A (2:19)

Like, is it gonna. Are they gonna be like axis middlemen then? Like someone who's like, look, you can get up to 8% of the payout from.

B (2:29)

I stumbled across this story yesterday, which is only slightly relevant, but it was a Chinese person, Chinese businessman hired a hitman to eliminate a rival. And he hired. Hired him for, I think it was quarter of a million dollars. And so the story is that hitman then hired another hitman and it went.

A (2:52)

Five layers deep until there was someone who was getting paid so little, he just went to the cops, pretty much like someone's giving me, like, $200 to go and kill someone. Screw these guys.

B (3:03)

Yeah, exactly. Back to the tweet, I thought, okay, that sounds reasonable enough. But that's the sort of thing that only happens if you don't have any better alternative. Like, why bother getting an insider? And so optimistic. Me putting on my optimistic hat was okay, that tells us that security is actually getting better.

A (3:30)

Yeah. It's now so good that they're forced to pay 25% of their ransom to insiders who give them access. I don't.

B (3:38)

Yeah, I'm not convinced either.

A (3:40)

Yeah, I don't think that that's true.

B (3:42)

But the other thing that occurred to me is, for Scattered Spider, it seemed that hacking was a sport and not a job.

A (3:53)

It's sort of like a social. It's going down to the pub. It's not even a sport. It's hanging out with your friends and playing darts. And whoever wins or loses, like, that's not necessarily the point of going down to the pub. Like, you're not. You're not there to play darts. You're there to hang with your friends and you play darts. And these guys, it's. Yeah, it's like you have a few beers, maybe you play some pool, you throw some darts, whatever, but you're there with your mates. I think that's sort of the same thing here, right? Like, it's. You're stealing a few million dollars. It's like, whether you get it or not, like, whatever.

B (4:26)

Yeah, yeah. Bloomberg had a story on Noah Urban, who seems like he was one of the key people in Scattered Spider. He's been jailed or sentenced to, I can't remember, decades in prison. And Bloomberg talks about times when he's trying to socially engineer help desks, and it's essentially a group call where he's got a whole lot of people listening in, laughing when he makes mistakes. And it's a social activity, not a.

A (4:58)

Right.

B (4:59)

Like, exactly as you describe.

A (5:01)

And, yeah, it's a criminal enterprise in the loosest possible sense. It's a bunch of annoying teenagers being annoying. Rather than leaving flaming bags of poop on someone's doorstep, they're calling help desk and trying to get credentials.

B (5:17)

Yeah. And so it seems that to just get in contact with an insider and say, we'll give you 10%, that's not fun. There's. There's not a communal activity.

A (5:29)

I think it's like playing darts in your garage by yourself instead of at the pub with your friends. Like, it's you can still do the same activity, but it's. You're missing the point in a way.

B (5:41)

Yeah. It's kind of like fishing with dynamite instead of just fishing.

A (5:45)

Right. With, with a case of beers and like a good mate, which is.

B (5:51)

Yeah. So this struck me as the sort of thing that you might do if you wanted to be professional.

A (5:57)

Yeah.

B (5:58)

I think last week, maybe the week before, Joe Tidy, who's the cyber correspondent for the BBC, he wrote up this story about getting approached. I think he was approached on signal by someone claiming to be a criminal who said, if you give us your logon credentials and help us log on to the BBC, we'll give you, what was it, 10, 10% of any ransom that we get.

A (6:25)

Yeah. I'll gladly pay you Tuesday for a hamburger today, like it seems. Yeah. So that's kind of interesting, actually.

B (6:36)

Offer 25% of the final.

A (6:39)

You could offer 150% of, like, I will pay you 150% of whatever I'm going to get if you just do the work for me.

B (6:47)

Right.

