The Hacker Mind Podcast: Crimeware As A Service
The LockBit ransomware gang no longer offers just one service, like ransomware, but multiple services, like anti-analysis tools and bug bounty programs.
Mick Baccio from Splunk’s SURGe explains how ransomware gangs are evolving into crimeware-as-a-service platforms, as one stop shop for all your online criminal needs.
[note: this is a machine generated transcript so there may be transcription errors]
Vamosi: In the summer of 2021, the Colonial Pipeline in the US. shut down
PBS: Judy Woodruff: Officials confirm that a Russian criminal group is behind the hacking of a crucial energy pipeline. The Biden administration said it is working with a Colonial Pipeline Company to deal with the cyber hack and its effects. Colonial shut down its pipeline, the largest of its kind in the US, after the company learned it was the victim of this cyber extortion attempt. William Bangham is back now with the latest on that story.
William Bangham: Judy, the FBI said a group known as Dark Side is responsible for this cyber attack, which used what is known as ransomware ransomware is malicious computer code that blocks and owners access to their computer network until a ransom gets paid. Colonial operates a 5500 mile long pipeline that carries almost half the jet fuel and gasoline that's delivered along the east coast. The company has so far refused to say whether it paid any ransom but said it hopes to be largely back online by the end of this week.
Vamosi: The Darkside ransomware contributed to the shutdown of the pipeline, and claimed other victims. Ransomware is not new. With ransomware, attackers encrypt an organization's data and hold it hostage until a ransom is paid. Once attackers receive payment, they are supposed to share a decryption key, enabling victims to recover their data.
In early 2022, the Russian government cracked down on several ransomware organizations, including Re-Evil. It was a limited gesture of good faith. As soon as Russian invaded Ukraine, the criminal activity rose once again. One group was Conti, and internal chats were exposed. What we learned was that they had a very advanced corporation framework, including billing and HR. This was an organization that intended to stick around.
And so there’s now an ecosystem of partners and affiliates that associate with a handful of large ransomware organizations. And these criminal organizations no longer just offer one service, like ransomware, but multiple services. They are expanding, deepening their holds, and increasingly becoming platforms for all sorts of criminal activity. And in a moment I’ll introduce you to someone who’s tracking that expansion and growth.
Vamosi: Welcome to The Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations of people who hack for a living.
I’m Robert Vamosi, and in the episode I’m talking about ransomware, and more specifically about the ecosystem of criminal activity that’s been built up around it as we more toward what some are calling crimeware as a service..
In 2022, Lockbit became the most widely used ransomware. At the time of this podcast, Lockbit accounts for 40% of the ransomware present today and it hits both Windows and Linux machines. And now there’s even a builder kit so that almost anyone can create their own branded version of the ransomware. We know this because there’s a disgruntled developer who leaked the builder to the general public.
Nonetheless, Lockbit has been particularly aggressive, going after a range of targets including local town governments. In the summer of 2022, Lockbit hit the Canadian town of St. Marys, Ontario, leaving the some 7,500 residents without government services. And Frederick, Colorado, a town roughly twice the size of St Marys, had the same thing happen.
Using the motto 'Make Ransomware Great Again,' new versions of LockBit are adding new features such as anti-analysis, new extortion methods, and even a ransomware bug bounty program. And Microsoft is investigating reports of a new zero-day bug being exploited to hack Exchange servers which were later used to launch Lockbit ransomware attacks.
This expansion of Darkside, Conti and Lockbit into service platforms is of concern to experts.
Baccio: My name is Mick Baccio. I am a global security adviser at Splunk. And I work on a team called surge which is primarily a research group focused on security. But at the company a little over two years, and in that time, it was surge launched and we have done a lot of work in the vein of research and response to things like solar winds to log for J Colonial Pipeline Casaya
Vamosi: What drew me to this story wasn’t Splunk;s Surge Research into the past. It was their white paper on the speed with which ransomware can hit an organization.
