Learn How Ransomware Affects Government Agencies In This Active Cyber™ Interview with Jason Baker of GRIT

July 10, 2024

I like returning each year to the AFCEA Technet Cyber Conference as it always has a lively exhibit hall and interesting panels and discussions. It is also focused quite a bit on government issues and solutions, although not exclusively, as members of the IC, DoD, and other federal agencies provide their insights into the trending cyber issues of the day. As a member of the media, I sometimes receive requests for interviews and this year I received one from GuidePoint Security for Jason Baker, a senior member of the GuidePoint Research and Intelligence Team (GRIT). After doing a little research on the company I was excited to see them positioned to help on defending and mitigating ransomware attacks. I have been interested in learning how ransomware is affecting federal agencies, or government in general, so I was happy when Jason accepted my invite to do an interview / podcast. So you can listen to our interview at this link, or you can read it below and learn a little more about ransomware and how it affects our government agencies.

Spotlight on Mr. Jason Baker

» Title: Senior Threat Intelligence Consultant, GuidePoint Security

» Website: https://www.guidepointsecurity.com/grit/

» LinkedIn: https://www.linkedin.com/in/jasonbaker0111

Read his bio below.

Chris Daly, Active Cyber™: Tell me, Jason, as we get started, a little bit about GuidePoint Security, some background on yourself and your role at GuidePoint Security.

Jason Baker, Senior Threat Intelligence Consultant, GuidePoint Security: Thanks for having me here to discuss GuidePoint Security. I’m a senior threat intelligence consultant on GuidePoint Security’s research and intelligence team, what we call GRIT. A lot of what I focus on is helping clients to mature and develop their threat intelligence program, integrate it more effectively with their security operations teams, and the like. But we also provide as-a-service offerings for threat intelligence feeds, threat intelligence program management, and exposure management. On top of all of that, we also have a recurring ransomware report that we put out monthly, quarterly, and annually, as well as some independent threat research that we get to do. That’s a lot of fun – trying to shed some light on what the latest trends are in the threat landscape and what that means for our clients from a vulnerability and a threat perspective.

Active Cyber™: Well, as you’re obviously aware, ransomware seems to be the thing that everybody’s kind of scared of these days. It makes it into corporate board discussions regarding risk and cyber these days. And so I guess I’d like to understand, based on your experience and the visibility that GuidePoint Security provides, is how the ransomware threat landscape is changing today?

Mr. Baker: Yes, good question. There’s a couple of ways that the ransomware threat is evolving. Most recently, and what’s been getting a lot of attention, has been the impact of law enforcement disruption operations on some of the largest players in the space. So amongst ransomware-as-a-service groups AlphV, spelled A-L-P-H-V, also known as Black Cat and Lock Bit, were the longest running and probably most prolific ransomware-as-a-service groups out there. And what we’ve seen is AlphV exiting the scene via an exit scam a couple of months ago, and really substantial impacts on Lock Bit as a result of Operation Cronos, which was a multi-national law enforcement operation. And the result of these events is these large stables of experienced ransomware affiliates are now facing a crisis of confidence in the core group that they’ve supported for a long time or they have to find a new home – i.e., if you are affiliated with AlphV and you’re no longer working for them, you have to find a new place to go. So we’re paying a lot of attention to where some of these affiliates end up, either by choice or by being forced to move. And an example of that is Ransom Hub – what would otherwise be a relatively unknown and more recent entrant amongst competitors in the ransomware space is performing at a very high level, which is unusual. And we’re attributing that at least in part to some of those displaced affiliates.

Active Cyber™: Interesting. So you can’t really get rid of ’em. The law enforcement actions just kind of scatter them and reduce their impact for a while, and then you have to wait and see what happens again.

Mr. Baker: Right. That’s one of the big troubling issues of the ransomware-as-a-service ecosystem. Even when you’re taking down the core group and a lot of its infrastructure, you still have all of these affiliates that can pick up and go to wherever they please.

Active Cyber™: So are you seeing any impact due to AI in ransomware types of attacks?

