Dave Bittner
You're listening to the CyberWire Network, powered by N2K.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at AI.domo.com. That's AI.domo.com.
Chinese AI startup DeepSeek shakes up the market. Trump freezes cyber diplomacy funding and puts a vital US-EU data sharing agreement at risk. A Trojanized RAT targets script kiddies. UK telecom giant TalkTalk investigates a data breach. Researchers uncover a critical flaw in Meta's Llama Stack AI framework. Attackers leverage hidden text salting in emails. The Flower Storm phishing framework targets multiple brands to steal customer credentials. A critical zero-day hits SonicWall VPN appliances. Swedish authorities seize a cargo ship suspected of damaging a key fiber optic cable. Freezing out crypto kidnappers. Our guest is John Miller, CEO and co-founder from Halcyon, sharing trends in ransomware and insights on Brain Cipher. And the British Museum defends its artifacts from IT attacks.
January 27, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us. It is great to have you with us.
U.S. tech stocks took a hit Monday after Chinese AI startup DeepSeek unveiled its R1 model, a ChatGPT competitor developed at a fraction of the cost of American AI models. While US companies like Meta and OpenAI spend billions on AI development, DeepSeek claims to have trained R1 for just $5.6 million, sparking investor concerns about the sustainability of US tech spending and dominance in AI. The announcement sent shockwaves through markets, with Nvidia shares dropping 12% and the Nasdaq falling 2.3%. Analysts questioned whether DeepSeek's breakthrough is as transformative as it appears, or if the market overreacted. Critics noted that the model, while cost effective, hasn't proven it can match the industrial grade capabilities of American AI. DeepSeek's rise also highlights China's AI progress despite US chip restrictions. As earnings reports loom, tech companies' responses to DeepSeek's challenge could fuel further market volatility. Investors remain cautious but intrigued. DeepSeek's platform reportedly strained under the load of its newfound popularity, with outages reported.
The Trump administration's move to remove Democratic members from the Privacy and Civil Liberties Oversight Board threatens the Transatlantic Data Privacy Framework, a vital U.S.-EU data sharing agreement. The EU relies on the agreement to ensure U.S. intelligence agencies' data collection aligns with European privacy standards. A weakened or non functional agreement could undermine trust in the Transatlantic Data Privacy Framework, forcing US companies to adopt alternative, less feasible mechanisms under GDPR, potentially disrupting transatlantic business operations.
Meanwhile, the US State Department froze nearly all foreign aid, including cyber diplomacy funding, following an executive order from President Trump. This halt affects the Bureau of Cyberspace and Digital Policy, established to advance US tech diplomacy. The freeze jeopardizes initiatives like cyber response efforts in Costa Rica and digital infrastructure projects. Critics warn these moves weaken US credibility on privacy and cyber diplomacy, raising concerns about long term consequences for international cooperation and commerce.
A Trojanized version of the XWorm remote access Trojan builder has infected over 18,000 devices globally, targeting novice users through GitHub, Telegram and other platforms. The malware exfiltrates browser credentials, Discord tokens and system data while maintaining persistence via registry manipulation and anti-detection features. Researchers disrupted the botnet using its own kill switch, though many devices remain infected. Experts emphasize proactive defenses like endpoint detection and response, blocking known indicators of compromise and educating users to prevent future attacks.
UnitedHealth Group has confirmed that a ransomware attack on Change Healthcare in 2024 impacted 90 million more customers than initially reported, bringing the total to nearly 190 million. Compromised data includes health insurance billing, Social Security numbers and banking details accessed via a Citrix portal lacking multi-factor authentication. The attack, led by the BlackCat ransomware group, resulted in a $22 million ransom payment. UnitedHealth Group claims no evidence of data misuse so far, with breach notifications largely completed. This breach surpasses the 2015 Anthem incident as the largest healthcare data breach in US history.
