Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Tammy Harper (00:00):
How do we extort more money? How do we put more pressure?
Rachael Tyrell (00:04):
Hello and welcome to Episode 19, Season 1 of your Cyber Threat Intelligence Podcast. Whether you're a seasoned CTI expert, a cybersecurity professional or simply curious about the digital battlefield, our expert guests and hosts will break down complex topics into actionable insights. On this episode of Season 1, our host, Pedro Kertzman, will
(00:26):
chat with Tammy Harper, who is a seasoned threat intelligence researcher, passionate about cybercriminal ecosystems and shining light into the underground. She leads intelligence efforts on ransomware, data leaks and dark web threats, turning complex patterns into actionable insights for defenders. Her work spans from uncovering affiliate structures and malware
(00:47):
ecosystems to developing training and awareness tools for the next generation of cyber professionals. Over to you, Pedro.
Pedro Kertzman (00:55):
Tammy, thank you so much for joining the show. I really appreciate you coming here.
Tammy Harper (01:00):
Thank you very much for having me.
Pedro Kertzman (01:01):
Usually we start asking the guests their journey into CTI. Would you mind walking us through that, please?
Tammy Harper (01:08):
Yeah, absolutely. So I don't think I have a very conventional entry into the world of CTI. I originally went to school and university for film studies and I ended up dropping out after two years. I couldn't afford school. It was too expensive. You have to like pay for your film, you have to pay for a lot of things, so I just couldn't afford it.
(01:30):
So I went into tech right away. I started off with like help desk stuff and IT support and really like just troubleshooting. I've always had a fascination for seeing how things worked and I worked my way up. It got to the point where I was managing a small, like family run office, like in terms of IT. When the pandemic happened, I decided to go back to school.
(01:53):
And I went back to school, not for like a degree or anything like that, but just to skill up and really focus on cybersecurity. And I took, like it was called, Advanced Cybersecurity at York University in Toronto, basically went through that program and it was a certification and it was fantastic. It was split up into two parts and like fundamentals and
(02:15):
advanced, and when I got to the advanced section I really started to like hit my stride and to really like, uh, find like concepts that I really like started to gravitate towards, like forensics and penetration testing and things like that. And I, uh, one of the teachers basically, uh, that was
(02:36):
teaching one of the classes, was offering students to like, uh, go work at his company. He had already hired like another one of, uh, my, like one of another student that was in my class, my classmates. So basically he reached out to me and he's like, if you're interested, you can definitely like make an application. And so I did and that was how I got my first job.
(02:59):
I was very, very, very lucky. I started from the bottom. I was an associate, I basically worked my way up and I did forensics, I touched penetration testing, incident response. Then it came to the point where I was doing a little bit more CTI because they, when we were doing incident response, we needed someone to basically go check on the dark web to see,
(03:20):
like, if the threat actors had leaked or anything or if they were talking about the victim in specific ways. I had a collection, like I had my own like internal database of like onions and stuff, and so I was like basically the one to always volunteer to be like, hey, I'm gonna, I have it, I can do this. Like let's show, like let me do it, and uh.
(03:40):
So I basically became the one like responsible for a lot of that stuff, like keeping up to date with the latest locations, and this sort of like intersects with another one of my projects, Ransom Look, and we can discuss that after. And after that I basically started really like falling in love with threat intelligence because I saw what the field was going into and
(04:03):
how much demand there was for it. So then I ended up in my current position because I currently work at Flare. I essentially started when I saw that they had an opening for a researcher position in threat intelligence. I applied for it. The rest is history. I absolutely love threat intelligence.
Pedro Kertzman (04:20):
That's so nice. Maybe we can just, you know, go straight to the Ransom Look story as well. If you want to share with us, that would be awesome.
Tammy Harper (04:28):
That's a funny story. So Ransom Look is an open source project and I've been volunteering with them for a little over two years now. So my collaboration with them started back in 2023 when Conti was starting to publish MOVEit victims. So back then I had a Twitter account and I was X and I was
(04:53):
basically like posting updates on there and I was interacting with a lot of the CTI community because back then, like Twitter actually had a quite a decent like CTI community. So I was, I had this like no name account and I was just into, I was just posting updates. One day my Twitter account got banned, so I was a little frustrated. So I reached out to one of the uh maintainers and admin of
(05:16):
Ransom Look and I was like hey, I have a bunch of onions. I can give them to you if you want. They were like sure, I'll take them, I just continue. And this was done over like um Discord at the time and I was just like sending them like a bunch of onions, onions, onions. And at the point and he was like, okay, so look, uh, can you, uh, do you want to like send it to me over Signal?
