Welcome to this CUBE conversation. I'm Lisa Martin. I'm joined by Derek Manky next, Chief, Security Insights and Global Threat Alliances at FortiGuard Labs. Derek, welcome back to the program.

Yeah, it's great to be here again.

So a lot of stuff's happened since we last talked. Derek, one of the things that was really surprising from this year's Global Threat Landscape Report is a more than 10X increase in ransomware. What's going on? What have you guys seen?

Yeah, so this is massive. We're talking over 1,000%, over a 10X increase. This has been building, Lisa. This has been building since December of 2020. Up until then, we saw a relatively low high-water mark with ransomware. It had taken a hiatus, really, because cybercriminals were going after COVID-19 lures and doing some other things at the time. But we did see a seven-fold increase in December 2020. That has absolutely continued this year with momentum. Up until today, it continues to build; it never subsided. Now it's built to this monster, an almost 11X increase from what we saw back last December. And what's fueling this is new verticals that cybercriminals are targeting. We've seen the usual suspects like telecommunications and government in positions one and two, but the new verticals that have risen up into the third and fourth positions following are MSSPs, and this is on the heels of the Kaseya attack, which of course happened in 2021, as well as operational technology. There are actually four segments there: transportation, automotive, manufacturing, and then, of course, energy and utilities, all subsequent to each other. So there's a huge focus now on OT and MSSPs for cybercriminals.

One of the things that we saw last year at this time was that attackers had shifted their focus away from enterprise infrastructure devices to home networks and consumer-grade products. And now it looks like they're focusing on both. Are you seeing that?

Yes, absolutely. In two ways.
So first of all, again, this is a kill chain that we talk about. They have to get a foothold into the infrastructure, and then they can load things like ransomware on there. They can load things like information stealers, as an example. The way they do that is through botnets. And what we reported in the first half of 2021 is that Mirai, which is about a two- to three-year-old botnet now, is number one by far. It was the most prevalent botnet we've seen. And of course the thing about Mirai is that it's an IoT-based botnet. So it sits on devices sitting inside consumer networks, as an example, or home networks, right? And that can be a big problem. So those are the targets that cybercriminals are using. The other thing that we saw that was interesting was that one in four organizations detected malvertising. And so what that means, Lisa, is that cybercriminals are shifting their tactics from just cloud-based or centralized email phishing campaigns to web-borne threats, right? So they're infecting sites, watering hole attacks, where people will go to read their daily updates, as an example of things that they do as part of their habits. They're getting sent links to these sites. And when they go to them, it's actually installing those botnets onto those systems so they can get a foothold. We've also seen scare tactics, right? So they're doing new social engineering lures, pretending to be human resources departments, IT staff and personnel, as an example, with pop-ups through the web browser that look like these people, to get users to fill out different forms and ultimately get infected on home devices.

Well, the home device use continues because we are still in this work-from-home, work-from-anywhere environment. Do you think that's a big factor in this increase from 7X to nearly 11X?

It is a factor, absolutely. Yeah, like I said, it's a hybrid of sorts.
So a lot of that activity is going to the MSSP angle, like I said, to OT and to those new verticals, which, by the way, are actually even larger than traditional targets in the past; finance and banking is actually lower than that, as an example. So yeah, we are seeing a shift to that. And like I said, that's further backed up by what we're seeing with the botnet activity, specifically with Mirai too.

Are you seeing anything in terms of the ferocity? We know that the volume is increasing. Are these attacks becoming more ferocious?

Yeah, there's a lot of aggression out there, certainly from cybercriminals. And I would say that the velocity is increasing, but also the amount, if we look at the cybercriminal ecosystem, the stakeholders, right? That is increasing. It's not just one or two campaigns that we're seeing. Again, this has been a record case this year. Almost every week we've seen one or two significant cybersecurity events happening. That is a dramatic shift compared to last year or even two years ago. And this is because the cybercriminals are getting deeper pockets now; they're becoming more well-funded and they have business partners, affiliates that they're hiring. Each one of those has their own methodology, and they're getting paid big. We're talking up to 70 to 80% commission just if they actually successfully infect someone on that page for the ransom, as an example. And so that's really what's driving this too. It's a combination, this kind of perfect storm as we call it, right? You have this growing attack surface, work-from-home environments and footholds into those networks, but you have a whole bunch of other people now on the bad side that are orchestrating this and executing the attacks too.

