
Proactive Security Through Historical Knowledge - Bob McArdle

BSides Galway · 59:59 · Published 2025-03

So, hi folks. Uh, so welcome to to Bites Gway. Um, so we've got a lot of interesting talks that we're going to get through today. All that's standing between you and a whole bunch of interesting talks is me. So I'll get through this relatively uh okay and quickly. Just as a short introduction to myself for anyone who doesn't uh I don't know. Um, I head up two research teams in Trend Micro down in Cork. One is like an operational intelligence team. So they spend pretty much all day in the criminal underground monitoring what criminals are doing to try to figure out what the threats are today. And then the other team is a strategic threat

intelligence team that look at the kind of future evolution of crime. Right? So where is technology going? Where's user behavior evolving? Where's threats evolving? And then based on all that, where do we think the next level of cyber crime is getting to? So in short, what I actually I really love researching is the whole field of cyber crime, the motivations behind it, the people behind it, all that kind of stuff. So I will have some time hopefully at the end of the talk uh for uh some questions. Feel free to ask me any question on cyber crime that you're interested in not just stuff we've covered in the slides. Right. So in the talk what I'm going to talk about is a

bit on the current state of cyber crime. How we got to this point in terms of an evolution and a bit of a history lesson and then especially where it's going to go in the next one to two years or so. But rather than dive deep into kind of like technical details of like new exploits and things like that, I want to instead explain the business models of cyber crime like that actually make money and the human beings behind it and that how if you focus in on them that let you predict what's coming next much more than looking at like today's top 10 exploits or top 10 malware or whatever else, right? So we're going to go on a

bit of a history tour in this one, but we're going to if we ask the question, what is today's threat landscape? Then this presentation gets really short really quickly cuz we just say it's ransomware and then everybody goes home, right? Uh in reality, I could add some extra ones up here. There is other ones like, you know, business email compromise, merges to deep fakes and AI scams and things like that as well. But generally speaking, there's kind of one dominant platform at any given time. What I want to talk about more though is what is tomorrow's threat landscape going to look like and how do we get ahead of this? And to do that, this is

actually the wrong question. The right question is why is today's threat landscape which I appreciate is terrible grammar but it looks better for transition on the slide so let me wait right now. So the good news is we actually already have a pretty good understanding of what's coming next or at least we can predict with reasonable confidence what's coming and that comes down to studying the again the humans and how they've evolved to different technology shifts over time. So, what we're going to do is as a bit of a history tour, I've broken down cyber crime evolution into distinct eras, right? So, they don't all cut off really nicely at the dates that I show here.

They have a bit of overlap with each other, but in every case, there's a kind of uh what you call a major branching event, right? That jumps from one period to another one. We call them nexus events. Anyone here seen Loki, the Marvel show, right? That kind of thing. Something major that causes a major shift, right? So I'll be a bit more rapid fire obviously on the early ones because they're a bit ancient history but they are really important to understand the future and then we'll go into more detail as we kind of get closer to today and then even more detail when we talk about the the future right so let's go into start us all off

right so cyber crime started in the early to mid 2000s with the emergence of of kind of modern cyber crime and around that time uh cyber crime was really about two main things it was about carding, so stealing credit card details and about spam. Those were the two major business models at the time. Before this, there wasn't really a cyber crime scene. There was like a hacking scene with some people who were making money, by the way, but it wasn't like professionalized criminality that we kind of saw that evolved at this point. So, cyber crime was very much a hobby. Uh, and it changed in this time to what you did for your job like 9 to5 you did

cyber crime, right? So, there's a big shift. So and around this time then the volume of malware exploded because especially around developing of botn nets to send all the spam that was going around at the time and info stealers as well for stealing the credit card details, banking details and that kind of thing that criminals were monetizing at the time. So these were all generally quite manually triggered uh very ad hoc in targeting wasn't really industrialized at any sort of scale yet. What that ended up doing though, people suddenly had all of these like credentials and stuff that they' stolen. They needed places to go to actually sell them, right? So that necessitated the birth of kind of criminal forums,

criminal marketplaces. Telegram wasn't really a thing yet at that stage. So it was mostly like uh forums. Um and people could come and sell their different stolen goods, right, at different prices. And the prices started to standardize because there's just so much of this stuff online that people would start to standardize on like an American Express card from somebody in US would get a certain sort of pricing to it. One of the most famous forums at the time was one called Carter Planet um which was uh so successful that back in 2002 it was I think it was like 400 members of Carter Planet traveled to Odessa in the Ukraine and they held the world's

first Carter conference which is what they called it. They basically all got drunk for a couple of days and they planned out the next 10 years of how they were going to commit crime together. Very successful. And some of these are still cyber criminals today who are multi multi-millionaires at this point. Also, because the for the forums got bigger and bigger, they started to get to about 5 6 thousand people on these, they had to come up with like organizational structure to make that all work. And because they're not terribly innovative, they just copied the names out of the mafia. So the guy in charge of actually Carter the planet uh script who's since been arrested um

he gave himself the title of godfather and then his forum admins were dons and then you had constaries and you copy the kind of like Sicilian mafia naming convention right by the way they don't actually behave anything like a mafia I might get to that later on but they copied the naming convention from them so jumping forward a bit then to the late 2000s and early 20110s and just before I get into this I want to point out one small thing. Uh, who here is working in a company that has a marketing department? Right. Our marketing department get paid to update our slides every year with fancy new uh, like looks and feels to them. This year,

for some reason, they went with black backgrounds and red texts, which is impossible to see in any room. So, that's why I'm telling you what the titles are cuz you can't see them. Right. Anyway, so in uh late 2020, sorry, in late 2000s, we had the first Nexus event, which was the arrival of chip and technology, right? And around that time, the credit card companies who've been losing a fortune from all this stolen cards actually started putting like proper fraud detection and things in place when you go and bank and stuff or shop online. So the criminals as a result had to pivot a bit from caring and where they pivoted to now we're down to like intimate mood

