CyberWire Daily – Research Saturday
Episode: "No honor among thieves."
Date: October 11, 2025
Host: Dave Bittner
Guest: John Fokker, Head of Threat Intelligence, Trellix
Research Discussed: "Gang Breaking Trust Among Cybercriminals"
Overview
This episode delves into recent changes within the ransomware ecosystem, focusing on mounting distrust and breakdowns among cybercriminal groups. John Fokker from Trellix joins Dave Bittner to unpack his research on how cybercriminal alliances are unraveling, what this means for defenders, the rise of splinter groups, and the future evolution of ransomware-as-a-service. The conversation explores why trust was central to these ‘criminal empires,’ how law enforcement and internal betrayals are disrupting the business model, and what defenders should learn from these shifts.
Key Discussion Points and Insights
1. The Fracturing of Cybercriminal Alliances
- Observation of Change: Large ransomware families are now less visible; the ecosystem is scattering.
- [01:43] "We kind of felt like the larger families were not as prevalent anymore... there's something happening in the underground." —John Fokker
- Key Finding: Rising internal distrust among cybercriminal crews, leading to instability and fragmentation.
- [02:23] "Cyber crew Mongols are starting to distrust each other... there were always strong alliances... now the trust goes out the door." —John Fokker
2. Evolution of Ransomware Operations
- Historical Phases:
- Early ransomware targeted consumers, focusing on wide, indiscriminate infection.
- [04:18] "...ransomware was targeted at consumers... a spray and pray mentality..." —John Fokker
- Shift to "big game hunting": Ransomware groups moved to targeting organizations, seeking higher payouts.
- [04:41] "SamSam was one of those ransomware versions... more pen testing related tasks... paralyzing the whole network..." —John Fokker
- Emergence of Ransomware-as-a-Service (RaaS): Criminal empires ran operations like businesses, with divisions of labor and reputational stakes.
- [05:51] "If we looked... at the Conti leak chats... that was run like a business... you would see groups that would have people on payrolls or they would pay out a commission..." —John Fokker
3. Why Trust is the Linchpin—and Why It’s Breaking Down
- Complexity Requires Collaboration: Multiple steps (from developing to distributing ransomware and laundering proceeds) mandate trust among cybercriminal teams.
- [03:13] "It's almost impossible to do everything yourself... so you're always in a partnership. And these partnerships take trust." —John Fokker
- Cracks Appear:
- Dishonest leadership (exit scams, not paying affiliates)
- Law enforcement reputational attacks (publicly tarnishing crime crews)
- Operational failures (faulty decryption, double extortion risks)
- [09:21] "Damaging their reputation... if you damage that reputation, you break their trust... it will have a ripple effect..." —John Fokker
Memorable Analogy
- [08:46] "It's just like the final scene of Reservoir Dogs where they're all pulling guns at each other... where they first started off as friends, now they can't trust each other." —John Fokker
4. Examples of Eroding Trust
- Law Enforcement Tactics:
- FBI and NCA's trolling and infiltration of LockBit destroyed their standing in the underground community.
- [11:00] "They trolled Lockbit... this really had an impact on the reputation for Lockbit. People scattered away." —John Fokker
- Exit Scams:
- Leadership absconding with funds, leaving affiliates unpaid.
- [11:44] "...if that happens often, then affiliates... are not really inclined to do a lot of work." —John Fokker
- Product Failures:
- Use of unreliable encryption/decryption tools undermines group credibility.
- [12:20] "...the decryptor worked, but the decrypt... failed. So essentially they corrupted all the data..." —John Fokker
- Victims Revictimized:
- Data from a breach resold or reused by multiple groups; victims get extorted repeatedly.
- [13:20] "...data that was stolen from one victim ends up at multiple other families... you can get extorted again." —John Fokker
5. What This Means for Defenders
- From Big Sharks to Piranhas: The landscape has shifted from a few dominant actors to many small, hungry, and often less competent operators.
