Shopify (13:35)

This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling. Wherever you sell with Shopify, you'll harness the same intuitive features, trusted apps and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at shopify.com tech. All lowercase, that's shopify.com tech.

Zscaler (14:07)

And now a message from our sponsor. Zscaler, the leader in cloud security enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security Zscaler Zero Trust AI stops attackers by hiding your attack surface, making apps and IPs invisible. Eliminating lateral movement. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI powered automation and detecting threats. Using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@Zscaler.com Security.

Dave Bittner (15:26)

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data Privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know.

Zscaler (15:59)

Exactly what's been done.

Dave Bittner (16:01)

Take control of your data and keep your private life private by signing up for Deleteme now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com n2k and use promo code n2k at checkout. The only way to get 20% off is to go to JoinDeleteMe.com N2K and enter code N2K at checkout. That's JoinDeleteMe.com N2k code N2K. John Miller is CEO and co founder of Halcyon. I sat down with him to discuss trends in ransomware along with his insights on brain cipher. Can we start off with some high level stuff here? I mean, as, as we're kicking off 2025, can you give us a little bit of level setting? Like where do we find ourselves when it comes to ransomware in the worst.

John Miller (17:09)

State we've ever been. The techniques of the groups are on the rise. They're starting to use more zero day vulnerabilities than phishing and compromised passwords, which were previously the most common ways for them to get access. I think the biggest impact has really been the success of ransomware as a service.

Unknown (17:39)

Right.

John Miller (17:39)

The birth of the ransomware economy that we've seen over the last 12 and 24 months has started to spread out and we're seeing attackers come online that historically have never been cyber actors on the Internet before. Foreign countries where previously we've just really experienced nation state kind of level attacks, specifically with Russia, have really given birth to this sophistication in these tools and they franchised it out. So now you have these systems administrators, right? People that understand how to administer endpoints on a network are becoming incredibly successful at ransomware by just joining these macro groups or using their tools and then using initial access brokers to actually get them inside of the company. Where for a very small amount of both time and cash, essentially anyone can become a ransomware actor now. And then you combine that with the fact that there's essentially zero criminal prosecution or threat of criminal prosecution, and the fact that people actually get to keep the millions or tens of millions of dollars from these ransoms, it's starting to grow out of control.

Dave Bittner (19:23)

Well, I want to talk about a specific group that you and your colleagues at Halcyon have had your eye on. And they're called Brain Cipher. What can you tell us about them?

John Miller (19:34)

So it's a fairly new group, they're 6ish months old and they're part of that ransomware economy. They're not one of those top tier groups where they're building their own ransomware. They're part of the Lock Bit affiliate network.

Unknown (19:53)

Right.

John Miller (19:53)

So it's Lock Bit is probably one of the oldest, most sophisticated advanced ransomware groups that exist. And you know, every day new groups like Brain Cipher are essentially coming online, leveraging their tooling to carry out these hyper sophisticated attacks that, you know, previously were only capable by apts.

Dave Bittner (20:27)

Do you have any sense for the sophistication of the Brain Cipher group themselves versus the tools that they're buying? You know, how much of this is ready to go that anybody could use?

John Miller (20:40)

So here's the interesting thing. You don't buy these tools, you join the group and they give them to you for a profit share of washing the cryptocurrency for you.

Unknown (20:52)

Right?

John Miller (20:53)

So any of us could join this Lock Bit group. They don't. It doesn't cost anything. The only cash you really have to outlay is from another kind of group called an initial access broker. Where there are groups out there where they do these giant campaigns and, you know, penetrate companies and then sell access to like an initial loader to, you know, groups like Brain Cipher. And that allows them to get into a network without having to hack their way in, if that makes sense.

Dave Bittner (21:30)

It does. Who does Brain Cipher seem to be targeting here? Are there any organizations or verticals that they seem to focus their attention on?

John Miller (21:43)

So they seem to be pretty widely spread across the different targets that they're going after. Government, law enforcement.

Unknown (21:53)

Right.

John Miller (21:55)

Critical industries, medical education and manufacturing.