UK telecom giant TalkTalk is investigating a data breach after a hacker, "b0nd," claimed to have stolen personal data of over 18.8 million customers, including names, emails, IPs, phone numbers and PINs. TalkTalk disputes the figure, stating it is significantly overstated, as they currently have only 2.4 million customers. The breach reportedly involves CSG's Ascendon platform, used for subscription management, but no financial data was stored there. TalkTalk previously faced scrutiny for weak cybersecurity after a 2015 breach. Investigations continue.
Researchers at Oligo uncovered a critical flaw in Meta's Llama Stack AI framework, enabling attackers to execute remote code on servers hosting AI apps. The vulnerability, tied to misuse of the pyzmq library for message handling, allowed untrusted data to be processed without validation, exposing systems to malware deployment. The bug received a critical severity score of 9.3 but was rated lower by Meta. Meta quickly patched the issue and pyzmq improved its documentation.
Cisco Talos observed a rise in email threats leveraging hidden text salting, a technique used to evade email parsers, spam filters and detection engines. By embedding invisible text in email HTML, threat actors misuse CSS and HTML features to conceal content, making it difficult for detection systems to parse. Techniques include inserting zero width characters, hiding text with CSS properties, or adding misleading content to confuse language detection and file parsers. These methods have been used in phishing campaigns, impersonating brands like Wells Fargo, Norton LifeLock and Harbor Freight. Experts recommend advanced filtering systems to detect suspicious CSS usage and abnormal HTML structures.
The Flower Storm phishing framework, active since June 2024, targets multiple brands to steal customer credentials. Uncovered by CloudSEK, this phishing-as-a-service platform enables large scale adversary-in-the-middle attacks by dynamically adapting phishing pages with customized URLs and realistic backgrounds based on victims' email domains. Hosted on Cloudflare's workers.dev platform, Flower Storm enhances legitimacy and employs obfuscated JavaScript to evade detection. Victims are lured to generic webmail pages that impersonate brands, exfiltrating credentials to remote servers. Flower Storm's rise coincides with a surge in phishing, including a 692% increase during the 2024 holiday season.
A critical zero-day vulnerability affecting SonicWall's Secure Mobile Access 1000 series VPN appliances is being actively exploited by hackers, prompting urgent warnings. The flaw, rated 9.8 in severity, impacts over 2,300 internet-exposed devices, mainly in the US, Germany and Hong Kong. SonicWall and Microsoft urge users to apply a hotfix immediately.
Swedish authorities have seized the cargo ship Vezhen, suspected of involvement in damaging a key fiber optic cable between Sweden and Latvia. The cable, owned by the Latvian State Radio and Television Center, was damaged yesterday. While Vezhen's proximity to the site raises suspicion, involvement is unconfirmed. This incident follows several recent cable disruptions in the Baltic Sea, raising fears of sabotage potentially linked to Russia's shadow fleet. NATO and EU nations, already on high alert, have deployed warships and surveillance to safeguard undersea infrastructure. Investigations into similar incidents, including Finland's Christmas Day cable damage allegedly caused by a tanker dragging its anchor, remain ongoing. NATO is advancing plans to deploy submarine drones for cable monitoring, while the UK recently intercepted a suspected Russian spy ship near its waters, heightening regional tensions.
David Balland is co-founder of Ledger, a prominent French company specializing in secure hardware wallets for cryptocurrencies. When Balland and his wife were kidnapped and held for ransom, Nicolas Bacca, co-founder and former CTO of Ledger, knew he had to act. As the ransom demanded was in cryptocurrency, Bacca saw an opportunity to help authorities neutralize the financial aspect of the crime. "I thought about how I could contribute," he explained, "and decided to focus on freezing the funds quickly." Once the hostages were freed, Bacca assembled a specialized team, including legal expert Sarah Compagni, with strong ties to platforms like Tether and KuCoin, and SEAL 911, a group skilled in rapid cryptocurrency interventions. Together they created a system capable of sending freeze requests to multiple platforms within minutes. Coordination was key. Every move had to be perfectly timed. When the moment came, the plan worked. A significant portion of the funds was frozen, denying the kidnappers access. This groundbreaking effort, Bacca said, could become a model for future cases, creating a new standard for tackling crypto-related crimes. Despite challenges like managing decentralized mixers, Bacca remains optimistic. "Every effort counts," he said, confident that such coordinated responses can reshape how authorities handle these complex situations.
