CyberWire Daily – Live from Black Hat: Ransomware, Responsible Disclosure, and the Rise of AI
Episode: Microsoft Threat Intelligence Podcast
Date: September 1, 2025
Host: Shara de Grippo, Director of Threat Intelligence Strategy, Microsoft
Overview
This special live episode, recorded at Black Hat 2025, delivers a trio of expert conversations focusing on the cutting edge of cybersecurity threats and defense. The show dives into Microsoft’s bug bounty and Zero Day Quest programs, the rapid evolution of ransomware and extortion, and the current state of phishing and social engineering. Across these segments, the rising impact of AI in both attack and defense takes center stage, with practical insights for security professionals at every level.
Segment 1: Microsoft Security Response Center (MSRC), Bug Bounties, and Zero Day Quest
Guests: Tom Gallagher (VP Engineering, Head of MSRC)
Timestamps: 00:05 – 15:36
Mission and Operations of MSRC
- MSRC’s Core Role
  - Handles all externally-reported security vulnerabilities for Microsoft products, coordinating the full lifecycle: triage, technical assessment, remediation, and coordinated disclosure.
  "Any security vulnerability that's found by somebody outside of the company gets reported through the MSRC. We triage, assess, and work with the product teams to fix it, and then we coordinate public disclosure."
  — Tom Gallagher [01:24]
- On Coordinated Vulnerability Disclosure
  - Disclosure is collaborative, ensuring customers are protected before research goes public.
  "The person that finds it reports it to the vendor ... the issue is mitigated, the researcher is free to go and talk about it."
  — Tom Gallagher [01:58]
- Diversity and Motivation in the Research Community
  - Submissions come from 59 countries, with contributors ranging from high schoolers to PhDs.
  - Full-time and hobbyist bug hunters both play key roles.
  "You have people from 59 different countries ... people still in high school to well-experienced, close with PhDs."
  — Tom Gallagher [02:41]
  "Some ... get up and look for bugs all day long ... that's the way that they make their money."
  — Tom Gallagher [03:37]
- Scope and Triage
  - Microsoft accepts bugs for all products but only incentivizes select areas via bounty.
  - AI and automation assist with triaging the flood of submissions.
  "We're using a lot of AI now to triage things and prioritize ... not every submission that we get is like a critical issue."
  — Tom Gallagher [07:39]
Zero Day Quest: Encouraging Next-Generation Research
- Program Structure and Impact
  - Focused on cloud and AI vulnerabilities; top researchers get invited to live events at Microsoft's Redmond campus.
  - Hands-on collaboration accelerates bug discovery and fixes, compressing what might be months into days.
  "It compresses that timeline from bug finds, a bug fix into what, a day?"
  — Shara de Grippo [06:29]
  "The mitigation of an issue is going to vary ... but certainly our time to mitigate is very important."
  — Tom Gallagher [06:40]
- Ethics and Responsible Disclosure in Practice
  - Flash Challenges allow researchers to safely explore systems deeper, within controlled ethical boundaries.
  “People could go a little bit further than they normally would, but it’s all within a contained boundary.”
  — Tom Gallagher [08:44]
Feedback Loop Between Research and Engineering
- Security Starts Early, But Research Is Key Feedback
  - Security issues revealed by researchers drive systemic improvements—new tools, static analysis rules, and expanding threat modeling for future products.
  "That's the feedback channel that we use to change the way we think about things."
  — Tom Gallagher [10:16]
- Building Security Culture Across Development and Response Teams
  - Emphasizes strong partnerships between builders (developers) and breakers (security researchers).
  "They’re going to be well-equipped to address the issue if they're aware of how to do that."
  — Tom Gallagher [11:55]
Looking Ahead: Zero Day Quest and Research Opportunities
- Call to Action
  - The next phase of Zero Day Quest is open (now through October 4); emphasis remains on cloud and AI.
  "Find a vulnerability in cloud and AI products. Submit those—you're going to get paid for them ... the top people get that in-person experience."
  — Tom Gallagher [12:30]
- Expanding Global Engagement
  - Blue Hat Asia is launching in Duluth Deja, with other events in Israel and India—Microsoft aims to involve more regions and perspectives.
- What’s Needed from the Community?
  - More AI research, especially by those with traditional AppSec mindsets.
  "We’d like to see more people pivot to the AI problem ... apply that same mindset to AI."
  — Tom Gallagher [13:56]
  - Social engineers are encouraged to use their skills in the AI context, where natural language interfaces lower the barrier to entry.
  "Combining your social engineering experience with natural language capabilities, getting into AI systems, you can hit bugs ... you maybe could not have hit otherwise."
  — Shara de Grippo [14:36]
Segment 2: The State of Ransomware—Speed, Specialization, and the Rise of Artificial Intelligence
Guests: Eric Oldman (Principal Security Researcher), Eric Lawler (Senior Security Researcher)
Timestamps: 15:37 – 28:43
Ransomware Today: Faster, Smarter, and Ruthlessly Efficient
- Acceleration of Attacks
  - Modern ransomware operators act quickly, often fully compromising organizations in under an hour.
  "It was about 30 to 40 minutes from first VPN log to hitting the backups."
  — Eric Oldman [18:10]
  - Dwell time—a metric historically tracked in days—is now measured in hours or even less.
- Operational Intelligence of Threat Actors
  - Attackers know the internal landscape, targeting servers, backups, and business-critical systems with surgical precision.
  "They have a better chance of getting the ransom payment rather than just encrypting a few workstations."
  — Eric Lawler [17:02]
- Trends in Access and Persistence
  - Ransomware groups increasingly use credentials acquired through access brokers; privilege escalation is less common, as initial access is already privileged.
  "They have the accounts when they come in; they don't need to do a lot of privilege escalation."
  — Eric Lawler [17:02]
- Evolution of Extortion
  - It’s no longer just encryption: double and multiple extortion tactics abound (data theft, public shaming, etc.).
  "They have kind of two options, right? We'll release your data to the public and you're going to sit there with everything encrypted."
  — Eric Lawler [20:45]
AI’s Emergent Role in Ransomware
- AI-Accelerated Reconnaissance
  - Threat actors use archived breach data, process it with LLMs/SLMs to map weaknesses, pivot targets, and even identify extortion opportunities within communications (e.g., mergers, sensitive internal issues).
  “Ransomware actors going, pulling down old data breach archives ... help me figure out their weaknesses. ...help me figure out, based on these data breaches, where I could potentially do a ransomware event.”
  — Shara de Grippo [21:05]
- Attack Playbook Replay and Supply Chain Risks
  - AI enables rapid review of historical vulnerabilities to see if new versions of software or supply chain partners remain susceptible.
  "They can go back and play back that—you know, repeat that playbook."
  — Eric Oldman [23:15]
Supply Chain Attacks and Ecosystem Complexity
- Targeting Service Providers for Maximum Impact
  - Compromising managed service providers (MSPs) offers threat actors a multi-customer attack vector; vendor/partner vulnerabilities propagate risk.
  "If the company's using a third-party MSP and they compromise that, sometimes ... that's who they go after."
  — Eric Lawler [22:16]
  "Your vendors of providers are just as much of a target as you are, if not more."
  — Shara de Grippo [23:38]
- Ransomware as an Ecosystem
  - Group infighting (“no honor among thieves”) and specialization among access brokers, affiliates, and developers drive rapid evolution.
  "We have disagreements between ransomware groups and they break off, form their own ... introduce some changes ... and hit it that way."
  — Eric Oldman [25:36]
Defensive Takeaways
- Proactive Defenses
  - Disconnect backups from main systems; robust logging is critical (VPN and firewall logs especially).
  "Having a plan to disconnect critical systems ... backups not connected to your normal production environment ... proper logging ... are so key."
  — Eric Lawler [26:45]
- Know Your Crucial Data and Vendor Hygiene
  - Many organizations are unaware of data exfiltration until ransom proof appears. Vendor risk management remains unglamorous but essential.
  "Making sure your vendors are doing the boring parts of security ... have a P3 of visibility into those vendors."
  — Shara de Grippo [24:25]
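The logging takeaway above, combined with the 30-to-40-minute timeline from first VPN log to backups quoted earlier in this segment, maps to a correlation a defender can run over VPN and firewall logs. The Python below is an added example, not from the episode or from Microsoft; the log format, IP addresses, backup-host inventory, function names and 60-minute threshold are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the episode); the format is an assumption.
SAMPLE_LOGS = """\
2025-08-01T02:11:04Z vpn login user=svc-admin src=203.0.113.50 assigned=10.8.0.23
2025-08-01T02:15:40Z fw allow src=10.8.0.23 dst=10.20.1.15 dport=3389
2025-08-01T02:47:39Z fw allow src=10.8.0.23 dst=10.20.5.10 dport=445
2025-08-01T08:02:10Z vpn login user=jdoe src=198.51.100.7 assigned=10.8.0.31
2025-08-01T08:05:12Z fw allow src=10.8.0.31 dst=10.20.1.15 dport=443
2025-08-01T13:30:00Z fw allow src=10.8.0.31 dst=10.20.5.10 dport=445
"""

BACKUP_HOSTS = {"10.20.5.10"}       # assumed inventory of backup servers
WINDOW = timedelta(minutes=60)      # assumed alert threshold

LINE = re.compile(r"^(\S+) (vpn|fw) \S+ (.*)$")

def parse(line):
    """Return (timestamp, log kind, key=value fields) or None for unknown lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return ts, m.group(2), fields

def fast_backup_access(log_text, backup_hosts=BACKUP_HOSTS, window=WINDOW):
    """Flag VPN sessions that reach a backup host within `window` of login.

    Assumes the merged log is sorted by time.
    """
    sessions = {}   # assigned VPN IP -> (login time, user, external source IP)
    alerts = []
    for ts, kind, f in filter(None, map(parse, log_text.splitlines())):
        if kind == "vpn" and "assigned" in f:
            sessions[f["assigned"]] = (ts, f.get("user", "?"), f.get("src", "?"))
        elif kind == "fw" and f.get("dst") in backup_hosts and f.get("src") in sessions:
            login_ts, user, ext_ip = sessions[f["src"]]
            elapsed = ts - login_ts
            if timedelta(0) <= elapsed <= window:
                alerts.append({"user": user, "external_ip": ext_ip,
                               "backup_host": f["dst"],
                               "minutes": int(elapsed.total_seconds() // 60)})
    return alerts

if __name__ == "__main__":
    for alert in fast_backup_access(SAMPLE_LOGS):
        print(alert)
```

The correlation only works if both log sources are retained and carry the VPN-assigned address, which is the practical reason the guests single out VPN and firewall logging.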
Segment 3: Phishing and Social Engineering—Scale, Technology, and the Human Factor
Guests: Travis Shack (Principal Security Researcher), Eric Olson (Principal Security Researcher)
Timestamps: 28:43 – 42:24
Social Engineering and Credential Phishing 101
- Defining Social Engineering
  - Tactics used by attackers to manipulate victims into providing information or access, via channels such as email, SMS, and phone.
  "Social engineering is just a tactic that threat actors use to get you to do something, to provide something."
  — Travis Shack [29:41]
- Everyday Examples
  - Texts or emails about fake tolls, packages, etc.—ubiquitous, profitable, and designed to exploit human trust.
  "Everyone who's got a text message that says, hey, you have a toll due, click this link ... everyone’s got that."
  — Eric Olson [30:15]
Scale and Success of Phishing
- Massive Volume and High Effectiveness
  - Phishing remains highly profitable due to the sheer volume and inevitable click-through rates, even among aware users.
  “Very much so profitable and probably way too many to count.”
  — Eric Olson [31:28]
- AI Supercharges Social Engineering
  - LLMs and generative AI erase traditional phish "tells" (poor language or formatting). Tailored, believable content is now accessible to low-skilled actors.
  “Now through the use of AI ... this is kind of believable if you’re not looking for other indicators.”
  — Eric Olson [32:16]
Credential Phishing Attack Flow
- What Happens Post-Compromise?
  - Stolen credentials grant system access—without MFA, attackers quickly pivot to sensitive systems (personal, work, banking, social media).
  "If you don’t have multifactor authentication ... they're going to gain access to whatever systems where you use those credentials."
  — Travis Shack [32:37]
- Why User Education Alone Isn’t Enough
  - Security awareness is crucial, but errors will occur—technical controls must backstop human fallibility.
  "Besides the user education ... that's where multifactor authentication is going to help ... technology side of the house."
  — Travis Shack [34:02]
Defensive Strategies
- Top Recommendations
  - MFA everywhere (“one of the biggest protections we can have” – [34:02]), email security solutions, microlearning/simulation for training, and rapid reporting mechanisms.
  - Trust is repeatedly identified as the target—social engineering attacks break person-to-person or person-to-brand trust, requiring both technical and cultural remedies.
- AI Risks and the Future
  - AI enables tailored attacks using breach data and personalization.
  "Download a bunch of breach data ... run those through an LLM ... trick someone from this company, how could I do that?"
  — Shara de Grippo [35:00]
Notable Examples and Tactics
- Abuse of Context, Emotion, and Habit
  - Emails/Fakes exploiting urgency, fear, or curiosity (e.g., “Your spouse has begun divorce proceedings—click here”) or personalized job scams during economic uncertainty.
  "A really good example ... a law firm ... Divorce papers—click here ... there are so many reasons for people to click on things like that."
  — Shara de Grippo [38:26]
- Deepfake-Aided Vishing and Help Desk Scams
  - Deepfaked audio of politicians used for social engineering; attackers now easily bypass human intuition, especially targeting internal help desks.
  "You're starting to see the phishing becoming more successful ... lot of help desks being targeted ... now with voice generation and AI ... it's harder to decipher."
  — Travis Shack [37:42]
- Range from Targeted to Spray Attacks
  - Highly-personalized attacks coexist with “spray and pray” strategies—both remain effective at scale.
Memorable Quotes by Segment
On Global Research Community and Diversity:
"We have people from 59 different countries... people that are still in high school all the way to people with PhDs."
— Tom Gallagher [02:41]
On the Impact of AI in Triage and Security Response:
"We're using a lot of AI now to triage things and prioritize and work through all of the issues."
— Tom Gallagher [07:39]
On the Acceleration of Ransomware Attacks:
"It was about 30 to 40 minutes from when they came in ... to when they started hitting the backups."
— Eric Oldman [18:10]
On Threat Actors Knowing Organizational Processes:
"They're able to really understand... will we get a pay, will we get paid, do they have the capability, and how exactly would we get that access?"
— Shara de Grippo [18:57]
On Defensive Priorities Against Ransomware:
"Having a plan to disconnect critical systems ... proper logging, I think, is so key."
— Eric Lawler [26:45]
On AI Increasing Attacker Sophistication:
"The use of AI... now you can go back, repeat that playbook, and see if the customer is vulnerable this time."
— Eric Oldman [23:15]
On the Human Element of Security:
"Everybody can do a little bit of security ... be like, hey, this is no good. And then report it and ... not clicking it."
— Eric Olson [33:57]
On AI’s Role as an Accelerator:
"AI really...the A can very easily stand for acceleration—just making things a lot faster that we used to do manually."
— Shara de Grippo [35:54]
Key Takeaways
1. Responsible Disclosure at Scale
- Microsoft’s coordinated vulnerability disclosure process, global bug bounty outreach, and innovative programs like Zero Day Quest accelerate mitigation while fostering researcher collaboration.
2. Ransomware: Faster, Smarter, and More Sophisticated
- Modern ransomware operations are powered by intelligence, specialization, and—now—AI. Supply chain vulnerabilities, rapid compromise, and multifaceted extortion demand holistic defense.
3. Phishing and Social Engineering Remain Entry Points
- Threat actors exploit emotion, context, and habit. AI-generated lures and deepfakes up the ante. Human error is inevitable—technical controls (especially MFA) and continual awareness are vital.
4. AI Is a Game-Changer—For Both Sides
- AI accelerates both attacks and defenses, from triaging bug reports to crafting tailored extortion and phishing campaigns. The community is called to adapt and focus research on AI's cybersecurity implications.
Additional Resources
- Zero Day Quest program: [Microsoft Security Blog]
- Blue Hat Asia & global events: Check Microsoft events pages
- Recommended defenses: MFA everywhere, strong vendor assessments, regular backups, log retention, security awareness with modern simulation practices
Closing Thought:
As threat actors rapidly innovate, especially with AI at their disposal, defensive strategies must evolve just as quickly—melding cutting-edge technology, global collaboration, and a perpetual focus on human factors.