Dave Bittner (22:01)

And when it comes to the ransomware itself, I Mean, we've seen some groups pivoting of some of them not even bothering with the encryption part of just grabbing the data and then going for extortion. What's the operational mode of this group? Are they encrypting things? Are they stealing data? Is it a mix of both?

John Miller (22:23)

It's normally a mix of both with everyone now, right. Early on it was encryption based, and then we saw the data exfil and the double extortion kind of come into play. And then there were a couple groups where they just do data exfil and extortion. But, you know, 99 times out of 100, you're going to see components in both in every ransomware, and you should expect them both. And the reason why is they figured out that it gives them a double chance of getting paid.

Unknown (23:00)

Right?

John Miller (23:01)

Everyone came out and said the answer to ransomware is backups, right? And people have built better backup infrastructure. And when you have backups, even though it takes weeks and weeks to recover from them, you'd much rather spend that time than give money to a ransomware group for it.

Unknown (23:22)

Right.

John Miller (23:23)

And so as they started to lose out on that revenue, you know, the double extortion and the data leakage has really kind of filled that gap. And it gives them the ability to ensure that there's always some sort of leverage to get paid. And we've even seen it. This sounds a bit much, but triple extortion, where they'll actually look into the data and not just use the threat of I'm going to release this or whatever, but actually profit off of what was inside.

Dave Bittner (24:05)

Well, given that it seems like ransomware is here to stay, at least for the immediate future, what are your recommendations then? I mean, what should folks be doing out there to protect themselves?

John Miller (24:19)

Education.

Unknown (24:20)

Right.

John Miller (24:21)

I talk to CISOs all the time, and what I like to recommend is everyone knows what type of business they're responsible for. Do some investigation and figure out what are the actual ransomware groups that are targeting us right now? We have a bunch of resources on our website, Halcyon AI that go into that are ransomware maliciousness. Portile is fantastic. We keep it updated every quarter with essentially that information. Who are the, the top ransomware groups? Who are they attacking, what type of verticals, what type of companies, what makes them unique, what are their ttps? And once you get an understanding of, you know, what are the grips that are targeting me, look at some of the other breaches that they've done and, you know, tabletop it, right? Look at if they Pulled out this attack on me, how would we fare? And, you know, start to make some changes. Definitely have a plan, right? So many companies, once they get ransomwared, the response is, and if you're big enough, you have a cyber insurance company to call and you call them up and they've done this so many times that they'll walk you through a process. But by walking through that process, you very much lose control of the situation.

Unknown (25:52)

Right?

John Miller (25:54)

And it goes to IRA companies and lawyers where they walk you through the steps of what needs to get done. And that's not always getting your business up and running as quickly as possible. So if you're in healthcare, if you're in manufacturing, critical infrastructure, you, when uptime is that important, where 21, 22 days would cause some sort of catastrophic damage, you need to have a plan to address not only in the event of a ransomware attack, how can we restore access to our critical systems quickly and, you know, to shamelessly plug Halcyon. That's what Halcyon is all about, right? Like we give another layer of resiliency in, in addition to a layer of ransomware protection, where if a ransomware attack does go through, we can isolate it to a single host and then bring back all the data in a very quick way that was encrypted without anyone having to interact with the attackers.

Dave Bittner (27:15)

That's John Miller from Halcyon.

John Miller (27:20)

Foreign.

Dave Bittner (27:31)

Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. Get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber. That's vanta.com cyber for $1,000. And finally, the British Museum had an unexpected plot twist when a disgruntled IT contractor allegedly trespassed, shutting down parts of its network and forcing some galleries and exhibits to close. Think of it as the museum's own version of a heist movie, minus the daring escape. Police swooped in to arrest the man who's now out on bail, leaving the museum scrambling to reboot both its systems and its schedule. Visitors with tickets were prioritized, but temporary exhibitions like Silk Roads and Picasso Printmaker were put on pause. The museum apologized to ticket holders, offering refunds or rescheduling options. It's not every day the Rosetta Stone takes a back seat to an IT meltdown, but the British Museum is working hard to get back to its regularly scheduled program, minus the surprise IT Dr. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week. You can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.