(05:39):
And I was like sure, I'll send them over to you over Signal. And then from there like, uh, we made it a formal introduction, like, hey, my name is like Tammy, and he gave me his name. And then we were like, okay, so can we follow each other on LinkedIn? He's like, yeah, sure. I was like, do you have a GitHub account? I was like, sure, I do. And so then I started like making commits, like, or like
(06:02):
opening like issues on, more, more so, opening issues on GitHub. And then I started like basically making more recommendations. And to the point where it was like a year later he was like okay, so like, like, most of these new onions are yours, like they're thanks to you, so I'm going to make you like an official member of the team.
(06:23):
That would be fantastic. And yeah, it's been one of the best teams to work with, for sure.
Pedro Kertzman (06:29):
That's amazing. That's an awesome project for sure. So you know you track ransomware gangs, cybercrime, any like particular I would say maybe aha moments. Oh, that's how those guys are moving on the. You know the other side recently or at any point in time.
Tammy Harper (06:47):
Yeah, so how these guys move is there's different variations of how they move, right. So there's because there's different types of groups. So there's the groups that are established, that are highly sophisticated. I classify these more like on a syndicate level. So these are very, very professional. They operate as a business. It's basically a vetted invite only process to getting into
(07:11):
them and they don't really need to advertise. They do advertise on, like some of the forums, but like they keep it very to a very, very minimal. Recently there was a story, an article, a research paper
(07:49):
published by Talos, from Cisco, saying that Chaos ransomware is a Texas to help them seize and basically liquidate a cryptocurrency account that is worth $2.4 million and that just came out that that was actually related to the April seizure of like and disruption of BlackSuit infrastructure back in April of 2025. And so this is like connected to like Chaos now and the threat
(08:09):
actor behind that wallet is called Horse, H-O-R-S. So this is like the syndicate level. These guys are making millions. They use like large, large, large networks and infrastructure to obfuscate and to move their money around and to do the, to conduct clandestine operations. But then there's like the other tier.
(08:29):
And the other tier is like I call them, not necessarily at the syndicate level, but they're more like operators. They usually run smaller teams, they rely heavily on forum advertisements and they operate on Telegram, they operate on other types of networks and they basically are online 24-7.
(08:54):
And they're trying to manage their infrastructure. They're trying to advertise their infrastructure. It's getting harder and harder to recruit red teamers, like good red teamers, like the hackers that actually conduct the attacks on behalf of these ransomware gangs, because that's how the affiliate model works. So a lot of these guys are trying to get creative with
(09:17):
their advertising. So that's like the operator level. And then you have the script kiddie or the skid level, and this is where the other level is. Like these, again, they're talking everywhere, but this you'll see like skids or script kiddies talking on the open forums like Reddit, or they're going to be talking on open forums like TikTok, Instagram, like this, and there's there's
(09:43):
the, the level, um, the level of like, uh, opsec is just not there, right? Um, it's not that because they're they're worried is they don't really care, right, cause a lot of these script kiddies are usually younger and um, so that goes into the, into playing into like uh, their inexpertise and their inexperience on the
(10:04):
subject.
Pedro Kertzman (10:05):
No, that's awesome. And you mentioned a few things, let's say on this higher syndicate level. You mentioned the infrastructure aspect and also the ransomware as a service. Do you see those guys on the ERP level per se of operation kind of also doing the ransomware as a service kind of offerings, or have you seen any at any point?
(10:25):
They're kind of uh, jealous no, not my stuff, because when I hate somebody I only want to be known as that person and not like generic script kiddie that paid for that payload or something like that. Yeah, absolutely.