A (6:47)

Like it's, I promise I'll pay you, but. Okay, so here's the interesting thing, right, Is as you know, one of my areas of interest is like old time professional thieves and stuff. This is exactly what they used to do. There's a lot of cases where having some helpful assistance was very, very useful. So for example, if you were robbing a bank and someone came to you and said, hey, look, Every Tuesday at 11:05am the truck comes to deposit $250,000 in cash. If you hit us, then you're guaranteed to get whatever they'd say, okay, we'll pay you 10% of that. Whatever our take is, we'll pay you 10%. That was the standard insider fee payment was 10% and it's being mirrored here. Similarly, if you were running a big con, like at a big con shop back then, moving money was very difficult. Like you'd have your local bank in Sydney and there'd be a local bank in Adelaide. And what you'd have to do is call up like you'd be in Adelaide getting scammed and you'd call up your bank in Sydney and say, please transfer $20,000 to this bank so I can get the cash. And then the bank manager at that bank would have to sort of arrange with your local bank and get the cash sent over. So the thing is, if you're running a big con, you're taking people to get huge sums of money from this local bank all the time and the bank Manager is probably going to think it's a bit weird that the same two or three guys keep showing up with new out of towners to get like 50,000, 70,000, $20,000, you know, multiple times a day. And they're probably going to go, this is hinky. Like this is, this is not right. Like sir, you're being scammed. I'm going to call the police, we'll have these been arrested, I'll save you your money. So the way that they get around that is like the criminals will basically take the bank manager aside and be like, look, we're running a business sort of very cash flow heavy, you know, as part of a goodwill gesture, we'll offer you a 5% of whatever comes through. And if that doesn't work, they're willing to go up to 10%.

B (9:04)

Right.

A (9:05)

So it's sort of the same sort of ballpark thing. Of course the, like, the funny thing about paying off an insider is that it means that the police have someone they can nab. Right. So if you go back to sort of like the bank robbery thing, you have three masked men who show up with foreign, you know, with out of town accents who leave with the money and then you've got the one clerk that shows up the next day in a brand new car and you know, you're looking at this and the cops go like, well fighting those guys is going to be hard. They've got guns and they're probably hardened criminals and they'll shoot it out. And this guy is so dumb that he just spent his money immediately. So let's get him. Similarly, when it came to like sentencing time, often the professional thieves would have a fixer who would make sure that like the judge is paid off or the police are paid off or a politician is paid off to make sure that, you know, the problem goes away. Yeah. Like actually one of the ways that one of them did it was he had this huge bankroll in his pocket and he'd sit in front of the jury pool and it pull out the bankroll and he just start making eye contact and going, yeah, yeah, yeah. And the first juror that would not back at him, he tell us, tell his lawyer, wrap it up, the fix is in. So anyway, like the thing is that the judge would be like, they have to sentence someone because they've just let the real criminal off. Like the real criminal has been the case got fixed. But here's this local boy who didn't, didn't have a fixer who did do a crime. So you throw the book at him to show that like you're, you're tough on crime, that you're doing your job.

B (10:50)

Well, justice has been served.

A (10:52)

Right?

B (10:54)

Yeah, I think that dynamic still applies here in the giving police someone to arrest who's like easy to find. I mean, I don't think it eliminates the risk entirely, but it probably helps a little bit. So in Joe Tidey's case, the person who contacted him claimed to be part of the Medusa gang, which I believe operates out of Russia. So they've got some other kind of protection in that they're just in a jurisdiction that's not amenable to law enforcement.

A (11:27)

Yeah, I mean you got to look at it from the police point of view as well. Right. Like you can capture a 17 year old in Uzbekistan and haul him before a judge and say this is the kid that stole $25 million from BBC. Or you could get the guy in London who is old enough to actually serve time and throw him in jail instead. And it like, it just, it seems a hell of a lot easier. Although I guess to be fair, a lot of these sort of, these Scattered Spider guys turned out to be from the UK anyway.

B (12:00)

So Tidy talks about that Medusa. Whoever's contacting him claims to be the only English speaking person in the group.

A (12:09)

And so that seems like a bit of a problem for a ransomware group targeting the West.

