Ransomware. What, Me Worry? with John Shier
John Shier, Senior Security Advisor at Sophos, joins the podcast this week for a deep dive into today’s ransomware threats landscape and insights uncovered in the recent Sophos research reports, including the “2022 State of Ransomware Report” and “Active Adversary Playbook.”
We explore future state themes of ransomware such as the geopolitics of ransomware, simultaneous attack and dwell time trends, will we ever get to a ransomware ‘flat fee’, increasing the resilience requirement for companies seeking cyber insurance, and industries such as healthcare that are seeing sizable upticks in attacks (and how these can be mitigated ahead).
Ransomware. What, Me Worry? with John Shier
[2:04] I Dream About Ransomware Threats at Night
Rachael: We've got John Shier, a senior security advisor at Sophos. He's a researcher who brought all kinds of goodies in terms of research reports, Sophos Ransomware Report, Active Adversary Playbooks, and so many great things that we're going to dive into today.
Eric: John, I spent a good bit of time comparing to the Verizon Data Breach Reports. We talked a little bit about the IDC survey they did last summer or last in '21 and the data's all over the place. I'm really looking forward to this conversation because assuming the sample is accurate and representative of the globe. I think your data's scary as hell but outstanding.
John: With 5,600 respondents, 31 countries, and 100 to 5,000 employees, we had a pretty broad sampling base, so I think it's fairly representative of what's out there.
Eric: But it is scary. For instance, a little prelude, Rachael. I worked at an education organization right now. Ransomware would be what I dream about at night, not in a positive manner.
Rachael: What about healthcare?
Eric: Healthcare's better.
Rachael: I'm interested in this too. You've been talking so many great stats in the report, John. Ransomware is one of my favorite topics in the whole world. I saw that one of the things that you guys found, I think was an article. Was it TechRadar? No, maybe not, but it was 94% of healthcare attacks in 2022 and then 66% the year before.
To Pay or Not to Pay for Ransomware Threats
Rachael: Then 61% of healthcare pay and one got 2% of their data back after paying that ransomware. So, pay, don't pay, what do you guys see in there with all this swirling about? There doesn't seem to be a good answer, or do you have one?
John: Well, as far as paying the ransom goes, we always want to say, "Don't pay the ransom." You're directly funding criminals. In the beginning, when ransomware first came out, it was easy to say because it was the right thing to say. But then as the situation evolved and as ransomware shifted from hitting individuals and just individual computers within organizations to hitting massively within organizations, it was a little bit tougher to give that advice.
You don't know how paying that ransom or not will affect or impact that business. It could mean you have to lay off employees, it could mean you could close your business. Still on the side, if you can help it, don't pay the ransom. But again, the situations will always vary. If you look at the year-on-year comparisons of payment, I think a lot of surveys agree with ours.
Those five X increased almost over last year in terms of payment, and some have decreased in some surveys. But I think what we're seeing is the ransomware criminals, they've been testing the waters for years trying to figure out what can they get away with. They just keep upping the ransoms and eventually, we'll probably see some sort of a flatline and go, "Okay. This is what the market will bear and they'll kind of sit there." But this kind of thing is still a nascent industry if you'll pardon me for using that term.
Eric: Why do you think it would flatline?
John: Based on previous evidence, back in the old screen locker days. You'd have these police lockers where your screen would lock up.
What the Market Would Bear
John: They'd say, "We've seen some copyright materials or child sexual abuse material or something," just general pornography on a computer. They would have the FBI logo or if you're in the UK, it would have the UK e-Crimes Unit or in Canada, the RCMP. They'd say, "Well, to unlock your computer, you have to pay a fine of X dollars." We saw a $100 and we saw $200 and saw 300 and so on and so forth, and went as high as $800, and then it came back down to $300 because they were targeting individuals. That seemed to be what the market would bear at that point for that particular type.
Eric: It's almost like the airlines. We'll try to get as much as we can, but we want to fill every seat so it's an economic model essentially.
John: I think you're going to see that within the ransomware ecosystem as well. It'll actually stratify within industries, and it'll stratify within the scope of the size of the victim, so obviously, bigger companies.
Eric: So, finance may pay more than education.