So what can organizations do to start to slow down or limit the impacts of this growing ransomware as a service?

Yeah, great question. Everybody has their role in this, I say, right?
So if we look at it from a strategic point of view, we have to disrupt cybercrime. How do we do that? It starts with the kill chain. It starts with trying to build resilient networks. So things like ZTNA, Zero Trust Network Access, and SD-WAN, as an example, for protecting that WAN infrastructure, because that's where the threats are floating to, right? That's how they get the initial foothold. So anything we can do on the preventative side, making networks more resilient. Also education and training is really key. Things like multi-factor authentication are all key to this, because if you build that up preventatively, and that's a relatively small investment up front, at least compared to the collateral damage that can happen with these ransomware attacks, where the risk is very high, that goes a long way. It also slows down the attackers' velocity. It forces them to go back to the drawing board and come up with a new strategy. So that is a very important piece, but there are also things that we're doing in the industry. There's some good news here too that we can talk about, because there are things that we can actually do apart from that to really fight cybercrime, to try to take the cybercriminals offline too.

All right, hit me with the good news, Derek.

Yeah, so a couple of things, right? If we look at the botnet activity, there are a couple of interesting things in there. Yes, we are seeing Mirai rise to the top right now, but we've seen big problems of the past that have gone away or come back not as prolific as before. So two specific examples. Emotet, this was one of the most prolific botnets that was out there for the past two to three years. There was a takedown that happened in January of this year. It's still on our radar, but immediately after that takedown, it literally dropped to half of the activity it had before, and it's been consistently staying at that low-water mark now, at that half percentage, since then, six months later.
So that's very good news, showing that the actual coordinated efforts that we're getting involved with, with law enforcement, with our partners and so forth, the takedowns, these are actually hitting their supply chain where it hurts, right? So that's good news, part one. TrickBot was another example. This is also a notorious botnet. There was a takedown attempt in Q4 of 2020. It went offline for about six months. In our landscape report, we actually show that it came back online in about June this year. But again, it came back weaker and in another form; it's not nearly as prolific as before. So we are hitting them where it hurts. That's the really good news. And we're able to do that through new, what I call high-resolution intelligence that we're looking at too.

Talk to me about that high-resolution intelligence. What do you mean by that?

Yeah, so this is cutting-edge stuff, really. It gets me excited and keeps me up at night in a good way, because we're looking at this under the microscope, right? It's not just talking about the what. We know there are problems out there. We know there's ransomware. We know there are botnets, all these things. And that's good to know, and we have to know that. But we're able to actually zoom in on this now and look in. So for the first time in the threat landscape report, we've published TTPs, the techniques, tactics and procedures. So it's not just talking about the what, it's talking about how are they doing this? What's their preferred method of getting into systems? How are they trying to move from system to system? And exactly how are they doing that? What's the technique? And so we've highlighted that. It's using the MITRE ATT&CK framework, the TTPs. But this is real-time data. And it's very interesting. And so we're clearly seeing a very heavy focus from cybercriminals and attackers on getting around security controls, on defense evasion, on privilege escalation on systems.
So in other words, trying to become administrator so they can take full control of the system. As an example, lateral movement: over 75%, 77, I believe, percent of activity we observed from malware was still trying to move from system to system by infecting removable media like thumb drives, which is still the preferred method. And so it's interesting, right? It's a brand new look at these, a fresh look, but this high resolution is allowing us to get a clear image so that when we come to providing strategic guides and solutions for defense, and also even working on these takedown efforts, it allows us to be much more effective.

So one of the things that you said in the beginning, when we talked about the increase in ransomware from last year to this year, you said, I don't think that we've hit that ceiling yet. But are we at an inflection point? Is the data showing that we're at an inflection point here with being able to get ahead of this?