Tammy Harper (10:42):
So I can take. Uh, like LockBit was a syndicate level and they were RaaS, and like Chaos. Uh, Chaos is actively being advertised on a forum right now. Um, they, they require a ten thousand dollar deposit to get into the, to pass like verify, like a verification, like to, because this is to weed out law enforcement, or, more
(11:04):
specifically, it's mostly done to weed out uh like researchers, um, like myself, uh, so they make the the entry bar really really high. Now, there's always ways around this, but, uh, it just makes the things a little more challenging to get around the. When they're they, they like they're advertising their ransomware as a service. Let me explain to you what that actually means.
(11:27):
These guys are usually running an operation where they're going to offer a payload, which is the malware, which is also called a locker or an encryptor, and that is actually the ransomware that will be deployed and detonated on a network of, like an enterprise level or a company or a business, and that
(11:48):
is what actually is going to go throughout the entire network finding files and encrypting them so that they cannot be accessed anymore. So they're essentially held at ransom. That little locker is going to drop a readme text file or sometimes change the wallpaper behind a desktop and say, like please contact me here, you need to pay in Bitcoin.
(12:11):
This is an emergency right, really playing on that urgency of like trying to get your attention. So that's one of the things that they offer. The other thing that they offer is the ability to communicate safely outside of networks that could be monitored. So they're going to be usually using their own hosted version
(12:33):
of a chat system, or they're going to be using a special type of privacy-forward emails like OnionMail or Proton or Tuta or Tutanota. Um, sometimes they'll even use, uh, more like unregulated email services, uh, like that are hosted in countries that like
(12:53):
don't respect any form of like DMCA takedowns or any like type of like law enforcement requests, or they're going to be using something like Tox, which is like a decentralized, like instant messenger. They're going to be using like, so then the, the ransomware as a service, provides that infrastructure as well. They're also going to provide the infrastructure of like hosting the victims, like actual data, which is really expensive,
(13:15):
and they're going to be hosting the website, that the blog, so that they can shame each victim on there. So, um, there's actually a lot that these ransomware as a service provide and they have to keep updating these tools constantly so that they don't get detected by antiviruses or
(13:35):
EDR solutions. So, like the exfiltrators, the stealers, the payloads, all this stuff needs to constantly be tweaked so that it doesn't get detected and hopefully, for them, there's no vulnerability so that it can be exploited. And so then there's a vulnerability in the decryption
(13:58):
and then all the data can be decrypted for free. This is the responsibility of the ransomware as a service, and as an affiliate, I basically forego a cut of the ransom. So let's say, like, a ransom is $100,000. And so usually the model is an 80-20 split.
(14:21):
What that means is 80% will go to the affiliate. So, as the affiliate, I will retain eighty thousand dollars and then twenty thousand dollars will go to the ransomware as a service. Um, now you have to launder that money and you have to move that money around, so, and you have to pay off your team, you have to pay off your initial access broker. You have to pay off a lot of people. Everybody has to pay off a lot of people to make this work, so
(14:43):
your cut is going to get, only going to keep going down as things go on, but that's essentially how the whole operation works. Yeah, that's perfect, and we were talking about infrastructure as well.
Pedro Kertzman (14:57):
I know it's more common to see, you know, gangs sharing tools, for example, but what about infrastructure and or operations? Have you seen it as well?
Tammy Harper (15:08):
Absolutely, so. There's recently been a gang called DragonForce. Uh, so DragonForce is trying to start something, um, that they're calling a cartel, is it? This hasn't, is not new. Like this has actually been tried many times before, and they're really taking a page out of the playbook of, like, the
(15:29):
Mexican cartels in trying to unionize, like union, like bringing things together so that it's easier to manage and then, hopefully, you are the one managing, that's. That's the play they want to do. What they're trying to do essentially is saying like, hey, you come to us, we will white label a ransomware as a service
(15:51):
for you. So let's say, you have an idea of a group, let's call it I don't know Black Star, that's your ransomware gang. And I go to DragonForce and I'm like hey, I want to start this gang, but I have no expertise in anything. I have money, I have, like an initial investment that I can
(16:12):
give to you, that I can actually get this started, but I don't have a locker, I don't have initial access brokers, I don't have a team, I have nothing. So then what they're going to do is they're going to say like OK, so it's actually pretty expensive if you think about it. But what they're going to essentially do is they're going to give you a website, they're going to give you access to their builder, which is what creates the encryptors and the
(16:35):
decryptors, and they're basically going to give you access to all of this stuff. They're going to use your logo, your brand, they're going to host the infrastructure, they're going to basically protect you against DDoS attacks and all that stuff, and then they're going to basically say we want a 20% cut of all of your ransom. So it's an 80-20 split still, but now it's on the like.
