
A
You're listening to the Cyberwire Network, powered by N2K.
B
There's a much shorter, just, patch-to-exploit window, like when a patch is announced versus when adversaries can exploit, and that's aided by AI. And now with Mythos really being able to identify unknown vulnerabilities, especially, I would say, at the edge of networks, like the way in, that's another data point where you just have to almost assume breach at this point. This isn't new, but I think it's a re-emphasis on: you can't just look at preventing. You can't just put up an electric fence but leave all the doors unlocked inside.
A
Hello and welcome to Data Security Decoded, where we deliver actionable insights to reduce data security risks and improve cyber resilience outcomes. I'm your host, Caleb Tolle. And in this episode, I sat down with Cynthia Kaiser, SVP of Halcyon's Ransomware Research Center. We spoke about how ransomware attacks have evolved over the past several years, how emerging technologies are manifesting in cybercrime groups, and what defenders can do to best prepare for modern ransomware attacks. Let's get into it. Well, Cynthia, thank you so much for joining us. I'm really excited to speak with you today, especially because you recently testified before the House Homeland Security Committee advocating that ransomware groups that target large hospitals should be designated as terrorist organizations. Now, some critics would say that this would make it illegal for victims to pay, effectively sentencing those hospitals to permanent downtime if they don't have the perfect backups. What would this shift in designation mean for healthcare organizations? Would they get more resources to maintain continuity? And what would that really look like for the practitioner who's working in a hospital right now?
B
Well, so let me back it up a little bit for what I was advocating for on the Hill. So really, one of the things I'm passionate about is figuring out how to stop the worst of the worst of cybercrime from happening. And even since my time at the FBI, now that I'm at Halcyon, looking at when ransomware actors choose to target hospitals. They used to have some kind of unwritten code that they didn't do this. Now they are actively choosing to target these hospitals because they believe that the threat against human lives is going to get them a bigger payout in the end. But they're not naive to the consequences: if a hospital's down, if someone has to go for a longer ambulance ride to a hospital nearby, patient outcomes deteriorate, people die. They know that. They've just chosen to believe that it's somebody else's problem, and as long as they're getting their financial win, it's okay. So they're actively choosing to put people's lives on the line. I don't know what you call that, other than murder, other than terrorism. And I think we need to come up with ways in which the actual consequences of these types of ultra-heinous crimes actually match, right, what the consequences are. Now I'm going to actually answer your real question, which is, you know, does this create an effective ban for hospitals to pay? You know, in the end, no. It could, right? If you go much farther down the line, where there are lots of actors designated as terrorists and you're kind of going through these processes behind the scenes to figure out what you can do if you're a hospital under attack. But what I will say is we've convened groups and tables of various major insurers in the space for cyber insurance to talk through this. Would it be an act of terrorism to pay, like, an act of terrorism when there's an attack, therefore rendering insurance unable to pay? Right.
Or, like, unwilling to pay, like to trigger some kind of items within insurance policies? I think the answer is, like, probably not, right? But we have to shape insurance a little bit differently if we want to move forward with that. But in terms of an effective pay ban, ultimately you might get to this place where all of these actors are designated, so that you, a hospital, can't necessarily pay, but it's not a punishment on that hospital. If an actor, a ransomware gangster, knows, "I target this hospital, they can't pay," what choices are they going to make? They're going to go to a different target. If an actor is kind of looking and saying, "well, if I target this site, this network, and it's got 'hospital' in the site address, I'm going to be labeled a terrorist," what choices are they going to make? Maybe they'll choose a different target. Right. It's about influencing the target selection and putting red lines down that say, no, you can't do this, and I guarantee you there's going to be massive amounts of federal support for any hospital that's under attack that needs to be able to wade through that. That already happens now. So I think, kind of throwing up this one flag of "but what if this?" Well, like, let's talk about how we mitigate that. Then let's not throw out the ideas that enable us to really shape adversary behavior, right?
A
Absolutely. You have to propose the big ideas to make a really big difference. I totally, totally understand that. And I want to ask you a little bit. You've already talked a bit about extortion as it relates to hospitals and ransomware, but I want to ask you a little bit about some creative extortion tactics that you're kind of observing. So, for example, I know we watched the North Korean IT worker scandal kind of shift a little bit away from, or not away from, but just in addition to, what it originally started as, laptop farms fueling the economy of a notorious nation state, to an extortion machine. And we see that they're infiltrating Western companies as remote IT workers. And they then can exfiltrate data based off the permissions that they have as remote IT employees, and then they can hold that data for ransom from the businesses that ultimately discover them and then fire them. So that's just a very interesting model shift that we watched in that particular case study. What are some of the other unique stories or emerging trends in the world of cybercrime that you're keeping a really close eye on, and that are, you know, particularly unexpected techniques to extort organizations?
