Ransomware Negotiations and Original Hacker Culture

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 168 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest today is Sherri Davidoff. She’s the founder and CEO of LMG Security, a cybersecurity and digital forensics firm with clients across the globe. She shares the story of her professional journey, including her time deep in the hacker culture at MIT, where she adopted the hacker nickname Alien.

She also discusses her insights on the evolution of ransomware, and how she and her team help negotiate with the ransomers on behalf of her clients. We’ll learn more about her leadership style, the importance of team building, and what she looks for when hiring.

Sherri Davidoff:

I started in cybersecurity at MIT in around 2000, before it was called cybersecurity, back when it was still computer security or infosec. And I started off monitoring the network for viruses and shutting down ports and chasing infected computers all around campus. And since then, that has evolved into a career. These days, I'm the CEO of LMG Security. We're a 30 person company based in Missoula, Montana, and I get to do penetration testing and forensics and all kinds of stuff.

Dave Bittner:

Did you have any stops along the way? What did you do in between graduating college and starting your own company?

Sherri Davidoff:

I kept doing computer security until I could figure out what I wanted to do with my career. So it was quite a surprise. Yeah. I worked at a hospital, which was a fantastic experience, right when HIPAA first came out. I worked at Los Alamos National Laboratories. I was lucky enough to get an internship there after college. And I also did cybersecurity consulting. I've had my consulting practice since 2009.

Dave Bittner:

Now you are the subject of an interesting book, which you and I have discussed before together over on the CyberWire. It's titled Breaking and Entering: The Extraordinary Story of a Hacker Called "Alien". That alien is you.

Sherri Davidoff:

It is me. I am an alien. Shh, don't tell anybody.

Dave Bittner:

Well, give us the backstory here. Where did the name come from and what sort of things are covered in the book?

Sherri Davidoff:

Yeah, so the name is — it was actually my username at MIT. I wanted something a little more interesting than my first initial, last name, and didn't realize as I typed it in that that was like a lifelong decision. And at MIT, we went hacking, and this was before hacking, at least to me, was online — hacking meant that we were exploring the buildings like climbing up elevator shafts. We would go hacking on Saturday nights. It was really fun. Or you would pull a hack, which means you would sneak up on the dome and put something funny up there or do something smart or wily that surprised people. So we would always say, look up. Often people don't look up and there can be surprises up there.

Dave Bittner:

And so what sort of lessons do you take with you from that sort of hacking? I suspect, I mean, it must really be great for problem solving and things like that.

Sherri Davidoff:

I think it really is. It teaches you, first of all, independence and to take initiative and to solve problems on your own, but that you have to have creative solutions to problems. MIT — it was our playground, it was our living room, it was the place that we wandered all hours of the night, even in our pajamas sometimes. We just sort of took it over. And at the same time, there's huge containers of chemicals in the hallways and giant pieces of equipment that are being given away on reuse. So it's a fascinating place and yeah, hacking teaches you to be creative and independent, and the culture rewards that.

But in my mind, ethics was something that was very strongly emphasized during my period of time at MIT. In fact, we have little hacker ethic cards, and now that I've started my own firm, or now that I've been running my own firm for a decade, we actually have a giant poster with penetration tester ethics that's based off of that. So a lot of what I use in my work today came from the culture at MIT so many years ago.

Dave Bittner:

Well take us through, what is your day to day like these days?

Sherri Davidoff:

That's a big question. I sometimes say to Karen, who's our COO, "I wish for a boring day," but I don't really mean it. Every day is different. So I might wake up and find out that we just got a new ransomware case in. We do a ton of ransom cases. Karen actually does a lot of the ransom negotiation.

Sometimes I do the boring stuff like the contracts, which we try to keep our attorneys on their toes. Try asking your attorney in Missoula, Montana, “Hey, I need a template for a disclaimer because we're going to make a ransom payment on somebody's behalf.” So a lot of the back and service development that supports these brand new innovations in cybersecurity — that's what I do. And it's really fun because you have to keep your finger on the pulse.

Like as threats started getting more and more subtle and stealthy, we realized we needed to do threat hunting. And that was just emerging at the time. And now we have a team of experts in threat hunting. When ransomware first really started getting big in 2016, I remember the first time someone asked if we could make a ransom payment and we thought we could spin up a team that can do that and is capable. And now we've been doing ransom negotiation really since it took off years ago.

So it's important to not be afraid to go to these places because somebody has to push those boundaries. And somebody has to be on the frontier. Cybersecurity really is where the wild west is these days, I think, when it comes to the internet. So yeah, I get to develop our new services and really keep my finger on the pulse.

Dave Bittner:

Can you give us some insights? So what goes into a ransomware negotiation?