Mr. Baker: We’re not seeing AI guiding the intrusion process or being adapted really successfully by threat actors. But one area where we do see that we’re concerned about AI is in enhancing the credibility, believability and apparent authenticity of things like phishing emails. Phishing and adversary in the middle attacks are commonly used to gain valid credentials for initial access as part of a ransomware intrusion. Prior to the introduction of AI to phishing attacks, many of the phishing emails are really inauthentic looking. They’re not believable, and a well-trained eye can spot them and say, this is off. There’s a spelling mistake, there’s a grammar error, or something like that. AI and similar tools can make those phishing emails more believable for non-English speakers or for threat actors that are trying to convince and trick a victim or a member of an organization that’s being victimized. So we do see that as being a current use case for AI, but throughout the duration of the kill chain, it’s not something we see a lot of use by threat actors.

Active Cyber™: Interesting. Okay. Do you expect that you’re going to see more use of AI in the near future as these threat actors gain more confidence in using AI?

Mr. Baker: I think what we’re most likely to see is continued reduction of barriers to entry due to the adoption of AI. And what I mean by that is that the first wave of ransomware was in-house and insular and that it required threat actors to be really well-rounded technical experts in everything from the encryption to the actual intrusion exploits in terms of hands-on keyboard aspects. That changed when ransomware-as-a-service came along because you could sort of split up the different responsibilities with different people being different experts in different areas. Now what AI can do is make it easier for somebody with a lower level of technical skill to perform ransomware operations in almost like a playbook manner because you don’t necessarily need to understand what everything in the ransomware life cycle is doing. If you’re able to get answers by Chat GPT, for example, you don’t need to spend as much time troubleshooting why a script might not be working. I do think that is something that we’re likely to see more of in the near term.

Active Cyber™: So does Ransom Hub and their new affiliates pose threats to defense and federal agencies today?

Mr. Baker: So that’s a bit of a complex question. Obviously they’re going to continue posing a threat, but I have to caveat that by saying we don’t observe a lot of successful ransomware attacks against federal and military agencies. The notable exception is last year there was an alleged successful ransomware attack against the US Marshals. Nobody ever claimed that attack, but it ostensibly happened. One of the difficulties in tracking these incidents is that to be aware of some of these attacks in the wild we’re dependent to some extent on them being posted on data leak sites by these ransomware groups. And federal and military agencies, at least in the United States, are not frequently popping up on these leak sites. What is popping up there in terms of governments are state and local governments and their associated institutions such as healthcare or education. Those organizations are a prime target for ransomware groups right now.

And just assuming that the question is why are these federal agencies or military agencies not being hit more frequently? There’s a couple of different possibilities there, including first and foremost, the federal government has a very good history of standardizing its security standards, of enforcing standards that everybody has to adhere to, and that can help from a defensive position. In addition, an attack on a federal or DoD organization attracts a lot of unwanted attention to the attacker. What we saw with Lock Bit most recently was a group that was very loud and made a lot of noise and impacted a lot of people, and that brings law enforcement pressure, that brings pressure from the intelligence community, and from multi-national efforts. There’s little incentive to target federal and military agencies that are going to attract that kind of attention while at the same time they’re less likely to actually pay a ransom than say a private sector organization. So there’s a couple of possible explanations there to tie that back into my overarching answer of why we don’t see a lot of successful ransomware attacks against that particular sector. It’s a large problem for state and local. Absolutely. But not so much at the federal level.

Active Cyber™: But we heard at the recent TechNet Cyber Conference [June 2024] that there are attacks, maybe not ransomware attacks going on against these agencies today. How are they different from the ransomware attacks? How would you characterize those types of attacks then?

Mr. Baker: Right, and I will take care to sort of clarify there. Just because we’re not seeing successful ransomware intrusions doesn’t mean that there aren’t efforts to attack and to impact networks in federal and defense agencies. It’s just not getting to the point where encryption is taking place, exfiltration of data is taking place, and a ransomware actor is able to necessarily claim that as a successful attack. Now, outside of ransomware there’s a couple of different threats ranging in sophistication and impact level. For example, hacktivist groups, which may be interested in exfiltrating data, hacking and leak operations, ostensibly for ideological purposes. Think back to anonymous, or in the modern day you’d see groups like Ghost Sec. These are often a little bit less sophisticated, focused on grabbing whatever information they can and often exaggerate the extent of any access that’s obtained. Now, if you’re to step further to the right in terms of sophistication, you have your state-sponsored advanced persistent threats – your government-sponsored or sanctioned or directed threat actors that are performing different types of operations for the interests of that government.

