Cybersecurity Talk with Andrew Hay: Ransomware: the new frontier in online crime & how to stay ahead of the game

Andrew Hay is an information security industry veteran with experience as a security practitioner, industry analyst, and executive. As the Co-Founder & Chief Technology Officer (CTO) for LEO Cyber Security, he is a member of the senior executive leadership team responsible for the creation and driving of the strategic vision for the company.


In this episode of Cybersecurity Talk, together with Andrew Hay, we are going to be talking about ransomware.

Paula J:

Hi, this is Paula J, delivering Cybersecurity Talk with Andrew Hay. Hi, Andrew, how’s it going?

Andrew:

Pretty good, you?

Paula J:

Perfect. Thank you so much. Thank you for coming to the interview.

Andrew:

No problem, I was in the neighborhood.

Paula J:

Yeah. Thank you.

So a couple of words about Andrew. Andrew is, or was, director of research for OpenDNS. Right?

Andrew:

Yes.

Paula J:

And then you are the CISO of DataGravity?

Andrew:

Yeah.

Paula J:

Perfect. What were you doing at OpenDNS?

Andrew:

I ran the research team there. I had a team of analysts and data scientists that would track exploit kits and malware all over the world because we saw a ridiculous amount of the Internet’s DNS traffic. So it was a great corpus of information to do machine learning and analytics on.

Paula J:

For sure, this is a perfect source for data, yeah?

Andrew:

Yeah.

Paula J:

And what are you doing right now?

Andrew:

Right now, I’m the CISO at DataGravity. So, because we are a start-up, it’s a lot of internal security but also external, customer-facing security. So I wear many, many hats. Anything from research to helping close deals, to helping marketing; it’s different every day. My job is different every single day.

Paula J:

That’s exciting, yeah?

Andrew:

Yeah.


Is ransomware a trend?

Paula J:

Okay. I’ve got a couple of questions to you regarding ransomware since this is one of your subjects. How do you see ransomware right now? Because that was a piece of code that was created a couple years ago and everyone was really surprised that someone can actually ask for money after encrypting a drive and it went through different types of transformations. What do you see as the trend? What is the future actually?

Andrew:

Right now all the quotes and all the stats say that it’s a billion dollar industry. A billion dollar criminal endeavor. It is going to get worse because it works.

Paula J:

There’s always someone to pay.

Andrew:

Like in telemarketing, people wouldn’t do telemarketing if it didn’t work. People wouldn’t send you unsolicited spam if it didn’t work at least some portion of the time. Now that it can be monetized and people will pay it, it’s just going to draw the attention of more organized criminal organizations and they’re going to adopt that. Because, it’s very low risk, there’s no face to face interaction and it’s just completely decentralized. It’s kind of the perfect crime right now.

Paula J:

And basically, do you see some trends in the code? Because I’ve heard that sometimes there’s different kind of samples coming out where you’ve got like personal shaming. Yeah?

Andrew:

Yeah.

Paula J:

This is something, this is the money that you want to pay right?

Andrew:

There’s personal shaming. There’s also almost nods to particular organizations. Like the No More Ransom project, which is a combination of Europol and a bunch of other organizations. There were variants where they were actually called out in some of the file names. It’s not really a, “Hey, thanks, guys.” It’s really a “We know what you’re doing” kind of thing.

Some of the other trends. It became very opportunistic where people would take malware or ransomware and reuse the code and we still see a lot of code reuse. But, it really varies based on how the code is built. So, if it’s an automated code generator where you can just kind of pick and choose what features you want, it could be very advanced, it could be just very simplistic and easy to detect. Then if you throw in ransomware as a service, where you really don’t have to do much of anything, you say, “I’ll give you a share of my funds, build this for me,” and then you deploy it, it’s really become very easy or the bar has become very low to get started in the ransomware game.


The origins of ransomware

Paula J:

Okay. And it’s like all around the world, do you see some areas of focus where ransomware actually comes from?