Sherri Davidoff:

Ransom negotiation is, well, it's interesting. Ransom negotiations are different than live kidnapping negotiations. Because first of all, the criminals come in and they lock up all your data. And I'll talk in a minute about some of the changes we've been seeing in the past six months, because they have been significant. In a live kidnapping, they have a human being that they need to feed and keep alive and keep contained. And so the ransomer would actually have a vested interest in bringing the situation to a successful conclusion. In the case of your data being locked up, the criminals can literally just decide to walk away and delete whatever data that they have on you, delete the key and they don't really have to worry about what's going to happen to the hostage that they're holding. So there's some differences in the negotiation tactics.

One of the big things, one of the big developments that's come out in the past couple of years is the emergence of a proof of life standard. So before you pay a ransom, you want to verify that the criminals actually can decrypt the data. And so you would send them an image file like a JPEG or something like that, and have them demonstrate that they can decrypt it. And this has become so common that the criminals actually expect it. In fact, there is ransomware software, like the Sodinokibi portal, where you can automatically upload files to be decrypted and they will take care of it for you in their professional interface. So the criminals have really come to expect it and it's become a standard part of the negotiation process.

Dave Bittner:

You mentioned that you've been tracking some changes recently, what sort of things have you seen?

Sherri Davidoff:

Well, in the past six months, criminals have started engaging much more in what we call exposure extortion. And this really took off with the Maze group in December when they took over a company called Southwire, the leading manufacturer of wires and cables in the United States. So they held them hostage for $6 million. And when Southwire said, we have backups, we're not going to pay. They threatened to release their data to the world, to publicize this. The Maze group actually has a blog. We're now seeing the same thing with other ransomware strains. So the Sodinokibi gang has a blog called “The Happy Blog”, and they don't only lock up your data, they will threaten to release it on “The Happy Blog”. This happened with a law firm in New York where a ransomware gang took over the law firm to the stars and released some of Lady Gaga’s information, threatened to release other people's information. So this is a new twist.

Several years ago, we had a spike in exposure extortion cases. For example, the Dark Overlord would take over school districts, dental clinics, or healthcare clinics, and threaten to dump that data out to the world. The difference is we are now seeing this combined with turnkey ransomware strains. So now you have commercial hacking software. You have these very effective and scalable ransomware strains, and they're recognizing that they can make more money if they also steal your data and then lock it up. And that way, even if you have backups, even if you decide not to pay to get your data back, they can then threaten to expose you. And they're well aware of the regulations like GDPR, and they will use those when they threaten you.

But if you are hit with exposure extortion, you should not pay that ransom. And I understand that in a normal ransomware case, some people pay the ransom, some people don't. Whether or not you pay the ransom can be a decision up to your organization, but when it comes to paying a ransom to keep people quiet, to not expose your data, if you do that, you just end up with a skeleton in the closet. So it's not a good idea to pay to keep somebody from releasing your data.

Dave Bittner:

And when it comes to running your own company there, how would you describe your leadership style?

Sherri Davidoff:

I believe in our team, I believe in hiring strong and independent and effective managers, and then giving them freedom to do their own thing. I mean, LMG is a bootstrapped company. We are really here because every member of the team has worked to make this happen. So several years ago we created an employee ownership program, so most people at the organization also have an ownership stake in our company. And I think that's really important — sweat equity — we're all building this together.

Dave Bittner:

I want to get your take on threat intelligence, which is sort of the focus of this show. What part do you think threat intelligence plays in an organization's defenses?

Sherri Davidoff:

Well, threat intelligence is critical of course, because you need to have good information in order to make the right decisions, in order to make smart decisions. The challenge I see in our work, or at least in the organizations we serve is that when organizations have good information, often responding to it can be a challenge. And that's especially the case these days, Dave, because so much has changed in the past six months. We were just talking about that. I mean, everybody's working from home. We have this distributed infrastructure and it can be even harder to coordinate in that environment. So threat intelligence is key.

Recently, the IBM Ponemon Institute report came out and they found that companies that have more cyber-related tools actually have lower threat detection capabilities. So on average, companies have 45 cyber-related tools and organizations that have over 50 tools have a lower threat detection capability. And that really says something. A lot of organizations are investing in threat detection capabilities, threat intelligence services. But once you have that information, we don't always have organized systems for processing it, organizing it, and responding to it.

Dave Bittner:

Well, what sort of advice do you give to organizations who are starting that journey with threat intelligence, or they know they want to do it, but they're not really sure how to get started?