Coming up after the break, I'm joined by Halcyon CEO and co-founder John Miller to talk about trends in ransomware and some background on Brain Cipher. Also, the British Museum experiences an unexpected shutdown by a former IT worker. Stay with us.
Shopify
This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com/tech, all lowercase. That's shopify.com/tech.
Zscaler
And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust AI stops attackers by hiding your attack surface, making apps and IPs invisible. Eliminating lateral movement. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI powered automation and detecting threats. Using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Dave Bittner
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe, now at a special discount for our listeners. Today, get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
John Miller is CEO and co-founder of Halcyon. I sat down with him to discuss trends in ransomware along with his insights on Brain Cipher.
Can we start off with some high level stuff here? I mean, as, as we're kicking off 2025, can you give us a little bit of level setting? Like, where do we find ourselves when it comes to ransomware?
John Miller
In the worst state we've ever been. The techniques of the groups are on the rise. They're starting to use more zero day vulnerabilities than phishing and compromised passwords, which were previously the most common ways for them to get access. I think the biggest impact has really been the success of ransomware as a service.
Unknown
Right.
John Miller
The birth of the ransomware economy that we've seen over the last 12 and 24 months has started to spread out and we're seeing attackers come online that historically have never been cyber actors on the Internet before. Foreign countries where previously we've just really experienced nation state kind of level attacks, specifically with Russia, have really given birth to this sophistication in these tools and they franchised it out. So now you have these systems administrators, right? People that understand how to administer endpoints on a network are becoming incredibly successful at ransomware by just joining these macro groups or using their tools and then using initial access brokers to actually get them inside of the company. Where for a very small amount of both time and cash, essentially anyone can become a ransomware actor now. And then you combine that with the fact that there's essentially zero criminal prosecution or threat of criminal prosecution, and the fact that people actually get to keep the millions or tens of millions of dollars from these ransoms, it's starting to grow out of control.
Dave Bittner
Well, I want to talk about a specific group that you and your colleagues at Halcyon have had your eye on. And they're called Brain Cipher. What can you tell us about them?
John Miller
So it's a fairly new group, they're 6ish months old and they're part of that ransomware economy. They're not one of those top tier groups where they're building their own ransomware. They're part of the LockBit affiliate network.
Unknown
Right.
John Miller
So it's, LockBit is probably one of the oldest, most sophisticated advanced ransomware groups that exist. And you know, every day new groups like Brain Cipher are essentially coming online, leveraging their tooling to carry out these hyper sophisticated attacks that, you know, previously were only capable by APTs.
Dave Bittner
Do you have any sense for the sophistication of the Brain Cipher group themselves versus the tools that they're buying? You know, how much of this is ready to go that anybody could use?
John Miller
So here's the interesting thing. You don't buy these tools, you join the group and they give them to you for a profit share of washing the cryptocurrency for you.
Unknown
Right?
John Miller
So any of us could join this LockBit group. They don't. It doesn't cost anything. The only cash you really have to outlay is from another kind of group called an initial access broker. Where there are groups out there where they do these giant campaigns and, you know, penetrate companies and then sell access to like an initial loader to, you know, groups like Brain Cipher. And that allows them to get into a network without having to hack their way in, if that makes sense.
Dave Bittner
It does. Who does Brain Cipher seem to be targeting here? Are there any organizations or verticals that they seem to focus their attention on?
John Miller
So they seem to be pretty widely spread across the different targets that they're going after. Government, law enforcement.
Unknown
Right.
