Cyber Daily has a friendly chat with ThreatLocker’s CEO and co-founder about the company’s new Brisbane office, the crossovers between ransomware and start-up culture, and how to ready your workforce for the inevitable.
Cyber Daily: Let’s kick off with the Brisbane office, which opened in September – why now for ThreatLocker to open an Australian office, and why in Brisbane?
Danny Jenkins: Australia’s actually our second-biggest market globally, which is quite surprising.
It’s not Canada or the UK or somewhere like that. Because of the Essential Eight and the mandate for application control, essentially, it’s allowed ThreatLocker to grow exponentially in Australia, even before we had a presence here. We did hire our first Australian employee, I think, nearly three years ago, and they happened to be in Brisbane.
And then it seemed that everyone we hired after that was in Brisbane. Now we are, I think, coming up on 20 employees here. So we need to get more control, and we need to grow. So we’re hoping to be adding at least another 20 over the next 12 months.
And it seemed like Brisbane was the place, because that’s where we’ve got employees currently, of course.
Cyber Daily: Is it purely the Australian market, or is ThreatLocker servicing the region from that Brisbane office?
Danny Jenkins: We do quite a lot of business in New Zealand as well. So, New Zealand will also be served from that office, and the general area, but I guess Australia [and] New Zealand tend to take up most of the area. We do get some of the Middle East as well. We technically have an office in the Middle East, but we have more engineers in Australia. So the Australian engineers serve the Middle Eastern market.
Cyber Daily: That makes a lot of sense – but now let’s move to cyber crime. In the past, you’ve compared ransomware-as-a-service operators to the way start-ups build. Can you expand on that a little more?
Danny Jenkins: Essentially, if we think about how cyber attacks are happening, it used to be some guy in the basement who wanted to show that they could write malware. If we think about the Love Bug virus or the Blaster virus, back in the early 2000s, that malware was really just to show Bill Gates that he should be focusing on fixing his software rather than making money. And that was the reason the malware was created.
Today, malware is created with the intent of making money, and in order for a business to make money, any business, there’s more than one role. It’s more than a case of, “Hey, I want to write a piece of malware” and send it out … You have to profile your target. So essentially, the way these guys work is they prospect; they go out and say, “Who are my targets?” and then they’ll send emails out to thousands of people, and then they’ll get a few different bites, and then they’ll push them into the pipeline, they’ll gain access to their machines, and then they’ll eventually encrypt and steal their data and start demanding a ransom.
All of this requires different skill sets and different people, from the people doing the research to find open RDP ports, or someone who’s going to click on an email, right up to the attackers, who are the people who are actually collecting the money at the end of the day.
And so successful ransomware operators tend to be larger organisations, or sometimes start-up organisations, but they’re organisations with multiple departments, and they run like a business with quotas and targets.
Cyber Daily: How big are some of these operations? I mean, how many warm bodies are we talking about?
Danny Jenkins: Oh, the biggest ones are thousands of bodies, and sometimes they’ll trade data. So we think about ransomware-as-a-service: you can buy things like Cobalt Strike, which will often get used, but that’s not necessarily intended to be used as ransomware. But you’ll see malware that was created and guarantees avoidance past antivirus, and they’ll go off and sell just that component.
And then you’ll see groups that actually just string the whole lot together and deliver it. And sometimes, you’ll see someone who will gain initial access and then sell that access on. So they won’t actually deliver ransomware – they’ll deliver reverse shells via people opening emails, or they’ll scan the world for open RDP ports, and then they’ll sell access to a big organisation.
The problem is, if you’re in the US and you’re going to try and extort someone, or you’re in Australia and you’re going to try and extort someone, you’re probably going to go to jail. But if you just sold that access for $5,000 or $10,000 and then someone in Russia does it, it makes it a little bit harder to track back to you.
Cyber Daily: What kind of process does a prospective affiliate or RaaS operator go through to be accepted? I imagine it’s not as simple as just going, “Hey, can I buy some malware?”
Danny Jenkins: Yes, in many cases it is.
A lot of this gets traded through the dark web. There are more complex, bigger business relationships, but a lot of it would be, “I want to buy this”, or “I want to sell this”, and you can go on the dark web, and you can buy ransomware, and you can buy access to systems, and then you could deliver the attack just by initially using bitcoin.
