A
Hey, everyone, and welcome to Seriously Risky Biz. This is, of course, our podcast, all about cyber security policy and intelligence. My name's Amberly Jack, and very shortly I will be chatting to Tom Uren, our policy and intelligence editor, all about his Seriously Risky Business newsletter that's been published today. And you can, of course, find that, read it and subscribe at our website, Risky Biz. First, though, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And finally, we do have a corporate sponsor this week as well, which is Corelight, so massive thanks to them for that. G'day, Tom. Thanks for joining me.
B
G'day, Amberly. How are you?
A
I'm good, thanks, mate. And I'm really keen, actually, to chat to you about this first piece that you've got in the newsletter today. So, the Clop ransomware gang has been making headlines again with the recent mass exploitation campaign targeting users of Oracle's E-Business Suite. And you've got a really interesting take here, Tom, which is that there's going to be ransomware. So from a government perspective, it's kind of ideal if they all look like Clop's campaigns. And so maybe they shouldn't be a target for hunting or stopping, and I guess let Clop be.
B
Yeah, yeah. So the story is that Clop is a really interesting group because they deliberately go out and find 0days to exploit particular types of devices, and they've got this playbook, which is: we look for enterprise edge devices, we find a 0day, we go out and very rapidly exploit everything that we possibly can over a couple of days, all right? And they'll do things like they'll start on a public holiday or a weekend, so they get a head start on defenders, and they'll just get access, steal everything that's on those boxes, rinse and repeat, and then at some point they'll sort it all out and then they'll send out extortion emails saying, we've got your data, give us some money, else we'll publish it.
A
So, still not the nicest guys.
B
I mean, you know, they're criminals.
A
Yeah.
B
But in terms of the damage that they cause, it's actually remarkably little compared to other types of ransomware. So historically, Clop was just a normal, normal ransomware gang, where they would just lock systems up. And the coercion or the lever they've got is that if you pay us money, we'll give you the decryption key. Then they went to what's called double extortion, where they would lock systems up and then they would also steal data. But then they decided to just, let's not bother locking systems up. Let's just steal data and extort. And from a government point of view, this is the best kind of ransomware because it doesn't cause that operational disruption. And, you know, if all ransomware groups behaved like this, we'd actually be better off. We'd still be. People would still be paying ransoms. That's bad. But it's not as if, like in the case of Jaguar Land Rover, factories have been shut for weeks. Businesses relying on those factories aren't operating, people are hurting. It's having a systemic effect across the whole British economy. Now, to be clear, it's not 100% certain that encrypting ransomware has been deployed on Jaguar Land Rover, but it's pretty clear that the intent of the hackers was to cause disruption. And so you've got these two different camps. We're causing disruption, and typically they use encrypting ransomware for that, or we're just stealing data and trying to extort that. And so from a government perspective, is there a way we can encourage ransomware criminals to be more like Clop and less like the Jaguar Land Rover mob? So that was my thought process behind the piece is, is there anything we can do now? I'm not sure that there is, but I think for a start, it seems to me that Clop gets an outsized public profile, like, okay, it's extortion. That's not good. But why give them any attention? Like, let's just move on. From a law enforcement point of view, if you're prioritizing operations, I would put Clop down at the bottom. Like, you know, once you've gotten rid of all the bad ransomware that causes businesses to really suffer, then we can get to Clop. So I guess that's the perspective I'm taking there.
A
Yeah, for sure. And I just want to jump back because you sort of mentioned there, you know, should. Should governments try and sort of sway ransomware gangs to be more like Clop? Do you think they should? And if so, do you think it would make any difference?
