
All right, for everyone who's here in the IMAX theater, we're going to go ahead and get started with our next talk. We've got Diego M, who is an incident response leader for Latin America with IBM. He's going to come and talk to us about "From 10 to 30 Million: Operating in the Data Extortion Aftermath." Let's give him a big round of applause. Come on out, Diego.
Hey guys, thank you very much for coming to my presentation. My name is Diego. Yeah, it's working. My name is Diego and I'm with IBM as the Latin American incident response leader. I'm part of a global team which is basically a unit specialized in incident response and crisis management. We also provide proactive services to clients in terms of increasing their maturity level in several domains. I have a background of more than 16 years combining defensive and offensive security. My last role on the offensive security side was as the EMEA head of penetration testing and red teaming for a company based in the UK. During that time I saw the WannaCry attack taking place and compromising some of the hospitals and health institutions in the UK, and probably that's one of the reasons why I started to move to the defensive side. I've also been working on a global incident that I'll talk a little bit about here, and that's where the title of the presentation comes from.

So, covering a little bit of the evolution here: I'll talk a little bit about the history of the malware and the ransomware groups over the years and how they evolved. I've split that into phases so it's clear for us to understand the changes.

At the beginning, in 1989, we had this malware called the AIDS Trojan, which would basically encrypt some data on computers in general and then request people to send money through a post office mailbox that was based in Panama. That wouldn't work much, because it's a method that is traceable by law enforcement, and at the same time it wasn't very effective, not scalable.

After that we saw some evolution of the malware and the threat groups. Basically they evolved to using stronger encryption, so they started to use RSA 2048, and they would also go and implement some extortions. This was just one step of extortion that they would implement, which was basically: hey, I got your data encrypted and now you have to pay me so you can have your data decrypted, so you can have access to the crypto keys. During that time, one of the biggest attacks that we saw was the one that took place on the national health system of the UK, which is the one that I've mentioned. It basically impacted several hospitals there, plus it forced the cancellation of 90,000 appointments of the national health system in the UK. Not only did it impact computers but also MRI devices, devices in general that were used by the health system. With that it also cancelled several appointments of potential patients, people that had cancer during that time, and it clearly generated impact on the lives of people.

Evolving a little bit to phase three, what we saw was a phase of professionalization of the attacks. We saw actors now evolving to a whole structure of having affiliates, having a whole program using ransomware as a service, and basically also having a whole internally structured organization so they could execute negotiations and provide 24/7 support to victims, so the victims could reach out to them and start discussing how they could pay them. With that they would receive the encryption keys, or they would pay to potentially not have their data exposed, or also they would pay just to have some help in terms of avoiding more critical impacts to their business. During that time, one of the most famous groups that we saw was Conti, which performed an attack against Costa Rica's government and basically generated a situation that made the government of Costa Rica declare a national emergency.

Now moving to the fourth phase. This is a phase very similar to what we have nowadays, which is related to threat groups maturing their processes much more around using RaaS, using not just one type of extortion but four types of extortion. So for example, if a victim has their data encrypted, then they are going to extort for that. If the victim has some data that it doesn't want exposed, they will extort for that. Or also, for example for LockBit, they would threaten victims saying: hey, if you don't pay me I'm going to start doing a DDoS attack against your infrastructure, and I'm also going to reach out to your customers, your partners and your employees so I can harass them and with that generate more pressure against you. That's also the time that we saw a very famous attack taking place against MGM Resorts, basically stopping the operations of some of the casinos in Las Vegas.

Nowadays, what we see in terms of the path of attack, and in terms of how the threat groups evolve to the extortion phase, is something similar to this one. They will start with initial access, by exploiting vulnerabilities, by stealing some credentials, or by buying some credentials from a broker on the dark web. After that they get access to the internal environment and proceed with the initial recon, lateral movement, then establishing persistence, and reaching the point of exfiltrating information. They can exfiltrate information through proprietary tools, but nowadays what we see is that they're exfiltrating data using tools that are already in place, so WinSCP or a few others, tools that are in place so they don't generate many alerts to the security teams of the victim companies. After that, either they detonate a ransomware and encrypt the whole thing, or they just go and proceed with the extortion itself.