lighting. Right. Okay. So what they pivoted to was to the banking industry. So genuinely, believe it or not, up in the top left is what an actual financial site looked like back then. This is not like something that like a teenager put together. And then down the bottom they would inject extra fields. So they would do all that kind of like what is your mother's maiden name, what's your pet's name, whatever security questions that you happen to have at the time, right? So uh one of the most popular malware for that at the time and this is going to be still important even in today's world in a minute was one called Zurus and that was the one generating these

extra fields in there, right? A key reminder though at the time the banks were getting hit for a lot of money because people were stealing money out of them but they weren't actually the target of the crime. All cyber crime at the time targeted individuals not companies. So it was like my bank account or your bank account. It wasn't like AIB or Bank of Ireland that was being targeted. Right. Also during this time we saw the emergence of some key cyber criminals who would go on to revolutionize the entire industry and are still major players today. So the first I want to talk about is the guy on the left Kenny Bogachef. He was the author of that

extremely uh popular Zeus banking trojan I mentioned. And what set Zeus apart wasn't just that it was really really good at stealing banking details, but was also how he actually built it. So rather than building it and then just using it himself, he actually made it available for a monthly fee. So you subscribe to to ZUS, you pay a certain amount per month. There's different tiers depending on the level of features you wanted. You had like ser um you had like customer service, you would fix things if they broke, all that kind of thing. And that really drastically dropped the barrier for entry for cyber crime. So now you didn't need to know how the actual stuff worked. You just

pay a fee, you get a product, you deploy it, game on, you start making money. Right on the right hand side, joining Bogf in this Hall of Fame is one of his key customers, Maxim Yakabitz. Remember that name. It's going to come up a bunch later on. And Maxim um was one of the largest users of Zeus and very made a lot of money out of it. And the way he ended up doing that was he realized he wanted to get this this software onto as many machines as he possibly could so that he could make money from that. So to do that he had to come up with really innovative ways to make massive botn

nets that he could deploy this on. Problem was he ended up compromising so many millions of machines that he actually didn't need them all. So he started a whole separate business where he would sub rent out infected machines to people. So he might like deploy zeus on some of them for other people who wanted to send spam. He'd be like, "Sure, I'll give you a,000 machines today. You pay me this much per machine. Oh, you want ones in Ireland? I can give you Irish ones. I can give you French ones, whatever you want." Right? So both that really then changed again how easy it was to get access to infected uh things. To give you an idea of how

successful these two were and people like them, the FBI have um accused Boachef of stealing 100 million dollars from the United States alone. That doesn't count anybody in the rest of the world. That's only from the United States. And both of these individuals have um wanted notices on them. As you can see here, if you can have any information that will lead to the arrest of one of these two, you will get paid about 5 million by uh the FBI. assuming that Elon hasn't actually scrapped the FBI by the time you actually talked to them. Right. Um, but as you will see, for reasons later, neither of these are ever getting arrested. So, what Whoa.

Okay. Right. Now, we're really down to Maybe we can probably put the lights on in the back room, let's say. Right. So, what is most important here is that what they ultimately created was something called cyber crime as a service. So they've broken the link between people who actually developed all of this stuff and actually your ability to commit it at at scale and over time a whole ecosystem to support this exploded. So we had exploit kits, we had spam, we had botn nets, we had everything. Essentially all that would stand in the way between you and building a criminal enterprise which you just to up the idea you went to the individual people and

you just paid for the different services, stick them all together and hey presto, you've got cyber crime. And if you want to know how why this is as successful as it is, this is the same sort of like microervices model that cloud computing is based on and like the Amazon where you just stitch all these things together and hit presto, you've got a cloud app, right? So very very successful. Fast forwarding then to uh 2013 20 up to about 2015 and what you'll see here is the gaps between these major nexus events get shorter and shorter. Used to be about five six years now it's every about two years something major happens. So in this period two things

kicked in at the same time. You had uh encryption and you had bitcoin right uh which both arrived on the scene. So around this time let me just put this on the screen light up the room again a little bit. Um so around this time at the start of it one of the most successful types of criminal approach was something called police scareware. So effectively this was a locker. If you know what a locker is, h when you try to log into the machine, you can't because this thing would pop up and you can't do anything apart from this, right? So, they would always impersonate a local police. This is the Met Police in the

UK. There's ones for every country. They just took the logos of the individual ones. Uh, interestingly, there's one for Gardishia. And because the Russians had no idea, they put all the text in Irish, which meant that unless you were like some granny and spittle, there was no chance in hell that anybody was going to pay this, right? Um but the problem with this police or squareware is it's actually really easy to stop if you have a security solution. Security solution and like caring a level you just kill this and problem solved right. So what they had to do was they evolved and in 2013 the major change happened with something called crypto locker. So crypto locker was your first classic

ransomware right? So it actually encrypted the files genuinely if you didn't have the key doesn't matter what security software you have you couldn't actually you know get the files back right so from a business model point of view much harder to recover uh it was actually developed by bogfev the guy on the left from earlier who built Zeus he realized at this time the pivot from banking to ransomware would make him much more money effectively one other thing is that it's they charge $300 if you got infected by which was laughable by today's terms in terms of ransomware, right? But remember at the time this was a consumer volume business that the criminals were doing.

Hit as many people around the world as possible, get $300 from each of them and hey press you make a lot of money and it did make them a lot of money. Bogachef in the first two months from crypto locker alone made 27 million. So he made 27 million in two months where had he made a h 100red million in the previous about 8 years just to give you idea of how much more profitable this is than banking malware right and that marked a noticeable change that shifted today. So people might realize this but this is a completely different crime than stealing credit cards. Stealing credit cards is theft. This is extortion. It's a very

it's actually literally different sets of crimes, different penalties, different everything in the books. The catch with this is there's one big problem holding back commodity ransomware from making your fortune and that's getting paid. So at the time the way to get paid where all these like things like pay safe card, Ukash and so on. They're effectively like vouchers you can buy in whatever country you're in. So in Ireland you pay you buy a UAS card and then somebody in Russia, Ukraine, wherever they were could cash out the card, right? So that's how the thing worked at the time. The problem was there's limits because they're basically just vouchers. So you can't like put million through this or you you