B
So you bring up such a great point. Because what I like to tell people a lot of times is, when you're thinking about a cyber operation, it's a choose-your-own adventure. So, yeah, maybe you have these IT workers and they're doing the laptop farms. But I think for a while we were saying, but if you have access to the network, you can do other things. You can steal, you can attack, you can hold hostage. Same thing with espionage operations. We've seen multiple different nation-state espionage operations turn around and become cyber attack operations. A great example is when Iran targeted Albania a few years ago. They'd had espionage access for 14 months to government networks. When they were angry at Albania for something that we would consider a perceived political slight, then they turned that over to an attack group and said, here, right, go attack. They used ransomware, they did wiper activities, took the emails that had been stolen, used them for information operations. And so we can never look at these operations in a silo and expect them to stay within that lane. Adversaries are going to use the access they have to the benefit of what they need at the time. And so when thinking about, like, then what's creative? Like, what are we seeing now? A few elements. One is, I'm just going to talk about how fast ransomware is. Like, it used to be we saw, you know, weeks of dwell time. But when we reviewed last year's data at Halcyon, we identified one of the main groups, Akira. They had conducted attacks in about an average of four hours from the time they got onto a network to the time they encrypted a network. Some of them were in under one hour. That's crazy, right? Like, that's the time in which it takes to have dinner with your family. And, to that point, what's the most common time for a ransomware actor to actually conduct their attack? It's Wednesday evenings.
So, like, you are looking at groups that, in one weekday night, can enter and encrypt your entire system. So, you know, it's almost a creativeness, less so in the technical and more so in the application. How do they create the most pain? How do they do the most damage in the shortest amount of time possible?
A
Those are both very interesting case studies, in particular and especially that piece about the dwell time and the time it takes from entrance to executing an attack being so short. I'm sure, you know, AI, especially with technologies like Mythos, is just going to accelerate that even more. But I don't want to get ahead of myself, because I want to ask you about that in a little bit, but I want to shift gears a little bit and talk specifically about ransomware attacks that are focused on the cloud. Now we know that threat actors are targeting cloud environments, and it's becoming increasingly more common as more organizations adopt multi- and hybrid-cloud environments. And it's easier, I get it. Once in, they can kind of hop around cloud apps and escalate their privileges much more easily than in an on-prem environment. But what I want to talk about is that recovery piece of a cyber attack. So why is it that cyber recovery from ransomware targeting cloud environments is so different from recovering in an on-prem environment? Especially, like I said, knowing that organizations are operating in hybrid and multi-cloud environments.
B
Well, I think focusing on just the interconnectedness in general of our networks, that's actually what's fueling some of these shorter timeframes of attacks. So the ransomware actors, getting on, being able to target hypervisors, which is what allows a lot of the virtualization across all of our connected devices and the like, enables them to then rapidly grow across and do rapid encryption. But in particular with cloud-based infrastructure, when you're doing recovery, the most difficult part of a recovery operation is making sure the actors are actually kicked off, right? And I think what this really shows is there's a much higher rate of re-attack of victims. So if you're a victim once, you're much more likely to become a victim again. If you pay, you're even more likely to become a victim again. But when I was at the FBI, we would see that in, you know, under 10 days, being victims twice; under 48 hours, becoming victims twice. And really it's, you know, these actors, they're lying in wait. They're finding different places across a network to hide. And so then they are re-pivoting, becoming an affiliate, right, a subcontractor for a different ransomware group, and then going again, doing the same activity all over again. We've seen where we've kicked certain threat groups off networks, and then they try to come back, you know, in a different way, and then try to come back and pivot using a different vector, and come back again and again, trying their different ways. And so being able to really identify and eradicate and evict the actors in the network just becomes harder and harder with all of this kind of connectivity, privileged access across the board.