When they proceed with the extortion, what we see is that it all starts with a potential impact on the operations, so stopping everything from working, and proceeding to the leakage of the information. Sometimes you have intellectual property involved in the data that is leaked. Then also the DDoS, and then the harassment. This can generate some financial impacts that then result in gains for the criminals throughout the year: if you look at 2020 to 2025, you see a range of around 600 million to a little bit more than 1 billion dollars. So you see a little bit of variation in the amount of money that cyber criminals collect throughout the attacks that they perform. And that's something that we now see as a reduction during the past two years: we saw a stagnation in the amount of money that they are being able to collect. This is due not just to improvements in the cyber security controls that the companies have, but also, and I think the keynote spoke a little bit about this, to companies now having better processes, companies now being able to better protect their environments, protect their identities, and so on.

But one thing that we also see is that the threat groups have increased. From 2024 to 2025 we saw an increase of 49% in the number of active threat groups performing attacks globally. With that we have more leak events taking place: we saw an increase of 50% in the leak events taking place. That's basically a result of more groups attacking, more information they are collecting, more information they are exposing. But that doesn't mean that companies are paying. Companies, for several reasons, are deciding not to pay; there is a reduction in the number of companies that are paying ransoms. But when they pay, you see that they will pay much more than they used to pay before. From 2024 to 2025 we saw an increase of around 400% in the amount of ransom that companies will pay for each attack, and this is all to finance this whole structure of cyber crime that has been taking place for several years now.

Cyber criminals have identified that, hey, this is a place where we can collect money, so let's structure for that. That's one of the things that we saw through some leaks that took place of some threat groups and the internal structure that they have. For some of the more organized threat groups, you see that they have a structure similar to this one, where they basically have the executive level, the strategic level, the tactical level and the operational level. Here is a combination of having someone managing who we are going to hire, who we are going to pay to be our insider, who we are going to hire to develop some tools, the things that we are going to use to exploit companies, and then how we are going to exfiltrate, so the mechanisms for us to do that; who is going to do the money laundering as well, and basically how they're going to proceed in terms of moving cryptocurrencies from here to there throughout the wallets so they can launder the money; and also who is going to lead the whole thing, the whole strategy.

For Conti, for example, fortunately, because of this leak that some guys from Ukraine decided to do against Conti, which was a Russian threat group, because of the war between Russia and Ukraine, what we see based on this leak is that they had a panel, they had a whole structure around affiliates, they had a whole structure around the roles that they would use during their operations. Plus there was a little bit of source code in there, where you could see more or less how they would work, and also the revenue itself, which in 2021 was 108 million for this group specifically.

Another great example that we have is LockBit. This is a leak that we saw taking place due to Operation Cronos, handled by law enforcement, and also a leak of the structure that LockBit suffered during 2025. Here what we see is the structure of the panel that they have and how much they would charge the affiliate: they would charge 777 for access to their panel, access to their tools, to their processes, and so on. Also how much they would charge the affiliates in terms of their revenue: if, for example, an affiliate successfully executed an attack against a company, then they would keep 80% of the revenue and the administrators of the LockBit portal would keep 20%.

And you don't need the leaks for that, but if you consult the chats, if you look at the chats from LockBit with some of their victims, you'll see that the way they proceed is something like this. They normally start with a discussion around: hey, we compromised your environment and this is the amount of money that you need to give us so we can give you the encryption key, not leak your data, and at the same time not execute a DDoS attack against your infrastructure. Then during the discussion someone from the LockBit team will share the crypto wallets with the victim so they can receive the amount of money for the attack, and if the negotiation doesn't evolve, then they start to execute a DDoS attack against the infrastructure.

Now, talking about this specific crypto wallet: what we see because of the whole investigation of law enforcement is that these crypto wallets are related to several others regarding LockBit, and they are under the name of this fine gentleman called Ivan Kondratyev, who is a guy that suffered some sanctions and, along with the whole LockBit team, got jail. We can also see that only on these specific crypto wallets they moved 52 bitcoins, which is a little bit less than $4 million. But if you check the others you'll see that the amount they've moved is much bigger.

Now in terms of how the attackers proceed and the playbook that they use for the negotiations and discussions, what you see is that there is a good variation in how some threat groups proceed. For example, Akira proceeds in the negotiations by saying: hey, if you pay us you receive a report from us about how we executed the attack, you receive some additional information as well, and plus we are not going to leak your data. Then, depending on how the negotiation goes, the victim is going to receive some discount on the amount of money that they have to pay to the group; the discount here varies from 40 to 60%. You can see that for other groups it's different as well in terms of the amount of discount that they are going to offer on the ransom. For LockBit you can see that they are a little bit more aggressive: if the negotiation doesn't evolve then there is the DDoS. For Qilin, if the negotiation doesn't evolve then they're going to leak the information in a shorter period, or if the negotiation evolves then they're going to provide a big discount to the company.