(16:57):
So then so if I make $100,000, like as an affiliate, one of my affiliates makes $120,000, sorry, $100,000. I have to give them. It's like, let's say, I do an 80-20 split myself, so they keep $80,000. I have $20,000. I have to give 20% of that $20,000 now to DragonForce for
(17:20):
hosting my infrastructure and for creating all of my tools and for me to use all their tools. So I'm going to give them $5,000. So essentially, that's how a lot of these gangs now are not just only trying to get creative in how they're shipping off their platforms, but really they're also getting really creative in
(17:43):
terms of marketing. We've seen some groups like Global and BlackLock and VanHelsing essentially like start creating commercials, like video commercials, like flashy graphics and things like that, trying to attract talent and trying to uh get them to to sign up, and it really plays really hard on, like you want to be a
(18:05):
millionaire, you want to drive that Lamborghini, like LockBit was saying a lot of that stuff as well. So it's like it's really trying to twist on that and then prey on that idea of like a millionaire like Maverick, driving around in a Lamborghini with all the hot babes, like that's really the image that they're trying to sell, jeez.
Pedro Kertzman (18:26):
Yeah, it feels sometimes that we ended up seeing like a DragonForce University coming down the pipe, I guess.
Tammy Harper (18:33):
Well, you're seeing that already a little bit with a group called Qilin or Killen, and again this is going through the issue of not having enough, like not having a lot of like good red teamers. There's a dime a dozen red teamers, but I'm talking about like the good ones that can pull off like an enterprise level
(18:54):
attack, like by themselves or with three other people, right, like the good ones. Um, so like those ones, those are much rarer now, um, and because a lot of them retired, like they made their millions and now they're not, they don't want the heat anymore, they don't need it anymore and they're retired for the time being or for forever. So the next generation is going to come in.
(19:16):
And so you see, like groups like Qilin, essentially training on forums, like teaching techniques and tactics and procedures, like TTPs, to anyone who's willing to learn on these like exclusive, like forums, saying hey, this is how you're going to do it, this is how you, you like, create a
(19:38):
payload. We're seeing groups like Hellcat come out with manuals. LockBit had their two manual versions come out, like actual, like PDF manuals on how to train affiliates to conduct these attacks. Yeah, so it's actually like the school or the university of, right. Like ransomware is actually a thing. Um, it's not in the clear web, but this is absolutely happening.
(20:02):
Yeah, that's, um, you know, a sad part of uh so much knowledge available. I guess if you get people that doesn't have the, the core principles and all that, they can steer away from the bright side and maybe go to the, not talking Star Wars, but go to the, to the dark side a little bit and um, but how you from a, you
(20:23):
know, on the, not on the dark side, but on the like learning this particular niche and get into like a ransomware uh tracking type of role and and all that, any like learnings throughout your path that you could share, people also getting interested in uh studying or tracking those gangs and all that could, could
(20:47):
follow, or best practices around that? Yeah. So there's so much happening right now and it could really feel intimidating to get started in learning like threat intelligence or specifically like ransomware, absolutely, but the way I treat it is really learning about the lore, and it's no different than like studying the lore of like Lord of the
(21:12):
Rings or Dungeons and Dragons, or like Pokémon or whatever like. It's very like that. Or even like learning the statistics of sports teams, like um. If you have a passion for it, you can learn anything and um, but definitely you need a passion for this. Um, and if it's, this is not your thing, there's no point in going into it.
