having crypto to lend,
doing those kind of things is how we facilitated that. But it pivoted very quickly into, we need to build out a threat intelligence operation to make sure that we're not paying the wrong person, the wrong person being somebody who's on a sanctions list, somebody who is, you know, an operative of one of the countries', you know, state sponsors.
Violate OFAC, right? Yeah, we're not allowed to fund these blacklisted state sponsors and a lot of the cyber crime groups are affiliated, sponsored or completely in bed with those entities, which is a challenge, right?
Speaker 1 (09:20.888)
Right, so the challenge is you can say, well, I look at the wallet address and I go to the OFAC list and I see it as this wallet address. It's never going to match because these guys aren't dumb. They're going to set up a new wallet every time they hit somebody. So you've got to get your way through that to have a reasonable call that you can make that says, okay, we're okay to do this. And we check with law enforcement, we do all that. We go beyond just checking the list, but we have an attribution process that is truly thorough.
in the threat intelligence space generically, right? So that allows us
My question to you is, how do you know? How do you verify for somebody that it's okay to pay this crypto wallet? That is somehow a lie. So you guys are on the dark web, you guys are connecting the dots for Zip?
That's specifically what it is, is connecting the dots, right? So there's two ways that we accomplish this. One is we have the historical data because we've been in thousands and thousands of these and there are thousands and thousands of threat actors but there's not thousands of threat actor groups, right? There's not all that many. So you start to know
Make sense.
Speaker 2 (10:38.606)
And the more they go away or disband, the more the same people tend to pop up. They come up with a new cool name like Drunk Panda or whatever, and then they brand themselves and set up their shops on the dark web. And it's really a lot of the same people over and over.
They just pop back up somewhere.
Speaker 1 (10:59.222)
Yeah, exactly. So the patterns are when do they hit the, when do they talk to you? What time of day, right? You can do a time of day track. Which translator are they using? You can back into figuring out what original language was this translated English coming from. There are things like that that you do. We enable AI to do some of that, but what we do is really human-based and that's the key. So we don't run our script against their script.
because that isn't gonna get you anywhere. It's not really gonna tell you. And the key part of doing this this way is whether you're ultimately going to pay or not is not the relevant thing in the negotiation. You should always negotiate because the threat actor, if he has the illusion that he may get paid or probably get paid depending on how you're playing it,
Whether you're actually going to do it or not is not relevant. If he thinks that he's going to get paid, he's likely to give you more information because he believes he's making a business deal. I'm going to get paid as a salesperson would do. I'm going to answer your questions. What could be those questions, right? This is the key. You don't say who are you, where are you from, because what's relevant to the client you're dealing with is, do you have the data? You told me you stole. Do you actually have it? Is there proof of life here? So you're doing these kinds of things.
How valuable is it, how valuable do you think it is versus how valuable do we think it is if there's data involved? If it's a decryption key, the network is locked up. Okay, prove that this thing you're trying to sell me is going to work. There's these kind of things that you do.
Do you think like a proof of life, George, do they like I've seen it in certain instances where they will encrypt a couple files showing you, look, I can do this a little bit. It's like a Ponzi scheme, right? Like here, this little one made you money. You're like, this one's good. So now give me the big nest egg that I'm looking at.
Speaker 1 (13:02.446)
And I have a couple of stories, I love stories like this, but there's a couple that are really interesting, right? So one is, I have this, the bad guy's saying I have this list of a thousand files, right? I've encrypted them all and you don't have access to them. The client on our side, right? Because we're sitting between, this says, you know, I've got a paper copy. I've actually been in business a long time and I was, you know,
because I thought I should, I digitized everything and so whatever, but I can just go back to paper. So I don't really care, right? He's decrypted all those files. He can have them. There's nothing sensitive in there except for one. There's one file in there I don't have a paper copy of and it's really important to me. So what do we do? Well, this is pretty, it should be pretty obvious, but if you're running a script, it's not obvious, but because you're humanly involved in this, you tell the threat actor, I would like you to decrypt
these three files. And of course, one of the files we throw into that list is that one the client wants. Threat actor sends back three files decrypted. We got what we wanted without paying a dime. Now we're safe. Now it ended up, we still don't really want the shame of that data being published, right? And the client said,
but it's not worth any money to me really because I've got to tell the clients anyway that it was gone and everything happened. We were able to get that threat actor to ultimately give us the files and the decrypter for everything for $500 and I'm talking about $500. He started at multiple, multiple tens of thousands of dollars. But at the end of the day, because we wore him out, we wore him out and he was like, all right, just give me 500 bucks and I'm going to.