have limits of a couple of thousand that could go through these type of cards. The other things here were centralized platforms. So law enforcement did shut down some of these and all the money went. So Bitcoin comes along and changes all that pretty drastically. So Bitcoin actually was invented in 2008. I think it uh got more popular in cyber crime around 2012 and then really like 2013 onwards it got used massively. Right. And to say it had a massive impact on cyber crime is a vast understatement. So the reason why Bitcoin single-handedly it solved five major issues the criminals were having at the time all in one go. So first of all, it provides a

really good layer of anonymity. As long as you keep your wallet separate from your real identity, you basically can't trace who you are, right? Second thing was it's not so easy to seize. So as long as the criminals keep their private keys, some are normally offline, ideally not in a major crypto exchange, then again nobody can take the money off the blockchain. Third thing was it bypasses borders. And this is really important. So at the time there was next to no regulation on Bitcoin. There still is not great regulation on Bitcoin, but it meant that somebody who got infected ransomware here in Ireland or United States or whatever could now wire money directly to Bogachefs and his friends

over in Russia through this system, right? Cash out was another thing that became really easy to do. So, if you have a whole bunch of Bitcoin and you go to one of the exchanges who will turn it into like, you know, cash for your like wire to your bank account, they'll take a fee of a couple of percent. was not too much. Whereas at the time, how it used to work with carding was they would have whole networks of money mules who would receive things like iPads and expensive like laptops and cameras. They then reshipped them and resell them. And genuinely, you would lose about 50% of your profits going through the money mule networks. So if you made a million,

you got you ended up with half a million by the time it was done. Whereas with Bitcoin, you end up at 950,000, right, of that money. And most importantly, it can handle really large transfers. So, as the blockchain got more popular and all the crypto bros kind of piled on top of it, suddenly you could transfer hundreds of thousands or even millions through the actual system. Um, as you can see uh from the picture, the stock uh image here, Bitcoin is also very um associated with disembodied spirits and hoodies. If anybody's interested, this is what all the Nazco went on to do after Frodo put them out of a job at the end of the learning. Right. So the end

result though is the payments for ransomware keep going up and up and up and up as a result of the scalability of Bitcoin and that leads to a class divide in cyber crime which is really important uh to this day. So on one side over here on the kind of right hand side right you have the original like carder elite class who'd made literally millions right from doing carding. They were now joined by these people who'd come along and done the commodity ransomware and become millionaires and so on in their own right. On the other side, you have a kind of workingclass criminal, the people supplying all those different services, the botnetss, the spam, the

exploit kits, that kind of stuff, right? And because they're not as directly touching the final victim, their job is not as risky from being caught by law enforcement and so on, but they just don't get paid as much money as the the kind of more elite class over here do. Now, they're still getting, don't feel sorry for them. They're still getting paid much more money than like a normal wage in the country that they're in. But there is this kind of class divide that's starting to happen between the two and that gets really important as we go into today's world. So, jumping up to uh the next period uh where we start seeing ransomware evolve. So, the

biggest problem was there is a limit when you're targeting individuals and you want to steal money from them at ransomware. there's a limit to the amount of money you can get from it because people have a limit to the amount of savings they have. I don't know about you, but I don't have millions in my bank account, right? So, what do you who do you target if you want to get even more money? And the answer is pretty obvious. You target companies. They have millions, right? But that changes things completely. When you start to target companies, not individuals, the entire landscape changes. Because if you're targeting an individual, you send maybe some spam emails, you get them to click an ad or

like a drive by download on a website or something. When you target a company, you have to get in initially, laterally move around the network, take over like admin rights, disable the security software, all of that sort of stuff. And it's a completely different ecosystem to support that than a whole bunch of botnet sending spam every day for you, right? So, it's also at the time at least a lot more manual in nature. So, we entered a world of very human-driven ransomware but getting paid way more money in one go than the like $300 that they were getting off individuals. So, we moved from a world where uh it was cyber crime as a service to one that was

really ransomware as a service. The entire ecosystem changes to uh support and prop up this kind of emerging um setup. One of the most important roles in this ecosystem was what were called initial access brokers. So essentially people who would compromise a company or organization and then they would go into their marketplace and say hey I've got a company for sale and they would sell it on and the ransomware guys would buy that. Guys or girls would buy that and then monetize it and do the ransomware site. The problem is the initial access brokers are charging maybe thousands for access to a company but the ransomware groups are later making hundreds of thousands from ransoming it and the

initial access brokers don't like that much for obvious reasons right because they feel like we've done all the hard work you just deployed ransomware in the network like who cares right so what ended up happening was rather than going for a flat fee some of these initial access brokers evolved and had an agreement with the ransomware groups where they became what we now call affiliate So they would split the money effectively. They would say, you know what, we will do everything. We will get into the network. We will disable security software. We'll have admin rights. We will do everything up to the step where we just deploy your ransomware. But we're taking more money out of this. We did way more work than

you did. So it ended up being normally like about a 7030 split. It's pretty common. It depends on the affiliate. Some affiliates may be 8020. Uh but generally like 70 in favor of the affiliate, not the ransomware group. And that might seem weird, like if you're a ransomware group, why would you give up 70% of your profits to some fellow? The reason is because it scales it up massively. The ransomware groups just build a decent ransomware that works and then they just sit there and they let the affiliates do all the work for them and they're essentially taking 30% of everything while they have to do very little work. They actually by doing this, the ones that embraced it made far

more money than they ever did when they were individually targeting people themselves. So ransomware had switched from a malware type very much to a service with a very good ecosystem around it and it broke this traditional link again between the developer of the core like malware ransomware whatever and the people who are actually making the most money out of it which was the affiliates in this case. So the whole ecosystem pivots again around this whole ransomware as a service. Um and it was actually really less common to see theftbased services as a result. So even like info stealers nowadays info steelers can of course you know steal credit cards and banking details but it's not uncommon to find people who run