B (12:17)

Well, I guess, I guess Google translates probably good enough for many things for phishing certainly.

A (12:22)

But you wouldn't be able to call up help desk and sort of chatgpt your way through it, right?

B (12:26)

Yeah, right. Yeah. So that makes sense to me. If you don't speak English, social engineering is probably not your jam. Certainly social engineering of English speaking help desk is not your jam. And so that is why this story makes sense. And conversely, the opposite story of Scattered Spider trying to buy insider access didn't really make sense because where's the fun in that?

A (12:50)

I mean, I think they would do it, but it would be done in the same sort of way. It wouldn't be like this Joe Tighty thing. Seems to me like it's, it's a targeted campaign that's sort of going through candidates one by one maybe. Or if you've got a lot of time. Yeah, like you're just doing that. Whereas I think that the Scattered Spider guys, when they were doing it was, it was much more of the call up help desk and be like, hey, how do you like to make some real money? It was like it was just a variation of the existing social dynamics that they had on that call, that sort of the same sort of plays that they were doing, the same sort of entertainment thing, it would just be like, it didn't work. Pretending that we were unable to log in. Let's just offer them $10,000 because we've got several million. And that's.

B (13:40)

So that can still be a game is what you're saying, right? Yeah, yeah.

A (13:44)

But it's not going to be reaching out in private to one person and saying, hey, why don't you do this.

B (13:53)

Call may be recorded for quality and coaching purposes. Hey, how would you like to earn some money?

A (14:04)

This doesn't seem like a fun thing to do. Whereas I think that the calling out people and offering them money, you can still, you can find a game with that. Like, you could still make it fun.

B (14:15)

Right.

A (14:15)

If you're a teenager who enjoys that sort of thing, it's still a social activity.

B (14:21)

Right. I actually think it might be less successful than just trying to, you know, socially engineering them.

A (14:27)

I mean, how do they pay these people? Like, if you're someone on help desk, you probably don't have your bitcoin wallet handy.

B (14:34)

Yep. So in Joe Tidy's case, they offered to give him half a bitcoin, which is about $55,000, he says, as a gesture of good faith. And I suppose if you're Medusa, actually that's like, fine. I think, like you probably could justify $55,000 to each insider as a cost of doing business, regardless of whether you got a good ransom or not. Because if it pays off, it'll pay off many.

A (15:04)

It will more than pay off. Right? Yeah.

B (15:07)

And if it doesn't, then, well, whatever.

A (15:09)

Yeah. I mean, look, it's a sales funnel. Like if you have a promising client and they're down your sales funnel away and you're a salesman and it's a promising lead. They've got like a lot of budget. It's going to pay off really well for your business. If they buy whatever, you're going to have budget to take them out to lunch. You're going to have budget to like, you know, buy them football tickets. Right. You can. There will be a sales budget allocated for you to do things to entice them to make the purchase. And I think it falls into the exact same category. Right. I wonder if they've got expense accounts for the guys, like filling, you know, syndicate. You haven't sent in your TPS report.

B (15:55)

Yeah. So the thought that occurred to me is, okay, so Medusa Russian doesn't speak English that well is buying or trying to buy insider access. Because they can't do social engineering now. Why don't they just somehow get in touch with the Scattered Spider kids and say you do the social engineering. The more I thought about it, the less it made sense, though.

A (16:21)

I'm like, you couldn't pay me half a bitcoin to hang out with the Spider. Scattered Spider kids.

B (16:28)

Yeah, I agree. I think that's the real problem.

A (16:31)

Right, Right. Oh, my God. Can you imagine having to work with those people? It's a bunch of edgy teenagers who are very online. Right. They're like the worst kind of humans you can imagine in every way. Plus, they're teenagers. Like, it's.

B (16:51)

Yeah. So you get this strong sense that the Medusa Gang, they're air quotes. Professional cyber criminals. Like, there's this guy, he's trying to move Joe Tidy down the sales funnel. He's. He's got milestones and key expected results and. I don't know, he's probably got a family he wants to get back to, or at least a yacht.