Baccio: in addition to that, researching like the name says, one of our big projects was a ransomware white paper where we took a bunch of different families and kind of analyze the ransomware speeds, how fast those binaries run, and you know, kind of give you who is the best in breed of the bad guys, which sounds like a weird thing to do. But what we found was in doing this research, the results we had was, you've got about between four minutes and four hours before your entire network is done.
Vamosi: Ransomware is the latest trend in malware. It’s pretty devastating in that it arrives through phishing or some other common attack vector, sits on your network for a period of time, and then encrypts your data such that the system is inoperable until you pay a ransom for the decryption key. It’s a clever way for malware to be monetized.
Baccio: So if you are a net defender, take this research and use that to inform your strategy. I want to say roughly, I think their last report I read was around five days dwell time.
Vamosi: Dwell Time. That’s the amount of time the attacker is in your network.
Baccio: So ransomware binary is the very last thing that happens that the boom, there are things you can detect before that happens and that's we're trying to drive with the research that we did. So ransomware obviously a pervasive problem.
Vamosi: Ransomware is the attack vector, and perhaps because of the profit generated from it.
Baccio: My background being what it is, I like in the techniques used by ransomware operators, very, very similar to a lot of nation state actors that I've tracked previously, where the initial attack vector, the dwell time inside the network, the kind of learning your way around mapping all the data. And when you think of an API at attack, where that data is just exfiltrated.
Vamosi: I should explain that Mick has a pretty cool background. He was the first CISO for a US presidential campaign, working for Pete Buttigieg. He also worked for the Office of the President, in Threat Intelligence, under Obama. And before that he was a threat analyst for HHS. He’s also a volunteer Goon for the DEF CON, which is where we met up for this interview.
Baccio: Ransomware differs slightly in that there's one more step right, I export the data and then I kind of burn the house down. And reports that I've read there are nation state threat actors who are actually adopting this technique where hey, I've got the intelligence that I needed on my way out, I'll just kind of ransom all the things and lock all the files and you kind of had that element of subterfuge and confusion added into it. Where is this a ransomware attack or was this intelligence gathering? Or was it both?
Vamosi: Ransomware is also effective in hiding one’s tracks. Say you wanted to exfiltrate a large number of … credit cards. You could do that, then unleash a ransomware attack to encrypt all the evidence.
Baccio:So I think it's the ransomware landscape to me, it's just fascinating. It's from a technical level. I think ransomware is kind of boring.
-- [MUSIC} --
Vamosi: So ransomware started with like individuals being compromised and their data collected and $300 in Bitcoin and then it became commercialized to industries and so first ransomware
Baccio: I think the very first one was at an HIV conference in 89. Where it was a cat who handed out or mailed out floppy disks, like a floppy disk and you put in your computer and you had to mail like 50 bucks to an address or something like that. And that was 1989. And then 2015, where around that time was when we saw like, Hey, you clicked on a binary and your computer's locked up, right, which is a very, that ransomware is a very singular thing. And now we're seeing the network aspect of it where it's not just the one computer it's all the computers with the same message because I've been around for a while in your network. And it's not just clicking on one thing. It's clicking on a domain controller, or logging into it an MDR or a service provider and infecting them so that all their downstream customers become infected with ransomware . It's amazing, amazing, terrifying. But from a technical level, it's just the way the world is connected to that ecosystem when everything interconnects to each other when one thing goes wrong. It's just a domino effect that kind of begets it and I don't know if there's easy fixes for things like that. If your MSP gets compromised, you're just a user, right? Like, how can you do that? So I know there's a lot of great folks that are working on the solutions and when I have one I will start my own Billion Dollar Startup All right, first to hang out with me. But yeah, that's an incredibly complicated problem. I don't think it's gonna get any easier anytime soon. And I think it actually gets more complicated the more technologies we throw out.
Vamosi: So, ransomware is at once pretty sophisticated sounding, in that it encrypts all your files, and on the other hand is pretty basic in terms of what it does. So I can see why there’s some hesitation among experts.