A
If you like what you're hearing so far from Cynthia, check out our recent episode with John Fokker, VP of Threat Intelligence at Trellix, where we break down their healthcare report analyzing attacks on hospitals and clinics in 2025, along with his recommendations on what healthcare organizations can do to improve their resilience. Now, let's get back to the interview. The industrialization of cybercrime and how it's actually become like these strategic jobs is truly, truly mind-boggling to watch. And I know I mentioned it a little bit earlier. I promised I would come back to the Mythos and the AI conversation. But recently you spoke about ransomware wannabes, is kind of what you labeled them. Groups like the Sakari group using AI to ugly chain attacks together, those are some of the terms you used. And I just love that, which is just increasing the volume of messy and destructive attacks rather than improving the quality of their code. And the industry's, you know, terrified of Mythos and its ability to autonomously outpace EDR. So I kind of want to sift through the noise on AI. So what are your biggest concerns that are on the horizon when it comes to cybercriminals leveraging AI? Is it prompt injection for agents? Is it threat actors identifying zero days with Mythos? Is it groups like Zakari haphazardly using AI for their ransomware? All of these? Something else entirely? What's kind of on your mind?
B
So I would put it in what are my short-term concerns versus long-term concerns. Right. I think in that short-term area, I am really worried about the wannabes, the amateurs who couldn't do an attack today if they wanted to. Right. But now they have the most powerful tools humans ever had in their hands and can get to 5% effectiveness, 7% effectiveness, and that's really good for them. But I think what that's going to manifest, and we're already seeing this across networks, is the number of incidents and attacks going up, even if they're known. Right. Even if you're able to identify them, security teams are finding them, they're doing the right incident response, they're kicking them off. That's a lot of time. Right. And we're going to fatigue all these internal teams if we don't have more automated ways in which to stop these attacks before they start. Because while you're looking at the most noisy types of operations, quiet ones have an easier time slipping through. So I think that's the biggest short-term problem. Long term, though, let's go 12 months, looking at the next year, especially as Mythos has come out and we've been having a lot of these conversations with industry. What is most concerning about new tools like Mythos, as well as the existing AI capabilities we now know, is that it is so much easier to get onto a network. The operations still look relatively the same once that initial access is established, but getting on is just much easier than it was even a year ago. Think about it. It's easier to lie with AI, right? So you have better spear phishing. You can do spear phishing at scale. You have better deepfakes. We've seen actors use deepfakes to conduct operations against help desks, where they pretend they're the employee, they're doing the help desk reset. There's a much shorter, just, patch-to-exploit window, like when a patch is announced versus when adversaries can exploit. And that's aided by AI.
And now with Mythos really being able to identify unknown vulnerabilities, especially, I would say, at the edge of networks, like the way in, that's another data point where you just have to almost assume breach at this point. So if you assume breach, the kind of, we've been talking about this a little bit, right, with zero trust and how do you segment your networks? This isn't new, but I think it's a re-emphasis on: you can't just look at preventing. You can't just put up an electric fence but leave all the doors unlocked inside. You have to create a lot of defense in depth. You have to create alerts, ways to identify actors if they get on, inevitably, probably get on some way to your network, be able to contain them quickly, remove their access from your network. All of that's going to be critical moving forward to be able to mitigate the attacks of the future. Because there just isn't a way, I think, to stem the human threat vector of just being able to be tricked, or of finding zero days and being able to utilize those at scale. It's going to be really an issue for the next few years. It's a long process, and that's a long decade-plus of vulnerability along the way.
A
Right. Well, speaking of the technology ahead of us. So, as somebody who's kind of a newly obsessed ransomware fanatic, I know you spent a lot of your career focusing on espionage. How concerned are you about quantum technology making its way into cybercrime circles? And how concerned are you about the concept of harvest now, decrypt later?
B
I think those are two separate items. The ransomware actors typically understand that the information collected today is disposable. Is it disposable? The ransomware actors, what they collect today, it has an expiration date, right? It's most useful when you first collect it. It's probably not, like, for the ransomware actors, you know, making a reputational problem for a company, with their clients being upset that their, you know, latest information is out there. There's a lot more utility in that being fresh and current than down the road. Espionage is totally different. Espionage, like learning secrets today to be able to use them later down the road, is something that's really scary, especially if you think about, like, who they might be collecting on, what type of information operations could be conducted, et cetera. So I'd kind of view it in these two different tracks, but quantum overall, it's interesting, because, you know, we want to look towards this, you know, next big technological advancement. But the ransomware actors are really good with the technology they have now. Like, even among the sophisticated groups, we see them using AI, but in the same way you and I are using AI, like, oh, hey, I want to check my code, right? Hey, this might save me a few minutes in writing this if it already knows me and I give it some really good prompts and some really good sources. They're not using it wholesale for doing their operations, because it has a much lower success rate than their actual operations do. I think it's the same thing when you're approaching quantum. We've seen even, I think recently there was an article that came out about a ransomware group that claimed to be using certain types of quantum technology. It was more or less a marketing ploy. Like, when we peeled it back and looked into it, they really weren't enabling and using that type of technology in the way in which they said they were.