info steelers in a company network do genuinely get some credit cards that might have been lying on the machine toss them away just don't care about them they're relevant they just want the VPN details details the things that get you into the actual company itself so ransomemer also helped get around one of the biggest issues with targeting a company so if you go and you hack a company tomorrow. And by the way, don't go and hack the company tomorrow, right? But if you did, you end up with, let's say, terabytes of data you've pulled off your network. Cool. Great. And that's full of things like, I don't know, customer list and source code and documents and everything else. What was

how do you make money out of that, right? So, yeah, of course, you can rip through it and you get banking details and stuff like that and sell them on, but it's all the other stuff. Like, maybe you could sell it to a dodgy competitor of the company, but that really doesn't scale well and there's no guarantee you're getting paid. So the nice thing about ransomware and the beauty is they found the one person always willing to pay for your data that thinks your data is worthwhile and that is you yourself right simple as all that they just charge you to give it back to you. So it's very much moved from that extortion model again on the human side

of things bring up our good friend again uh the lives of some of these individuals like Maxim Yakabits are now playing out like a bit of a soap opera. So if you remember uh Maxim was the one of the main customers of Zeus back in the day, right? Um wrote a lot of botn nets and things around that. So he's born in 1987. Uh he already had about 15 years of experience in cyber crime. Uh at this point he'd also successfully pivoted from the banking days into the ransomware days into the ransome service days. He's actually he's quite a good business person. He set up a criminal group which is known as evil corp which

is not subtle at all. I mean that like tells you what they actually think of themselves. And if you remember a ransomware called Bit Paymer or Doppel Pamemer, this was Maxine Yakubist who's the guy behind behind that. Here is a kind of fuzzy picture. That's Maxim standing chatting to a local police officer who is probably corrupt in St. Petersburg uh with one of his many Lamborghini. Um this one's a Lamborghini Hurricane. He owns about eight of them. Uh this is his favorite one because I don't know if you can make it out there but uh these three letters spell out thief in Russian which again not subtle right um this type of person. So these

are the type of cars people like him are driving around. More importantly here's a picture of his luxury wedding. His wedding cost of a million and it is to uh the lovely lady here whose name actually you know what she didn't do anything wrong. I'm not going to tell you her name, but uh she is the daughter of a four-star general in the uh Russian FSB. If you don't know who the FSB are, the FSB were one of the intelligence agencies that grew out of what we know as the KGB, which probably everybody's seen from James Bond movies and so on, right? So around that time, Yakobitz himself also started working for the FSB. So he had a day job working as a

spy for the the nation state of Russia and on the side was running a criminal business which by the way the Russians were completely aware he was doing and just didn't care. Right? So he would kind of do these two together. So if you think about for a minute these type of actors this is an actor with about two decades of experience in cyber crime. Right? So, some of you here in the room have maybe two decades of experience in like cyber security and you know, egos aside, you're probably pretty good at your job. You know what you're doing. So, do these people. They're really, really good at what they do at this point. Also, what you're seeing here as

well is the top tiers of cyber crime are now enjoying very close connections to the Russian state. So, like some of the attendees at this wedding were the the who's who of like politicians and all of that kind of stuff, right? So we started to see this ecosystem change a bit. At the top we had these like old guard criminals, right? We had uh the people with the who could attend parties at the Kremlin and things along those lines and actually meet and greet these people. We also had a kind of upper up and cominging upper middle class. So some of those affiliates we mentioned were now millionaires. They had made a ton of money, right? But they no matter how

much money they made, they couldn't quite hang out at parties like this. they just didn't have their like social connections to to meet these people. And then you had essentially a workingclass criminal, a kind of gig economy of the people supporting all of that. Still making good money, but just not in the millionaire kind of status, right? And that's all going to become really important later because obviously the kind of working-class criminal wants to become the middle class. The middle class want to become this old guard and go to the fancy cocktails with the the you know the fancy cocktails, fancy parties with the cocktails, right? So, bring it up to 2020 and we get to

the Nexus event to end all Nexus events. And of course, I'm referring to the arrival of Tiger King on Netflix. Uh, no, uh, co, right? Obviously, uh, was the change here. So, sorry to any Carl Baskin fans in the room. We're not going to have more stuff on that one. Um, so the pandemic ultimately completely upended security, right? So all these ransomware groups have been targeting companies with nice perimeters and people sitting in offices and now suddenly everybody's working at home and that completely changes how you target them because if you compromise the home that gives you a back door effectively into the business, right? So anybody who's had to secure any company in the

last couple of years with like working from home knows how all of this changes, right? But from an criminal attacker point of view, there's a couple of things they have benefits of. People when they're at home tend to be more susceptible for clicking on things than when they're in the office. Loads of studies on this, right, that just you don't feel you're in an office environment. The other thing is there's a lot more focus by criminals on network intrusion. So things like compromising VPN credentials, RDB credentials, hacking routters, all of that stuff like targeting the people in their home. And that is still one of the main ways into companies today that even though we've

kind of moved on from the working from home model a little bit. The other two other major shifts happened at the same time. The first is that we saw an explosion in the number of different ransomware groups uh that were out there. So this kind of Russian the Russian kind of speaking ecosystem of as a service makes it super easy to spin up a criminal business. It's a little bit like Silicon Valley right in in US right it's really easy to stitch these things together. Um, and we've also seen that within this world, you've got these Yakabits and Bogachefs who behave who almost work a little bit like the Steve Jobs and Elon Musks in Silicon Valley

that like they create new business models and then everybody else copies them and moves around and follows them. Right? The second thing that happened around this time is that ransomware and GDPR got together and basically had a baby, and we call that baby double extortion, man. Right? Um, that's not exactly what happened, but I've been told that any good story should have some element of romance. So, in a cybercrime talk, this is as close as you're going to get, right? Um, but genuinely, what happened: GDPR came out a little bit earlier than that, but it was really just like you couldn't ignore it in this time period. It's all over the news, people talking about like if you

get breached, you will get fined so much money and so on. So, what happens is the criminals evolve and they take this societal change that's happening, with all people terrified of breaches, they have the ransomware thing that they've got going on, and they stick the two of them together, right? And they were actually quite slow to this. We put this in our 2017 predictions, I think, that this would happen. And it wasn't really until 2020 that this kind of took off. So, the thing is ransomware has a fatal flaw, which is backups. If you back up stuff, ransomware is less of a problem. You just basically, when people say like, "Haha, you can't have your