(21:34):
Um, like threat intelligence is not necessarily like an entry level position, like um. It is definitely something that um requires, uh, you to have various different skills. You need to understand a little bit of coding, you need to understand a little bit about network security, a little bit about psychology, a little bit about a lot of different things,
(21:55):
and so it's definitely a role that you work your way into, but it is not far off from like another entry level position, like, but definitely it's something that you can work your way into. Um, like I did, um, and when you're like learning the lore, I recommend starting off with, like, for example, WannaCry, uh,
(22:19):
which was very, very popular. It's very well documented and it really is gonna like. If you go down the rabbit hole a little bit on on WannaCry, you'll start to see like how, like, Shadow Brokers had a little bit of a play in there and like how they weaponized like, uh, BlueKeep and EternalBlue, um, and then, like, you're gonna see like how it was like basically weaponized as a
(22:42):
worm and, um, how it disrupted and how it spread and how it was stopped and um, so there's a lot of really cool lore that can, you can start from there. And then this is since it happened in 2017. This is right before the advent of RaaS, like as ransomware as a service. Right, because before it was like a standalone ransomware. And then you're going to basically start to see the
(23:04):
evolution of like how it became like with GandCrab and with all of these other gangs, like Conti, and how it became, um, like an actual business model, um, so it's um. It's definitely where I would start, yeah.
Pedro Kertzman (23:21):
No, that's awesome and and you're talking about, you're just talking about business model. One thing that people don't realize there's a whole lot of. You know those gangs. They will try to hold their word. So it makes sense to people to keep paying them because they know they were gonna get the decryption keys and all that.
(23:42):
So they're quote unquote trusted. But now we have, you know, triple extortion or I heard, quadruple extortion and all that. So it's kind of a. I hope that people at some point will realize they might not be as trusted as they thought in the beginning. Uh, any like other you know scenarios like gangs are trying
(24:02):
to squeeze as much as they can from the same victims could be on this, you know, this same moment in time or down the road, yeah.
Tammy Harper (24:12):
So this is again, it's it's going to the point where it's getting really hard to to monetize this, and this is good. That means that law enforcement, uh, is disrupting this effectively, uh, but we're nowhere near winning the battle, right. We're winning small battles. We're seizing some domains, we're seizing some infrastructure, but the war is not over.
(24:33):
So what these gangs are doing is they're always trying to innovate. How do we extort more money? How do we put more pressure on victims? For example, there's one gang, again go back to the example of Killen or Qilin. So how, they are trying to figure out how to adjust this
(24:54):
problem from their perspective. Is they because, right now, like, they're telling new affiliates, like the new recruited affiliates, that they're going to like they get paid well one out of 20 victims and paid well isn't, is like, regarded as six figures, right,
(25:15):
that's a six figure ransom, so it's getting, it's like, so that means that you have to, you have to attack 20 victims to get, hopefully, get paid well on one and you might get a few thousand on a couple of different ones, but like it's definitely way down from what it was before. Now this is one group and what they're doing to, to to address
(25:36):
this and put more pressure is, Qilin is essentially saying, like we have a team of lawyers on hand that can help you assist during negotiations, and they can essentially, like, tell you what you have like, what type of data that you have, what type of regulatory bodies that you can contact to put more pressure
(26:00):
on the victims. Because we saw, like ALPHV and BlackCat do this in the past, where they were basically talking to the SEC and saying like hey, this victim did not disclose that they were breached. But now we're also seeing this with Anubis. Anubis is doing this with, like, Australian regulatory bodies
(26:20):
and European regulatory bodies. So Qilin is basically taking a page out of that playbook and saying like hey, we can inform you on what to do with this and actually have lawyers. Through your points. Exactly, they're going to have more manpower to essentially go
(26:48):
through the data that was stolen and start calling the victims and calling the clients of the victims. So this is going to be more of like a supply chain attack where they can basically start to say like hey, this person or this company was breached, we have your data, now we want you to pay us, or they have to, or you tell them to pay us.
(27:09):
So they're going to be trying to put more and more pressure and having, like some, like call center in Kazakhstan or something like that, or in Russia, start making these calls. Right, so, or like anywhere, really, it's really difficult, and so you're trying to put more and more pressure on people.
Pedro Kertzman (27:28):
So they're basically scraping the data they are exfiltrating to try to find from there their next victims. That's crazy. Yeah, it's happened before.
Tammy Harper (27:39):
And also there's groups like, for example, Global, which I mentioned earlier. Global is also rolling out AI-assisted negotiations. And so because before it was really really interesting to see like the psychology models between the negotiator and the
(28:03):
attacker and essentially China talked to the attacker and say like hey, I need more time, because that way you can talk with your board and all of the people, your insurance companies and all that stuff and your recovery teams, and trying to delay and stall so that you have a better understanding of what's happening during your incident response.