And so you're going to see a lot of these false claims out there, like, look at us, we're able to do so much, right? They're trying to build themselves up, make themselves the boogeyman. But even with, you know, I think we're still waiting on wider adoption of AI across the actor sets. Given that they're just so good and have so much repetition and really have refined their operations using just native tools across a network, hiding among the noise, they're still very successful. Ransomware attacks are still up 20% from 2023.
A
Right. And so I want to kind of pose a difficult question to you. So manufacturing, healthcare, financial services, any critical infrastructure sector, they're all some of the biggest targets for ransomware. And I know it extends to pretty much all industries too. And so I know it's hard to paint in broad strokes and make generalizations, especially when every industry kind of has its own unique use case, if you will. But what would you say are three actionable steps that you would like to see defenders take across the board to best prepare for ransomware and be able to respond when they eventually are targeted?
B
Yeah, that's a great question. I mean, the three ways that I would really advise any defender to best protect their network include phishing-resistant multi-factor authentication, ensuring that, like, any check's better than no check. Right. So even the text message multi-factor authentication that I, of course, have, you know, on certain sites is better than nothing. But phishing-resistant, right? Using codes, using apps, some, you know, hard tokens, some way so that there can't be anyone that gets in between you and the multi-factor authentication code that you're receiving, is really the best way to protect against identity-based attacks, which is still the primary way we see adversaries going in. So I would absolutely prioritize that as number one. Number two, I would ensure that I'm focusing, I mean, zero trust is a large thing, but just having defense in depth. And by that I mean, if you can build a wall, that's great. But some people figure out how to scale a wall. You need barbed wire at the top, right? If you look across your street, there's three houses with walls with barbed wire and one without. Which one's going to be, you know, broken into first? And so really ensuring you have the double checks, because nothing's perfect. You can misconfigure, you know, certain areas. So making sure that you have some additional security in place is also critical. And finally, I'd make sure that all organizations and defenders understand that they are going to be targeted, they are going to be attacked. And to my point on AI, they're going to get in somewhere, probably onto your network. And I'd say this for an organization, but I'd say this for a grandparent that was just targeted with the elder care fraud calls that we see go rampant, or the cryptocurrency fraud and other types of crimes related to that, too: the most important thing to know is you're not alone. And, to really say it, you're not alone.
You're also a target, no matter who you are, what organization you are. Which means you need to practice incident response. You need an incident response plan. You need to take it off the shelf, make sure it's accessible even if your networks go down. And you need to incorporate all the right people into an incident response plan. Not just IT, but executive leadership, marketing, PR, so you know how transparent you want to be, especially if an actor's lying about what they did to you, right, in public; figuring that out. So really, these aren't going to sound new to any defender, but they work, and they're critical and important to being able to rebuff, but also be resilient against, ransomware attacks.
A
Absolutely. Anybody who's been listening to the show for a while is going to note this, but I've said this anecdote a couple of times: it goes back to the conversation of eat your vegetables, eat your fruits and vegetables. All of the basics of security hygiene still matter for the vast majority of organizations. So I absolutely resonate with that sentiment that you shared. And so I know you spent decades in the public sector, and now you're making a massive impact in the private sector. And I want to ask you for two inconvenient truths. One that governments need to accept to address ransomware, and then one that the private sector needs to face to become better prepared.