Well, and each step in that negotiation lowers the value of what you're willing to pay. Like each one is a huge win. Those are all win battles for you. So that way when you ultimately decide do we pay and how much, there's a lot of steps and a lot of battles leading up to that.
Speaker 1 (15:05.806)
So what it became for the client, the business on our side of the world, was an actual business decision about how to handle the situation as opposed to, have a gun to my head, my business is going to go out.
Right. An emotional one, right. An emotional one, which can be, which can cause you to make bad decisions or one that's hyper technical and then they don't understand what decision they're making or they struggle.
Precisely. We say, I mean, most of our clients, we meet on their worst professional day, right? In the world of technology. It's their worst technology day they could ever imagine, right? This is like, I can't believe this is happening and my business is being threatened because one of my employees clicked on the wrong email, because somebody who's managing that firewall didn't have it set correctly and somebody got in. I forgot to patch something or I wasn't notified that I had to patch something.
People are still reusing passwords and those got sold on the dark web, right? Exactly. Ridiculous.
So think of, think this through, right? So we're very experienced in negotiating. We're experienced talking to threat actors all day long. So how do we spin this into being able to actually do some positive stuff, right? I explained this one situation where we did it. We've had others where we wear a threat actor out and he ends up giving us what we're asking for, for no dollars, because we just box him in to where he has no out, but to just say, I give up.
Speaker 1 (16:33.388)
And that's great. That doesn't happen all the time. But most of the time we come to a better result. And I want to make sure everybody understands this. Probably 80 % of the time or better, there is no pain.
100 % of the time we're negotiating and we get valuable information to guide the restoration, to guide the protection going forward, to guide closing all the open doors that were left open. We get all that through the negotiation and four out of five times, there's never a payment, right? But five out of five times.
You guys engaged, and I know there are groups like this, but when an organization gets breached, however, whatever type it is, and they contact their insurance carrier, their cyber insurance carrier, they usually will pay for the forensics teams that'll come in, put EDR on all the devices, et cetera. And then should there be a negotiation and lawsuits, et cetera, they will pay for that. Because the duty to defend is broader than the duty to actually
pay out ultimately, like, and indemnify. But what, like, are you, do you guys get engaged through groups like that, or the groups that get retained by the insurance, or do you guys work with cyber insurance carriers?
Yeah, there's several ways that we get involved in live incidents, right? And it is the insurance carrier brings us in. It is the breach counsel brings us in. The digital forensics and incident response, the DFIR firm, brings us in. So it's one of that three headed monster that brings us in as the fourth party to this. We're most of the time, I mean, virtually all of the time we're under privilege because there's breach counsel involved.
Speaker 2 (18:00.984)
Counsel or
Speaker 1 (18:19.342)
I recommend anybody who's listening that should be, you know, that.
call one. That should be call one. Call one. Yeah. Involve lawyers and stuff. Trust me. I know. But I'm telling you, there's some benefit to making that call one. Get your CISSP, like your security leader, and then your advisor, right? From the cybersecurity technical and policy end, and get that lawyer involved. Right. So that way things are pretty.
Take care.
Speaker 1 (18:49.55)
And get us, I mean, we have a machine, this could be available to anybody that comes to us, but we have a do's and don'ts of ransomware, right? Which, that literally is in there, is don't start talking to the threat actor, get a professional to talk to the threat actor, make sure the lawyer is there first in, right? Insurance company, lawyer, then, you know, still the vast majority of small business and medium-sized businesses that we see in
the environment don't really have cyber insurance that covers something like this. I mean, it's not.
Or it's limited, right? Or they'll send them notice that they're going to decline because there's a lot of, I see a lot of organizations that are covered under CGL policies. They're not covered under specific cyber policies or they are, but they're not really covered because when they applied, they said yes to a bunch of things that don't count. Like, yeah, we have MFA because I have MFA on one thing, right?
Well, that's not what the insurance company is really requiring. They're requiring everything, right? And most organizations don't have that or a lot of them don't. And so they're going to decline. So you're going to have to engage these groups on your own, but it is still money well spent upfront in an emergency. But then again, if an organization tell me like, George, wouldn't you agree? I'm sure you see the benefit right off the, right off the jump.
is when an organization has an incident response plan and they've tested it and they've run tabletop exercises, they're ready more so than the vast majority that don't.
Speaker 1 (20:29.366)
Yeah, and it has to be real. You have to internalize this as an organization. Having, you know, we see people that have a consultant come in, they write an incident response plan, it ends up in a binder and it ends up collecting dust somewhere.