files back." And you're like, "Go away." And you restore your network. It's a pain, but it's not like a company-ending event. But when you take that information, as anybody here probably knows at this stage, and you decide to add a third crime, so not theft or extortion but blackmail, into the mix, then you have a whole extra way of hitting up different companies. So companies might not pay to get their data back 'cause they can restore it, but they will pay to make sure that their customers don't realize it's all been breached or the friendly people at the data protection authority don't come along and knock on their door. Right? So the result of those changes had a knock-on

effect into cybercrime, and the power in the cybercrime ecosystem shifts drastically, because there's so many different ransomware groups. Now all the power rests with the affiliates, 'cause they can go to any ransomware group they want. There's dozens they can pick from. And what would regularly happen was you'd have some ransomware affiliates that would partner with two or three different groups. So, you know, if they hit like a, you know, a major school in America, they might be like, "Oh, the Conti group likes those types of victims. I'll sell to them." Or another time they hit something in Ireland and they sell to the Clop group or whatever. So, they have different like rates and

everything with the individuals. Um, so we really saw that kind of change where the affiliates became the most powerful members here. The second thing is, when you have this double extortion ransomware, right, you get paid more money by going after bigger brands, because the whole point of double extortion is that it's brand damage, right? Like you pay to avoid your brand being damaged. Bigger the brand, more money at risk. So criminals started going after bigger and bigger targets, including even like government-level targets, right? Um, and that's going to be important in a minute, because all of that means these stories become household names and they make it onto the BBCs and the Skys and the

RTÉs and everything else. And everybody knows that ransomware is a problem, including politicians, who in turn are going to put pressure on law enforcement to actually do something about it, right? Which is going to come up in a second. So, as an aside, um, super dark, sorry, please don't fall asleep for a minute. Right. Um, as an aside, it was around this time that a concept of big game hunting started being talked about, which is the idea that these criminals were targeting individual big companies and then double extorting them. And that's a really big misconception in ransomware, around targeting. So any like report you see on ransomware and attacks like that will

have breakdowns by industry or breakdowns by region, and of course one of them is going to be higher than the others. So people read these and they mistakenly think, "Oh, they're targeting the banking and technology industry and North America. That's what they're targeting." That's not the case at all. Ransomware does not target anything. Never has. Just doesn't work that way. What you're seeing here is, if you take any volume of data and you start breaking it down, you will have one industry that's bigger than the other ones or one region that's bigger than the other ones. That's just how the world works, right? So we already know that there's this like marketplace, right, where criminals can go and trade

stuff with each other. But what's happening is those marketplaces are not like a marketplace like Amazon. They're not where you can go in and go, I want to have access to the University of Galway, or I want to have access to Trend Micro, or I want to have access to whatever. They're much more a marketplace like a farmers' market, where you go and you turn up on the day and there's one person who's like, I've got some fresh fish for sale. Somebody else has some fresh bread. Somebody else has got, I don't know, crubeens, or what did they eat, Dublin coddle, right? Something like that, right? Uh, and you just basically go in as a ransomware person and go, okay, I'll

take some of that and I'll take some of this, and I really hoped to have some fresh pineapple but you don't have any. I'll get mangoes. Right? So they just take whatever's available at the time. So it's not big game hunting. It's more like big game triage. They're going in and, just out of everything that's been caught by the people who are gaining access to companies, they're taking the most interesting ones for them, if that makes sense. Right? But they're not targeting them as such. So also at this stage, all-important is our class structure that we started seeing, right? So it really strengthened more over this time in a couple of ways. So at the top we still

had our super wealthy old guard, right? That were there. We then, um, like, uh, so what was I gonna say here? Oh yeah. So then you had this emergence of a new class of rich people. We'd call them the nouveau riche, right? This is like the affiliates who made all this money, made a ton of money out of it, right? And then under them you had kind of a supporting class. So middle class trying to become that and so on. The interesting shift here happens is some of these nouveau riche people that were like the affiliates and ransomware people, they were actually making more money than the original old guard

who were sitting drinking brandy with the high-powered people in the base, and they were actually starting to look down a little bit. They remembered when they were asking, hey, can we come to the cool party, and were told go away. So there was actually a split happening. So you have these old super wealthy people who had the money from the carding and stuff like that, but they weren't allowed to play anymore with the new kids who were making loads of money. It's a bit like, actually you see this in the tech industry as well in Silicon Valley and stuff, right? So that split is going to be really important because it means some of those people

can't get involved in ransomware anymore. The other thing then, this finally brings us to the current era, the last two years or so, and then we're going to jump ahead to the future. So this is a really interesting period for a couple of reasons, because there's a couple of changes ongoing at the moment, and a good way to look at this is looking at some of the payment data around ransomware. So I've pulled some data from Chainalysis. They're a blockchain analysis company and they effectively have really good visibility, because they can see all the payments that are going through. So ransomware had its highest ever year in 2023: 1.25 billion, at least, minimum, right,

that they actually made. Um, and a lot of that was brought around by some technical innovations they were doing and so on. Also some business innovations. One of the things they realized was that if you're going to start charging millions to companies for extortion, you have to behave like professionals. You can't behave like street thugs. You can't just turn up with that. So they would actually be very professional in talking to people, because the C-level people they were extorting, if they were going to send millions to somebody, the people they normally send millions to is another business. So they talked business language. So that got them just more professional, more money. But

over time, ransomware has become a victim of its own success. And as you can see, it's dropped down pretty substantially for last year. So what happened was it actually stagnated. In all previous times of cybercrime, it would keep evolving, keep evolving, something new would show up. But ransomware is so profitable, nobody bothered to even think about doing any evasion, because why would you? You're making so much money. So a couple of things happened in the last year that really hurt their business models and means that we're going to actually have an evolution happening in the next couple of months, most likely. So it was also during this time period that AI came out in a big

way, and our technology industry really heavily adopted AI, but the criminals, because they were more lazy, didn't do much with it really. So far we've only really seen criminals use AI to write better code, like just like anybody, right? So everybody knows how, hands up here, who knows how to code, right? So as we all know, the way you code is you go to Stack Overflow, you go cut, paste, you put it in, it doesn't work, and then you cut it, right? Nowadays you go to ChatGPT, you go cut, paste, and it also doesn't work. So it's, you know, substantially better than it used to be. Um, the other thing they used to use it for is phishing

emails. This does actually get better, because you can have really realistic text in any language you want, and ChatGPT and DeepSeek or LLMs are really good at this. They also embraced deepfakes, and they did this in two ways. So using deepfakes for either volume scams, where in this case they're impersonating the CEO of Binance, and this is a crypto scam, like he's telling you invest money in this coin and of course you're going to cash it out, or they would have it in very targeted deepfakes. There's a famous example of a company getting hit in Hong Kong, and I think it was either a