John: Well, an enterprise will pay more than a small business. We've even seen the ransomware criminal operators diversify. So, we've got things like the old Dharma ransomware that stopped. There are a couple of other ones that were just basically going after the small fries. They were only charging small sums and that was what that market could bear. Yet, you've got the LockBits and the REvils and the Ryuks, the other big guys that we know about. Some of them are still around, and some of them are extinct, which would charge in the millions. I can't remember what the top one is, but we've seen tens of millions of dollars.
Ransomware Threats from Ransomware Actors
John: It really depends on who you're going after and you're going to price yourself accordingly. We've seen specifically some ransomware actors because they've got such a presence on your network. They're so deep inside your network. They've seen all your files, they've read your financial reports, and they know exactly what you can pay. Some of them will actually tailor the amount that they're going to ask for based on your financial results. When you go back and say, "Well, I can't pay that," they've actually come back and said,
"Well, no. We know exactly how much you made last year, so you're going to pay us the $3 million."
Eric: It'd be great if they'd have a consulting service where they could also advise you on how to improve your profitability or your revenue or something. "Hey, we've seen all of your data. We think if you made this one move strategically, you would double the size of your business in the next three years." Maybe it's too hard. That's the hard part of the business.
Rachael: It's the next phase of ransomware.
Eric: What about insurance? I've always thought we've read at some point insurance; we know insurance is getting more difficult. I would think that insurance, the policy cap would sometimes instruct. In fact, we know it has in some cases how much somebody will pay. Are you getting any data? Did you see anything on that?
John: Within this specific report, we didn't ask that specific question and then sort of the survey, which the report came out of. We asked some specific questions about whether you had cyber insurance, a policy, or some coverage.
Cyber Insurance Policy
John: In the case of an attack, whether the cyber insurance policy paid out for any or all costs, so we got a bit of a view there. In short, having cyber insurance coverage, having a cyber insurance policy does help. It does pay out in the vast majority of cases.
But I think what we saw in the last two years was that the insurance industry was not prepared for the onslaught of ransomware when they got into this market. There are no actuarial tables that can predict who will be a victim, our industry, this whole tech thing is too new from an insurance perspective.
If you think about it in terms of traditional industries, let's say you're recovering buildings against physical damage, fire, for example. Say two-thirds of your customers are going to have a claim and each claim's going to cost you a million dollars every time, your premiums are probably going to reflect that reality. This is what we're seeing right now.
Eric: You exit the business.
John: You could, and then a lot of them have indeed exited the business. A lot of them are just saying, "We're not touching this anymore." The ones that are, we're seeing a hardening of that market. Policies have either doubled or tripled to renew or secure the qualification standards for policy are much higher. The coverage is smaller and sometimes there are carve-outs for ransomware so that really has impacted that side of the business a lot.
Rachael: It seems like a lose-lose if you're trying to cyber insurance for ransomware. How can you make a profit if you're the insurance company?
Eric: Your premiums have to be ridiculous.
[09:39] There's an Opportunity That Covers Ransomware Threats
Rachael: What kind of business model is that if people can't afford your service?
John: I think there's an opportunity here if you look at the insurance business. They're in the business of making money and covering you in case of some sort of unforeseen circumstance, but I think the incentives have started to align.
Now that we are in this position where we need to have better security to qualify for a cyber insurance policy, it's elevating the security posture of a lot of organizations to a point where they have better cyber security. It makes you more resilient and therefore less of a victim. Therefore, cyber insurance companies are going to have to pay out less. I think these two incentives of covering you for something, but also making sure that you've got some incentive and some skin in the game to be less of a target, go well together.
Eric: I would agree with that. But I think that may make the people who don't have insurance or have insurance that isn't as demanding from a requirement's perspective more likely to be a target. They're easier. They don't have the same level of defenses that could go back to that payout rate again, that requested ransomware payment rate. You were saying that I think according to your report, in 2021, 46% of organizations that had data encrypted in a ransomware attack paid the ransom. That's a lot lower.
John: That's accurate and that number itself will fluctuate. I think when you were talking about the IDC report earlier, there was some divergence in those numbers, and we've seen some.