(28:23):
But now, because these are models that threat actors are using that are specifically trained on this type of data, because they have all the data, they're like no, like you're not going to stall us, like we and the uh. It's getting harder and harder to negotiate, right, and it's forcing a lot more companies to just get published right away,
(28:45):
um, and go in and like the. The negotiation periods are getting harder and shorter and uh,
Pedro Kertzman (28:51):
So you mentioned the, the red team on the adversary side and and all that. Do you think it's fair, from what you see from a ransomware perspective, that it's probably nowadays rare, or more rare, to see ransomware straight up coming through an email or something like that, and it's more like a mix of living off
(29:13):
the land or other attack techniques to get a foothold and only then dropping the payload, like how's, like traditional tools, uh, functioning to that aspect, like, is it email still the main thing or not as much anymore?
Tammy Harper (29:30):
So, um, targeted attacks are definitely still, like we're seeing a mix now, right. So every time there's like a big vulnerability, for example, like the SharePoint one or that we just saw recently or right now in the news, there's the SonicWall one, there's always groups that are going to try to race to find a proof of concept
(29:54):
or an exploit or something that a researcher has published somewhere on GitHub or shared on their website, and they're going to try to leverage that, and then, essentially, this is like a one-day or an n-day type of situation where they're going to try to exploit basically those vulnerabilities. Now, a lot of the times, those types of vulnerabilities don't
(30:18):
allow for encryption, just because of the type of access that you actually have to these file servers, and so essentially, it just becomes something like MOVEit, where it's all exfiltration, no encryption, and basically now you're extorting, you're doing single extortion based off of just the data that you have and not being paid off not to leak it.
(30:40):
So, but now also, like going back to phishing, essentially, like we saw a lot of the stuff, it's phishing is still like probably one of the biggest infection vectors that we see today, and what that is is like how that looks like is. It's not the actual ransomware that you're going to get in an email attachment, it's going to be a Trojan, and that Trojan,
(31:02):
essentially, is going to allow the attackers to add you to their botnet. And then they're going to basically allow you to recon into your network and they're going to snoop around for a few days, maybe a few weeks, and try to, depending on the size of your network, and they're going to try to find your company's crown jewels. They're going to start exfiltrating data. Right, they're
(31:23):
either going to do it all at once overnight, or slowly and methodically over a bunch of days, and then they're going to start wiping their traces, right, and then they're just going to deploy the payload. When you see the payload, when you see your systems encrypted, right, it's too late. Like that's the last stage of the kill chain, right, and so
(31:44):
it's not like, that is not like an indicator of compromise, that's an indicator that you have been compromised. So like, definitely start reviewing firewall logs and stuff like that. Another way that a lot of these threat actors are getting access to infrastructure is through social engineering.
(32:04):
Now we see groups like Scattered Spider. Now, Scattered Spider is not a specific group of individuals, it's more a label attached to a loose collective of individuals that operate under similar tactics and techniques and procedures. So but how they, how Scattered Spider usually gains access to
(32:27):
infrastructure is like by leveraging compromised credentials or by social engineering, and they're really good at social engineering and also SIM swapping. For example, there was like a really well-known attack that happened in Vegas a few years ago and how that attack was conducted was
(32:48):
one of the employees was targeted over LinkedIn and essentially Scattered Spider called up the help desk of that company and basically tried to say hey, trust me, I just need a password reset. And it was able to convince the poor tech worker there, the poor help desk worker, to reset their password and this gave
(33:11):
access, the threat actor access to um, to that account and and to the VPN, and then from there they were able to um pivot and establish persistence into the network and start doing a whole bunch of damage. Yeah, no, that's uh.
Pedro Kertzman (33:24):
Yeah, I remember that episode, and but basically from a attack stages type of thing, don't only look for that ransomware being sent anymore on your email, but for early stages of compromise, like you're mentioning the phishing and all that stuff. It's all that they need nowadays to put a foothold and then work their way through, through their network.
(33:47):
When the payload comes it's like you mentioned, it's too late. That's because they were there doing stuff for weeks, months already.
Tammy Harper (33:57):
Exactly. The
longest compromise I've seen,
from initial infection to ransomware being deployed, was a
year.