Sherri Davidoff:

Keep it simple. Think about the whole flow of your process and keep it as centralized as you can. Whenever we do, for example, a ransomware investigation or we're responding to a case, and not just ransomware, any kind of incident, we always end up having to do an investigation before the investigation. And that first investigation is all about, well, what information sources do you have? And it turns out that they're all over the place. And there are systems running in the corner that are generating information that some guy who left set up. So keep it simple, keep it well documented.

It's the boring stuff that will actually help you to improve your cybersecurity processes the most. So making sure that you know what you have, that you've documented it, that you have people trained in it. It's better to do less and to have less information, but to process and respond to it very effectively, than to have lots and lots of different tools and bells and whistles and gadgets and end up with a fragmented infrastructure.

Dave Bittner:

Yeah. That's a really interesting insight. I'm curious. When you are out looking for folks to hire, what are the things that catch your eye? What's important to you?

Sherri Davidoff:

Experience is the number one thing that's most important. And even if you don't have work experience, taking the time on your own to practice and play around with Kali Linux to do and Nmap scans, to do Nessus scans. This is when we're hiring someone for a technical position. So take that time, get really comfortable with the command line, because there are things that you can do in cybersecurity from the command line that are just going to be way more efficient than if you don't have those command lines skills. And then we also do compliance at LMG. So if you have a background in compliance and advisory and auditing, that's a whole separate track of cybersecurity that we absolutely look for.

Dave Bittner:

Where do you fall when it comes to certifications and people having degrees and so on and so forth? How important is that when you're evaluating someone who might be joining your team?

Sherri Davidoff:

Mark Twain always said, "Never let your schooling interfere with your education." And while certifications and degrees are fantastic, there are many very talented people in our industry that do not have them — especially those that started like myself before there were degree programs or before there were certifications. So it's always nice to see certifications. I like those in particular because typically when people have certifications, they also have professional experience. So you might get someone who's an experienced IT practitioner that has taken the time to get one or two certifications on top of that. That's fantastic. That shows that you go above and beyond and the degree programs are great. These days they're new enough that we typically see degree programs with folks that don't have as much experience in the industry, and the quality of the program, at least to me, matters a lot.

Like who are the instructors in that program? How practical is it? How hands on was it? Because there are cyber programs that don't necessarily give you the practical hands on experience that you need. They're definitely maturing and there's value in them, but it's a balance. So I think all education is valuable, but nothing is more valuable than the school of life.

Dave Bittner:

I guess it couldn't hurt if they came through MIT though, right?

Sherri Davidoff:

It doesn't hurt.

Dave Bittner:

What advice do you have for folks who are coming up through school right now, or may be considering a career change and want to get into cybersecurity? Do you have any tips for that person who's just starting their career?

Sherri Davidoff:

I do. I think there's a misconception that cybersecurity is one field and it's actually a collection of several different fields. So the first thing to think about is whether or not you want to be on the red team. Do you want to break into things or do you want to defend things? Because those are two totally different things and two totally different career paths. Do you want to do technical penetration testing, again, where you're breaking into things? Do you want to do incident response where you're jumping in and cleaning out ransomware, doing forensic investigations, analyzing malware? Do you want to do compliance? In which case, having a certification in some area of specialty would be helpful. You can do HIPAA compliance, you can do GDPR, those different specialties. So think about what area of cybersecurity you want to focus on, because then you can really start to get training in that specialty, and that gives you a leg up when you're entering the workforce.

Dave Bittner:

Do you have any insights on where you think the business is heading as you look out over the next year or more — are there changes that you see on the horizon?

Sherri Davidoff:

Absolutely. We've already seen such a giant shift in the adoption of the cloud that criminals are following very quickly and there was already an increase in the works anyway, but these days, the perimeter isn't just disappearing. The perimeter has shattered. And McAfee has said that cloud attacks are up over 630 percent just in the first four months of 2020. That is not surprising given the number of people that have rushed to the cloud over this first couple of quarters. Do you ever use Shodan, Dave?

Dave Bittner:

Yes.

Sherri Davidoff:

So I love just poking around shodan.io. And I noticed between March and June, there has been a dramatic increase in the number of exposed remote desktop protocol interfaces. So the number of exposed interfaces there. It's gone from 726,000 up to over a million as companies rushed to these virtual platforms, started turning on virtual desktops and not realizing that RDP was open to the world by default. Or in some cases they probably do realize, but we all have to get work done. So the criminals are taking advantage of this.

We're going to see more and more attacks on these cloud environments. I think we're going to see ransomware really starting to adapt to the cloud environment as well. And unfortunately the visibility that defenders have in the cloud is a lot less. A lot of people have a centralized logging infrastructure internal to their network, but then that doesn't include cloud logs. So make sure that you're including your cloud logs when you're centralizing all of your monitoring systems.

Dave Bittner:

Our thanks to Sherri Davidoff from LMG Security for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.