Yeah, that's a strategic five-year plan. That's not what it's designed to be.
You have to say this morning, right, you went into the office this morning, you didn't have access to anything.
What, or you picked up that phone, right? You got that call and it's from somebody, whoever in your organization, and everything is down. Nobody can access anything. Right. Who does what? Hour one, who does what? Hour two, like literally like it's like a living, breathing RACI document, right? Who's responsible? Who's accountable? Who needs to be consulted? Who needs to be informed? RACI, and then boom, hour two, hour three, day one,
day two, like you the landscape will shift as things happen. And that's exactly right.
Speaker 1 (21:28.792)
Things happen and you get a professional negotiator, somebody like us in place, they're figuring out in this real time, what does the threat actor really have? What does the threat actor think they have? Are they bluffing? All that stuff. But that's going to inform your restore process. So you're standing up backups, you're looking at infrastructure, you're doing all this stuff internally in the network. You at a minimum have to start talking to the threat actor just to buy time to get your you know what together on your side. So you have to.
Where are these, for listeners and viewers that haven't been involved in one, where are these negotiations held? Like I know, but I just want you to share. Are they held on a, like I've talked to business owners and they're like, yeah, I got ransomed. I got a text file that said, read me or ransom note. And I read it and it's like, download the Tor browser and I've got to get on a Tox channel. What the hell is that? And I have to explain it.
It's usually in these forums or in these channels and it's usually done in writing, right?
Yeah, it is almost, you know, 100 % of the time, very close to 100 % of the time done in writing. It's usually run through a translator, their side to our side. But yeah, it is a Tor chat. That is what it looks like. Sometimes it would be in Telegram or in Signal or something like that, but that's not usually what it is. And here's the reason why. The hosting infrastructure of the threat actor side of things is pretty regimented. It's actually, you know,
we hate to say it, but let's just accept it for what it is. It is a legit business where they are running it and they have partners, they have affiliates, they have agreements, they have everything we have on our side. And so to protect their, you know, compadres who are actually hitting a victim, they have it all very structured. So you're dealing with, you know, you're signing into the platform with your unique identifier. That's how it, you know, you're dealing with this case.
Speaker 1 (23:31.426)
The person on the other side of that might have 500 of these things going on. They're like a customer service operation at some point in a lot of ways. And once you get to the right person, that's when you start talking about what's going on and they have all their information. And it's usually then, you know, on their side, they give it the same way. On their side, they're assigning a negotiator on their side. We've assigned a negotiator on their side, and then we know who.
talking to, we can figure out who we're talking to fairly readily. And that's kind of part and parcel to what we do. And then all of that guides the point to where we make a business decision about whether to make a payment or not. But in order to make that decision, all of this information we've gleaned through negotiation, all of the information gleaned from the digital forensics about the attack come to bear.
with an attestation about we're relatively confident in your original question from a couple minutes ago, then we're reasonably confident, we have a high degree of confidence that we're dealing with a non-sanctioned threat actor and therefore, should you want to make a payment, we feel comfortable making the payment. What our clients have to understand and everybody involved in this is the way the law works here.
anybody, David, you and I, if we're talking to a threat actor and I say something and I say, let's go pay him, because you were involved in it, you're liable too. And so the breach counsel is liable, the insurance company is liable, the client's liable, and we're liable. There's no escaping that. So it's really important. We've had to say no. Customer says, I don't care. Let's just pay him and be done. We have to tap out and say, we can't do this. We advise you.
Because it would violate OFAC.
Speaker 1 (25:12.576)
Yeah, exactly. And we're reasonably confident it's going to up and usually the breach counsel walks with us because they're saying the same thing. Hey, you know, we're out. We're not doing this.
Makes perfect sense. I mean, we love our jobs, but we don't want to go to prison for treason. Yeah. To do our jobs, guys.
That's what we're messing with. this is not, I mean, you can think of this a lot of different ways. There's a lot of analogies that you can bring, but you know, it's not, at the basic point is, you know, you're meeting somebody in a dark alley with a bag full of cash. you really, or do you want somebody who's, who has gone into a dark alley yesterday with a bag full of cash and made sure that the thing happened correctly? Would you rather have him carry in that bag? And that's.
doing.
Speaker 2 (25:56.918)
You know, and the sad thing is today there's not a lot of people that have ever walked down a dark alley before in real life. Yeah, you and I like you and I have growing up around Chicago like, yeah, you do that once you won't do it again. You're going to bring somebody with you.
you find people who are comfortable there and that's
Yeah, exactly. Like this way shorter, guys. Let's go this way. And then you do that once in your life and you.