Now specifically talking about the case of $10 to $30 million. This is a case that we responded to globally through one of our clients, and it initiated in the same way as other incidents: it initiated with a leakage of information, a sample of the information that the threat actor was able to collect. This threat actor exposed that at that time on Breach Forums, and then the threat actor basically reached out to the VP of IT of that company saying: hey, I got your data, I've dumped your data in this specific place, this specific URL, but it's password protected, so if you don't want me to go and expose the password, and with that expose the whole data, then pay me or initiate a negotiation with me. To the company they shared the sample of the data, showing more or less the schema of what they had, which allowed us to start identifying from where they had collected that information. But one thing that the threat actor did was that they leaked as well the script that they were using for the attack, and in that script, by mistake, he leaked a specific API key that he was using. We used that for the investigation; based on that it was very quick for us to proceed with the containment. But for sure, I don't know if you guys have responded to incidents, but at this point you are already investigating the whole thing, so with the whole set of security tools in place, doing forensic analysis, basically investigating logs, and so on, and then somehow when you see something like this it's the aha moment and you say: okay, so now I understand more or less what the path of attack was.

The thing with that is that during the investigation what we saw is that the threat actor had used a credential that was exposed on the dark web, sold on the dark web for $10, and that was one of the privileged credentials that was exposed, and enough for the attacker to get into the environment and compromise it. This whole thing initiated with a compromise through an info stealer called Hakon. With that, the threat actor was able to execute this whole flow of attack, which generated a reputation impact to the company, an exfiltration of four terabytes, the initial access, plus several extortion attempts that he tried but didn't successfully do. So he didn't receive his money, which made him, you know, become pissed off with the company.

When you are responding to a situation like this, then again you need to execute the whole investigation, the whole process of containment, recovery, and post-incident. The whole thing you need to do here, and then you need to discuss things with the actor, and you need to go through, for example, discussions. You need to do this professionally, and I will say why afterwards, but for sure you need to do that professionally. In this case the actor was basically saying: hey, initially he said, I have 2.5 terabytes, but actually he had more; I have an insider, but if you pay me I'm going to expose that insider to you; and basically if you don't pay me, or if you don't evolve on the negotiations very quickly with me, I'm going to increase the price, and I'm going to increase the price per day until we reach $30 million. That basically generated a whole discussion with the crisis team of the company. In this kind of situation you need to have a whole team of executives and basically the crisis team, establishing some process, some playbooks in place and a few things, so you can be sure that you don't complicate the situation even more, for example by overcommunicating to internal employees or external folks and with that generating more impact to the business.

Talking about impacts and financial impacts: what we saw on the news are famous cases like these ones, Colonial Pipeline, Change Healthcare, and some of them paid their ransom, paid like 22 million, paid 75 million. But after paying, you have to always remember that you have the financial impacts of your reputation, of improving your processes, of hiring people, of buying solutions, tools, of losing value on the stock market. So it generates a whole level of impacts. We have these four cases here, but we have many more globally that took place; this is just what we saw on the news, but actually there are many more depending on the country, depending on where the incident took place, and whether there are regulations or legislation that require them to disclose that the incident took place and the impacts around the cyber security incident.

So we have the problem here, which is that we have several types of extortion. We have a situation where it's not just about having backups and then you are going to cover the whole thing; you receive extortions around having your service not working anymore because they are attacking your services, having your information being exposed, or also having the threat actors reaching out directly to your clients, customers in general. And these communications evolve very quickly. What you have to do in this case is map all the types of extortion, the types of negotiation that you are executing, and after that you have to have a reaction. Here I suggest three work streams, involving executives, the operational level and the tactical level.

So first, to map the type of extortion, you need to basically understand the situation that you have, which is going to change the actions that you're going to execute. For example, in a single extortion you have some data that was encrypted, and with that you need to understand and isolate, basically understand where the malware is that is executing the compromise and the whole thing, and at the same time reach out to legal counsel, so you can understand what the impacts are if that data gets exposed, so they can react to the regulators. You have different reactions for the other types of extortion, but I've mapped them here, and I suggest that we map them based on MITRE, so you can basically understand the whole process and procedures that you have to execute.