B
I think it's an idea worth thinking about. So Grac and I have talked about it in the past. I think that certainly you should prioritize the most destructive groups first. So that is, in a way, trying to shape the environment. My feeling is that there's like different ecological niches that these groups operate in. And Clop is in the, we won't, it's in the sort of large scale, not very. We're just stealing data and we're just threatening to publish it. That's not a very strong threat. But because we'll get a lot of reach by going through mass exploitation of particular devices, that's good enough. So that's one strategy. Another strategy, which is actually a lot more work, is to burrow in deep into an organization and then really try and disrupt it. And so you need to do the work to understand how it operates, what parts you're going to encrypt or disrupt to actually have an operational impact that they'll care about. So that's like a high investment, potentially high return. So if you get into a large organization where there's a lot at stake, you can potentially get a big ransom. And so that's a very different type of strategy. And then there's like, you know, the commodity: you automated lock up consumer level systems and maybe charge 100 bucks per key or something like that. And that's a different strategy again. I think people will fill these niches regardless of what governments do. But you want to try and shape as much as you can. So I guess for the really impactful ransomware it's like, let's arrest these people, make sure they go to jail for as long as possible. And that's a form of deterrence and that will shape the market at least a little bit.
A
Yeah, for sure. And I mean it's pretty clear that Clop, despite not being super disruptive, is still making pretty good bank with their.
B
Yeah, so there's a ransomware incident response firm called Coveware, and they get data from the firms that they've helped deal with incidents, and they produce statistics every quarter. And they estimated that Clop would make somewhere in the order of 75 to 100 million US dollars from a previous campaign which they ran, I think it was two years ago. So that was a particularly successful campaign. That's good money. Yeah, I've got to say. So I don't see them stopping. It seems like they've settled on a place where they're happy, and they, in the sense of, I think they do these campaigns, it seems like their current pace has been one or two a year where they find a particular target system that they like. So they've gone through half a dozen at this point different types of enterprise file transfer software or devices or appliances. And you know, if you're making, let's say in the order of 10 million to 50 million once or twice a year, that's pretty good. Seems like a good living. And they also do things that I think appear to me to be deliberately designed to reduce their profile in terms of government and law enforcement attention. So they'll say things to media like, ah, yeah, we, if it's government or military or state scientific research, we just delete the data. And they'll say that to media apropos of nothing, just out of the blue. And by the way, we delete all the important data that governments might care about.
A
So they're playing the game.
B
Well, yeah, that to me seems like this is the strategy: we'll pursue a low profile, broad based, get a bit of money from lots of companies. And according to Coveware, the actual size of their payday is driven by a small number of companies that are willing to pay a lot. So for whatever reason, those companies find the data that's been stolen is particularly sensitive and they want to keep it under wraps. And so that seems to me to be a good low profile strategy that works for everyone, in the sense that it works for the criminals, but it's also the least bad type of ransomware from a government, a victim. Government perspective.
A
Yeah. So if you're going to be a criminal, be a Clop style criminal, I guess.
B
Yeah, that's the message.
A
Hey, moving on, Tom, to the second piece that you've written about today. And state backed influence campaigns seem to kind of be all the rage at the moment, but the US has its head stuck in the sand, I guess you could say, and is pretending they don't really exist. And you're saying it's time to change that. Wake up, pay attention.
B
Yeah, so pretty much as soon as the Trump administration came into power, the Attorney General, Pam Bondi, she shut down an FBI foreign interference task force, I think like the first day she was in the office. And then in April, Marco Rubio, Secretary of State, shut down the State Department's office that countered foreign influence operations. So basically they both shut them down. And my, my take is that it was driven by their sort of party political biases about influence operations. Now since then there's been this regular stream, more than ever, I think, of the media reporting about different countries running influence operations. So in the piece I talk about an Israeli operation against Iran. That one was particularly interesting because they actually timed some of the campaign's activity to coincide with airstrikes. So this was when Israel was bombing Iran, they actually tried to develop greater, it seems to be intended to incite action against the Iranian government. And so it was timed to coincide with those airstrikes on a notorious prison. I guess the point is that countries are trying to use it as a tool of statecraft all the time.
A
Yeah, yeah.
B
There's. There was a Chinese operation that was outed recently. The Chinese. Chinese embassy in the Philippines was paying a Chinese company to do social media work. And then there's, in fact, the US has even done these operations. So these things exist and they're ongoing. There's Russian operations going on all the time. And basically the US sort of stuck its head in the sand and we're not going to pay any attention to them. And I think that's just a mistake. So there was a report in the last couple of weeks that the State Department was considering reinvigorating these offices, reinstating them, restarting them. I'm not sure what the right term is. It seems to me like these operations go on all the time. Just ignoring them and pretending them. Pretending they don't exist is just like, foolish.