No, you start running halfway through.
It's a different world, man. There's no law. It is like Lord of the Flies. So, hey, I got a question. So what percentage of organizations, and then I want to get your take on PowerSchool or some of the recent breaches that have been out there, because there's some of the stories, just, I'm like scratching my head. I'm like, I've got to ask George when I talk to him. So what percentage of organizations that pay a ransom get their data back?
Speaker 2 (26:52.492)
Let's start there. And then I want to ask you like, what percentage have a guarantee that they actually won't expose it and won't publicize that data?
So we, as part of negotiation, always ask, you know, there's always a list of things that we expect. If we send numbers, you know, you're committing to this. By and large, and by by and large, I mean the numbers, like a 95 % number. It's not guaranteed. It's maybe a little higher, you know, if you have really good professional negotiators, but the number is above 90. Where you get the data back and you don't see it come back and rebound in, you know, as far as the data set is concerned that you're buying back.
But what does happen, I mean, you're dealing with criminals on the other side. And a lot of times there's a middle level person. I actually saw this very recently with, one of the things that happened that there was an administrator, right? So think of it just like we think of admins, that jumped into the chat and put their wallet address in, like right as a payment was about to be made. But it wasn't the person that held the data. And because there was professional negotiators involved, they knew from the way that
information came through that wasn't the person they were dealing with.
I see you're able to catch that.
Speaker 1 (28:06.53)
There are times that they're like, this is not right. I'm waiting for, you know, who I was talking to, which was probably Igor, right? And now Yuri is in. All of a sudden, I'm waiting for Igor to come back because I know how he's been talking to me for two days. And this person is not, not that person. So, so we do things like that. But for the most part, there is a bit of honor among thieves. This is a
business.
They're never going to get another dollar, right? I mean, it's going to be, you screwed over somebody else and I know it and I know it's you and I'm not going to deal with you. Right.
But on the, yeah, but on the other side of the coin, we have a couple of circumstances. So the first one that comes to my mind anyway is Change Healthcare, right? Where they were dealing with BlackCat. They paid 20, 25, whatever the amount was, million dollars to BlackCat. They said, fine. They closed up shop, right? They did essentially an exit scam. But meanwhile, the threat actor who had the data was like, it's great that you paid the parent company, but I'm the one
with the data. And so he went back, joined, after BlackCat ripped him off and didn't pay him his cut for actually doing the work. Then he created, what, RansomHub, or joined RansomHub. And then he went back to Change, right, and said, you still have to pay me. I still have your data. All your data is still going to be released.
Speaker 1 (29:53.96)
Right. You know, I'd like to say we weren't involved in that, first of all, but I'd like to say that a better negotiator might have gotten better proof of performance.
Yeah, proof of payment. Like, hey, you know, the guy who did this was this person. And I know he's affiliated with you, but we need to include them in that, like loop them in. Right. Yeah. They need to be. Yeah. So that way both of you. Right. That's a good example, right. I don't know who the people were that negotiated that, but it really leaves a lot of questions. Right. Well, I think from that better.
Yeah, and you know, there's simple things that we do, right? Like we will send an incremental test payment. I mean, we'll send, quite literally, $10 just to make sure that the same person answers and says, yes, I confirm receipt. And then we reconfirm, okay, when I send you this, you know, $19,990,000, you know, $999, you know, are you going to perform? And then we know that's the same person answering and that's the right wallet.
Those are the kind of things that you have to do. It seems maybe simple, but it's not something that everybody does. We're very disciplined on that stuff. It's true if you think about it from their perspective and our perspective, right? We have network security on our side. We have operational security on our side. You and I are very confident that we're the only two people in this room right now because we're counting on all the internet, interwebs here, that, you know, we don't see a third person popping up. We're very confident in that. So, you know, that's operational security and network security that we're relying on. They're doing the same thing, right? So how do you actually infiltrate their network? And this is where it gets even more interesting on some of the stuff we're doing: how do you actually get to where George can talk to David in a private channel where one of us is a bad guy and one of us is pretending we're a bad
Speaker 1 (31:58.616)
How do we get there? Because once you get there, you're behind their network security, right? They've invited you in, you haven't hacked your way in, you've been invited in. You're also behind their operational security because now it's a friendly business relationship. It's a trust. The trust has been built. Once the trust has been built, we're going to have an open conversation. Bad guy to bad guy, he's going to tell us stuff. We're going to tell him stuff. Half our stuff is false or just meant to increase our credibility, but now we're hearing all sorts of things. So if you deploy, you know, a small army of people doing this, it takes time, but once you've gained that credibility, you're able to get front-ended information about what's about to happen. You might get briefed on an
Upcoming breach, upcoming attack.