And that can range from staging for future military operations, say, infiltrating a water plant or a power plant or something like that. Not necessarily to take something offline now, but potentially to do something in the future. Or there’s the more traditional route of intelligence collection breaking into a network with the intent of compromising sensitive information, stealing intellectual property or sensitive secrets or anything of that. And those are often far more advanced, more customized, more persistent, and they have the benefit of state money behind them. So those are probably the biggest and most relevant threats in the defense and federal sectors.

Active Cyber™: I tend to agree with you on that. At the Technet Cyber Conference, we heard a lot about supply chain attacks and protecting the defense industrial base as they’re somewhat the Achilles heel to the military and other government agencies that deal with them because they may not be as well defended, so to speak, as some of the military and government agencies themselves.

Mr. Baker: That’s an excellent point, Chris. It brings to mind, it’s not necessarily that hacktivist, but there’s also onesie-twosie threat actors out there that sometimes just try to grab whatever they can and post it up either for sale or for clout. And there’s been a couple of those in the past year that have claimed to have breached sensitive government information or classified information and posted that up on any number of illicit forums. What we found is that while the nature of that access may be a bit exaggerated or a bit played up, most of the time this is appearing to come from those third parties that may have access to government information or government networks. These organizations are less well secured, less poised to detect and respond to an intrusion like that. So think your defense contractors, think tanks, and the like where they’ve got access to government secrets, but they’re not the actual agencies themselves.

Active Cyber™: So let’s talk about cyber defense for a minute. We’ve got ransomware attacks. You’ve mentioned some of these other more direct attacks. There’s supply chain attacks. Where should the military, where should government agencies or where should companies in general look to invest to best defend against these different types of attacks? And obviously maybe the investment may be different depending on the type of threat that you’re looking at, but can you walk through a little bit of that for me?

Mr. Baker: Absolutely. As far as where to prioritize resources, a lot of that’s going to come down to where an organization already is in terms of their defensive maturity. So the advice that I would give to an up-and-coming defense contractor that’s trying to make a name for itself and is building its business is obviously going to be different than say, a federal agency, which already has a well-established and robust security program. So starting from the ground floor it’s important to recognize that a lot of these attackers are opportunistic in nature. And so where we typically recommend starting is with making sure everything is set up well, configured well, and the best security practices are followed. This includes segmenting your network, to implementing least privilege, to architecting a layered defense in depth approach to security. And we believe that the majority of attacks, not the most dangerous necessarily, but the majority of attacks that organizations are going to face on a daily basis can be successfully mitigated through these best practices in security.

So we recommend starting there and once that’s well in place, there’s a couple of other areas that we like to recommend focusing on. Vulnerability management is a big one. In recent years, we’ve seen increased willingness and ability to adopt exploits of emerging vulnerabilities as a means to kick off or enhance an intrusion, A robust vulnerability management program fed in by vulnerability intelligence is a really good way to help shut down some of those access vectors and some of those threats early on in the process. And then I’d say another big thing that I’d highlight would be your incident response planning, not just making sure you have an IR plan, but also that you’ve drilled it well, that you’ve rehearsed, that you’ve practiced through tabletop exercises and the like. That’s really going to speed up your response time and speed up your ability to recover from an incident or an intrusion.

A lot of the times what we found are organizations that have a notional IR plan, but they’ve never really practiced it to identify what their gaps might be or where they may not be functioning as designed. And I suppose finally, foot stomp, [this may tie into my earlier piece on security fundamentals] is user education. For some organizations this may stop at phishing education – oh, here’s what phishing emails look like. That’s a great place to start, but we’re continuing to see evolving trends and evolving tactics from threat actors that are directly impacting the frontline worker from business email compromise to QR codes that are smuggling malicious URLs. These are all things that the actual user has to adapt to and that we need to prepare them for so that they handle it correctly and so that they’re reporting it to the security team who’s able to detect and react a little bit faster.