Andrew:

Where it comes from? There is a lot that comes from Eastern Europe. From China, from North America as well. It’s really where there are surplus developers that have a lot of time on their hands or have this idea that they can make money developing this ransomware. It’s profitable so in some cases you …

Jeremiah Grossman did a great presentation yesterday where he talked about Somali Pirates. They could make $500 a year or they could become a pirate and make $10,000 per attack and that’s very high risk. High risk, high reward where ransomware is very low risk, high reward. There’s been a lot of people talking about how the next blue collar job is software engineering and software development. That’s going to really pave the way for people saying, “I could make a lot of money by being a little …”

Paula J:

On the edge.

Andrew:

Yeah. This big gray area that no one’s going to attack me for or arrest me for.

Paula J:

So isn’t it a conclusion, for example, for cyber units of certain countries that they should do a better job, maybe, on tracing these kinds of guys?

Andrew:

Yeah. They really have to understand the new technologies. There’s a lot of really good information sharing in organizations within Europe and it’s a constantly evolving threat. Just like the police organizations and the law enforcement organizations will make sure that they know what payment fraud looks like from country to country, or wire transfer fraud. They know exactly what’s happening because they’re keeping up to date on that. They have to do the same thing on ransomware. Especially because it is a criminal enterprise and it’s growing in importance. So they’re going to make sure they understand all the nuances of ransomware and its capabilities and where the money’s going. As with any criminal enterprise, you follow the money until you get to the source.

Paula J:

That’s quite a tough task.

Andrew:

It is. It is. But that’s why they got into law enforcement.

Graph theory and data science

Paula J:

Yeah, that’s true. One of your specializations is also graph theory, no?

Andrew:

I don’t know if it’s a specialization. It’s a hobby or a …

Paula J:

That’s a good hobby then.

Andrew:

When I was at OpenDNS, I really decided that I needed to learn graph theory and data science principles so I could communicate with my team and then translate the very technical details to a business audience. I really kind of went head first into learning data science principles and graph theory and it was very interesting. I was always very, very bad at math and I still am, but, graph theory …

Paula J:

That’s why your title of this session is if you’re bad at math.

Andrew:

Yeah. For people who can’t math good.

Paula J:

Yeah.

Andrew:

I found that for advanced data science and advanced analytics and statistics, you do need to know math, but it is relatively simplistic math. It’s not math that you’re inventing on the fly, it’s very logical. There are hard and fast rules and with graph theory, it just makes sense because I’m a very visual person. So, when I can see connections from A to B and then B to C but not C to A, it just resonates with me and I don’t know what it is. It’s funny because I was terrible in art class when I was a kid.

Paula J:

Okay. Okay. But then it turned into a hobby, so. Let’s think about it because graph theory could be used for prediction of different kinds of things. Could we, for example, use graph theory for prediction of subjects related with ransomware, like where it’s going to pop up or what’s going to be the next trend and so on? Could we use it for that?

Andrew:

Yeah. When I was at OpenDNS, we used that quite a bit for tracking botnets and exploit kits. And ultimately, the end dropper for ransomware, but you need to have a large corpus of information in order to actually mine that data and make those educated guesses and those predictions. So, you can graph everything together but you still need to have a base set of knowledge that you can draw from in order to connect all the dots.

Paula J:

And there are not many companies in the world that actually have a great set of data.

Andrew:

No, there’s really a handful. You could probably count on both hands how many companies see that much traffic or have that much data. A lot of them are so customer-centric that all of their data is associated with just their customers, so you have to make a lot of inferences and assumptions that your results apply to the greater world as it stands. You’re taking a leap of faith there; it’s not as scientific as if you had all of the information, obviously. But, you can take samples of the data and make reasonable assumptions.