Target list, a target list, right? We've seen things where we get a... Here's 6,000 email boxes that we've compromised. We don't have time. We bad guys don't have time to hit them all. Do you guys want any of them? Give me a few bucks for them. And then we look through the list, we see the whole list. We see our customers on this list and we go, well, give me these 200, right? Of course ours are buried in this because we've got to keep our cover.
Absolutely.
Speaker 1 (33:19.116)
We'll take 200 off here, we'll take a thousand or whatever it is, give me a price for that. It's, at that point, the price is kind of irrelevant when you look at the potential threat of a compromised email box, right? This is what people don't, still don't understand. And we really, in our community, on our side of things, really need to have people understand this. It is not cyber awareness training, it's all of these things, certainly.
It's not having an MDR, it's not having a SIEM, it's not having a SOC, it's not, it's having all of that plus good threat intelligence from the other side of the world. That's going to be a more complete defense, and we preach this defense in depth, all of us in the cybersecurity space on our side, defense in depth, right? Multi-layer security. You can't just rely on one little thing. You've trained all your people, you know, there's still business email compromise. And here's the interesting thing. This is where I really get a little bit animated. Think about this for your organization. Everybody is 100% compliant, doing everything the right way. Are all your suppliers doing the same thing?
Right. The third-party threat, it just exponentially increases the risk.
Right, so we had one case, this is, you know, it's really illustrative of what I'm talking about. The email boxes that were compromised, it was one email box inside the network. Then they left it alone. They didn't do anything, but then phished
Speaker 1 (34:54.292)
into the email boxes of the people that this person was dealing with, that she was sending money to. Then they impersonated the people that she was sending money to. And then they just changed the routing numbers of their banking information as if it was the normal course of business. There was one email that was false in a string of 20 emails between these two people. That one email that was false was, hey, by the way, we changed our banking relationship. We're now here.
So change your information so the checks go this way, right? The ACH.
We see it all the time. We see it all the time. Like people get compromised. They log in as a user, right? In M365. It's undetected. Because a lot of organizations don't have threat hunting within M365. And they're able to have that suspicious login not be detected and then to watch the exchange between, right? And then to interject something from that legit user
to that vendor, change the wiring instructions and get it done. Exactly. All the time.
And not until this organization had sent hundreds of thousands of dollars to the wrong person and then the right people called and said, hey, where are those payments? I never saw them.
Speaker 2 (36:11.246)
Oh yeah, we have examples. I mean, school districts have been hit like that. Banks, healthcare, it's all over the place.
And it's, if you think about it, because we have to always keep our mindset in what the threat actor is looking at. You know, we get very sensitive about what we believe to be the sensitive email boxes, right? Or, you know, who are we focusing our cybersecurity training on? We internally, our operational security is that, you know, some of these people maybe don't get the cybersecurity focus that we would give people running the firewall, people running the cybersecurity posture, right? You know, they're all locked down and really good, but there's exposure everywhere. And when you look at some of these organizations, your supply chain is, you know, 20, 30, 40 different organizations that you're counting on to do business today. If any one of them gets compromised, what are you going to do?
Well, I mean, the Target breach, right? The famous Target breach from eons ago wasn't Target. It was their HVAC vendor. Right. I mean, like some of the biggest breaches that were in the news weren't even them. It was the friggin' vendor.
Exactly. We look at breaches where it was the smart thermostats in the office.
Speaker 2 (37:29.87)
The Internet of
You have this exposure, we talk about threat exposure, attack surface management, threat, you know, exposure management. When we consider that the only exposure we have is the four walls of our network, if you want to think of it that way, and we have, you know, all sorts of analogies and build your castle a little higher and everything else, you should do that. Of course, you should be watching your perimeter, but we know this militarily with what, you know, over time, what we've done.
You also want to do espionage of what the enemy is planning. And if you have indications of what the enemy is planning, you can tune your defenses better. We take that further. We're talking to the enemy as a potential partner in the attack. We can dissuade them from doing things a certain way. We can inform defenses on what we think is a better defense for what this guy is planning without ever really blowing our cover. We could say, no, we want to carry out that attack, given the case with the business email compromise. No, we want to carry out the attack on those 200 email boxes. Let us have it. You think they check in with us a week later and say, how did that go?