After that, what you have to do is have an alignment with the communications level, the executive level and the technical level in terms of: okay, so if this takes place at the beginning of the whole discussion with the threat actor, then what we have to do as a parallel work stream is declare an incident, activate our crisis management team, proceed with the whole containment, blackout of communications internal and external. So there is a whole procedure here, which I detail on the next slide, which is basically, for example, for the beginning. Then what you have to do on the technical level is proceed with the standard one: investigation, forensic analysis, basically hunting. The executive level has to be prepared for communications, for discussions with reporters, the whole pressure from the media; and on communications as well we have to have statements already prepared in case everything complicates.

Then for the next 24 hours you have a bit more complicated situation, because the threat actor will reach out to you and say: hey, so let's proceed with the negotiations, or no, let's basically start to discuss me leaking your data or generating impact on your infrastructure. If they proceed to that, then depending on how they are going to generate those impacts, through data leakage, through DDoS attacks, or through the harassment of employees and the whole ecosystem of clients that you have, you need to have well-established processes in place in terms of how you're going to escalate the situation, how you're going to deal with the technical side, how you're going to deal with the communication side, making sure that employees don't expose things. Also at this level it is required for you to have a discussion with the executive level about whether they're going to pay or not for the ransom, because that's a discussion that takes time. Whether they decide to pay or not depends on the country; there are many nuances involved here in terms of paying or not, financing things or not. But if they have to, they have to discuss how to proceed, how to move money to a crypto wallet so they can execute the payment; if not, then how they're going to protect themselves from the exposure of the information and the impacts that this is going to generate. This is very important because there are some communications that took place with some threat groups where the threat group is saying: hey, if I get your information exposed, then based on the contract that I saw here, that I have exfiltrated from your infrastructure, you are going to have impacts and you are going to lose clients. So those are a few things that you've got to be careful about. You've got to always remember that you need to hire the proper people to establish this kind of communication with threat groups, and if you have to establish this kind of discussion with them, do that professionally, because this is probably a type of communication that is going to get exposed in the media. Thank you very much. That's it, guys.
All right, everyone. A round of applause one more time for Diego. Before we get into any Q&A here, I have a few housekeeping announcements. First of all, lunch is happening right now up on the City View level, so please go and get some lunch. We will be resuming talks here at 1:45 p.m. Please note it does take some time to get up to the City View level and back. As you're exiting, please exit to my left, your right, if you can. We also have a raffle running upstairs; thank you to our lovely sponsors. You can get a sponsor passport, get the stamps, and then you can do the drawings there. Also, very good service: we have headshots all day today. Go get your headshot. I got my headshot; you'll see it on social media somewhere. I recommend you all do the same. And as always, thanks again for attending this presentation. We would also like to take some time to thank all our sponsors, especially the gold sponsors Aikido, Arcjet, Clover, Datadog, Socket, and Sublime. I think Diego will be willing to take two questions from the room. Any questions from the room? We got one right here. Yes, sir.

>> Hey, what would you think about liabilities? A big thing is, there's a lot of talk, there's a lot of examples of CEOs or CISOs getting into big problems, going to jail, because they didn't take into account the liability of the oppressor. So I don't see that anywhere.

>> Yeah. Okay. So just to repeat the question a little bit: it's all about liabilities. Diego, what do you got for us?

>> Yeah. Depending on the country... well actually, the best option is always to get law enforcement involved, and also legal counsel involved as well, because this is a kind of situation where you're going to deal with a criminal, and sometimes companies just decide not to deal with criminals, or reach out to them, or even get on the chats to establish a communication with them, because the threat actor will know that they got access to the chats. But if you have to do that, there are specific companies that you need to hire, I suggest you hire, to proceed with that. You also need to activate your cyber insurance as well. For sure, in a situation like this, legal counsel, law enforcement and cyber insurance have to be involved, because it's a kind of situation, as you said, that can get people in jail, or can generate an exposure of the company, and people will say like, hey, you know, that's how you treat our data, that's how you treat your clients, or even they will do something wrong that gets them in trouble. Yeah, and I agree with you. That's critical.

>> All right, I'm actually getting a message here that we need to clear the theater. So I'd say find Diego up on the City View; catch him during lunch if you have more questions. Once again, a round of applause for Diego. Thank you all so much for attending. We'll be back here at 1:45.