Contribution to overcome ransomware

Paula J:

Okay. That’s cool. And what if someone, for example, that is at the very beginning of their career, wants to be, for example, a ransomware analyst or contribute to the world, in general, in order to help our world not to be vulnerable to ransomware. What would be your advice? Where to look for information?

Andrew:

Really, the best way to learn how to deal with ransomware and malware, in general, is to use a home lab and see what happens when you detonate malware, even in a controlled environment. Then you can see exactly what hooks there are, what files get encrypted, what other indicators are dropped, and then see what the steps are and then just go back and just do it again and do it again. And install monitoring tools. There are plenty of forensics and incident response monitoring tools that, when you execute code, will show you what’s going on.

From there, you can start detonating them in sandboxes. Cuckoo Sandbox is probably the number one, I would say; it’s the number one hobbyist and threat analyst tool out there for analyzing malware dynamically. You just throw it in there and see what comes out the other end. Once you get very familiar with that, the next logical step is learning how to reverse engineer malware.

There are several online sources where you can get that information and that step you through some of the basics. Once you start reversing and stepping through pieces of malware and finding the passwords to decrypt, or stepping over things and getting encryption keys, you think like you’re the king of the world at that point. Because I can do anything now. I’m the master of this piece of malware and it’s very satisfying to know that you can defeat something that’s going to defeat you.

Paula J:

You can see the end. The end is understanding. Like a long or short term project, you can see what’s going to be the success at the end. So that’s very rewarding.

Andrew:

And with time and repetition, you become very adept at analyzing malware very, very quickly, so based on what files it encrypts or what domains it calls out to and the frequency at which it calls out, you can say, “Yeah, I know exactly what type of malware that is. I know exactly what is going to happen when I double click and it executes.”

A word about reverse engineering

Paula J:

I had an interesting question because we do a little bit of malware analysis, our team. One of the guys said, “Don’t you think that what you’re doing is illegal? Because you’re doing reverse engineering and you have to have the agreement of whoever writes the software in order to analyze it.” And we’re thinking, “Hmm, that kind of makes sense, but on the other hand, will a malware writer give you that license?”

Andrew:

Yeah. You don’t really get an end user license agreement when you go to install malware.

Paula J:

No.

Andrew:

I would say that that definitely falls into the gray area but leaning more towards the white side as opposed to the dark side.

Paula J:

Yeah, it’s more in this direction.

Andrew:

Hacking, in general, is not malicious. It’s to gain knowledge and that’s what you’re doing. You’re gaining knowledge of how something operates in a controlled manner and it’s not harming the world by doing what you’re doing.

Learning about security: where to start? A piece of advice from Andrew Hay

Paula J:

Absolutely. And what about graph theory? If someone wants to jump into the subject, what would you recommend?

Andrew:

The way I started was probably a very trial-by-fire approach where I went to Coursera. Coursera has a number of great online courses in data science and it will step you through the various pieces and really work you up. It’s not going to focus on graph theory, but there are follow-on courses that will direct you towards graph theory. Probably one of the easiest ways to really get into using graphs in a security context is using Maltego.

Paula J:

Oh yeah, of course.

Andrew:

Because you can download that for free. You can make those associations and then start enriching the data as you go and you’ll see how the graphs build themselves out.

Paula J:

And there’s also a free edition of it, yeah?

Andrew:

Yeah.

Paula J:

So whoever wants to start, it’s a perfect place to start from, yeah?

Andrew:

Yeah. Exactly.

Paula J:

That’s a good suggestion.

Andrew:

And it’s visual.

Paula J:

Yeah, and it’s visual, definitely and there can be a little bit of math underneath but still, it’s visual.

Andrew:

Yeah.

Paula J:

Cool. Okay guys, let’s summarize. We have talked about ransomware and ransomware trends. What is next? What is important to know? What are the areas, and why do ransomware writers do what they do? And we have also discussed graph theory as one of the interesting subjects that you do, yeah?

Andrew:

Mm-hmm (affirmative)