Organizations Experiencing Ransomware Threats and Attacks
Eric: It said only 13% of organizations reported experiencing a ransomware attack breach and not paying a ransom. I'll flip that on its end for our listeners, 87% experienced an attack or breach and paid the ransom is what they're insinuating. It’s a lot higher, which is more than what I've seen in the industry. Most people pay it, from what I'm seeing.
John: A lot of people do. I think we discussed prior to the recording that there is some sampling bias with all these surveys. If I'm sampling a hundred companies, maybe I just sampled a hundred companies that got hit by ransomware versus the ones that didn't. Stuff like that does happen.
But I think that there is definitely some variance there within paying the ransom. But what I think is in what we're not seeing in the data sometimes is the way in which ransomware criminals are getting around some of our collective defenses. And I know we'll get to that a little bit later, but let me dive a little bit deeper into that 46% of paid ransom.
Eric: Because 46% or 87% is a horrible number.
John: Anything bigger than zero is too big a number.
Eric: You're still failing, that's where you want to have 2% paying. We're still failing at either number.
John: Of all the organizations that got hit, almost 199% of organizations got some data back. Backups were the number one method. With three-quarters of the people who got hit, backups, that's the way to go. I think most people would probably agree that is the way to go.
Eric: Just to translate, they had legitimate backups in their business onsite offsite that they were able to restore from that the ransomware was not able to encrypt and prevent them from using.
John: I will circle back to that point because I think there are a couple of little nuggets in there that we need to pull out that are important for your listeners. Now, in the ones that paid, only 4% got all their data back. So paying the ransom doesn't guarantee that you're going to get it, I believe the figure of those that paid, only 61% got some data back so there's missing data somewhere. In a quarter of those organizations, we're throwing so many numbers around, that was able to restore from backups. A quarter also paid the ransom. You're seeing organizations that are paying the ransom as well as using other means to restore, in this case, backups.
Eric: Why is that?
John: There's probably more than a couple of reasons. But incomplete backups, you go and restore your backups and you're missing some files, so now you go and pay the criminals. We've seen this, I think all too often now, the prevention of stolen data from being published on leak sites. It's hush money.
At this point, maybe you're saying, "Well, okay. We've got the data on backup but we don't want to be publicly outed on these sites, and so we're just going to pay it as hush money." I listened to the Congressional and Senate testimony of the Colonial Pipeline CEO. In their case, they said they just wanted to use every means necessary to get the data back. That included just grabbing the key just in case.
What the Cyber Criminals Took
Eric: You're just doing whatever you can to get up and running again.
John: Circling back to what you're saying a little earlier. I don't think it gets discussed enough when talking about paying the ransom that you don't always know what the criminals took or left behind. Are there backdoors, beacons, or web shells that are still on your network? Did they steal some passwords that they can use later on to log onto your VPN and get back in? Without any kind of chicanery at that point, there are no exploits, there's nothing else.
You still need to do all the recovery work regardless of whether you pay or not, because you can't trust a system that's been touched by an attacker. And so to the topic of backups, the 3-2-1 principle. Three copies of your data, at least two of them on different media and one of them offline, preferably offsite. But you have to test them back to why would you potentially pay because you've got an incomplete backup or you've got a corrupted backup.
You want to test them and you want to test them on a schedule that is commensurate with how much data loss you can stand. If you can only lose one day's worth of data, maybe you want to test your backups on some sort of random basis, at least once every couple of days. If you've got reliable backups, then we're back to why I pay the ransom at that point.
Eric: Interesting because a backup isn't much used if you can't recover from it. We learned that years ago before ransomware even.
A Real Data Loss
Eric: If you have a system, a drive fails, or an array goes offline and you can't recover, you've got a real data loss, data unavailability problem. I've found over my 25-year career at this point, that is one of the muscles that most businesses don't exercise on a regularly scheduled basis. Let's run that scenario like we had a data loss.
John: We're talking about backups and I'm holding up a box to Rachael and Eric here. There are a couple of hard drives in here because I've got one of my RAID drives that failed on my server. It's been admittedly a couple of months, but I still haven't gotten around to rebuilding the RAID array and installing these drives. It happens, this is the kind of stuff that organizations go through. I think that's where you’re segueing to. These things can happen, and it doesn't mean that you're necessarily being negligent when you're not testing these things. It means other priorities sometimes get in the way.