They don't. They don't. That's exactly right. They got their couple thousand bucks. And that undercover, going undercover into a cybercrime gang is just critical to do, because having that information and having that intel is so, so important. There's numerous stories, several guests like Jon DiMaggio with Analyst1, he was on here and he's done that. He did that. He was talking directly, you know, with the LockBit head back in the day when LockBit was really good.
Speaker 2 (39:09.536)
And it led to a lot of intel for national security as well as for the organizations that it's going with. I wanted to get your take on PowerSchool. So PowerSchool, because that's a supply chain attack, right? PowerSchool gets breached into their portal. They're using some tool in there, the power tool, whatever it's called. And then they are able to gather up and exfiltrate. It wasn't a ransomware attack, it appears, from what I've read, but it looks like they were able to attack and gain very sensitive information on medical, educational, et cetera, on a bunch of children, teachers, et cetera, for thousands of districts all over the US, because so many of them use PowerSchool. It has like a 70% market share in the K-12 space. And when I read this, the one thing I wanted to ask you is,
They said before they paid, and they didn't disclose how much they paid, but you know, it was a big number. You know, it was because they're so large and the millions and millions of records that have reportedly been exfiltrated and stolen. But before they paid, apparently they got the attacker, the cybercrime gang, to do a video of them deleting the data.
And that's their guarantee that they're not going to release the data later. And I was like, you've got to be kidding me. Like, right. Really? Like I'm like, here's me videotaping, doing a FaceTime of me typing some random crap and showing you something on my screen that shows something got deleted. Like what? It doesn't prove anything.
No,
Speaker 2 (40:58.306)
Your experience, like, did you, when you read that or you heard about that, were you just scratching your head? Like, are you kidding me?
What clicked with me is every one of those school districts better be watching for that data to get published or threatened to be published or something like that. And that's one of the reasons we kind of built a solution around this, not just for PowerSchool, but we have our solution set called Dark MDR. So it is true MDR on the dark web.
But what indicators do you get? That's the thing. We're comfortable in the cybersecurity space talking about what MDR does inside of the network. We're checking logs. We're checking access. We're checking all
for anomalies, Threat hunting for anomalies, looking for bad behavior, right?
Inside, right. So what we're doing is, you know, moving that outside of the network. The problem outside of the network is, what is your signals intelligence outside, right? You're not... I can't look at dark web logs. There's no...
Speaker 2 (42:00.142)
Exactly. That'd be great if somebody can figure that out.
So what we've done is created a log of dark web activity. We're having, and I'm not kidding about this David, we're having hundreds of conversations with threat actors every single day. We track every one of those. We put it into a data lake. That is our log that we're analyzing. And we're analyzing that for patterns. We're analyzing that for target patterns, for malware.
Think of the intel that you're able to catch.
And think about that. You know, is the bad guy community targeting Microsoft, healthcare, Fortinet, right? Have they figured something out, have they cracked the code somewhere where, if that little tech stack is in place, we've got the in? That is informative then to say, on our side of things, maybe that patch you had, which was number 70 on your list to get to someday,
maybe that needs to be number one, if the other ones bumped out that can.
Speaker 2 (43:02.894)
That needs to be a priority one.
Speaker 2 (43:07.468)
That's exactly right. That's exactly right. And given that they operate as businesses, right, they run campaigns. And if they are running a campaign, right, with hundreds of attackers kind of exploiting something, then that needs to get out there into the community and to those individual organizations.
So I just, and I don't want to run out of time, but I want to tell this kind of story because I think it'd make perfect sense, especially talking about PowerSchool and everything else. So PowerSchool was a data exfiltration play. No doubt. This data is valuable. I'm going to hold the data and you're going to buy the data back from me. For PowerSchool, it was a vulnerability issue, right? I need to close my vulnerability and that, but for every school district, you just had data exfiltration, even though nobody went into your network and stole it.
So your operational security was good, school district, but your supplier's was not. That's what happened, right? So now you've got to deal with the fact that your data, your health records, that of your students, all this other stuff is valuable. You have a fiduciary responsibility to make sure you take care of that. And now you're on the hook, right? Through essentially no fault of your own, other than choosing a vendor. So when you look at that
holistically, what does that mean? It means you have to be aware of what's going on on the dark web as it relates to you personally. We're all very familiar with so-and-so that you're doing business with, T-Mobile, AT&T, Target, it's a good example. Your stuff's been released on the dark web. Here's LifeLock for a year. Don't sue us. I mean, that's what happens.