Baccio: My background being what it is like there was a mutex targeting six people from this state targeting this state. That's amazing. But again, that doesn't do a lot of work and a lot of help for a lot of folks out there. So the ransomware work itself is you know, ransomware it's just a binary that launches, it encrypts files, encrypts the header encrypts the whole file, it's not really a unique tactic. I think what's novel and what's unique in ransomware is that the results of the impact are immediate.
Vamosi: Unlike Advanced Persistent Threats, which, as their name implies, sit on your network for weeks, months, years, going undetected, ransomware has a short dwell time -- five days on average - and then it very publicly announces --hey, I just encrypted all your files; pay me or lose them forever.
Baccio: And you know, if your network is impacted, it comes down to how fast is your response time? What can you do to recover from it? You know, my favorite quote from Mike Tyson was, everybody has a plan to get punched in the face. And I think if your organization falls victim to a ransomware attack that is when you need to have that plan for getting punched in the face. How is your organization going to respond and recover? And ransomware operators are? I don't know what the word to use would be. I want to say vicious is not the word I mean, but it's what I keep coming back to the ransomware.
Vamosi: So where I was going with that was the targets have expanded. It's espionage, its financial.
Baccio: I see. It's been shifting a touch, where, to your point, the targets are very specific targets and are very broad now. And it's not based on a specific thing. It's really just financially based for the most part from what I've seen. The folks that are getting targeted are our folks I think will pay. It's just I do think the unusual hallmark for me has been ransomware operators have successfully conducted operations for years now, without much repercussion. except in the case of a few edge cases where the United States government got involved and was gonna put the smackdown on a lot of people, and I think it crossed a certain threshold or a certain target. I just think it's really hard to what's a valuable target. Like what's that threshold that if I attack this person, I'm gonna get smacked down by some government and come back after me. And I think that line is still being kind of drawn in the sand. I think all of them are all the operators you just Everything that happens has just been targeted to be a response to it, but I don't know, either. And if the whole world goes blind, the internet shuts down. It's just I don't I don't see easy fixes for it. Other than that, I do see the community getting better. Like information sharing groups. I think folks are trying to help each other out. Ransomware playbooks are a big thing from not just a technical response, but I've seen you know, just just C level executives have conversations with each other. Hey, what do you do when that happens? Like what's your plan? And these are obviously you know, chatting discussions just off the record, but it's very interesting to see. Yeah, we're pretty sure we're gonna get ransom this year. What do we do? Do we put it in our budget? Do we, you know, have all new equipment, it's ready to go and it's just it's definitely something that organizations need GamePlan for. And I would not have really said that to your point in 2015 era. It's just yeah, you just reimage the machine, you're fine. And now it's you get ransomed in and we've seen organizations go offline period and just not come back up. businesses shut down. Hundreds of millions of dollars in recovery and operational expenses. I just think it's a big problem. But it goes back to those little things, right? Asset Inventory, impact your stuff, eat your cyber vegetables.
Vamosi: So if Mick isn’t so jazzed by the technical nuances of the ransomware itself. No, it’s the ecosystem that fascinates him.
Baccio: ransomware as a service is what we all kind of started off tracking right where Kanzi lock Bay doesn't matter who it is. There's a ransomware affiliate selling their services to you. And you can hire them to carry out a ransom they'll get a portion of it affiliates, blah, blah, blah, blah, blah. We kind of know how that background works. So the new cool thing depend on your level of omega this is on fire. It's I would call it cybercrime as a service where it's kind of not just ransomware anymore. I think the big problem that you run into is it starts off with the access brokers, where there are organizations out there where they just have access to credentials to organizations and leverage those for the attacks.
Vamosi: So imagine a large corporation. You have the executives in HQ, you have different business units, and those business units have employees, partners, contractors executing the deals. That’s what a criminal malware enterprise looks like today. And with any business, you have to learn how to diversify and grow your business. So offering just ransomware isn’t enough.