Yeah, I would like to believe so. There is still a lot of work to be done. Unfortunately, if we look at a recent report put out by the Department of Justice in the US, it says that the chance of being caught for committing a crime in the US is somewhere between 55 to 60%. The same chance for a cybercriminal lies at less than 1%, about 0.5%. And that's the bad news. The good news is we are making progress and sending messages back and seeing results, but I think there's still a long road ahead. So there's a lot of work to be done. We're heading in the right direction. But like I said, it's not just about that. Everyone has their role in this, all the way down to organizations and end users. If they're doing their part of making their networks more resilient by increasing their security stack and strategy, that is also really going to stop, ultimately, the profiteering, that wave, because that continues to build too. So it's a multi-stakeholder effort.
And I believe we are getting there, but I continue to expect the ransomware wave to build in the meantime.

On the end user front, that's always one of the vectors that we talk about. It's people, right? There's so much sophistication in these attacks that even security folks and experts are nearly fooled by them. What are some of the things that you're seeing that governments are taking action on? There have been some recent announcements from the White House, but also other organizations like Interpol and the World Economic Forum's cybercrime unit. What are some of the things that governments are doing that you're seeing that are really advantageous here for the good guys?

Yeah, so absolutely. This is all about collaboration with government. So I'm really focused on public-private sector collaboration. We've seen this across the board with FortiGuard Labs. We're on the forefront with this, and it's really exciting to see. There's always been a lot of will to work together, but we're starting to see action now, right? Interpol is a great example. They recently, this year, held a high-level forum on ransomware. I actually spoke at and was part of that forum as well. And the takeaways from that event were that this was a message to the world that public and private sectors need to work together. They actually called ransomware a pandemic, which is what I've referred to it as before as well, because it is becoming that much of a problem, and that we need to work together to be able to create action against this, measure success, and become more strategic. At the World Economic Forum, we're leading a project called the Partnership Against Cybercrime Threat Map Project. And this is to identify not just all the stuff we talked about in the threat landscape report, but also looking at things like how many different ransomware gangs are there out there? What do their money laundering networks look like?
It's that side of the supply chain to map out so that we can work together to actually take down those efforts. But it really is about this collaborative action that's happening, and it's innovation. And there's R&D behind this as well that's coming to the table to be able to make it impactful.

So it sounds to me like ransomware, for any organization in any industry, and you were talking about the expansion of verticals, is no longer a matter of if this happens to us, but a matter of when, and how do we actually prepare to remediate and prevent any damage?

Yeah, absolutely. How do we prepare? The other thing is that, with just the nature of cyber, there's a lot of connectivity, there are a lot of different things; it's not always just siloed attacks, right? We saw that with Colonial obviously this year, where you have attacks on IT that can affect consumers, right down to consumers, right? And so for that very reason, everybody's affected by this; it truly is a pandemic, I believe, on its own. But the good news is there are a lot of smart people on the good side. And that's what gets me excited. Like I said, we're working with a lot of these initiatives. And like I said, with some of those examples I held up before, we're actually starting to see measurable progress against this as well.

That's good. Well, never a dull day, I'm sure, in your world. Anything that you think, when we talk about this again in a few more months, about the second half of 2021, anything that you predict, crystal ball-wise, that we're gonna see?

Yeah, I think that we're gonna continue to see more of, I mean, ransomware absolutely, more of the targeted attacks. That's been a shift this year that we've seen, right? So instead of just trying to infect everybody for ransomware, as an example, going after some of these new high-profile targets. I think we're gonna continue to see that happening from the ransomware side.
And because of that, the average cost of these data breaches, I think, is gonna continue to increase. It already did in 2021, as an example. If we look at the Cost of a Data Breach report, it's gone up to about $5 million US on average. I think that's gonna continue to increase as well. And then the other thing is, I think that we're gonna start to see more action on the good side, like we talked about. There was already a record number of takedowns that have happened, five takedowns that happened in January. There were arrests made of these business partners, which was also new. So I'm expecting to see a lot more of that coming out towards the end of the year too. So as the challenges persist, so do the good things that are coming out of this.

Derek, where can folks go to get this first half 2021 Global Threat Landscape Report? What's the URL that they can go to?

Yeah, you can check out all of our updates and blogs, including the threat landscape reports, on blog.fortinet.com under our threat research category.

Excellent, I read that blog, it's fantastic. Derek, always a pleasure to talk to you. Thanks for breaking this down, for showing what's going on, both the challenging things as well as the good news. I look forward to our next conversation.

Absolutely, it's great chatting with you again, Lisa. Thanks.

Likewise. For Derek Manky, I'm Lisa Martin. You're watching this CUBE conversation.