We don't seem to have the same appreciation for the fact that every single organization has that same exposure, whether they did it or not, whether PowerSchool did it on their behalf, oops,
Speaker 1 (45:03.062)
or not, you have that same exposure. So you do have a responsibility to pay attention to what's going on in the dark web. And you should be aware of it, if nothing else, to do things like tuning your defenses and doing everything else in the interior of the network. If we could actually accomplish something on the dark web, that's even better. Right? So you don't think about it in a sense of our cybersecurity side, we talk about the kill chain, right? So inside of a network, I found this anomalous behavior and, you know, where in this kill chain, where can I catch him? How fast can I catch him and stop it before he goes horizontal and increases privileges and everything else, right? How fast can I do it? If we could extend the kill chain out into the dark web before it lands inside.
Well then we'll make a significant dent in cybercrime.
And that's the other thing too, is what these guys, like you're talking about a vulnerability. So I have a vulnerability. I'm a bad guy. I have a vulnerability. I'm going to exploit that. I'm going to use AI. I'm going to use all my tools. I'm going to do everything else. I'm going to blast this vulnerability. And I might nail 10,000 people, and in every one of those 10,000 logs, so inside of their logs, there was one bit of data that they had to catch.
Because now I went completely silent. I planted something and I'm going to give you no more wave. There's no more breadcrumbs. There was that one; if you didn't catch it, tough. I'm now going to gauge my attack. So think of it from a business. I now have these 10,000. They're in a stack.
Speaker 1 (46:36.46)
These look most valuable to me, right? The outcome is going to be most valuable. They're my key customers. I want to think of it that way. I'm going to put my A team on those. I have a bunch in the middle. I'm going to put my B team on those. And here's the bottom of the barrel. I'm going to just farm those out. I'm going to sell those leads to somebody else. That's how it works. So if you can catch them in that kill chain when they're deciding who they're going to attack, that's even better, right? And that's what we're
Yeah.
Speaker 2 (47:05.184)
Absolutely. And if you could steer off some, and I love the being undercover and negotiating with them and saying, hey, I'll take, I'll handle these 300. I'll handle these 500. Can you just save those 500 organizations from being breached? Yeah. Right. Like that's a phenomenal value to the community. Yeah. And that's really good.
Yeah, and think about it, you know, if we're bad guy to bad guy and you're selling me something, I'm going to say, well, how did you get in? Right? No, I know. I know. We're pointing to compromise. I'm going to say, what did you plant? I'm going to have.
Sometimes you may buy it just from an IAB. If you just buy it from an initial access broker, they weren't even planning on going in. They were just going to sell it to somebody else that was going to go in. They found the vulnerability. They found the data. They're just selling it and they're done. They're not going to be, they're not part of a ransomware game. They could be, but the point is, their role in that transaction is, we've got the data. We're just selling them. And so for them, for you to take some, for them to think that you're a bad guy and then to sell you 500 US businesses' accounts and them believing you're going to go after them. That's great. Like that is a huge benefit.
Exactly. It truly, truly is. That's the biggest difference in this to what we've done. Everything I've suggested, by the way, is additive to what you're doing. I'm not suggesting that anything you're already doing on the inside of the network is worthy of the garbage bin.
Speaker 2 (48:39.688)
Also, are they doing enough? Like, why is detection... Like, I keep reading all of these breaches and they're like, they were inside for a month, they were inside for three months, they were inside for seven months, and I'm like, are you kidding me? Like, I'm just curious, like, are a lot of organizations still just not doing the basics, like threat hunting, looking at logs in real time, having some SOC within their organization?
You know, it's in, you know, being in the business, right? I mean, there's the highly sophisticated enterprise that is doing everything.
Right, they've got everything. But most SMBs, I still don't.
In mid-market, they have the IT person. They don't have a threat hunter on staff. They don't have a cybersecurity analyst on staff.
Right.
Speaker 2 (49:32.078)
The IT person is doing everything they can, but they know what they know, they don't know what they don't know, they don't know 24/7. And by the way, they're on the network NOC side. If you think of the industry, they're on the MSP side. They're not on the MSSP side with CISSP and Security+ and all the other threat hunting and those, like, they're not a security analyst. They're a tech person. Right.
Exactly. And they're conversant, right? They know the terms.
Bright, and they're really good. It's just they're not... they can't do what an organization or what a SOC can do that's operating 24/7 with eyes on glass. Right? Exactly. It's just
And that's the key to kind of enabling that defense in depth. If you don't have a SOC, well, then you should have a SOC service, right?
Yeah, they have them everywhere.
Speaker 1 (50:26.962)
It seems, you know, it's counterintuitive to not at least have some security that is looking at this stuff 24/7. You have to have it. Yeah, it can be informed by dark web intelligence even better.
