Ransomware Not Welcome – Welcome to the Brave New World
Where we’re going, we don’t need roads Medium, or ransomware payments
CyBeer of the Week: Beavertown Bloody’ Ell
Metal Artist of the Week: Static-X
Kept you waiting, huh? As a legendary master of stealth may say. I’ve had a busy lockdown and slowly been working on moving away from Medium’s blogging service to a website I own and control. I’ve done this for the money a few reasons, which I’ll explain below.
However, as is tradition (we’re five posts into this blogging career now, so I can call it a tradition!). We need to open a beer and crank up the metal. To commemorate the fact it is actually August, and therefore summer. I’ve elected this week to suggest that Bloody’ Ell by Beavertown would be a suitable accomplice. This is an IPA with a heavy dose of blood orange to give you a really fruity explosion in the mouth. At 5.5% it’s enough to get the party started without sending you to bed too. It’s a delightful tipple and highly recommended in the days of a heatwave and uncomfortable humidity we’re fluctuating between at the moment.
To go along with the beer, I’m saying you must check out the new album from Static-X. This is the first album by the band following the tragic death of Wayne Static in 2014. But it features a lot of tracks he had worked on and not finished, with the bands’ new vocalist ‘Xero’ filling in the rest. It’s the classic evil disco sound you’ll know and love, and this is a band I feel has been underrated. I saw them in London last year, and this drove home that point. They’re bloody wicked. Listen to it; it’s full of bangers. Thank me later.
The New Direction
So having moved away from Medium, I’m hoping over time to develop more than just a blog. Given the limited functionality of Medium (it’s blog posts, and that’s it), I’d like to be able to host more types of content. I’m thinking useful resources for intel professionals, maybe some tutorials/training courses etc. down the road.
I’m currently writing a book on how I think CTI should be done and the concepts behind doing it successfully. Something which I’d also like to sell through my own website in due course. No date or promises on that front, for now. It’s been a slow burn for a while, but I’m enjoying the process. I hope you’ll enjoy it when it’s released. Also, if you know any publishers who might be willing to talk to a professional idiot, please let me know!!
Consistency is key
I plan on being more consistent with posting too. I started well on Medium but faded away with different work/lockdown/GTA Online commitments (sorry, not sorry). With it being something I own and can be proud of, I think this will spur me on to write more and be more creative with the format and the platform. I will be writing a follow-up blog over the next few days about my processes and methods for doing OSINT during the (now monthly!) Trace Labs OSINT Search Party CTF events.
My first post on competing was easily my most read work, and I think a follow up on how we’ve changed and adapted our approach will be useful to a lot of people. It will hopefully demonstrate the power of some of the things I mentioned I’d like to do in the original post, so please check back next week!
I’m also going to start doing more tactical level posts about OSINT techniques with some examples. There’s a lot of very talented people in the community. Still, I find a lot of the information is disparate, so over time, I hope I can provide some consistency in identifying and finding useful information online. I’ll be adding to the resources section of this site as I do that too.
I’m also very keen on suggestions or questions from within the CTI and OSINT communities for topics. I’m really looking forward to building this site moving forward, and I hope it can become a go-to resource for anyone interested in the field. I’ll still be writing posts about topics I feel strongly about, and providing my usual levels of fantastic banter, so please do check in regularly.
One thing that spurred me on to making the leap to a new site and setting it up was something I keep seeing happening – Organisations paying for decryption keys after ransomware attacks.
I beg you.
You’re not making anything better.
You are making it worse.
I completely understand where the decision comes from, your critical systems or data are locked, and you need to restore them as soon as possible. However, by paying the ransom (which is increasingly in the MILLIONS of dollars range), you’re only encouraging the ransomware actors to continue extorting innocent victims. This is a vicious circle and time, and again we see the same result.
The threat isn’t going away
It grates on me that there are a lot of excellent people working in the cybersecurity business. When their organisations fall, they’re more likely to cough up ransom money than provide the infosec team with the tools and resources they need to stop it happening.
In a lot of cases, these incidents could have been avoided by just following good practice and patching systems as recommended. Over the last five years, ransomware has become a bigger and more significant threat to everyone, and for me, paying out millions to decrypt it is not the answer.
No More Ransomware
As a society, we have excellent schemes like No More Ransom and an active community of infosec professionals contributing IOCs and TTPs to help fight against this never-ending ransomware battle. But I urge every CISO in every boardroom everywhere, please support your people and fight for them to have the tools to stop this happening in the first place.
It’s incredible in the last few weeks how many organisations have paid millions to criminals (Garmin, CWT, Travelex, Canon etc.). Nobody wants to be the next victim of course, but this habit of just paying for the decryptor must stop. It’s not just about the ransomware. These organisations are most likely involved in other criminal activity too. Be that drugs, guns, human trafficking, child exploitation the list goes on. Every time we pay a ransom, we are contributing to supporting these activities. It might sound dramatic, but it’s true.
Offline backups, please?
Of course, every company should be ensuring it has appropriate backups and offline backups as resilience in the case of these incidents to avoid disaster. It’s also a worrying trend that threat actors are now stealing data before encrypting it. Data theft potentially giving themselves a double payday. In the case of EU member countries, it’s likely that the ransom payment is less than a GDPR fine. Which helps to show that GDPR is a double-edged sword. Its intentions are noble and it should encourage companies to put appropriate protections and remediation in place. But at the end of the day, if you’re better off funding criminals than paying the regulatory fine then maybe something needs to change at the top level? It’s an interesting philosophical position for sure. But it surely makes sense to empower organisations to not pay cybercriminals because they’re better value for money?!
This must stop
I understand it’s often not easy to stop, and that the methods used to deploy ransomware get more advanced year-on-year. But as a society, as a community of professionals, we must endeavour to stop paying these sums out. If we don’t, we will only see more and more victims, and the cycle repeats. At the top of these chains are not your average bedroom-bound bored teenager. These are mature organisations run like a business. We must cut off their revenue stream from ransomware. Of course, we’ll never be perfect, and I don’t expect this to be an issue that disappears overnight, but it feels like it’s a weekly event now that a large company gets hit, pays their bill and moves on. Even during the weirdest year of all our lives, this cannot be the new normal, for everyone’s sake. Stop paying the bloody ransom.
It’s not all bad, though. Right?
Undoubtedly, this year has been weird. We’ve seen a shift in how we all work and how we communicate. It’s nearly six months since I had a decent pint of IPA in a pub. The urge to restart homebrewing is getting bigger, and bigger let me tell you.
What we are, however seeing from the doom and gloom of 2020, is the opportunity to learn, grow & develop while stuck in lockdown. I’ve taken advantage of this to focus on several new skills I hope to improve as time goes (learning how to use WordPress, set this site up and run it being one of them). The big one for me is finally trying to tackle Python. I’m going to do it, I promise. I’ve started using Python scripts with work (made by others), and I can see how useful it can be, so it’s time to start this one and finally become more well-rounded as an analyst. Maybe one day even knocking up some tools for the community, wouldn’t that be nice? I’ll let you know how it goes!
That just about wraps up this post. I will be back next week with the overview of my TraceLabs approach and how I’m finding it after a couple more CTF events. I’m looking forward to the event this Saturday and doing more OSINT for good. If you’re interested in the CTF, I highly recommend it. They have been offering free OSINT training for the first 300 signups for the monthly events too, which is well worth your time. Until that next post, I bid you well.