A
And these operations are detrimental and effective as well, aren't they? They're not just, you know.
B
I wonder how effective they are. So there's a lot of them that go on. People are trying all the time. It just seems like, whether they're super effective or not, it seems like a bad idea to take your eye off the ball.
A
Yeah.
B
And I think there's a lot of value in just calling them out and saying, this is what went on. And you allow people to make up their own minds about what. What it actually means. But I think the best reports are the ones that dive into the mechanics of the operation and say, here are the moving pieces behind what you see on social media. And that transparency, I think, is good. One argument you could take, if you had done that for an amount of time, is you could say these operations typically amount to nothing, so we're not going to care about them. I think that would be a. That's a reasonable argument to actually shut down that kind of State Department office. But unless you're tracking them in the first place, and that's not the argument that Marco Rubio mounted either. Unless you're tracking them in the first place and saying, you know, these ones are important, or these ones made no difference, or they all made no difference. Like, what basis do you have? I think you've got to at least observe them and track them, and then you can decide what you want to really do about them and what the right response is. I don't think the right response is to ignore other countries trying things all the time.
A
Yeah, for sure. And that's the thing. If there's. I mean, if there's. If there's enough of them, you throw enough mud, something's going to stick. So surely you need to, you know, pay attention to at least what they're doing.
B
Yeah, I think so. I think if it was, you know, China, Iran, Russia, North Korea, they're building a new type of warship, you wouldn't go, oh, well, the first ones amounted to nothing. Let's just ignore it all. Let's not pay attention whatsoever. And I think it's a bit analogous to that, in that they're all trying this new way of manipulating the world. Yeah, they're all trying it. That makes you think that they all think it might work. So let's just ignore it. This is the current approach.
A
And I mean, you mentioned, Tom, that there was reporting that the State Department is sort of thinking about reinstating these. Do you have high hopes for that?
B
I'm not sure. I think it depends entirely upon how it's framed politically. So that's a political answer and not a what-makes-sense answer. I think raising the question is the, you know, that's logical and makes sense. What should we do about this? I think the politics of how those operations are perceived is entirely what will decide whether they get spun up again. Maybe we'll see them under a different name.
A
Fingers crossed. Wake up. All right, Tom. Hey, we might actually leave it there, but thank you so much for joining me again today. And of course, you can read Tom's newsletter, Seriously Risky Business over at our website, Risky Biz. And, Tom, I will catch you the same time next week.
B
Thanks, Amberly.
Host: Amberly Jack
Guest: Tom Uren (Policy & Intelligence Editor)
Release Date: October 9, 2025
This episode of Srsly Risky Biz dives into the distinctive operating style of the Clop ransomware gang—focusing on why their approach makes them “big fish” but not the most destructive or urgent targets for law enforcement and government action. The hosts also discuss the broader cybersecurity policy landscape, including the United States’ reluctance to address state-backed influence operations, and the risks of ignoring this growing threat.
Rapid Mass Exploitation:
Shift from Ransomware Encryption to Data Theft:
Should We Encourage 'Less Bad' Ransomware?
Attempts to Shape the Ransomware ‘Ecology’:
Profitability:
Reputation Management:
Key Quote:
[10:00] Amberly: “So, if you’re going to be a criminal, be a Clop-style criminal, I guess.”
[10:05] Tom: “Yeah, that’s the message.”
Disbanding Monitoring Efforts:
Rising Threat, Persistently Ignored:
Is Inattention a Viable Strategy?
Will Policy Change?
This episode offers a nuanced look at the ransomware landscape, showing how not all attacks are equally urgent from a government or victim perspective and why focusing on the worst offenders may be the best use of limited resources. The hosts also highlight the ongoing challenge of state-backed information operations, urging policymakers to get serious about tracking (and countering) these campaigns rather than wishing them away.