B
Ransomware attacks do eventually happen on the government side. And this is something that I used to really beat the drum for, so it's almost a confession at this point. But one item that government really needs to readjust its thinking on is the conversation on information sharing. It's important, I get it, right. More information, bringing it all together, it can't be siloed. But the private sector has so much data. And even coming from my vantage point of knowing what I want to tell the FBI and, like, talk to them about and provide over to them, I don't understand fully what would be most useful. And if I don't understand, I can't imagine anybody else understands exactly what would be useful over in government, because I can't just send all of my data over. They don't even have the tools to be able to parse through it. Right. They're a little behind on AI and that kind of data analysis capability overall. And so, like, being more specific: what kind of information do you want? Why? How do we get it to you? Kind of stopping having this more generalized conversation around it and getting into much more specifics with private industry really matters here. On the private sector side, it's interesting. Halcyon did a study of talking to CISOs, and we asked a lot of questions. One is, you know, how prepared do you think you are to be able to rebuff a ransomware attack? And, you know, I think it was about 70% said, yeah, I'm really prepared, right? I could rebuff a ransomware attack. And we asked a similar question: how many of you think that you would pass, like, a red team target? How many of you would pass kind of that pen testing that testing people do of your network, right? And about 70% said, oh, I don't think we'd pass. The ransomware actors act just like a red team.
They act just like the companies you're going to see come in and test your network: they're trying to use your native tools against you and go across surreptitiously and really find, you know, what's most valuable. All those things, the same tools that we would see them use, we see the ransomware actors use. So I think there's this overestimation in the private sector about how prepared they are to rebuff an attack and stop it. And I think there needs to be more of an honest accounting for how sophisticated cybercrime is. It's so, so much more sophisticated, different than it was just two years ago. Kind of understanding that, and knowing you have to do things differently than two years ago as well, is critical to being able to protect your network.
A
Right? Right. Absolutely. That's a very interesting juxtaposition there of those two responses. And I would have a couple of questions for that CISO who maybe gave those exact answers on that survey. But Cynthia, it has been wonderful having this conversation with you. What is the most important message you want to leave with our listeners today?
B
I'm going to leave two. One is: ransomware is so different than it was two years ago. Right. So make sure you're keeping up to date and re-looking at how you're protecting. But the last one is that we should all be a lot more angry about ransomware than we are. We should be honest about the impact it's causing, and we should be honest about getting together and needing to work together to do something about it.
A
Absolutely. I think that is a very refreshing take to end on, and I think it's a very realistic take, too. So again, Cynthia, thank you so much for joining us today. This was a really, really wonderful conversation. And until next time, thank you. That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback helps me understand what you want to hear more about and is the best way to support the show. If you want to reach out to me about the show, email me directly at data-security decoded2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Eiben. Content strategy by Mayan Plout. Sound design by Elliot Peltzman. Audio mixing by Elliot Peltzman and Trey Hester. Video production support by Richard Kirkey Wild and Sorrel Joppy. Until next time, stay resilient.
Host: Caleb Tolle (A)
Guest: Cynthia Kaiser, SVP, Halcyon Ransomware Research Center (B)
Release Date: May 5, 2026
In this episode, host Caleb Tolle interviews Cynthia Kaiser, a leading ransomware and cybercrime researcher, about the evolving ransomware threat landscape, the controversial proposal to designate certain ransomware groups as terrorist organizations (particularly when they target hospitals), and practical steps defenders can take. They dive into how ransomware attacks and extortion tactics are changing, discuss the influence of AI and quantum technology on cybercrime, and end with actionable advice for both public- and private-sector defenders. The discussion is vendor-agnostic and focused on threat trends, resilience, and "what works" for security practitioners facing tomorrow's ransomware realities.
On the terror of hospital attacks:
“They're actively choosing to put people's lives on the line. I don't know what you call that, other than murder, other than terrorism.” (B, 02:25)
On the speed of modern ransomware:
"Attacks in about an average of four hours from the time they got onto a network to the time they encrypted... some in under one hour. That's the time in which it takes to have dinner with your family." (B, 07:26)
On AI’s most disruptive effect:
“It is so much easier to get onto a network. ...It's easier to lie with AI, right? So you have better spear phishing. You can do spear phishing at scale. You have better deepfakes.” (B, 14:10)
On the myth of quantum-powered ransomware:
“It was more or less a marketing ploy... trying to build themselves up, make themselves the boogeyman.” (B, 17:59)
Final words:
“We should all be a lot more angry about ransomware than we are. We should be honest about what the impact it's causing and... about getting together and needing to work together to do something about it.” (B, 26:14)
The ransomware landscape is accelerating: offenders are smarter, attacks are faster, and the risks to critical infrastructure are dire. Cynthia Kaiser urges listeners to rethink their defenses as fast as adversaries adapt. Don't become a statistic: layer up your security, plan for crisis, and demand more from both government and industry collaboration.