- [19:03]
- Dave: "Instead of having these alpha predators... it's more like having a river full of piranha..."
- John: "That's a great analogy... it's more like piranhas now."
- Defensive Implications:
- Reputation among criminals is harder to maintain; increased group fragmentation.
- [16:30] "There's a saying like, reputation of years can be damaged in seconds... there's a lot of these splintered groups..." —John Fokker
- Rise in data-focused extortion; less emphasis on encryption.
- [17:45] "A lot of these smaller groups... focus on the data extortion. Because that's the skill set..." —John Fokker
- Emergence of specialized 'service providers' in the ransomware supply chain.
6. Takeaways for Security Teams
- Don’t Mythologize Threat Actors:
- [19:55] "We don't like to mythologize threat actors... they're criminals. For organizations... understand they're human, and as soon as you understand the threat, you're not fearing it, you can act upon it." —John Fokker
- Foster Distrust Among Threat Actors:
- Security teams (and researchers) can undermine cybercriminals by exposing their mistakes and helping disrupt their trust-based networks.
- [21:00] "...I'm a big advocate for sowing distrust and breaking the trust among cybercriminals... it helps break that trust cycle and that will slow down solid product." —John Fokker
- Example: Trellix's "dark web roast," publicizing criminal errors to erode their underground reputation.
7. The Future of Ransomware
- Likely Trajectory:
- Ongoing law enforcement pressure and internal fractures may permanently splinter large, hierarchical ransomware organizations.
- [22:47] "Maybe ransomware... those empires of partnerships... wasn't supposed to happen in the first place... ransomware is evolving to a structure that is more aligned with how the cybercriminal underground operates." —John Fokker
- Expect further industry fragmentation, with more freelance or boutique criminal services and less centralized control.
Notable Quotes & Memorable Moments (with Timestamps)
- [01:43] "It was like it was getting scattered..." —John Fokker
- [02:23] "When cyber criminals trust each other, that's when innovation happens... now the trust goes out the door." —John Fokker
- [08:46] "...just like the final scene of Reservoir Dogs, where they're all pulling the guns at each other..." —John Fokker
- [11:00] "They trolled Lockbit... this really had an impact on the reputation for Lockbit." —John Fokker
- [13:20] "A victim can get extorted twice... Do not pay because... you can get extorted again." —John Fokker
- [16:30] "There's a lot of these splintered groups... every week there's a new family." —John Fokker
- [19:03] Dave: "Instead of having these alpha predators... it's more like having a river full of piranha..."
- [21:00] "I'm a big advocate for sowing distrust and breaking the trust among cybercriminals... it helps break that trust cycle..." —John Fokker
- [22:47] "Maybe ransomware... is evolving to a structure more aligned with... the cybercriminal underground." —John Fokker
Segment Timestamps
| Timestamp | Segment Summary |
|-----------|-----------------|
| 01:43 | Noticing fragmentation of major ransomware groups |
| 04:18 | Evolution of ransomware: from consumer targets to enterprises and empires |
| 09:10 | How trust breaks down, signs of ecosystem disruption |
| 13:20 | Real-world cases: repeated extortion, exit scams |
| 16:30 | The challenge of maintaining criminal reputation today |
| 19:03 | "Piranha effect": many small players replace big predators |
| 19:55 | Takeaways for defenders: don't mythologize criminals, sow discord |
| 22:47 | Ransomware's future: from empire to fragmented freelancers |
Conclusion
Through both technical analysis and sharp anecdotes, John Fokker illustrates how the cybercriminal world is suffering a crisis of trust—triggered by law enforcement disruption, greed, incompetence, and the complex, interdependent nature of criminal enterprises. For defenders, these fractures mean both continued vigilance (as new threats multiply) and a unique opportunity: make things even harder for the adversary by publicizing their mistakes and dividing their ranks. While ransomware remains a major threat, its future may be as fractured and distrustful as the gangs that run it.