Active Cyber™: Yes, I agree with everything that you mentioned there too, but I’d like to add one question about that. One of the things I found was that user education was important, but I also thought that simplifying security was needed too, which means making it simple to understand what security configurations are all about. For example, if somebody wanted to configure their personal firewall. It seems this type of knowledge is out of reach for your typical user. You kind of have to be a specialist in order to be able to do some of this stuff. And it would seem to me AI could play a role in how to do that transition from a kind of regular user to becoming more of a power user that can actually do something with their own personal security tools.

Mr. Baker: Yes I think that’s a good point. I think that if you were to combine something like that to make your content more accessible and couple that with making it a more recurrent presence as well for folks, it’s just that, oh, here’s my annual phishing thing. I click through it and I get done right. Really creating a culture of security and making materials like what you’ve described there, more present and available, I think that would go a long way as well. So it’s less of an afterthought that comes to the front of mind once a year and more something that we’re periodically revisiting a skillset that we’re honing even at the user level.

Active Cyber™: Yes, exactly. So now you mentioned some of these security fundamentals and other things like that. Obviously they apply to the IT world, but what about the OT world, the operational technology or the internet of things, or even autonomous systems like autonomous vehicles? Do these fundamentals change? How do things work in those environments? Or do they change in terms of the threat model and the things you got to pay attention to?

Mr. Baker: I’ll preface my answer by caveating that I’m not by any means an OT expert. We do have a team of OT experts in our newly formed operational technology practice that could probably give a more in-depth technical answer than me on that. But what I will say is that OT is very unique in the challenges that it presents. We see this comes up a lot in manufacturing environments and places that have a heavy dependence on OT environments because of the way they’re, the word that I’m looking for here, they’re, because of the technology that’s used and it’s sort of niche focus, you see a lot of out of date technology and you see a lot more complications in patching vulnerabilities. This means that you may see manufacturing plants or OT environments that rely on very dated, very insecure technology that if an attacker were to gain access to, it’s pretty much a playground.

Now, in most cases, this shouldn’t in any way be exposed to the public internet or become attackable, but there are instances where it does end up that way. There were a couple of defacement operations from a hacktivist group, but probably a nation state sponsored group, a series of water plant interfaces that were accessible over the internet, for example. Shouldn’t have been connected that way. But when people make mistakes or there are errors in configuration like that, it does open them up to some impacts. One of the bright sides there is that most threat actors are not overly familiar with those niche OT environments. A prime example is there was a hacktivist group that was routinely getting into a water plant and similar critical infrastructure environments. But once there, they were sort of just clicking around and they weren’t able to do any real damage because of safety controls that were in place. I think learning from those thankfully minimally impactful incidents before threat actors and nation states become more comfortable and capable of exploiting those, and, hardening those environments before that happens is going to be critical. And OT’s problems been getting a lot of attention from government and security vendors alike.

Active Cyber™: I guess in a way, AI could help attackers by making OT environments simpler for them to understand and then being able to exploit them easier.

Mr. Baker: Oh, I hope not. I hope not. I hope that they don’t listen to that and take you up on that idea.

Active Cyber™: I do too. Our nation’s defense really depends a lot on that critical infrastructure, and that subject also was brought out quite a bit during the recent TechNet Cyber Conference. The federal government and the military seem to be pretty worried about vulnerabilities in the CI as an Achilles heel to their cyber defenses.

Mr. Baker: I’m comforted somewhat by the fact that it is getting a lot of attention, with CISA putting out specific OT vulnerability and technology alerts. As you mentioned, the federal government is taking it very seriously and I think that the reason behind that is less from a “oh no information breach” perspective, but because of the amount of damage that those kind of compromises could lead to in a wartime scenario.

Active Cyber™: So back to ransomware for a minute. So pay or don’t pay. I mean I’ve been hearing that the government says don’t pay, don’t pay, but you can only put up with being down so long before you need to do something. So what percentage of victims actually do pay? Do you have thoughts on that?