John Miller
Critical industries, medical education and manufacturing.
Dave Bittner
And when it comes to the ransomware itself, I mean, we've seen some groups pivoting of some of them not even bothering with the encryption part of just grabbing the data and then going for extortion. What's the operational mode of this group? Are they encrypting things? Are they stealing data? Is it a mix of both?
John Miller
It's normally a mix of both with everyone now, right. Early on it was encryption based, and then we saw the data exfil and the double extortion kind of come into play. And then there were a couple groups where they just do data exfil and extortion. But, you know, 99 times out of 100, you're going to see components in both in every ransomware, and you should expect them both. And the reason why is they figured out that it gives them a double chance of getting paid.
Unknown
Right?
John Miller
Everyone came out and said the answer to ransomware is backups, right? And people have built better backup infrastructure. And when you have backups, even though it takes weeks and weeks to recover from them, you'd much rather spend that time than give money to a ransomware group for it.
Unknown
Right.
John Miller
And so as they started to lose out on that revenue, you know, the double extortion and the data leakage has really kind of filled that gap. And it gives them the ability to ensure that there's always some sort of leverage to get paid. And we've even seen it. This sounds a bit much, but triple extortion, where they'll actually look into the data and not just use the threat of I'm going to release this or whatever, but actually profit off of what was inside.
Dave Bittner
Well, given that it seems like ransomware is here to stay, at least for the immediate future, what are your recommendations then? I mean, what should folks be doing out there to protect themselves?
John Miller
Education.
Unknown
Right.
John Miller
I talk to CISOs all the time, and what I like to recommend is everyone knows what type of business they're responsible for. Do some investigation and figure out what are the actual ransomware groups that are targeting us right now? We have a bunch of resources on our website, halcyon.ai, that go into that. Our Ransomware Malicious Quartile is fantastic. We keep it updated every quarter with essentially that information. Who are the, the top ransomware groups? Who are they attacking, what type of verticals, what type of companies, what makes them unique, what are their TTPs? And once you get an understanding of, you know, what are the groups that are targeting me, look at some of the other breaches that they've done and, you know, tabletop it, right? Look at if they pulled out this attack on me, how would we fare? And, you know, start to make some changes. Definitely have a plan, right? So many companies, once they get ransomwared, the response is, and if you're big enough, you have a cyber insurance company to call and you call them up and they've done this so many times that they'll walk you through a process. But by walking through that process, you very much lose control of the situation.
Unknown
Right?
John Miller
And it goes to IR companies and lawyers where they walk you through the steps of what needs to get done. And that's not always getting your business up and running as quickly as possible. So if you're in healthcare, if you're in manufacturing, critical infrastructure, you, when uptime is that important, where 21, 22 days would cause some sort of catastrophic damage, you need to have a plan to address not only in the event of a ransomware attack, how can we restore access to our critical systems quickly and, you know, to shamelessly plug Halcyon. That's what Halcyon is all about, right? Like we give another layer of resiliency in, in addition to a layer of ransomware protection, where if a ransomware attack does go through, we can isolate it to a single host and then bring back all the data in a very quick way that was encrypted without anyone having to interact with the attackers.
Dave Bittner
That's John Miller from Halcyon.
Do you know the status of your compliance controls right now? Like, right now. We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. Get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000.
And finally, the British Museum had an unexpected plot twist when a disgruntled IT contractor allegedly trespassed, shutting down parts of its network and forcing some galleries and exhibits to close. Think of it as the museum's own version of a heist movie, minus the daring escape. Police swooped in to arrest the man, who's now out on bail, leaving the museum scrambling to reboot both its systems and its schedule. Visitors with tickets were prioritized, but temporary exhibitions like Silk Roads and Picasso Printmaker were put on pause. The museum apologized to ticket holders, offering refunds or rescheduling options. It's not every day the Rosetta Stone takes a back seat to an IT meltdown, but the British Museum is working hard to get back to its regularly scheduled program, minus the surprise IT drama.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
CyberWire Daily: "China's Chatbot Sends Tech Stocks into Tailspin"
Release Date: January 27, 2025
Host: Dave Bittner, N2K Networks
In this episode of CyberWire Daily, host Dave Bittner delves into the seismic shift in the cybersecurity and technology landscape triggered by China's DeepSeek chatbot, explores significant policy changes impacting US-EU data relations, examines recent high-profile cyberattacks, and features an insightful interview with John Miller, CEO and co-founder of Halcyon, on the evolving ransomware ecosystem.