Baccio: it's not just a ransomware attack, whether it be you know, data Expo, whether it be DDoS whether it just be site defacement, whether it just be extortion or intelligence collection. There are several different things that ransomware operators are offering now kind of expanding that portfolio. And I think as a net defender, it's really bad news for all of us. Just because the volume of attacks I think will increase and the sophistication and complexity is also increasing. I mentioned earlier the ransomware speeds we that the Chandy was the research that we did, where we had 10 Different families and just let them all run.
Vamosi: Right. So Splunk SURGe team did a report on this recently. They used a scientific method, within a controlled environment, to measure the speed at which 100 samples of ransomware from 10 popular variants encrypted nearly 100,000 files, totaling nearly 53GB, across different Windows operating systems and hardware specifications. One of the tricks the ransomware teams are using doesn’t encrypt the entire file. It encrypts just the header and the first few bits.
Baccio: That depends on the ransomware family and some binaries. will encrypt the entire file an entire file. Some will encrypt just the header of the file like the first eight bytes and then the file is rendered useless. Recovery is slightly easier if you're able to do that but you still can't use it initially. And and I want to say the new versions are encrypting a bit more of the header because it's faster. One of the things we noticed about the malware whether it was packed or unpacked was compressed or not compressed when it's initially sent over. That's a whole other discussion as far as like how they're they're built out.
Vamosi: To escape detection, malware has to pack itself tightly, for example, it will encrypt an encrypted file several times. This is so antimalware programs will have a harder time finding the actual malware. And, yes, this level of sophisticated packaging is another conversation entirely.
Baccio: How the families are built, how the ransomware binary is actually coded and developed. And I think that is getting more complex and more complicated. There is also a growing concern. You know, the ransoms that we've seen out there, the ones we've known about the ones we know that are publicly reported.
Vamosi: Right. There are a lot of ransom attacks that go unreported. Why? Well, the victim may have had a good backup and recovery process in place. Even if you have a good backup, that doesn’t necessarily mean you can back up quickly, not if it’s stored off site and several GBs of data. Maybe we’re only hearing more about ransomware attacks now because the malware itself is getting faster, and hitting more targets.
Baccio: I think if we took those same families now, there are new versions of ransomware binaries being written by authors and the ransomware is getting more complicated it is getting more difficult to detect difficult to respond to. And once that foothold isn't once that ransomware happens, you know your your network is really in a bad place. In addition to those, you know ransomware services you're also have the potential to be targeted for other cybercrime activity and everything from BTC you know, business email compromised to intellectual property theft, insider threat, things like that.
Vamosi: Some of these criminal organizations, they are concerned about their … brand. We heard that from Mikko Hyppoenen in episode 50. Mick, too, has seen this as well.
Baccio: You know, I used to have to, maybe some have PR teams and some don't. I don't. Yeah, I think it's really interesting. I think it goes to the operators behind it. Because there is a criminal or a cyber criminal and you're someone who plays crime. Right. And the folks that are in other affiliates may not have the business acumen or the plans for longevity, that I think you saw immediately in Locke did that and I think you know, the geographical location of some of the potential operators probably played a hand into their longevity as well. If I know the police aren't gonna come look for me. Why would I stop right? So I think that's kind of played no part of it. And there is chatter of, you know, tattletales like, you see criminals ran out other criminals so that there'll be a better criminal because there's less competition. There's a lot of that. So I think it's locked but to me has taken it more as a business approach and not just oh, look, we ransom something. And here's money. It's, I'm making a business out of this. I'm making an ecosystem. I'm growing as a company and it's really weird to say about a ransomware group. But again, it goes back to that ransomware as a service to cybercrime as a service and I think that's where we are now.
Vamosi: Mick continued to talk about the broader threat here. Not just the fast ransomware, but this idea that these criminal organizations are diversifying, offering other schemes in addition to ransomware.