Cyber Daily: So it really is that simple? I could effectively find one of these operators, have the money, get access to the malware, and that’s it?
Danny Jenkins: You just download the Tor browser, get on the dark web, and you can start getting access to the malware and delivering ransomware.
And part of the fear we have as well now is that the world has changed. Five years ago, you had to be pretty smart to be able to do this stuff. You have to be pretty smart to write malware. You have to be pretty smart to deliver malware, to create campaign emails.
Now, AI is making it so easy. You’ve got 6 billion people on the planet that can suddenly deliver ransomware campaigns, and they don’t even have to have any experience in this.
Cyber Daily: That’s a sobering thought.
Often, when we look at these ransomware groups, you know, your Dragonforces, your Akiras, what have you, it’s easy to think that these are defined groups of people. Is that really the case? Or are there more porous lines between all these groups and affiliates going back and forth, and people being part of one group and part of another at the same time?
Danny Jenkins: So the groups we hear about tend to be … They are defined people. They’re bigger groups, and they tend to be the people delivering the attack, like the last point, if you like, as there are lots that might be buying data from other people. They might be trading access with other companies, but they tend to be defined, and they tend to be hidden behind extradition or non-extradition treaties and harder to get access to.
Cyber Daily: You mentioned earlier that these operators will go out and they’ll look for prospects. Something I’ve always thought I understood was that a lot of these operators look for the low-hanging fruit. But I do definitely see trends among ransomware operators, and RaaS operations as well, that they seem to go through a phase of ‘now we are targeting this industry. And now we are targeting that industry.’ Is that the case?
Danny Jenkins: So here’s the thing – small businesses very seldom get reported on when they get hit by ransomware, and that tends to be 99 per cent of the ransomware attacks. It’s not MGM or Colonial Pipeline or massive organisations. It’s smaller businesses.
The reality is, obviously, that doesn’t make the news, and how they’re targeting often depends on who they’re going after. If a ransomware group’s going after, say, MGM – obviously one of the bigger ransomware attacks we’ve seen in the last few years – they’re probably spending a lot of time researching and figuring out who the people are. They did some voice phishing, so they’re using AI to copy people’s voices.
If they’re going after a small business, they’re more likely to send 10,000 emails out to small businesses. They’ll get a 1 per cent open rate, and then they’ll get 0.1 per cent access, right? And then at that point, it’s kind of like any marketing: you’ve got a prospect, you show someone a social media ad, and they hover over a video, and then you start feeding them ads, which is what all companies do.
But then you have a ransomware group. They’re essentially doing the same thing. They’ll do email campaigns or do social media campaigns. They’ll gain initial access, and once they gain that initial access, then it becomes a case of … Let’s go! We’ve got someone interested. Let’s quantify. Let’s see if they have any money. Let’s see what we can actually steal from them.
Cyber Daily: So what can a business do, given the way these guys operate? Is it a matter of just really making sure that not only are your systems secure enough, but also your staff are educated enough? Because I imagine the point of failure is often someone clicking on the wrong link.
Danny Jenkins: Absolutely.
I think the idea that we can train employees to make a significant enough difference is kind of naive. And I say that as we train all of our employees; it’s required for compliance. And we see training reduces the likelihood of clicking on a link by 10 per cent, 20 per cent, 30 per cent … But it’s still quite significant.
I spent many years as an ethical hacker, and I knew if the company had 100 employees, you’re guaranteed to get in, because 10 of them are going to click on the link. So what companies should probably focus on is assuming that people are going to make mistakes, and making sure that those mistakes aren’t fatal; some of this is really basic stuff, like users shouldn’t be able to run untrusted software on their machine without approval from the business, without approval from the IT team.
So if you stop a user running untrusted software, it means they won’t be able to download a piece of malware, a remote access tool, or something like that. Users aren’t going to put their passwords in a phishing link to some website. But at some point, it’s going to happen. But if we have two-factor in play, those passwords become less usable.
I’m not saying you shouldn’t do training at all. I actually think we should do less training, because when we overtrain people, they tend to forget 90 per cent of it – I would actually focus on the high-intensity training; I’m just going to tell you five things that are most likely to make a big difference.
But I think businesses should be focused on putting controls in place that actually make it less relevant when people do make mistakes.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.