Eric: Yes, but they're costly.
Rachael: The other thing too though, it's geopolitical. Ransomware's geopolitical incidence. I think there was an article where it was the CEO of the UK National Cyber Security Centre said that it's the most immediate danger to the UK. It’s really interesting. Are people really talking about ransomware as a geopolitical attack vector?
John: I don't think so.
Eric: Colonial Pipeline was probably an example.
Rachael: Was that on purpose? I don't think they knew what they got.
John: That's a good point you bring up. I think that was from what we know, it seems to be, that was a Darkside affiliate. If you want to talk about how these people get hit, targeting is random for the most part.
[18:16] The Colonial Pipeline Network
John: I think one of these affiliates got into the Colonial Pipeline network and did what they did. You saw a lot of back peddling from the Darkside HQ later saying, "No, we didn't need to hit you." Back to your question about geopolitical, I think that because there is a lot of this does come from CIS countries, countries that have been traditionally antagonistic to Western powers. There is that kind of geopolitical thing in there. Can they absolutely hit critical infrastructure? Yes.
I think that Russia's war in Ukraine right now has exacerbated some of these feelings around geopolitics. We are seeing some evidence that maybe the gloves are off when it comes to the Russian government's incentives for punishing their cybercriminals in-house. Is there some geopolitical angle that can be made? Possibly, but as far as I'm concerned and from what I've seen, it is a financial enterprise more or less. Anything else that you get out of this, is just gravy, I guess.
Rachael: That's how I was thinking about it as well. If it's geopolitical, they just want disruption, not necessarily to get cash on the back end, cash me outside kind of thing.
Eric: John, in the report, your team talks about the average cost to recover from their most recent ransomware attack in '21 was $1.4 million. That's a lot of backup disks and tape.
John: That's a lot of money.
Eric: That's a lot of time to practice and drill and ensure you can recover.
John: But there's some good news.
Eric: Don't link the two. What's the good news?
Some Good News Amidst the Ransomware Threats
John: There's some good news in that, and I'll touch on that as well. If we look at the last three reporting periods for this, we've seen the cost to remediate in our 2020 report went from $760,000 to $1.8 million, $5 million.
Eric: That's not good news so far but go on.
John: No. But in this year's report, it went down to $1.4 million. Now, we're seeing actually a decrease in the cost to remediate, which I think was good news. Maybe it's not, maybe it's one of these backhanded compliments. We've gotten better at recovery I think is what's going on in a lot of this in these numbers. The reason we've gotten good at recovery is that we've gotten hit so much. We have a lot of practice.
Now, when you have a ransomware incident and you call your cyber insurance provider or whomever you call first, there's a playbook. The ransomware guys have playbooks, and so do the cyber insurance people and the incident response people. They're like, "Call Jeff and Sally." They're going to come over and you do everything they say in exactly the same order. While you're doing that, do these 10 things right now.
That just starts to limit the scope of the attacks, it starts to limit the damage and it helps get you back on your feet a lot quicker. There are also some bundle incentives sometimes in terms of some of the products that they bring in with them that then elevate your cyber security, which is a net positive. But I think that cost to remediate has gone down in part, unfortunately, because we've gotten good at it.
Better Than We Used to Be
Eric: Well, that is good news though. If we don't have as many cities burning down anymore because we're building them differently, we're more aware. But we're good at putting fires out, we're better than we used to be. That's a good thing.
John: Back to what we're talking about earlier about paying the ransom. If we're better at recovery and we're better at maybe being less of a target because of some of the technology we're putting in place. We're testing our backups, we're taking the backups, and then now it becomes a little bit easier to give that don't pay the ransom advice. We do have some tried and true methods to protect you as well as get you out of trouble if you do get into trouble.
It's not going to cover everybody. Again, it's not a blanket statement. I think we're getting closer to that reality of being able to say, "Okay, we've got some good playbooks here around how to deal with this stuff, both from a prevention and deduction and remediation side. Let's use those and for the outliers and everybody else, we'll do what we can to help protect you. If you have to pay, you have to pay."