Baccio: Hey, X ransom was demanded from this company is to the point where I mentioned that the Cybercrime as a service, there is a vulnerability market out there, there is a zero day market out there. And I don't think there's any mechanism or safeguards in place to stop a ransomware affiliate from purchasing a zero day and offering that as you know, one of their weird service offerings like here's our business unit where when you look at ransomware ransomware as a service I think that's a that's it's over with I think it's cybercrime as a service I don't think it's just a it's not a business. It's it's an ecosystem. It's a whole economy, where there are competitors, you know, there's coffee, there's lockpick, there's dark matter, you know, the drugs rebrand, shut down change names, but there's competition among them. That is where we initially got the idea for the ransomware research was, there was a ransomware affiliate who, hey, hire me because my rants were binarias the best, you know, there's like a, there was a magic chart of you know, this performance chart. It's what he had on the website, and I thought that was really, really odd. And why would you do that? And is it true? I guess that would that was it for us was is it true? It turns out it was. So I again, I think the ransomware part of it is getting worse and worse. But just I think it's not just the ransomware it moves into other, you know, technical merits that they have.
Vamosi: We mentioned the initial infection could be through phishing. It could. It also be from insiders as well.
Baccio: There was postings I believe recently were ransomware affiliates where hey, if you sell me logins to your company, here are X dollars. I think ransomware affiliates are also launching bug bounty programs, which is amazing when you think about it, just because the bug, the other vulnerability tracking groups that we know currently, hey, we're doing this for good. There's a reason we're doing this to make the security community better so products will get better. And I don't think that cyber criminal operators share that same ethos. So I think that is going to be a growing problem.
Vamosi: Mick goes on to explain that the credential process is a really a bad problem.
Baccio: It all starts with the credential access, right? And once the credentials are compromised, you can use that to log in pivot around get admin access and go from there. You know, and it's the same solution that we say and it's an impossible line, you know, patch all of your systems inventory, your assets multifactor all the things. I remember reading a report that Google had implemented hardware tokens, their entire employee, everybody has a hardware token. Now, it took it to Google. I can imagine the size I can't imagine a lift that most have done as a multi year project. But once that was completed, they I want to say I've not had a successful credential phishing attack in over two years. It's it's an amazing thing that they were able to do and I think that adds that layer of security that is currently not there. If I'm constantly if I'm being asked for a second factor of authentication, as long as that's secure, and I think hardware token is the way to go. Definitely prevent that login.
Vamosi: If there’s one thing the information security industry needs is to stop thinking about the one thing, and start seeing the related things. For example, there are exploit chains, where multiple tactics are used. Same with ransomware attacks.
Baccio: Other hallmarks I think, is just the New Zealand cert has a fantastic diagram that they put out where it was the stages of a ransomware attack. So you take that and it's like, you know, reconnaissance phase like you mentioned. And then it's exactly like the kill chain, Lockheed Martin cyber Kill Chain like that, but for ransomware, where the last objective is just the binary launches. So there's the initial access that you're detecting there is the lateral movement that you're detecting. You know, there are small things you can do that initially wouldn't be an alert on their own.
Vamosi: that’s a problem I hear a lot, that there are too many alerts, and often they are quite granular, specific to this and not that. So we need to look at the problem more holistically.
Baccio: But I think when you look into conjunction, one of the folks at Splunk Hayley Mills has been doing a lot of work with something called RBA, where it's an analytic system where one alerts not bad but in conjunction these three different alerts disparate coming together will paint a bigger picture for me and say, Hey, these three things together are that security alert that I'm looking for, and it's small things like that. But it's the basic it's diligence, it's patching on your system, its inventory all your systems you can't defend what you don't know. And that's the like one of the hallmark solutions. But the problem is it's been a hallmark solution for as long as I've been doing security, and it's that you know, Sisyphean task of just pushing the boulder up the hill to count the assets. That's what we do every day. So I think there are things you can do that but it does start with that diligence and and just, you know, maintaining your network as best you can.