Timestamp: [02:08]
The episode opens with a major market reaction following the unveiling of DeepSeek's R1 model, a cost-effective competitor to OpenAI's ChatGPT. DeepSeek's announcement has raised concerns over US tech giants' sustainability and dominance in the AI sector.
Market Impact:
"The announcement sent shockwaves through markets, with Nvidia shares dropping 12% and the Nasdaq falling 2.3%."
(Dave Bittner, [02:08])
Cost Efficiency vs. Capability:
Analysts debate whether DeepSeek's $5.6 million training cost for R1 can rival the $5 billion US investments in AI. Critics argue that while cost-effective, R1 may not yet match the industrial-grade capabilities of American models.
China's AI Progress:
Despite US chip restrictions, DeepSeek's advancements underscore China's growing prowess in AI technology, potentially altering the competitive landscape and fueling further market volatility.
Timestamp: [02:08]
The episode highlights critical policy changes under the Trump administration that threaten US-EU data-sharing frameworks and cyber diplomacy efforts.
Privacy and Civil Liberties Oversight Board:
The removal of Democratic members undermines the Transatlantic Data Privacy Framework, essential for aligning US intelligence operations with European privacy standards. This could disrupt transatlantic business operations and force US companies to adopt less feasible GDPR-compliant mechanisms.
"A weakened or non-functional agreement could undermine trust in the Transatlantic Data Privacy Framework."
(Dave Bittner, [02:08])
Freeze on Cyber Diplomacy Funding:
President Trump’s executive order has frozen nearly all foreign aid, including funding for the Bureau of Cyberspace and Digital Policy. This freeze jeopardizes initiatives such as cyber response efforts in Costa Rica and digital infrastructure projects, potentially weakening US credibility in international cyber cooperation.
"Critics warn these moves weaken US credibility on privacy and cyber diplomacy."
(Dave Bittner, [02:08])
Timestamp: [02:08]
The podcast covers a series of alarming cyber incidents affecting major organizations worldwide:
Trojanized XWorm RAT Infects 18,000 Devices:
UnitedHealth Group's Massive Ransomware Breach:
“This breach surpasses the 2015 Anthem incident as the largest healthcare data breach in US history.”
(Dave Bittner, [02:08])
TalkTalk Data Breach Investigation:
“TalkTalk previously faced scrutiny for weak cybersecurity after a 2015 breach.”
(Dave Bittner, [02:08])
Timestamp: [02:08]
The discussion moves to emerging vulnerabilities within AI frameworks:
Critical Flaw in Meta's Llama Stack:
“Meta quickly patched the issue and pyzmq improved its documentation.”
(Dave Bittner, [02:08])
Hidden Text Salting in Emails:
“Experts recommend advanced filtering systems to detect suspicious CSS usage and abnormal HTML structures.”
(Dave Bittner, [02:08])
Timestamp: [02:08]
Flower Storm Phishing Framework:
“Flower Storm's rise coincides with a surge in phishing, including a 692% increase during the 2024 holiday season.”
(Dave Bittner, [02:08])
SonicWall VPN Appliances Zero-Day Vulnerability:
“A critical zero day vulnerability affecting SonicWall's Secure Mobile Access 1000 series VPN appliances is being actively exploited by hackers.”