Rachael: I'm really interested in this whole IAB thing.
Eric: I had a couple of questions around some of the data that came out of this fascinating and almost ring in some ways with the Verizon Data Breach Report from might have been '18 or '19 now. One of the things you saw I should say is that 47% of attacks started with an exploited vulnerability. That means a system that wasn't patched, is unknown.
Vulnerability to Ransomware Threats
Eric: Actually, I guess it may not have been an unknown vulnerability. It was a vulnerability though, that's how they get in.
John: Now you're talking about the Active Adversary Playbook.
Eric: Let me sell for you for a second, you have an Active Adversary Playbook that's good on data. You can get it at sophos.com, you just search for it on Google. It was interesting to me that 47% started with the exploited vulnerability and then 82% used RDP for lateral movement, which is crazy to me like lock it down. I know it's hard.
John: I've got some more good news for you, you'll like this. So, 47% exploitive vulnerability and we saw a few of them last year, the data reporting period was a calendar of 2021. Just for your listeners to know where this data came from, I analyzed every single one of our instant response investigations over that period. I just tried to pull out as much data as possible and see what falls out.
Things like the types of attacks, root causes, dwell time, and initial access. I look at the MITRE framework and I try to map that as well, a little bit, but 47%. We saw things like ProxyLogon and ProxyShell, Log4j, all fell into that period. The ProxyShell and ProxyLogon had a fairly substantial showing within the report.
Eric: Those are Exchange Server vulnerabilities, I think.
John: They are both Exchange Server vulnerabilities. There are chains of vulnerabilities. Like in the ProxyShell example, I believe it's three vulnerabilities that are chained together to create the ProxyShell attack itself. That set of vulnerabilities was abused to get into organizations now. Some of them were from 2021 within the reporting period.
Vulnerabilities Present on Systems that Have Been Attacked
John: I saw data that I think some of the oldest ones were from 2012, and 2013. Some of these vulnerabilities were at least present on systems that had been attacked, whether or not that vulnerability was used.
Sometimes it can be a little hard to tease out because there was one server that, I think had 20 something, some odd vulnerabilities on it that just dated back that far. They just hadn't patched it in forever, and so who knows which one they used to get in. That can be tough because in concert with the 47% where we know that's what happened, there's 36% where we just don't know what the root cause is.
We have no idea. For some reason or another, either the attackers cleaned up after themselves, the systems were wiped before we got there, or the logs rolled over. This is all sorts of reasons for that, so the unknown is still a big part of this as well.
Eric: Coming out of that though, the attacker gets in. The average dwell time is the piece that really scared me, 34 days on average. You break it down by company size, somewhat by industry. You're 52 days if you're in a 1-to-100-person company, SMB law firm, whatever, it could be any small company. It's 19 days on average on 5,000-plus employee companies, which should have an enterprise IT shop. They should have more capability, more awareness, and more ability. Then, when you look at the types of organizations, healthcare is 8 and a half days, and education is 34, right on average. That is crazy to me.
[27:19]The Adversary is in Your Building
Eric: The adversary is in your building. Let's go to a physical world, somebody breached your physical security. They went through the fences, through the turn styles, came in the window, hung out, went to the cafeteria for lunch and dinner to eat, then went to the gym to work out, shower, and do what they needed to do. 34 days’ worth of time there, just going through your files.
John: It's a bit shocking. So, the dwell time for 2021, as you say, was fairly high. The problem with a lot of this is there are some externalities there with respect to IABs. There's some variability there because of the presence of IABs. If we look at ransomware specifically within the dwell time statistic, we find that the dwell time statistic is lower.
So, ransomware crews get in and get out a lot faster versus just a generic you were breached type of attack that we couldn't determine. There wasn't an end goal that was obvious to us. It could have been ransomware and we just happened to get called into the middle of these invest of attacks. Then we were able to neutralize it and evict the attackers and get the network back into shape, but those were a lot longer.
I think that when you look at the way the ransomware crews operate, they want to get in and get out for the most part as quickly as possible. It's ROI. If I can just do this in three days and get the maximum payment, then great. Whereas with the IABs, where you've got maybe inventory sitting on the shelf when you've got smaller companies, we see the dwell times are bigger.