Teams or a Zoom call, but everybody on the call apart from the victim, who was in the finance department, was a deepfake version of one of the executives, and they basically convinced the person to wire 25 million there and then, right? So this type of thing. But honestly, none of this is particularly earth-shattering. So it's not like revolutionizing what's going on, it's just a little bit better at what they were doing already. And there's a very good reason for that, and that is criminals. So when it comes to criminals, criminals rarely evolve unless they have to. And internally in Trend we have three rules we always use when we think

about getting into a criminal's head. The first and simplest is criminals want an easy life. That is the entire point of being a criminal. Otherwise you would do a real job and get paid, you know, less for it. Right? So the second one is that for criminals to adopt any new attack, the return on investment off that attack has to make more than what they're currently doing. Otherwise, what's the point, right? And ransomware, remember, is insanely profitable. And the third one is cybercrime is an evolution, not a revolution. Criminals make small increments to what they're doing. They don't innovate unless they really have to. And that's when those nexus events come in, where they just

have to change, right? Because the world has moved on in some way. All of this is happening where you've got these lazy, admittedly wealthy, criminals in a time where, in our world, technology's exploding, like the rate of change of AI is insane. Every couple of months, models jump ahead massively, and that's putting them at a major disadvantage. The second thing is that during this time period, over the last year, law enforcement started paying attention and really zooming in and damaging these groups, because, remember all those big breaches, they had to do something. Politicians were asking them. So there's dozens in the last year. I'm going to call out three in particular

that are interesting. Uh, Trend were involved in two of them. The first was LockBit. LockBit was the biggest ransomware in the world at the time. What law enforcement did was really nice. They seized the leak servers of the ransomware and then leaked details about the group themselves on their own leak servers. So they put up their Bitcoin wallets, their code, who they were, all sorts of details actually about the group themselves. Um, they also named the author, who's still wanted; he also made 100 million as it happens. A guy called Dmitry Khoroshev. So he's a massive bounty on his head. Interestingly, Apple also want to talk to Dmitry. Apple want to explain to him the correct way to

wear AirPods. Um, so the second major one from last year was Operation Endgame. Endgame took down all these botnets you see over here on the left quite successfully. Now why does that matter? If you remember, ransomware is part of a big ecosystem, right? So when you get ransomware in your network, it's not just that you clicked on an email and, hey presto, ransomware. Generally there are botnets that get deployed. They then resell the access to your information. And these six here were by far the biggest botnet loaders and enablers for ransomware. That really crippled a lot of how they would get on the networks. And the third one that

made a big impact was Operation Stargrew. This was the takedown of LabHost. LabHost is a phishing-as-a-service. Uh, quick show of hands. Anybody got an SMS saying that your eToll data is needed, or, uh, what are the other ones they do? Um, you've got something stuck in customs and you pay all them. That's LabHost, right? 90% certain it's going to be LabHost that was hitting you with those messages. But they would also be one of the main enablers of phishing in general for just getting people in companies and then selling on to the ransomware groups. So we actually helped in this one. Uh, we managed to, not we, but the NCA managed to

arrest one of the authors, one of the two admins of LabHost. Um, personally I think it's a good thing they saved him just before he got on a Ryanair flight. So, um, you know, they also kicked in a whole bunch of doors. This is up in Dublin, and got a lot of money from a lot of the users of the LabHost platform. But the problem with LabHost was there's 2,000 users of LabHost, and we ultimately knew we couldn't arrest them all, and there's a second admin who we couldn't actually get. So, how do you damage the service so much that it can't come back? Well, quick question. Who

here has a Spotify account? Show of hands. Cool. So, you know your Spotify Wrapped, where it tells you your favorite artists and things of the year. For me, I know it doesn't look like it, it was all metal and like Bambie Thug and stuff, right? But we came up with the same idea. So, let me just play this through. And this is what law enforcement sent to every single person on LabHost. "Welcome to your LabHost Wrapped, your recap of all the data we have about you. This recap has been made in partnership with international law enforcement. We valued you as a customer ever since the day you joined. We've been collecting your data that whole time and

now we've served it to police on a platter. You've paid a high premium for our services. I hope you didn't think anonymity was included in the price. We've been watching you every time you visited us. So many IP addresses. Honestly, I don't know why we kept them all. Remember these domains you've used on our site? Such creativity. I wonder if the companies' legal teams will be as impressed. You've targeted victims all around the world. The police there may not be too happy with you. Think carefully about where you go on holiday next. That was your 2023 LabHost Wrapped. LabHost is dead now. Maybe we'll come back. Maybe we'll collaborate with police again. They've certainly enjoyed

going through our data, and I'm sure they're looking forward to seeing you soon."