(Dave Bittner, [02:08])
Timestamp: [02:08]
Swedish authorities have seized the cargo ship Vezhen, suspected of damaging a key fiber optic cable between Sweden and Latvia. This incident follows other cable disruptions in the Baltic Sea, raising alarms over potential sabotage linked to Russia's shadow fleet.
Regional Tensions and NATO Response:
NATO and EU nations have heightened their surveillance and protective measures, deploying warships and submarine drones to monitor and safeguard undersea infrastructure.
“NATO is advancing plans to deploy submarine drones for cable monitoring, while the UK recently intercepted a suspected Russian spy ship near its waters.”
(Dave Bittner, [02:08])
Timestamp: [16:01]
The spotlight shifts to an in-depth conversation with John Miller, CEO and co-founder of Halcyon, discussing the current state and future of ransomware.
Evolving Ransomware Tactics:
Zero-Day Exploits Over Phishing:
"The techniques of the groups are on the rise. They're starting to use more zero day vulnerabilities than phishing and compromised passwords."
(John Miller, [17:09])
Ransomware as a Service (RaaS):
"The birth of the ransomware economy... attackers come online that historically have never been cyber actors... making it easier for anyone to become a ransomware actor."
(John Miller, [17:30])
Brain Cipher Group Analysis:
Affiliation and Operations:
"Brain Cipher... part of the LockBit affiliate network. They're leveraging sophisticated tools to conduct hyper-sophisticated attacks previously reserved for advanced persistent threats (APTs)."
(John Miller, [19:34])
Target Spectrum:
Targets include government, law enforcement, critical industries, medical, education, and manufacturing sectors.
"They seem to be pretty widely spread across the different targets that they're going after."
(John Miller, [21:43])
Operational Modes:
Utilizes a mix of data encryption and data exfiltration for double and even triple extortion, ensuring multiple leverage points to demand ransoms.
"99 times out of 100, you're going to see components in both encryption and data exfiltration in every ransomware attack."
(John Miller, [22:23])
Protective Measures Against Ransomware:
Education and Awareness:
Emphasizes the importance of understanding current ransomware groups and their tactics.
Proactive Defense Strategies:
Recommends utilizing Halcyon's solutions for isolating and restoring data without negotiating with attackers.
"We can isolate it to a single host and then bring back all the data in a very quick way that was encrypted without anyone having to interact with the attackers."
(John Miller, [24:20])
Timestamp: [27:20]
The British Museum experienced an unexpected IT breach when a disgruntled contractor allegedly shut down parts of its network, causing temporary closures of galleries and exhibits. The incident prompted the museum to offer refunds and rescheduling options to affected visitors while striving to restore normal operations swiftly.
“Visitors with tickets were prioritized, but temporary exhibitions like Silk Roads and Picasso Printmaker were put on pause.”
(Dave Bittner, [27:20])
Dave Bittner wraps up the episode by emphasizing the rapid evolution of cyber threats and the necessity for continuous vigilance and adaptive security measures. The episode underscores the interconnectedness of technology advancements, geopolitical tensions, and evolving cybercrime tactics, highlighting the critical need for robust cybersecurity frameworks and proactive defense strategies.
“Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity.”
(Dave Bittner, [15:26])
Market Sensitivity to AI Developments:
DeepSeek's cost-effective AI model has the potential to disrupt US tech dominance, leading to significant market volatility.
Policy Implications on Data Privacy:
US policy changes under the Trump administration pose risks to transatlantic data-sharing agreements, potentially impacting international business operations.
Ransomware Evolution:
The rise of ransomware-as-a-service and sophisticated groups like Brain Cipher necessitate enhanced preventive measures and proactive defense strategies.
Importance of AI Security:
Vulnerabilities in AI frameworks and emerging email threats highlight the need for advanced security protocols in AI and communication platforms.
Geopolitical Cybersecurity Concerns:
Incidents like the Swedish cargo ship seizure indicate increasing geopolitical tensions and the significance of protecting critical infrastructure.