A (17:15)

But. Exactly. If you're doing this as a business, if you're trying to make money, you're probably showing up, you're doing your eight hours, your 12 hours, whatever it is, and then you're done and you go and do something else. But if you're Scattered Spider, your business and your life is the exact same thing. You're spending your entire day hanging on this Discord chat and just talking and sometimes making phone calls like, it's. Here you are. You're the Medusa rep sent to go and, you know, liaise with Scattered spider. And after 12 hours of dick jokes, one of them finally decides to try and call someone and it doesn't go through. And they go, oh, we'll try again tomorrow. Right. Like that. But forever. Just on. I mean, intermixed with things. Like they decide to start harassing someone instead of actually doing work where they're like, hey, we found the address of one of our rivals. Let's send pizza to his house. Or like a plumber. Like, that'll be funny. They just do all the stuff that's just. It's not revenue generating. I guess if you do have that skill set, though, like, if you had access to Scattered Spider and you had like the. The ruthless business mind of a proper criminal, right? Like, he could probably clean up. Like, they're very effective at what they do.

B (18:43)

Well, I mean, they have cleaned up. I think the story was $100 million in ransom or something. Like that the group overall over time. But it's just that they seem to not have any purpose.

A (18:57)

They don't take it seriously, I think. Which I guess should actually be a massive indictment of security as it is like a bunch of people with deep voices as their skill set. That's their core competency is the one guy that sounds like an adult and they speak English, which there's a fair few people. A lot of people can claim that, but despite them just sort of dicking around and doing this for sh. Ts and giggles when the mood takes them, they still made $100 million.

B (19:39)

I was thinking that the Scattered Spider kids have gone the other way in that they've used ransomware as a service gangs. But that seems like, let's grab this tool because it adds to what we can do. It's additive rather than replacing the fun with. With something else. That is not fun.

A (19:57)

Yeah. And coding a ransomware tool is probably not as much fun as calling people up and lying to them in group chat. Like it's.

B (20:07)

Yeah.

A (20:09)

Dealing with compiler errors and being caught by an EDR and trying to find new evasion techniques like that. That seems to me like that's fun for a certain type of person, but probably not the same type of person that is going to spend 16 hours on Discord making very offensive jokes and.

B (20:30)

Yeah.

A (20:30)

Trying to scam people. I get this. Probably the Venn diagram is two separate circles.

B (20:37)

So I guess what we see then is that Russian ransomware crews have the business now and the. I guess, professionalism, for lack of a better word, they're driven by the money, they're financially motivated.

A (20:54)

Right.

B (20:55)

And then because it's a job, you want to do it efficiently and get to where you.

A (21:01)

You want to do the bare minimum to get the maximum payout.

B (21:05)

Whereas with the Scattered Spider kids, it's the opposite. It's like the journey is the destination. The money is just a side effect of having fun online.

A (21:17)

Yes, very much. Yeah.

B (21:20)

Like, imagine we can expect never to see the Kaiser Soze of Scattered Spider, because.

A (21:27)

Kaiser Spider.

B (21:30)

They'Re not out to make money, they're just out to have fun. And so everything is a side effect of chaos.

A (21:37)

Right. It's just. It's part of keeping score of. It's exactly like keeping score in darts in a way. Like, who made the most money out of scamming is. Oh, remember when, you know, Jake got a triple bullseye that one time? That was pretty amazing. I think in a way, calling Scattered Spider a financially motivated threat actor is a complete misnomer.

B (22:01)

Right.

A (22:02)

Like they're a sh t and giggles motivated threat actor that happens to make a lot of money. You know, like they're a around and find out threat actor who doesn't have a find out phase most of the time.

B (22:20)

There you go. A new entire new category of threat actor.

A (22:24)

Thanks a lot, Brad. Thanks a lot, Tom.