That song sticks in your head after you've heard it a thousand times, which we did when we were putting videos together. But anyway, uh, what they also did was they contacted on Telegram all of the users of the platform, because it takes a long time to arrest people. So they were like, for full confession, please press one, press two if you'd like to go to your nearest police station, and this type of thing, just trolling all of them. Um, I got to see the replies to this. There's a lot of just really offensive language, please. Um, but the whole thing worked, because 24 hours later the other admin shut the service down. They just went,

"Our brand is toxic. Nobody ever wants to work with us again." And they actually left it. So, we enter, but interestingly, with all these law enforcement arrests and takedowns and forums and so on, we enter this kind of post-trust era where criminals no longer could trust anybody. They couldn't trust the platforms they were using. They couldn't trust each other. And that really breaks things. So, we go back to our class system. We had the old guard and all these, but we also had these disruptors on the side. So with those forums and criminal communities came a whole bunch of different rules of what you were and weren't allowed to do, like you couldn't target Russian

speaking countries, you couldn't target hospitals, or things like that. But when people stopped trusting those central platforms that have all the rules baked in them, suddenly anything goes. And we have all these other groups who come along and will just do anything. They will do really nasty stuff. So, especially in the English-speaking cybercrime community, there's a bunch of kind of toxic, angry, mostly young males coming out of the gaming community that started doing really sophisticated social engineering and hacking attacks. So, groups like The Com or Scattered Spider, if you've heard of any of those, and they started mixing in violence as a service as well. So, we've seen many cases, including in Ireland, where some

of these groups, when they had to get cryptocurrencies off some of their rivals, would work with a local criminal gang, send somebody around to torture the person until they gave the passwords for their crypto wallets, and then empty their accounts out. So, this sort of violence and mafia-type stuff is starting to come into cybercrime as a result. And it's not a big leap to think that when these groups start doing things like ransomware, they would also do similar extortions on the actual CEOs of the companies they're targeting. Like, we know where your daughter or son goes to school. If you don't want us to pick them up and do horrible things to them, then you're going to pay for this. And

by the way, here's a picture of them going into the school. That type of thing. So to recap, we've covered a lot of the different changes over different times, right? And how they actually build up. But as you're hopefully seeing here, the business models and the human motivations are really what drives each of these changes, right? So there, by the way, I know I focus on ransomware, but it just tends to be the dominant model in any one of these periods. Of course, there's crypto mining, cloud attacks, there's BEC, there's other things as well, right? But we're getting up to the point of 2025. Um, and like what will happen next in that space? If

you are interested in any of the old stuff, by the way, we have loads of free papers. There's like 50 of them over the last 15 years that I've had a chance to work on that deep dive into all of these in more detail than I go through today. So just literally Google like Trend Micro vision underground and you'll find a link to all of them. Right. So 2025 onwards, we're now at the point where we have another one of these major nexus events happening, because there's four things happening simultaneously that are not great for criminals. First, ransomware is on the way down, right. Secondly, law enforcement are more successful than ever before. And the security industry's embraced AI in a

big way, which makes it just much easier to detect this stuff. And then you have this whole current class system they have. So how can they jump forward once again as criminals? And the answer is pretty obvious. You embrace AI, right? Uh, for the simple reason that you don't have a choice. The entire world, there's like a gravitational effect in the tech industry of AI where you have to embrace it. But it won't be large language models like ChatGPT that are going to deliver the future for criminals, or even the gen AI that makes things like deepfakes and so on possible. That honor is going to go to what's called agentic AI, right? So

agentic AI, this is something that we've studied in detail already. There's a whole bunch of free papers that you can go and read up on if you want. So, if you've ever seen a demo of something like OpenAI's Operator or Google's Gemini 2.0 and some of those, or heard the phrase large action models, that's kind of the direction that agentic AI is going. I'm going to take a bit of an educated bet, but by early 2026, or certainly by the end of 2026, each of us will have an AI-powered coworker in our normal businesses. That will just be a standard thing. And large language models don't do this on their own, because if anybody's ever used a large

language model, you know you have to QA the results coming out the back of it, right? But unlike that, and unlike this kind of goal of creating a superintelligence, that's not the goal of agentic AI. The goal of agentic AI is just to replace a knowledge worker from the pre-AI era with somebody who does the job pretty much as well. And the way that generally works is, instead of having one all-powerful AI, you have an army of kind of AI agents, each with one specialty that they are better at than any human who's ever lived. But that's all they do. That's all they know how to do. So like in a business context, you could have

one agent that specializes in finding free meeting times for people to meet up. Another one that's really good at ripping the notes out of the transcript, another one that makes action items out of it, and so on, right? And then at its core, you have a kind of an agent core or an orchestrator that carries out actions on your behalf. So you give it an assignment like, hey, set up some meetings with those people, and could you record all the notes and take care of the action plans for us, and it will assign the tasks out. It has the autonomy to do that, and it also has the memory of everything it's done before

for you. So it can kind of bake that all in, right. So the thing is, all of this exists right now. Like we have agents to do this, we have orchestrators for this, we have the prompts and so on. It's just really an engineering challenge at the moment, just how do you make this cost-efficient and actually scale a little bit better. And that is really good for criminals, because it helps every single one of these models for them. First of all, obviously, it makes their life easier if you've got an agent that does a lot of stuff for you. It will generate the one thing better for a criminal than money, and

that is time. Time is the most important thing you can buy when they're already wealthy, right? And it also allows many evolutions to happen at a rate that will look like revolutions. So in short, it will allow criminals to move from a model of cybercrime as a service to cybercrime as a servant, right? Where they have one working for them and letting them scale up massively as a result. So just imagine for a minute all the data that ransomware has stolen, right? Imagine now you have a criminal who has a bunch of different, let's say it's a leak from a hospital that they ransomed, right? And they have one

agent that is really good at ripping through records, finding medical records, another one that gets the corresponding person it belongs to, another one that can send and return emails, and another one that is really good at writing social engineering, threatening emails. Then they have an AI digital assistant, to which they basically say, "Okay, I want you to rip through those terabytes that I stole yesterday. Pull out all the medical records, especially things like cancer and so on. Extort them for me. Send them to the Bitcoin address that you have on file for me. And if you wouldn't mind sending me a Telegram message at 12 every day to let me know how much money you

made. That'll be awesome." Right? So that gets a criminal a much better return per victim. The other thing for criminals is it lets them scale up. So we make the mistake with cybercrime of showing charts like this to represent all the infected people, and we say, like, this is the cybercrime market. The reality is cybercrime has only ever infected a tiny percentage of all the actual companies out there. But when you put them in a pie chart, it makes it feel like LockBit had taken over 33% of everything. It took over like 33% of 1% of the entire addressable people on the planet. But when you have AI to scale