The ROI of Encrypting Ransomware Threats
John: Maybe the ROI from a smaller company isn't as and to your point, Eric, of enterprise organizations have IT shops. They're probably able to detect this stuff a lot faster. If an IAB gets into an organization that is let's say 3000 people, they can resell that quickly to a ransomware operator because the ROI of encrypting those guys will be higher.
But they also have to act faster because the detection rate is probably going to be a lot faster as well, a lot quicker. Whereas if you look at smaller organizations or under-resourced sectors such as education, where we know they struggle. They struggle with budgets and budgets translate to their struggle with having the proper technologies and the right people, and the right amount of people.
These folks are working so hard. that I've talked to them. They work tirelessly to protect their constituents, the students, and the staff, but they just don't have the resources to do that. So, dwell time, because they don't have the resources to be able to go and hunt and use EDR and XDR, they might not be able to find these adversaries hiding in the network.
Now I said, I promise you some good news. I just want to go back to that 82% statistic about RDP. What we did see is while a lot of RDPs get used internally for lateral movement, we saw a fairly dramatic drop in RDP usage from the outside. I think we've gotten the message that RDP on the internet equals bad. A lot of companies are starting to heed that message and moving the RDP of the exposed internet. That's a good piece of news, I think.
Eric: RDP is Remote Desktop Protocol.
Remote Desktop Software
John: So, remote desktop software specifically gets used a lot within organizations for lateral movement. The bad guys will bring their own if they can sometimes, and they just use commercial off-the-shelf software. They'll use, not to pick on any in particular. I'll use a whole bunch of them, AnyDesk, TeamViewers, ScreenConnect, and Splashtop. There's a whole bunch of these that get used, I should say, abused by ransomware criminals to maintain persistence, remote access, and lateral movement within companies.
Eric: Let's go to IABs.
Rachael: There were some really interesting things about reading all of this. You've got your initial access brokers, which are really fascinating. In my head, I imagine a godfather-type movie where all the heads of the crime families meet together. So, you've got your IABs, you've got your ransomware games, you've got your crypto miners. They all meet and kind of coordinate. The IABs are like, "Guys, here's what we're looking at next quarter. Who wants to get in?"
Everybody just jumps in it together, like simultaneous attacks. I just think this is a really fascinating development. Is this something new as there getting more organized together, John? Or is this just kind of something that's just naturally happening over time?
John: Crime's been organized for years. It's no surprise that it's happening in the digital sphere as well. IAB is the initial access broker. Are they new? Yes, you could say they're new. This sort of job function and I do use that term specifically because for some people, this is their job, this is what they do, is not necessarily new.
Diversification of Duty
John: We've seen this kind of diversification of duty within the crime ecosystem for a long time. Back in the old days of having exploit kits and you had to exploit kit brokers, and then they would talk to traffic direction services, and they would have exploit merchants. This whole thing exists.
Now, IAB specifically, its job as the name would suggest is to get initial access into a company and maintain some sort of persistence. So, the way that they make their money is by selling that access to another criminal to do something else, and that something else could be ransomware. The price that they charge for the access is determined by a bunch of different factors. It could be the type of organization, the size of the organization, the depth to which they've penetrated, and the persistence that they have.
If they've got domain admin access on a corporate network, that's going to be worth more than just simply having log onto credentials to the VPN, for example. That's what these guys do. To your point the criminal cabal, they have their sphere of influence and area of expertise, that's what they do. Then other criminals come along and buy access from those guys.
Eric: I can see the appreciation for the whole beauty of the way this criminal enterprise works.
Rachael: I just want to see an org chart or something because as a business, they would have to promote their services to set ransomware gangs or crypto miners. Just the idea of cooperation is really fascinating to me, all boats rise when we work together. I don't know, it's playing out in my head like in a movie. It's really fascinating to me how this has evolved.
[35:49] Coordinating Our Defenses Against Ransomware Threats
John: It's the kind of thing that if we were to maybe take a tip from them is that we also have to get coordinated and organized. We have to coordinate our defenses and organize ourselves so that we're battling this stuff together. This is why things like ISACs, and Information Sharing organizations are so important. There are industry-specific, ISACs, but there are other groups as well.
