The Ransomware War

Hosted By Chris Parker

298
“If you pay a ransom once, you’re marked as a company that pays. They’ll come back under a different name later.” - Cynthia Kaiser

Ransomware isn’t a lone hacker in a hoodie. It’s an entire criminal industry complete with developers, brokers, and money launderers working together like a dark tech startup. And while these groups constantly evolve, so do the tools and partnerships aimed at stopping them before they strike.

My guest today is Cynthia Kaiser, former Deputy Assistant Director of the FBI’s Cyber Division and now the Head of the Ransomware Research Center at Halcyon. After two decades investigating global cyber threats and briefing top government leaders, she’s now focused on prevention and building collaborations across government and industry to disrupt ransomware actors at their source.

We talk about how ransomware groups operate, why paying a ransom rarely solves the problem, and what layered defense really means for organizations and individuals. Cynthia also shares how AI is reshaping both sides of the cyber arms race and why she believes hope, not fear, is the most powerful tool for defenders.

“Ransomware isn’t one hacker. It’s an entire business ecosystem built to make money off chaos.” - Cynthia Kaiser

Show Notes:

  • [01:04] Cynthia Kaiser had a 20-year FBI career and has now transitioned from investigation to prevention at Halcyon.
  • [03:58] The true scale of cyber threats is far larger than most people realize, even within the government.
  • [04:19] Nation-state and criminal activity now overlap, making attribution increasingly difficult.
  • [06:45] Cynthia outlines how ransomware spreads through phishing, credential theft, and unpatched systems.
  • [08:08] Ransomware is an ecosystem of specialists including developers, access brokers, money launderers, and infrastructure providers.
  • [09:55] Discussion of how many ransomware groups exist and the estimated cost of attacks worldwide.
  • [11:37] Ransom payments dropped in 2023, but total business recovery costs remain enormous.
  • [12:24] Paying a ransom can mark a company as an easy target and doesn’t guarantee full decryption.
  • [13:11] Example of a decryptor that failed completely and how Halcyon helped a victim recover.
  • [14:35] The so-called “criminal code of ethics” among ransomware gangs has largely disappeared.
  • [16:48] Hospitals continue to be targeted despite claims of moral restraint among attackers.
  • [18:44] Prevention basics still matter including strong passwords, multi-factor authentication, and timely patching.
  • [19:18] Cynthia explains the value of layered defense and incident-response practice drills.
  • [21:22] Even individuals need cyber hygiene like unique passwords, MFA, and updated antivirus protection.
  • [23:32] Deepfakes are becoming a major threat vector, blurring trust in voice and video communications.
  • [25:17] Always verify using a separate communication channel when asked to send money or change payment info.
  • [27:40] Real-world example: credential-stuffing attack against MLB highlights the need for two-factor authentication.
  • [29:55] What to do once ransomware hits includes containment, external counsel, and calling trusted law-enforcement contacts.
  • [32:44] Cynthia recounts being impersonated online and how she responded to protect others from fraud.
  • [34:28] Many victims feel ashamed to report cybercrime, especially among older adults.
  • [36:45] Scams often succeed because they align with real-life timing or emotional triggers.
  • [38:32] Children and everyday users are also at risk from deceptive links and push-fatigue attacks.
  • [39:26] Overview of Halcyon’s Ransomware Research Center and its educational, collaborative goals.
  • [42:15] The importance of public-private partnerships in defending hospitals and critical infrastructure.
  • [43:38] How AI-driven behavioral detection gives defenders a new advantage.
  • [44:48] Cynthia shares optimism that technology can reduce ransomware’s impact.
  • [45:43] Closing advice includes practicing backups, building layered defenses, and staying hopeful.
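The credential-stuffing case in the show notes (the MLB ticket app) is worth making concrete. What follows is an added example, not code from the podcast, from Halcyon or from MLB: a small detector that replays constructed login-log lines and flags a source address that tries many distinct usernames in a short window with a high failure rate, then lists the accounts where one of those attempts actually succeeded (the accounts an operator would force a password reset on). The log format, the thresholds and the sample addresses are assumptions chosen for illustration.

```python
"""Credential-stuffing detection over constructed authentication-log lines.

Added example: log format, thresholds and addresses are assumptions, not
anything described on the page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real data). One line per login attempt:
# <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
# 203.0.113.7 sprays seven different usernames in five seconds and gets two
# hits; 198.51.100.9 is one user mistyping a password, then succeeding.
SAMPLE_LOG = """\
2024-10-25T19:00:01Z FAIL user=alice src=203.0.113.7
2024-10-25T19:00:02Z FAIL user=bob src=203.0.113.7
2024-10-25T19:00:02Z FAIL user=carol src=203.0.113.7
2024-10-25T19:00:03Z OK   user=dave src=203.0.113.7
2024-10-25T19:00:03Z FAIL user=erin src=203.0.113.7
2024-10-25T19:00:04Z FAIL user=frank src=203.0.113.7
2024-10-25T19:00:05Z OK   user=grace src=203.0.113.7
2024-10-25T19:00:10Z FAIL user=alice src=198.51.100.9
2024-10-25T19:00:15Z FAIL user=alice src=198.51.100.9
2024-10-25T19:00:20Z OK   user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, result, user, src = m.groups()
    ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": result == "OK", "user": user, "src": src}


def parse_log(text):
    """Parse all lines and return events sorted by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_credential_stuffing(events, window_s=60, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, inside a sliding window of window_s seconds,
    attempt at least min_users distinct usernames with a failure ratio of at
    least min_fail_ratio. A single user retrying a wrong password never trips
    this, because the distinct-username count stays at one.

    Returns {src: {"distinct_users", "attempts", "failures",
                   "compromised_accounts"}} for the last window that triggered.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        window = deque()
        for e in evs:
            window.append(e)
            # Drop events that have aged out of the window.
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            users = {w["user"] for w in window}
            failures = sum(1 for w in window if not w["ok"])
            if len(users) >= min_users and failures / len(window) >= min_fail_ratio:
                # Successful logins inside a spraying window are the accounts
                # whose reused passwords were valid: reset them first.
                compromised = sorted({w["user"] for w in window if w["ok"]})
                findings[src] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "failures": failures,
                    "compromised_accounts": compromised,
                }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} users, "
              f"{info['failures']}/{info['attempts']} failed, "
              f"reset: {', '.join(info['compromised_accounts'])}")
```

The point of keying on distinct usernames per source rather than on raw failure counts is that a stuffing attack mostly fails (only reused passwords match), so its signature is breadth across accounts, not repeated failures on one account. This is the detection a service without MFA is left relying on; with MFA enforced, the two successful password matches above would still not yield account access.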
“I’m hopeful. With smarter technology and collaboration, we can actually reduce the threat of ransomware.” - Cynthia Kaiser

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Cynthia, thank you so much for coming on the podcast today.

I'm so excited to be here.

Awesome. Can you give myself and the audience a little bit of background about who you are and what you do?

Of course. My name's Cynthia Kaiser. I was at the FBI for about 20 years, and I'd say about half of that was in cyber division, so not the internal FBI IT, but investigating all the different cyber crimes that are going on across the US. I, in particular, was over all of the cyber threat intelligence, the engagement with critical infrastructure, and the work with White House, Congress, et cetera. I recently moved.

After 20 years, I decided to go to the private sector. I've joined a company called Halcyon, which is an anti-ransomware platform. What that means is I used to be on the after side of ransomware incidents, investigating them after they happened, and now I get to be part of the stop-ransomware part before it happens, hopefully, in the prevention zone, which is pretty exciting. It's a nice change.

Fun to be on the prevention side as opposed to the cleanup side.

Exactly. In particular here, I am building a ransomware research center, which is cyber threat intelligence, policy work, and all of that. I'm just so passionate about pulling information together, creating the stories that make sense to people, and then getting them out.

That's great. In your time at the FBI, did you initially go in focusing on cyber, or is that something that worked your way through the system?

I think cyber found all of us in the last 20 years. When I joined FBI, cyber division was really just starting out. A little bit of background, when you join the FBI: the FBI decides what you're going to do and where you're going to go.

I ended up going into counterintelligence, which is counter-spy work. It's really fun. I'd gone in with a lot of Korean language and some experience living in South Korea, so I ended up, as most North Korea analysts do, moving to WMD pretty quickly. I did that for the bulk of my working-level career. I got to take down proliferation networks that involved trying to get parts from the US and ship them abroad. It's really rewarding, and I found that I really love the technical work associated with that.

As we're getting into 2014, 2015, you start seeing a lot more cyber threats from North Korea, the North Korean attack on Sony. I ended up in a position where I was responsible for all threats. I was an intelligence briefer at the White House. There were just so many cyber threats that were happening all at once. I had this front line to seeing really how the US was shaping its response and what we were trying to do. I just knew there was nothing I wanted to do more than come back and work cyber threats, and that's what I've been doing ever since.

Was there a sense of like, “Oh, my gosh, this is way bigger, or this is much smaller than what we see in the news”?

It's way bigger, not only than what we see in the news, but then what the government knows. I think we all know that we're seeing a very small window into a much larger problem because it's so easy to hide your tracks. Because technology's constantly changing and we're all playing catch-up with each other, there's a lot we don't know still. I think that's been consistent for the last decade.


Got you. Are most of the threat actors that you dealt with nation-states, criminal organizations, or one-offs, or you have no idea?

It's really hard to tell nowadays. It's a blurred line because you have a lot of cyber criminal threats. When I say cyber criminal, I'm sure most people aren’t even thinking about the business email compromises or the scams that are perpetrated against them.

One of my last jobs at the FBI, I had responsibility for the Internet Crime Complaint Center. They get over 3,000 reports a day, so just a huge number. A lot of them come in and you don't know. You don't know if it's cyber crime, if it's nation-state, or a little bit of both. Maybe it's a nation-state actor, but they want to make money in their free time, so they're moonlighting. Maybe it's a nation-state and they've contracted a cyber criminal group for a task, or it's a nation's group and they're trying to look like cyber crime. There's so much overlap between all of this work that what you have to look at is, “Do I know this group? Do I know how they've targeted in the past? How they've stayed on a network in the past?” It quickly gets to, “What are we going to do? How are we going to stop them?”

Got you. Let's do a little primer on ransomware. Everyone's probably heard of ransomware, but let's hear your take on what is ransomware, and how does it get on people's systems?

It gets on through a lot of different ways. You might click a link, or there might be even now, a zero day, which means a vulnerability that there's no patch for yet. There is a lot of buying of credentials online. You can go to sites. If you've reused those credentials, or you haven't changed them and there was a data breach, then just logging in using the same password. Really, multiple different ways actors use ransomware to get onto systems.

Once they get there, they’ve got to move around. It used to be a lot slower. Now it's a lot quicker. They have to find where they want to go, they try to bypass your security, and then ultimately they get to those data that they want to have.

One of two things happens, oftentimes it's two of two things happening. They steal the data and they lock it up. That's where you get that ransom where people think of the lockup part, but it's really based in—it’s extortion. Once they steal your data, once they lock up your data, they send you a note and say, “Here's how you get it back. You pay us this much bitcoin.” It's interesting because you might think that this is all one actor doing it, but it's an entire business ecosystem of developers making the malware, people called affiliates.


They basically borrow the malware and give feedback to the developers if they've done the attack. There's the initial access brokers, which are those people selling the usernames and passwords. I talked about money launderers, infrastructure providers, and just all these different hands trying to specialize and work together to scarily just target us more effectively.

Is it that these individuals actually are specialists and, “I'm really good at this; that's all I want to do,” or are they trying to pass off a little bit of the, “Well, I didn't do it. It’s really not my fault. I just facilitated moving some currency, or I just wrote a program. I didn't deploy it”?

I think it's a little of both. Especially on the malware developer side, they have a lot less exposure if they're not also going and targeting victims. That part of the equation is absolutely about trying to obscure who they are and then also just maximize. They can only target so many people. If they can get more people to target, they can earn more money.

Maybe you had the affiliates. They know how to conduct and execute the attack, but they don't know how to develop something from scratch. You have people who are good at money laundering, who are good at going across the blockchain using all the various and different types of cryptocurrency. People who are just going out and only finding credentials—that’s a totally different skill too. There's a lot of different skills. Could people do other things? Sure. It's like a startup. If they found where they thought there was a market share, they leaned in and did that effort to try to make money.

That's really scary. Are there lots and lots of people doing this, or is it a fairly small, loose affiliations of people? Of the people that are finding the credentials, is it tens of thousands, or is it 10 or 15 organizations?

It's somewhere in between that, I would say. I don't think I could give you an exact number. At any given time, one to 200 active ransomware groups, but there's an overlap between all of them. We used to do a lot of top 10 lists in the FBI. Who are the top 10 infrastructure providers, top 10 exchanges, and those top 10 groups? A group's not one person necessarily, but it's not a 10,000-person enterprise. Those are the largest. They had by far most of the market share across the criminal ecosystem.

Do you have an estimate of the amount of money that's lost either in paid ransom or in corporate and individual downtime?

Those are very different numbers. The blockchain analysis company, Chainalysis, they track this pretty closely every year. They'll come up with a figure of how much in ransoms was paid. Last year, I think it was 74-75 million. That sounds like a lot, but it was actually 35% down from the year prior, and there's a lot of reasons behind that. There were some law enforcement actions that had taken down the biggest players. There's a lot of scattering, closing down of some of the groups, which makes them a little specialized, trying to regroup, trying to vie for the top spots again.


It was down, but oftentimes, the actual ransoms paid is 15-20% of how much it actually costs to get back online. You have over 22 days of downtime. You are looking at millions in lost revenue, incident response, getting systems back online. All that together, that's the huge cost of ransomware.

Is that the challenge that at least corporate are faced with or maybe individuals as well is, “OK, I don't want to give money to bad people, but I have employees that I need to pay, and I need my business to run. I can't redo all this from scratch”?

It's an awful choice. It's a business choice. What I'd say is that if you pay, you are known as a company that pays. Those affiliates might target you again with a different variant later. If you pay and you get a decryptor, there's a lot of times where the decryptor doesn't work a hundred percent of the time. It shouldn't surprise us that people who create malware to break things don't put a lot of effort into fixing them again. It's slow, it's hard, and sometimes it doesn't work at all.


Recently, Halcyon, my company, we were with a victim. We're often brought into an incident if somebody needs really ransomware-specialized expertise. In this case, they bought the decryptor and it didn't work at all. Luckily, we were able to figure out a decryption solution for that victim and help them get back online.

In that case, RED Smart has been just outright jerks anyways. Even if they hadn't seized up or locked up the files, they're just going in renaming files, which makes it difficult to reconstitute. It makes it slower. I'm going to say it's 98% about making all the money they can, but there's also a culture of trying to stick it to the victims. You and I just don't even understand that.

I think there was a period of time where there's this weird criminal ethics, in a sense. “If we are a ransomware gang and we don't honor the ransom, when someone pays their ransom, if we don't honor it, then no one's ever going to give us the money, but I'm still going to be evil enough that I'm going to steal the ransom.”

Yes. You used to see some that would say, “Oh, we don't target hospitals.” The problem is when you have affiliates who are loosely aligned to you, they don't follow all the rules all the time. You see a lot of hospitals being targeted, which I think is just the lowest of the low. That's, to me, terrorism. You're endangering people's lives at a massive scale. It is interesting. I think you saw in 2021 when we all started hearing more about ransomware, different groups having those ethical codes coming out. I don't feel like you see that as much anymore.

Yeah. It sounds like what you're saying is, “Once we get the money, we've moved off to another target. If you can't figure out how to use our decryptor, that's your problem, not ours. Oh, well.”

Yeah. Some of these ransomware groups will have a help desk almost. You're paying and how to do the bitcoin. There are some that if they want to be big enough, they want to make sure that they're not known as somebody, you just don't pay them at all. That doesn't mean it has to work a hundred percent. If it works 75%, I'm sure they feel satisfied.

Do you have a sense of how the decision-making process is for the ransomware gang on, “OK, we've encrypted someone's stuff, they can pay to decrypt,” but then there's also the, “Now we also have valuable data. What can we do with that data?” How much of it is about, “Pay us and you could just be back up and running,” and how much of it is, “If you don't pay us, we're going to make this other stuff public,” like Sony?

The Sony case was all about revenge. Initially, when we were seeing ransomware, it was all about locking up the systems, paying to get back online. Where you saw more of the data theft is people started having better cybersecurity. They started creating backups, and they were able to get back online without the ransomware actors.

The data really serves as an additional incentive to pay. “You might be able to get back online. You might have backups, but if you don't pay us, we're going to release your data.” What they'll claim is, “But if you pay us, we'll delete your data.” The FBI was getting on the backend of some of those ransomware groups through some of our takedowns. They were not deleting the data.

They were just waiting for a more opportune time to re-solicit for more money.

Or just didn't care about going back in time and deleting, or believed they might be able to use that for credential harvesting, which means getting usernames and passwords and reselling that, lots of different things.

Yeah, or just, “Maybe we'll actually find something in here that we can sell to somebody. Trade secrets. It won't be public, but we'll sell off this trade secret to a competitor or some other entity, and we'll make money from that.”

Right, and it used to take a long time to go through data, but think about with large language models. Nowadays, I assume a lot of these ransomware groups are using those types of GenAI tools to go through the data a lot faster and find what's valuable.

“ChatGPT, find me something interesting in this big pile over here.”

I'd hope they use ChatGPT, then we all might get a notice about it.

No. Oversimplification on my part. I guess there are two aspects of this. There's the prevention side, and then there's what-do-you-do-if-it-happens-to-you side. Let's start on the prevention side. What can individuals and corporations or entities do on the prevention side?

The basics still really matter. The majority of cyber incidents, so not just ransomware, anything gets in because of easily guessed or forced passwords, no multi-factor authentication, that secondary ping you get to put in a code, et cetera, or not patching vulnerabilities. Why would actors use hard tools and expensive tools if the easy things work? Doing all those basics really matter.

Second, as we see some advanced ransomware groups really start to be able to target things in a more refined way, we find them doing things like being able to get around Endpoint Detection and Response, EDR systems, because they work, that's why they target them. You need defense in depth. You need multiple different solutions. That's where Halcyon comes into play, working as that secondary check, identifying the ransomware activity that may have evaded a different tool. Having different things along the way, segmenting networks, making sure your administrators can't have access to every single thing.

I don't know how many times we were in an incident in the FBI, you'd hear about an admin account. It had access to a hundred thousand different internal accounts or the like, and then that one account is compromised. It's a big problem, so being able to segment and practicing incident response, like playbook. Most people have incident response plans. Maybe it sits on a shelf. Hopefully it's hard copy because it's just electronic. You might be able to get it.


If it's not practiced, it's also just a PDF. You have to practice it. You have to know, you have to think about who you need to talk to. The sooner you can do incident response, minutes matter, hours matter. Being able to enact that early, things happen. People are targeted. Adversaries are crafty. They're going to find a way to get around things some of the time. But if you can stop them when they’ve got that initial access, that's a lot better. If you can do that quicker, it's a lot better than if you are finding them because your files were stolen.

Yeah. That's pretty corporate-focused. Clearly the passwords and two-factor authentication for individuals. When you don't have an incident response team and you don't have an IT department at home, what do you do there?

Individuals, I think maybe early in the ransomware epidemic, were being targeted. You don't see that as much anymore. You see it more in the traditional scams, crimes, and stealing money. Yeah, sure, ransoms might be in the millions to organizations, but if someone stole $10,000 from me, that's a very big deal in Cynthia's world.


What you can do there is do all the things I said. Don't repeat your passwords. Have multi-factor authentication. I like authenticator apps. I think those are probably the best for personal use. Even the text messages that give you a code, those are better than having nothing at all. Also making sure that your systems are up to date. You just are running some antivirus. You're implementing updates when you need to.

The best thing is we talked about zero trust in organizations. You want to have zero trust. That's what I meant by not having an admin account with a hundred thousand users. You need to zero trust your brain. If you're a person, what might be happening is somebody's trying to call you. They are saying that you've been a victim of crime and they need your account information, or they are with a sick family member in the hospital and they need some type of information.


Whenever there's this urgency behind an ask, it's incredibly important to take a step, take a beat, and really figure out if there's a way for you to verify this before moving forward, especially in the age of deepfakes. I'm sure most of the people listening here know what deepfakes are, but it's basically you use AI to create fake videos, fake audio. They're really believable now.

There was a case at the FBI where a person received a call from their CEO. It was through their regular, whatever messaging app they normally used. It looked like it was at the CEO's vacation house where they'd seen them before. They said, “Hey, I need you to get on this urgent call. I'm going to send you the link right now.” I would've clicked that link. That was a deepfake. It was a fraud situation, where they were trying to either gain access to a corporate network, or they would urgently have the CEO trying to tell someone in finance to wire this much money somewhere.

We've talked to organizations about having that secondary check, like in-person multi-factor, just call another person, figure it out. It's the same thing. If you're personally being targeted, these people are crafty, they're lying. The lies are really believable now. How do you have your secondary verification check?

Yeah. That's what I do with all of my vendors that I work with for my business. If I get a phone call asking me to change any payment method or anything, it's like, “Hey, we need you to change and do this differently.” I always verify back on a different communication method. If I got a phone call, I don't call back. If I got an email, I don't email back. If I got a text message, I don't text message back. I always change the method of communication. Let's just assume that's been compromised, someone got their SIM card. “OK, I can't call or text them. Let me email them and try to at least have that one level of, like you said, zero trust.” Let me just assume it's a scam. How would I detect if this is a scam and play that out in my head before doing anything?

Exactly.

It's funny, you were talking about the credential stuffing. I was watching a news report last night that there is a class-action lawsuit against MLB, Major League Baseball, because right when the World Series hit, someone did a whole bunch of credential stuffing attacks on MLB's app, got into people's accounts, and transferred out their tickets for the World Series.

So they couldn't go to the game?

So they couldn't go to the game. MLB doesn't have two-factor authentication for their app. Tickets were getting sold out to other people. The class-action lawsuit is you didn't have enough security. You should have known that someone would do a credential stuffing attack, and you should have protected us against our own mistakes.

It's really hard to know. These are enemies, they're criminals. They're doing all this targeting, but you have to look at making sure you don't leave all your doors and windows unlocked too. It's so hard to figure out where you need to get better, make sure people are getting better so that they put up better walls against this, but also targeting the actors themselves.

As a consumer, yes, you’ve got to use unique passwords and two-factor authentication where it's available. If you're a vendor for critical things that could cost people money, you need to have two-factor authentication turned on. You can't assume that your customers' passwords didn't get compromised. There are systems out there to look for compromised username and password combinations. Use those.

There are, yes. Constantly look. There's a whole industry for that. Absolutely.

Yeah. We've talked about prevention now. Once a company has been compromised and they've got ransomware on their platform, or an individual, let's talk corporate-wise first. A company, you're victim of ransomware, what the heck do you do?


Hopefully you have practiced this. Hopefully you have an incident response plan, and you know who you're going to call. I used to talk about this with the FBI. You know the FBI person that you need to call, not the 1-800 number, the actual number. You get a notice in. Hopefully you have a really good endpoint detection or other cyber company that's noticed it for you. They send you an alert, you have to verify, and then you're going to look to contain quickly. Just contain it, make sure that it doesn't spread.

That's when you can start doing this like, “OK, who do we call? Who do we notify? Do we have to tell customers? How are we going to ensure this hasn't gone on further? Who do we need to involve so that we can investigate our networks? Do we need to bring in somebody external?” Probably. Answer's probably, yes. “Do we need to go to a different site?”

Sometimes people have to go off. If your computer's all seized up, if your network's all seized up, you have to go to your backup site, and then you start that process that you contain it, eradicate it, analyze it, figure out what you need to be able to get back online, and do the notifications you have to do too.

Yeah. I've always heard it say, “You want to find your lawyer when you don't need a lawyer. You want to find your anti-ransomware vendor when you don't need your anti-ransomware vendor.”

You want to have an external lawyer. You want to have an outside counsel, not just your internal. We always found that they just know the breach landscape so much better.

You don't have time to get referrals from, “Hey, I had this buddy who was compromised. Let me…oh, they're on vacation. Oh, I can't figure out who they used.” You don't want to be figuring it out in the moment.

Yeah, like, “I don't know who to call.” Exactly. We had this where you want the FBI to be able to do everything and be there. That's what the FBI wants to do. They want to help victims, but you don't want to be subject to having to call the person that is routing all calls on a Saturday morning at 3:00 AM. You want to have the name of the cyber squad who is going to actually investigate. Common sense-wise, that's going to be faster.

Yeah. It's tying in with the story that you were telling me before we started recording. Someone was spoofing you on LinkedIn. This is like, hey, “Who do I know who might be a part of the FBI who I could contact?”

That's right. I'll correct you. I think I talked about this on LinkedIn. It was actually Facebook where I was spoofed. Someone created this fake profile. It wasn't even me, it was some other FBI person as they put the face. They misspelled my title. They didn't spell vice right. It's almost quaint to see that in the age of AI. A regular misspelled scam, spoof Facebook page, but I know from experience that can be a big deal. Someone's not doing it just because they feel like it, because they woke up that day. It's because they're likely going to try to defraud people in my name.

As a person, you can take a few steps, and it depends on why. It depends on why you think someone might be doing this. In my case, because it obviously alluded to my FBI time, I was really worried it would reach out to people saying they're from the FBI. People are going to trust that and give more information.

There's a trust when you believe someone who's an authority contacts you.

Exactly. What I did is first notified Facebook. I flagged it and I had a few other people flag it too, just to give it a little more extra oomph. They were impersonating FBI, which is actually a federal crime. I put a report in to the FBI's Internet Crime Complaint Center, IC3.

I gave all the information I could. I screenshotted everything I could—when was this created, who were its followers, what are the aged followers that it probably is going back to, et cetera. I gave all that information over to the FBI, and then I went public about it. You put it to your friends and family on Facebook. I put it out on LinkedIn because I have a much broader reach there. You tell people about it, like, “This isn't me.”

People can just create a profile with anything. You wish there was more verification behind it. I think LinkedIn actually probably does a little bit better job of some of that, with their verification on professional emails. On Facebook you just say you're so-and-so, and you create that. It's a lot harder because they're doing it for a personal context, not a professional one. Just by nature of it, it's going to be a little harder.

I'm sure people have had this happen to them and have it not be pretending to be the FBI that's contacting people to scam them. People have their profile spoofed, and then the criminals target their friends and their family. That feels really personal. Worse isn't the right word, but when you know who might be being targeted, that feels pretty awful. This isn't just because Cynthia was in the FBI, this happens to her. It happens to everybody.

We were always really worried in the FBI that people weren't reporting because they were embarrassed. I think especially among elder fraud, people might be worried that if they report, if they say they were scammed, they might lose independence. I always felt like that's why it's so important to get things like the IC3 annual report out that talked about the billions and billions of losses for elder fraud, or for all these other different types of fraud and crimes, because it tells people they're not alone.

Yeah. Let's take a tangible step in destigmatizing being a victim of cyber crime, fraud, or a scam. Has that ever happened to you?

I remember being in college and getting one of those ridiculous viruses. That happened a long time ago, where it put a spirally circle on your device. I haven't been actually defrauded of funds, but I've had family members who have been. It's because the criminals called and they created a lot of that urgency behind, put an urgency behind some action. They were able to either steal funds.

In one instance, I remember the family member, we caught it halfway, but that still meant we had to redo all the passwords, take a couple days off to just redo someone's digital life because we were worried. Everybody's targeted is the answer here. No one isn't going to be targeted. That's where people need to forgive themselves if something happens, but also know what we were talking about before. Just be skeptical.

Yeah. One of the consistent themes from my guests has been not so much, “Oh, I can analyze everything and I can be objective about everything,” but that they were in a rush. It was something that in the moment seemed plausible. They were having something shipped to them. When they got that text message saying, “Hey, this package has been held up,” their mind does what the mind does. It connected those two things to say, “Oh, it must have been that package,” or “My daughter told me that she was going to get ahold of me.” That scam Facebook account got ahold of them.

In any other circumstances, they wouldn't have trusted those things, but it just happened to coincide with events in their life, which that particular scam just seemed to be perfectly targeted. It wasn't, but you send out millions and millions of those, and someone's going to be waiting for a package. Someone's going to be expecting a family member to reach out to them.

Yeah, or you have kids. It's hard for kids to click that tiny X in an advertisement that's probably malware, they're gaming, or they're having fun with friends and they don't know. It is about all that. We talk a lot on push fatigue as well, where actors will constantly send, like, multi-factor authentication-like texts, like “push here,” “click here.” You're not supposed to click, but at some point sometimes people go like, “Ah,” and they click.

Just go away.

Yes. That's the way people get scammed as well. The world is fraught with a lot of bad people. It's really difficult to dodge all of them.

Yeah. I know that you guys are working on a resource center for ransomware. Where can people find it, and what are you guys going to be doing with that resource center?

Yes. We're just starting out and we're building it. As we're building it out, people can go to www.halcyon.ai/ransomware-research.com. You can find all that there. If you just go to www.halon.ai.com, there's a button at the top for the research center.

I'm a cyber threat analyst. I love to geek out and go really deep on some niche topic and find the new thing. We're totally going to do that. It's going to be great. We're going to be collaborating with other different industry partners, think other startups in the space who have some niche information. We can all pull that together.

While I was at the FBI, I oversaw the transition from FBI doing its own cyber threat notification, DHS doing its own, NSA doing its own into the joint advisories that they do now. I'd love to see that in the industry, like how many people can we get together on this to really put something out. That's going to be on the really advanced side.

I'm a big believer in getting out the basics and in education. We'll also be a one-stop shop for what is ransomware. How do they get in? Those are all coming, like, what does the ecosystem look like? We'll get a little more nitty gritty as we go on.

Even now, people can go on to the site and find a page about almost every ransomware actor that is active today. It starts off at the top and it's like, this is a Russian speaking, it was connected with this. You keep going down. They exploit this specific vulnerability and do this thing during security bypass. From beginners to the really advanced net defenders, you can find information on all these threat actors there. Make it easy to find just having all these resources available. Finally, we're really interested in identifying smart policy solutions and working with folks in the policy arena to think about what else can we do against ransomware actors to stop them.

Is that mostly corporate action needs to be taken, government action, or a little bit of both?

I'd say both, public, private partnerships. We talked earlier on ransomware actors targeting hospitals. We'd love to work with government partners on how do we stop ransomware against hospitals. It won't mean less ransomware; they'll go to other targets. I think that's OK. I think we would all be OK with a world in which we had the same amount of ransomware. We want less ransomware, but it's a good goal to say, “First, let's make sure there's no ransomware against hospitals. Let's make sure no one dies from a computer attack today.”

Yeah. I'd much rather have my personal computer be down for two weeks or me have to get rid of it and start from scratch than a hospital have to ditch all their hardware and start from scratch. That's a much bigger problem.

Yeah, it is.

Not that I'm inviting. Please don't attack me.

I was going to say, my kids might not feel the same way about their phones. I think academically, they'd understand.

Academically, I think we all agree. Yeah. It's not going to be a problem that's going to go away. As long as there are computers and as long as there are vulnerabilities, there will be people who will try to exploit that for their own advantage.

There will be, but what I will say is I've felt like it was an arms race forever. Net defenders, they put up a different defense, and then the cyber adversaries are constantly figuring out ways to go around that. I do think AI as a defender advantage is going to be really great. I think being able to do things like AI-based behavioral detection for threats, not just signatures. Not just they use this program, but like, “Hey, this is acting funny.” I think that's pretty cool.

I like that.

Yeah. I think that's a pretty cool way to think about being able to reduce the threat. I think that we can get there. I believe we can reduce the threat from ransomware with the right kind of technology.

Yeah. I love that concept of something that watches over the network, watches over the operations, and says, “That's not normal.” It might be intentional. It might be a hundred percent real, but something that goes, “This user never does that. We should stop that.” Or, “The company just doesn't do things that way. Let's stop it and force a little bit more verification into the mechanism.”

Exactly, yeah. A lot of people might have heard the term living off the land. We talked about it in the China context. What that effectively means is you have an actor who's on your system, but they're using tools that are already on your system. They're not raising any flags. Maybe they're using it in a weird way. That's where that detection really helps.

“We only run these types of scans in this way, in this environment, and what's going on over this other place, again, that's not normal.”

Yup, exactly. Exactly.

I love it. As we wrap up here, do you have any parting advice, both for corporations and for individuals?

Yes. I would say to anybody out there, doing the basics matters. It's so important to ensure you have the right protections in place, but then also know that things might happen, so you need layered defense. You need to put in lots of checks to make sure you don't end up the victim of 25 days of downtime and losing all your customer data. That's actually a terrible way to end. I can't let that be my last thing. That's so negative.

Practice your backups.

Yeah. I think what I would say is you’ve got to do all those things that I just said. Adversaries are going to target us again and again, but I actually am hopeful. I am hopeful that there is some really cool technology now that can help a lot, and it doesn't have to be this never-ending battle.

I like ending on the positive note. We'll go with that. Cynthia, if people want to connect with you, where can they find you most easily?

LinkedIn, yup. I'm there, active and available.

Awesome. We will link to your LinkedIn profile, no pun intended.

That'd be great, yes.

We'll include links for the listeners to the Ransomware Research Center and to Halcyon along in the show notes. Cynthia, thank you so much for coming on the podcast today.

Thank you so much for having me. This was really fun.

About Your Host

Chris Parker

Chris Parker is the founder of WhatIsMyIPAddress.com, a tech-friendly website attracting a remarkable 13,000,000 visitors a month. In 2000, Chris created WhatIsMyIPAddress.com as a solution to finding his employer’s office IP address. Today, WhatIsMyIPAddress.com is among the top 3,000 websites in the U.S.