that up, you can hit way more companies than ever before. And criminal groups don't really compete with each other. They're rivals, sure, right? But they are happy to share their approaches with everybody, because there's so many companies to hit that everybody's going to be profitable as a result. And all that is going to need the ability to scale, which means they need microservices to do this sort of agent-based approach. So you're going to see much more compromise of cloud services, because that's where you have the agents and that's where you have the GPUs and all that kind of stuff. So they will hack people's cloud services and genuinely use it for what the cloud

is meant for, not just deploying crypto miners, but use it to build this agentic AI at scale. And most importantly, then, the human element. So accessibility to this ecosystem is going to be much easier, which is going to let these kind of disruptors we talked about, the more English-speaking folks, have a much wider influence than they used to in the past compared to Russian speakers. But we're going to see some shifts. So the nouveau riche and the old guard are going to merge into like a top 1% of the cybercrime society. You're also going to have an upper middle class. These are the people who are running all this kind of

agentic AI setup, right? And are really skilled at doing that. And there's going to be a bit of a gulf between them and these top rich people. The top rich people, just the rate of change is so fast that it's only the young, interesting, up-and-coming criminal entrepreneurs that are going to keep up with it. And at a certain point, the top 1% will just turn into investors. They will be basically like, you know what, I've got a yacht. I could care less. I'm not doing this 9 to 5 anymore. I'll give you seed money of a million to set up your business and I want five million return. So you'll have this investor class. The working

class will essentially go, because they get replaced with automation and AI, and then you have this gulf where you have a kind of lower middle class who are using all these AI tools but have no idea how they actually work. And then you have the middle, the upper ones, who actually genuinely know how it all works. And that gap of knowledge between those two is what stops you moving up the ladder to the next level. Right? So how do we proactively get ahead of all of this in this world? Well, as it happens, the security industry is in the best position of anybody, in my opinion, to take advantage of all of these AI

changes. So the first reason is technology always comes first and crime comes second. Crime never innovates ahead of technology. Remember, it always reacts. Do you remember those three rules? They only follow when they really have to, right? And in AI, the rate that that's coming in, that's a major disadvantage for them. The second one is industry can use this technology better, and no industry is better at that than the security industry. So at the end of the day, what does a security product do? A security product generates logs, right? It's got a whole bunch of sensors, generates tons of different logs. We then look through the logs and we go, there's a bad thing that

happened. We tell you what the bad thing is. People get paid a load of money, everybody wins, right? So that's how security works. But gen AI is better than anything at ripping through logs at a crazy scale and showing you that stuff, like genuinely. I've seen the stuff that we actually have in our products and the stuff we test internally, and sometimes it looks like magic when we do this kind of thing. And the third thing we all need to do to get ahead of that is knowing the actual enemy. So we have lots of study on how criminals work, behave and think at a psychological level, going back, as I said, 15 years. We

know, and so if you want to know how criminals and that are behaving today, for each of you, you're doing exactly the right thing. You come to an event like BSides Galway, you soak up every piece of information you can, and you learn that. And then in terms of thinking about the future, the future becomes way more predictable when you're predicting what humans are going to do next and not some piece of code or piece of model. You put all that together and you end up with proactive security. So to wrap it up, thanks, everybody, for coming along to the talk, listening to me. I'm personally looking forward to listening to the other ones later on.

And I think we've got like three minutes for questions. That took longer than I thought it would. And let's turn lights on.

There you go. Burn your retinas. Anybody got any questions before we... Yeah.

So the first decline in 2022, was that because in the last two years that's where people got it, and then companies were proactively working towards stopping that particular problem, or is that because they got stung and they stopped? It's a combination of all of them. Right. So they basically all happened at the same time. So companies got better at detecting stuff, right, like AI genuinely does help with that sort of stuff. Companies have better policies around it as well. Law enforcement started really cracking down, hurting their ecosystem, and then they just hadn't innovated really. So when you put all that together, it just, and that's why we're coming to this next

like explosion nexus event where they have to use it. It doesn't, is the short answer. Uh, at the end of the day, like cybercrime is just crime on the internet, and we haven't stopped crime in all of human history and we're not going to anytime soon. So at the end of the day there will always be periods where the good guys, law enforcement, us and the security industry, are ahead, then they jump a little bit ahead, and it's cat and mouse. So it never ever ends. After a while it's just basically AI going against it and then humans sitting on the sidelines. Genuinely it will come down to, uh, it will be mostly, let's

say AI versus AI to a certain degree but it will be how innovative can you be at using that against each other. So for anyone else I will be yeah one more question and then yeah go for it. So we looked at

Yeah. So for the average user, like for protecting yourself, obviously there's things like security software and so on, right, but honestly what it's all about is like, if you think about again the criminal point of view, right, the criminals want to target millions of people, right, if they're going for the consumer model, but what they'll do is they go after the easiest ones. They don't have time to like deal with the person they half infected and didn't quite get to; they just toss that to the side. So, you just want to make yourself, uh, it's like that whole, you know, you probably heard the joke before about like if you and your friend

are running away from a lion, you just have to run faster than the other guy, right? It's that you just raise yourself a little bit above the baseline level of everybody and the chances of you getting hit by criminals are substantially lower, because you just be like, I just go if a crime occurred honestly, uh, in today's ecosystem anywhere in the world, there is not a good setup for you, who just isn't, right? And the thing is, nobody reports it either. Like just, I'll finish on this one, right? But quick show of hands. Who here has ever had a malware infection on your machine? Any machine you ever had, right? You got a pop-up. Great. Did you go to the

police station or the Garda station and go, "Look, my laptop." And you know, Sergeant Joe or whatever his name is, like, "Oh, great. I know exactly what to do in this scenario." It doesn't happen. Nobody reports this stuff, right? Because we don't see it as a crime, which is a problem in itself. So it gets underfunded because the guards don't have anybody saying we had a thousand people this week coming into the Garda station saying they got a banking. So it's something we need to fix. But I'll be around later on for the party. Shindig and yeah.