Vamosi: How sophisticated are these criminal families? Well, they’re now crowd sourcing their own vulnerabilities.They’re not just fuzzing their own zero days in black market labs. They’re going public, they’re even hosting black market bug bounty programs.
Baccio: right where you have a company and I don't want to lipstick Splunk right Splunk we have a vulnerability program and if you find something, here's a reward for it, but you report it to Splunk to us. If you're a ransomware operator, if you're that cybercrime affiliate, I will not tell this company that they are vulnerable. I will just leverage that and I think from my understanding of what I've read, so far, the bounties that are being paid out are significantly higher than legitimate ones. So again, you know, it's it's I think it is getting worse because of the economies involved.
Vamosi: So if I want to get into bug bounties, I get all excited about it. Obviously, there are brand names. Yep, yep. That are sponsoring these. There are companies that do bug bounties that are brand names and so forth. So I should use that as an indicator for me that that's a legitimate bug bounty.
Baccio: Yes. But if somebody comes along and says, I'm going to pay you three times, whatever that gonna be reporting reward is chances are and I think that goes into a large part of the security community, right. We all want to say we're all great. We're all here to help but again, there's always that element if it's it's, you know, I had this thought in my head of how you would go about doing that, right. Like I want to ransom someone or I want to take this company down. How do I find that there's like a yellow pages that you go through. But there are forums or according forums where that bug bounty program is advertised and I honestly, I've talked to some folks that are in a vulnerability disclosure arena, and it's just so unique, and they're having troubles with I don't know how to respond to that properly, other than its personal ethics that come into play, right. And hopefully, I think we are getting better as a community, you know, but there's always going to be that one money's money. I really like money. So we'll see. But I do see that becoming more and more of a problem. I just thought that was very bold, right, that is a flagrant Hey, we're doing what you're doing. But we're doing like the opposite side of the coin where the evil side of the coin and just the you know, just just the brazenness to be able to launch that and just the adverts you've seen Hey Stella some access will give you reward for it. Just the ransomware operators of cybercrime operators are just becoming more you know, I guess bold in what they're doing. Because it's working.
Vamosi: So it should be too surprising that they’re paying for new vulnerabilities. They’re paying for access and other things as well. Which tells you how much they stand to make, if they can pay others upfront.
Baccio: Sure starts off with the access brokers, you know, if you are, if you sell access, you sell logins, you'll get paid for that if you find some vulnerability, you'll get paid for that. And again, it goes back to it's not just cybercrime as a service. I think it's just a whole economy that's built on cybercrime now and I do see that getting worse. I think I want to say it's getting worse, but at the same time, it's what we've seen, you know, my entire security career, there's always been issues. There's always been hiccups, right? There's always been problems. I think. As technology advances, technology grows, you know, with Moore's Law every 18 months, things get better. Every 18 months, ransomware operators get better cyber criminals get better, so we're getting better. So as the bad guy is just that continual cat and mouse game.
Vamosi: we touched on criminal organizations, but might there also be nation-states doingt his as well. And might there be both -- where someone who works for a nation state goes home and makes a few more bucks on their own?
Baccio: That is a 100% true from my understanding, okay. And there's no penalty or scrutiny for that. There's no my background being what it is, you know, I had a lot of experience with Chinese counterintelligence with the Ministry of State Security in the People's Liberation Army. And you saw that a lot where during the day you work and at night to moonlighting thing. I don't think it's unique to to the PLA or the MSS. I think there are other operators that do it. I find it fascinating. It's, it muddies the waters for attribution. If I'm an intelligence analyst. I don't know if this was group x. Or if this was Billy after work gives, you know, kind of making a couple extra dollars. It's really hard to to attribute any of that.
Vamosi: So the way we tell if it’s a criminal or a nation state is through their fingerprints. That’s how we define Advanced PErsistent Threats, APTs. There are signatures. MOs if you read mysteries. And so attribution keeps getting harders, particularly if a criminal working for a nation state goes home and performs the same tactics on a different target for different reasons.