I got to give CISA a shout-out here because I think Jen Easterly and her organization have been doing phenomenal work of giving people timely, contextual information that they can actually act upon.
Back in the old days, DHS would release a bulletin and it was for IOCs that were 13 years old and not relevant. But now we're actually getting a little bit more, there's more meat to these bulletins that are coming out. They're more actionable, they're giving advice of what to do. I think that's part of that organization of let's get together and fight this together because we're not going to win if we go at it alone. So, let's organize ourselves and go after these guys.
Eric: Why is it so hard to get together and organize? The Adversary's doing it, obviously, they're doing it for treasure, monetary in most cases. Why don't we have shared incentives? We really should.
John: I think we do.
Eric: We do, we just don't execute well against them.
John: There are lots of reasons. There are competitive reasons when it comes to certain industries. Maybe they don't want to tell their neighboring competitor what they've experienced for fear of, I don't know. Maybe, there's a competitive advantage or disadvantage in that or maybe it's a public relations kind of thing.
The Old School AV Industry
John: I don't know if a lot of your listeners know this, but the AV industry, the old school AV industry, is now the new school because we've actually moved through the decades and improved and innovated and done lots of new things. But we meet every year at a conference and it's all researchers, it's all people that work all for competitors. We share our research with each other and there are plenary talks. There are the ones at the conference, but then there's the beer you're having at the pub afterward.
We're talking about, "We're seeing BlackCat doing this. What are you guys seeing or doing to combat that?" We don't share trade secrets, but we also give each other a little tip, "If you want to detect, check this out. Try that technique to detect this stuff." It's happening in pockets here and there, which is good. I wish I had an answer for you, but I think that there are just some industries that are the first to share. They're averse to being open, whereas others aren't. The banking industry is a good example, the financial services, ISACs, do communicate. I used to work for a bank.
I've been at Sophos for 15 years now as of last month, but I was at the bank 20 years ago and we were doing this. We had a call every week where we talked about the things we were seeing on our networks and shared that information as a heads up from all our competitors so that we would be safer together. Now, it's like you're walking down that dark street, you better be a bunch of you than just one.
The First Place to Go If There Are Ransomware Threats
Eric: I don't know why. We're getting together as competitors on the podcast. There's sporadic, there are groups. Plug for CISA quickly as we're wrapping up though, cisa.gov/stopransomware. The good first place to go, if you're thinking about it. Hopefully, you're looking there before you are actually attacked.
Rachael: John, this is wonderful. Thanks for sharing all these great insights from these research reports. What a fun job you must have, I can only imagine.
John: It's great. I appreciate you guys having me on, and it was a great conversation. Unfortunately, there's just no end to these reports because the bad guys are going to keep attacking us. We're going to keep generating data. Hopefully, what we do though, is we look at this, the results, we look at the data. We look at the context of that data and we try to instrument ourselves to be better next time.
Hopefully, that's for people. When they read these reports, they learn something about how to better protect themselves next year so they don't become part of that negative statistics. They're part of the good side. Then maybe next time we chat, we'll have more good news to report.
Eric: That would be good. We can't get ahead of the adversaries necessarily, but we can get pretty darn close. We need to shrink that window.
Rachael: Thank you so much, John. Thanks to our listeners again for joining us this week. If you haven't smashed that subscription button, you know what to do. Smash it because you get John right to your inbox on Tuesdays. Until next time folks. Stay safe.
About Our Guest
John Shier is a Senior Security Advisor at Sophos with more than two decades of cybersecurity experience. He’s passionate about protecting consumers and organizations from advanced ransomware threats and has researched everything from costly ransomware to illicit dark web activity, uncovering insights needed to strengthen proactive cybersecurity defenses.
John is often consulted by the press and has been quoted in publications like Reuters, WIRED, Fortune, CNN, The Hill, Fast Co, Yahoo, and more. He’s also a frequent speaker at industry events like RSA Conference, Infosec, Cebit, Gitex, and more.
Listen and subscribe on your favorite platform