So the threat actors, and this was like a really, really large
(34:19):
company, the threat actors basically were in
there for a whole year and law enforcement even notified the
company, saying like, hey, we are getting weird metrics
and warnings and notifications from your network
and we've detected, like, Cobalt Strike beacons from your
(34:39):
infrastructure.
Are you aware of this?
Like, what's happening?
And the company was like, oh, we'll look into it, we'll look
into it.
And six months later they get ransomware.
And that's when they actually took things seriously.
Pedro Kertzman (34:53):
Yeah,
unfortunately, that's sometimes.
They need, like, more shocking evidence that things are not as
they should be.
Tammy Harper (35:01):
Yeah.
Pedro Kertzman (35:01):
Okay, and from,
like, I would say you're on, like, an edge on the technology
or research and the things that are happening out there.
Do you find, like, traditional learning sources, or kind of a
need to create your own learning sources?
(35:22):
How are you going to evolve on that role?
Tammy Harper (35:26):
So learning this
is really something that you
have to do hands on, because that's only good for, like,
really, really large companies that need to have or implement
(35:57):
on that framework, because that's how their whole
program and their whole department was built.
Newer companies, right, that you're going to probably be
working in a smaller team, and your job is really, it's
completely different.
Um, it's all about being agile and being able to respond
(36:17):
quickly.
Um, you're usually going to be working with, like, the SOC or,
like, in tandem with the SOC, um, and it's your responsibility
to know, like, it's going to look different for every single
company.
But, uh, a lot of the times, like, you want to know, like, what
type.
Like, you want to know your infrastructure inside out, and
that's why I'm saying, like, if you want to get into
threat intelligence, like, you need to have a background in
(36:40):
other stuff.
Because, like, you need to know the entire infrastructure of
the company and you need to know, like, the version numbers of
things.
Because if you see on a forum someone talking about, oh, I
just wrote this exploit for this, or in a private chat,
or another researcher comes up to you and says, hey, there's
this POC being shipped around,
like, you know right off the bat that that can affect you.
(37:06):
So you need to have, like, that understanding of infrastructure.
Or even, like, if something is just designed a specific way,
because it doesn't mean, like, if you have something in your
environment that is technically vulnerable to an exploit, it
doesn't mean that the exploit can actually be leveraged,
because sometimes configuration will supersede an actual
vulnerable system.
So, like, understanding how your systems are configured and
(37:29):
how your network is configured is really important as well.
So, learning, I never stop learning.
I'm always reading up on, like, CISA, government websites, like
the latest TTPs.
I'm constantly looking at different types of sources.
So, like, the best place to learn
(37:50):
this is, like, talking to other researchers and definitely, like,
trying to get into the more, like, advanced types of learning
mechanics.
So, like, TryHackMe or Hack The Box, things like that.
That will give you a good understanding of how to, like,
establish persistence and what the latest techniques are that
threat actors are doing.
(38:11):
So that will definitely, like, give you a good understanding of
that.
So that's, I try to stay up to date on all of that and
especially, like, all the latest groups and how they're operating.
Pedro Kertzman (38:22):
Yeah, that's
awesome and any like.
Closing thoughts to the listeners.
Tammy Harper (38:28):
I love my job, I
love doing what I do.
It is a very, very fulfilling career and I don't think I could
be doing anything else.
Answer any of your questions and, um, you can also always, um,
(38:59):
uh, check out your local animal shelter and volunteer there.
That's my big thing, and, um, so that way, uh, you can help.
Absolutely, Tammy.
Pedro Kertzman (39:06):
Thank you so
much for so many insights.
Really appreciate you coming to the show and I hope I'll see
you around.
Thank you.
Tammy Harper (39:15):
Thank you very
much.
Rachael Tyrell (39:16):
Bye and that's a
wrap.
Thanks for tuning in.
If you found this episode valuable, don't forget to
subscribe, share and leave a review.
Got thoughts or questions?
Connect with us on our LinkedIn group Cyber Threat Intelligence
Podcast.
We'd love to hear from you. If you know anyone with CTI
expertise that would like to be interviewed on the show, just
let us know.
(39:37):
Until next time, stay sharp and stay secure.
We'll be right back.