Baccio: and you can go all the way back I know it's like why seven, eight years ago, when the Sony counseling pictures compromise, the if you look at the hallmarks of that attack, where it was an attacker got in dwell time for weeks mapped out all the network and then the last action was, you know, the the actions on objective that binary and that was 2014. So those techniques have been around I just think they're being employed more because they are incredibly successful. You wouldn't know if this attack was a nation state or a ransomware. Operator. There are reports of nation states that are using ransomware binaries as the last step after they gather the intelligence and then it goes oh, that will never know what happened. So I think that's a really, really unique TTP. We're going to see more of that
Vamosi: TTP that stands for tactics, techniques, and procedures which is commonly used for attribution.
Baccio: a lot of the infrastructure might be the same, the techniques would be the same. When you write a letter, I know you wrote it because of the words you choose the addiction pattern. When you see an attack, it's roughly the same way you kind of know who's behind it based on the TTPs and those TTPs don't shift up much. So I think that's that's a real unique one where it does muddy the waters for attribution. I think as ransomware evolves from a technical level, the way that it's used by the cybercriminals the actors out there will kind of shift with it to kind of take advantage of it. Peak Performance Right, right.
Vamosi: Another point about ransomware, using it as a last resort, is it to distract because that's often a thing or is it to wipe their traces completely by a bit of
Baccio: Right if, if I catch all the fish, you don't know that I was looking for just these three fish and I wanted to catch them, right. And that same vein, I can just kind of collect all the things and last minute, I guess we're just a ransomware attack and that I think is very common, and it makes once that ransomware hits on the back end me as a net defender, the forensic capabilities to reconstruct the incident to do my internal incident response to forensics on it. become you know, not impossible to do once that binary launch is in which my network is kind of kind of hosed out. Right.
Vamosi: We started off by talking about LockBit. I wanted to know Mick’s interpretation of it.
Baccio: I think it is one of the oldest, one of the steadiest and operates like a business the earliest version of lockpick arrays where it was fine or you know it didn't go back to you do you mean lock bit? The ransomware binary do you mean lock bit the ransomware affiliate or do you mean lock bit ranch? You know, it's part of that ecosystem and I think we're locked. It has been very successful as you know, you started out 2.0 And I think three points was floating around or getting ready to. You're like any organization where you've kept up with the landscape. You've gotten better as you know, the good guys have gotten better. So you've gotten worse, right? You've gotten your bad guy game on even better now. I think the way that blue teams that we talked to at surge every day are updating their techniques and learning new things. Lock bit. It's kudos involved, like it's a really good group like yeah, they're all criminals and scumbags. But you've gotten better, you took it seriously, right. The binaries used are incredibly effective. They're easy to propagate and the way the services are offered its business and I think lock bit more than other ransomware affiliates have understood that.
Vamosi: So you mentioned some government responses. It's been suggested to me that elevating it to like a terrorist level and identifying players and marking them for $10 million rewards for their whereabouts has started to chill the environment a little bit. Would you agree with that, that it's helpful or is that just oh, look over here. The government is doing something now and we put $1 next to it.
Baccio: I saw that the US Department board that came out of the FBI is most wanted list. You know, I've seen operators on there. I I think it's good to kind of expose a lot of the ecosystem. Because to your point, like you mentioned, a lot of folks just don't understand how big ransomware is, and how large it's a, you know, what, $26 billion in a couple last couple years. It's an amazingly large industry. And I don't think people quite grok that end of it. So I think putting folks on the most one of those rewards goes to kind of show the fiduciary amounts involved. If I'm offering a $10 million reward for this cat that runs a, you know, locked bid. How much has he gotten for you? To be able to offer that up? How many minutes of lip service I don't know, like I don't know any of my friends are gonna get it. I'll get a strap on your keyboard and go over and start looking for operators. I just don't think that's gonna happen. But I think it draws awareness to it. And that may not have previously been there so it's nothing but good.