Mr. Baker: I would like to point out that this is something that we at GRIT [GuidePoint Security Research and Intelligence Team] have a lot of experience with because one of the functions we provide along with our DFIR [Digital Forensics and Incident Response] team is ransomware negotiations or threat actor communications. So if a business unfortunately finds themselves the victim of a ransomware incident, they want to communicate with a threat actor, negotiate down to a price if they’re willing to pay, figure out what happened and understand the threat actor a little bit better. I think we’ve seen a big shift about how the government communicates their stance on this. In recent years, I know there was a big focus on “don’t ever pay” the threat actor, you’re propagating the problem and you’re encouraging it. I think this stance discouraged people from reporting to the FBI for a couple of years.

To get back to your question about how frequently people pay, there’s varying numbers out there, but the general consensus seems to be somewhere in the 50/50 range going up or down, depending on what industries you’re looking at and what the circumstances are. We look at it as a business decision and we don’t support or otherwise discourage payment to ransomware actors. It’s wholly a business decision based on the degree of impact and viable alternatives. So most of the time if you’re just looking at data has been exfiltrated, but nothing has been encrypted, you’re less likely to see payment. If you have data encryption and there’s no backups to restore from, there’s no recovery option that’s going to be viable for some businesses. Making that payment is the difference between their business having to fold and continuing to operate in the future.

So we talk with each customer that’s impacted to understand what those different level of effects are and walk them through what payment might look like and where it might be feasible or a good idea versus when it might not. There’s always the risk with any criminal actor that you pay them and they don’t make good or the provided crypto doesn’t work, or they just disappear and ghost you. And so we also have to communicate and understand that risk when we’re dealing with criminal actors, they are frequently going to behave in a criminal manner.

Active Cyber™: And has it become less predictable now that the two big ransomware players have been taken down and you’ve got all these other affiliate guys scrambling around creating new alliances on the darknet?

Mr. Baker: Yes. Typically what we’ve seen is with the larger and more established groups, they’ve been more likely to adhere to their “promises” of any kind, or agreements that are made, and that’s partly for brand preservation. If everybody knows this is group Lock Bit, for example, and enough people pay Lock Bit and they don’t recover, then future victims aren’t going to pay.

When we’re dealing with less mature ransomware organizations or groups that we haven’t heard of, it’s tougher to have that background and that level of confidence in making good on their agreements. Where we typically see the most backing out of or failing to honor agreements is with those less mature groups, we call them “no name” groups – essentially one-off threat actors or newly emerged threat actors that don’t really have a brand or name that they’re identifying by. We find that problem to be much more common with that type of group. And we published a blog on it a couple of months ago actually on that behavior that we’ve been seeing.

Active Cyber™: Okay. That’s interesting. And along that same line, I have seen some reports that the FBI has had success in getting the keys to unlock some of these ransomware crypto attacks. Is that becoming more prevalent or is it just kind of hit or miss?

Mr. Baker: Yes, so there’s two instances where that’ll happen or where we’ve seen that happen recently. The first being instances where law enforcement is fully taking down ransomware infrastructure, as was the case in AlphV and Lock Bit. Those types of operations are fairly rare, but when they do happen, it’s a big get for the FBI and for the victims that may still be pending. Unfortunately, by the time that they’re getting into that environment and taking it over, a lot of the victims have either already had their information posted or maybe they’ve already paid a ransom. The amount of people that are currently not posted and that can benefit from receiving those keys is pretty low. Where we also see decryption keys becoming available is sometimes in the security research realm from vendors or the like that are able to crack encryption or find some sort of weakness in the encrypter that they’re able to crack.

Avast has done a number of these, and when that happens, there’s sort of two ways that things go. Either the group goes towards just exfiltration only, where they’ll just focus on stealing data and say, fine, if our encryptor doesn’t work, then we just won’t bother encrypting. Or they’ll go back to the drawing board, and they’ll develop a different encrypter that hasn’t been breached. But those are the two main methods by which keys for decryption is available for most people that suffer from a ransomware event.

Active Cyber™: Interesting. I’m waiting to see what happens with quantum computing. If that technology will allow law enforcement or victims to crack those ransomware keys and you don’t have to worry about it so much anymore,

Mr. Baker: That would be great.

Thank you Jason for educating me and my listeners / readers about ransomware attacks and what their impacts have been on government agencies, as well as providing some advice on how to handle these attacks. And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.