Yeah. That's the next, I mean, that to me makes as good of a package as you can. Right. Yeah. If I was a CISO for an organization, I would want all of the standard things, the EDR on the devices, the vulnerability scanning, the SOC as a service, eyes on glass, but then I would want to be proactive and be looking ahead of time at threats on the dark web. And then, I mean, there's literally, I don't know what else is humanly possible you can do, but to me that is really, that's the, that's a mature
Think about it, and if you do all of what you just suggested, which I'm also suggesting to do, if you do all of that, you become a harder target, right? And else
And it's like, yeah, it's the story of the bear in the woods, right? Like if the bear is the hacker, and bears can literally, you know, outrun us, they can climb trees, like we're never outrunning the bear if they want to get us. But the point is, you don't have to. You just have to do better than the other hiker. Right. Like you see that bear, the first thing you do is tie up those laces and run. And they're like, why are you tying your laces? And we're like, because I don't have to beat the bear. I have to beat you.
Speaker 2 (51:52.406)
Like in just go right? It's exactly it.
Speaker 2 (52:06.638)
Exactly right. I'm my other dive buddy's oxygen so that he's struggling and that this trucks going after him. I'm getting out.
But then, you have to say, that's it. So be a harder target and enable all of these things. And the other thing I want to make sure I encourage everybody, it doesn't mean you have to be a threat expert. It doesn't mean you have to know the latest between DragonForce and RansomHub, right? There's, you know, threat actor stuff that goes on, and consolidation and dispersion and changing faces and changing labels like we talked about at the beginning. You don't have to always be up to date on that.
But make sure you're working with somebody who is. That's the key. And if you're not, you're not as hard a target as the next guy. And that's what...
And to me, from a business owner perspective, it's very similar to engaging a CPA, because you don't know all of the tax codes, all the new benefits, the tax havens, the safe havens, like all that. You don't, your job is to grow your business, build a good culture, represent your brand, get out there. Like that's your role. Like, not to understand, wow, the new clause in the new tax code means that we could depreciate these assets now. Like,
Why would you know that if you're the CEO? Like, you don't need to. You have a team. You have a team, right? For an engagement, right? It's just like the law, like, the Supreme Court has a new rule. Why do you care? You've got counsel, right? And it's really the same thing. Yeah. So.
Speaker 1 (53:26.574)
and would be a
Speaker 1 (53:39.594)
And so, you know, think of it in the same way, and you're right on with that, David. I mean, that is a really good analogy. And you know, having a breach plan, having it tested, having an incident response team, whoever that is, you know, sole proprietorship, okay, you're the incident response team. Who are your partners in this? You should know. What's your first call? You can't get to your email. You can't go back in your email and look for who your first call is. You better know who your first call is and what you're going to do. Because these are...
you know, become existential threats that don't need to be, right? I mean, it doesn't need to be. If you're prepared for it, it's not going to be an extinction event for you. If you're not prepared for it, it might be an extinction event.
Well, and that's the difference between those that have a cost and have a little bit of downtime and those who wind up in the news, down for a really long time. Yeah. Those that prepare. I mean, it's like a fire drill in school. Like we all had fire drills in school. Why? Because on the day of a fire, we don't want it to end up terminal. So I mean, it's very similar. Hey, George, thank you so much for your time today. We will have a seriously. It was a great conversation.
I could have, if we didn't have hard stops, I could have talked to you for hours. And we will follow up again. We'll definitely talk.
And offer some of our, you know, we have some of our actual threat analysts who dig into this stuff like really deep. If you want to do another session with that, I would like to. One thing out there, we're doing a series now. It's insights from us. So it's totally no cost, just available. Anybody can go to dark-mdr.com slash PAA. PAA standing for people are asking. So.
Speaker 2 (55:07.18)
So interesting.
Speaker 2 (55:20.931)
Yeah.
Speaker 1 (55:24.972)
We're publishing this as it becomes.
Send me the links to those. Will you send me the links to those by email? And what I'll do is I'll put them right in the show notes. So I encourage everybody to check it out. I'll have your LinkedIn in the show notes as well as a link to the company as well. Fantastic. Great stuff, George. Hey, great. Go get a man. We
You bet. You bet. I'll, I will, put my dark hat back on in a minute. Yeah.
Yeah. Just grab a mask when you work. You know what I mean? It gets you in the mood. All right, buddy. Thanks. Have a great day.
Thank you, David. You,
Speaker 2 (56:04.568)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.