Insikt: Insights to Intelligence

May 15, 2017 • Amanda McKeon

Turning information into actionable intelligence is a critical activity for organizations of all types and sizes. The challenge remains sifting through the enormous amount of data coming at us from all angles and at ever-increasing rates.

In this episode, we give the scoop on Recorded Future’s new team dedicated to helping organizations overcome these challenges.

Insikt Group is a team of veteran threat researchers that back up the intelligence analysts, engineers, and data scientists that create and deliver our products. The word “insikt” is Swedish for insight and highlights the team’s core mission of finding insights that reduce risks.

We speak once again with Levi Gundert, vice president of intelligence and strategy at Recorded Future. We cover some of the research being done by the Insikt Group, including “Fatboy,” a new ransomware-as-a-service product, as well as how Chinese and Russian cyber communities are digging into malware from the April Shadow Brokers release.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, welcome to episode six of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. We’ve spoken about the importance of turning information into actionable intelligence, of how crucial it is to be able to sift through and make sense of the data that comes at us. Recorded Future has a new team that does just that.

The Recorded Future Insikt Group is a team of veteran threat researchers that back up their intel analysts, engineers, and data scientists. The word “insikt” is Swedish for “insight” and highlights their mission, finding insights that reduce risk for their customers. Today, we’re speaking once again with Levi Gundert, vice president of intelligence and strategy at Recorded Future, about some of the research being done by the Insikt Group. Stay with us.

Levi Gundert:

The Insikt Group is our new research arm. So, it’s the cyberthreat research arm of Recorded Future. The team is comprised of individuals formally from intelligence backgrounds, law enforcement backgrounds, foreign-language specialties, technical proficiencies like incident response. We’re just very excited about the team and the research that we’re doing and will produce for our customers in telling some of the stories about threats and how businesses can reduce operational risk.

Dave Bittner:

Alright, well why don’t we jump into some of the research that you all are working on? Why don’t we get started with Fatboy? Interesting name for a new ransomware-as-a-service product.

Levi Gundert:

It is interesting and it’s interesting because these products, these criminal products are run like any western business would be run and they put thought and effort into sales and marketing. And so when you’re selling a new product in the underground economy and you’re selling on forums, you have to differentiate your product, and so this is sort of some clever marketing with the name Fatboy. And what they’ve done is tied it to the economist Big Mac index. So the price of the Big Mac varies by country and obviously it’s cheaper in certain countries and more expensive in others, and so what they’ve done is essentially tied victim ransom payments on this particular ransomware strain to the country of infection. So, the price of decryption, the price of un-ransoming the data is gonna vary based on where you’re geographically located. So it’s kind of interesting because it’s a development in the business model and the model for ransomware continues to mature as criminals think about the most efficient way to monetize victims’ computers.

Dave Bittner:

So, just so we understand here, the Fatboy ransomware automatically, I suppose based on your IP address, makes an educated guess of where you’re located and sets the ransom based on what it predicts your ability to pay would be?

Levi Gundert:

Exactly, exactly. So it’s gonna look at your IP address and match that to a country, and going to present the sliding scale, so to speak, for the ransom payment.

Dave Bittner:

So take me through exactly how ransomware-as-a-service like Fatboy works.

Levi Gundert:

Well, the ransomware-as-a-service as a model, you install it once, there’s one criminal control panel and the owner of that criminal control panel will attempt to partner with other criminals. And those criminals would or should have the ability to infect some number of computers with ransomware through whatever means or methodology they specialize in or have available to them. And so there’s a splitting of revenue from those ransomware infections and the owner of the ransomware family and the malicious code itself is offering it to these other criminals who can help with infections and maximize exposure and infections and so everyone splits the revenue coming out of that. And so the criminal that provides the ransomwares is the one that’s also providing the control panel, everybody can login and look at infection statistics and what the revenue split will be at any given point in time.

Dave Bittner:

It’s interesting looking at the blog post that you have on the Recorded Future website about Fatboy. These are really professional-grade interfaces.

Levi Gundert:

Yeah, absolutely and again when you think about ransomware, it’s like again any western business and the time that they put into not just the sales and marketing of it, but also the development and the user interface. You know, it’s a big part of how they sell that product and if you look at products across the last decade in the underground economy, the ones that have been very successful are the ones that have very clean intuitive interfaces for criminals to use.

Dave Bittner:

So have we seen Fatboy out in the wild?

Levi Gundert:

We haven’t personally observed it in the wild yet, but it’s likely not long before the infections begin.

Dave Bittner:

And is Fatboy a bit of ransomware where if you pay the ransom, you will actually get your files back or not?

Levi Gundert:

It seems to be. There seems to be an incentive generally in the ransomware industry. And it’s not guaranteed of course, but it seems that they want to establish the correct incentives that the behavior they’re looking for, there’s a reward and a path there because it helps the industry at large gain more credibility that this is somehow a legitimate business transaction. So there’s definitely an incentive to do it the right way on the criminal side.

Dave Bittner:

It’s interesting, I mean it seems like there’s sort of a spectrum of professionalism amongst the criminals who are generating these ransomware products. And I suppose at the high end, is it fair to say that it’s the high end where you have these professional interfaces and also sort of the honor among thieves of actually giving you your files back?

Levi Gundert:

Absolutely. And what you see in the crimeware market in general is that typically most of the business in any sort of crimeware-as-a-service model, most of that business ends up with the criminal products that are most professionally developed and managed, and you know that includes customer support. Again all of the features that you would see in a normal software as a service business, those are the ones that tend to attract the most criminal investment and ultimately success, and so there is a lot of ransomware families out there and there’s usually only one or two families that will take the majority of the market share. And you know again, it’s really about the effort that gets put into the product and the support around it.

Dave Bittner:

Sure. I want to move on to another topic you have on the Recorded Future blog. It’s about Chinese and Russian cybercommunities digging into malware from the Shadow Brokers release. Take us through what’s going on with that.

Levi Gundert:

Well it’s really Christmas come early for the criminal community. It’s very rare that you have these sorts of disclosures or releases in terms of the capabilities and the level of tools that were distributed by Shadow Brokers when they decrypted the last files there. And so, when the news started pouring out about remote code execution possibilities as well as local privilege escalation possibilities, for criminals, it is really Christmas come early because they just generally don’t get to interact with this quality of tool sets. So you know for them it’s, how quickly can we monetize these exploits, how quickly can we package these into the revenue streams that we already have currently. So whatever the specialization is, how can we capitalize on these types of exploits? So it’s sort of a feeding frenzy to figure out how quickly they can maximize revenue and how quickly they can find vulnerable instances of computers across the internet where these remote code exploits especially will be effective.

Dave Bittner:

And is it a matter of being a race against time where they’re against the vulnerabilities being patched?

Levi Gundert:

Absolutely. They know that it’s a race against time but they also know that there’s a large segment of hosts out there on the internet that won’t patch anytime soon. So they know that there is an opportunity and at the end of the day, most of these folks are opportunists and so it’s really a matter of locating them. But they would like to maximize, so anything that they can do to beat the clock on patching or workarounds is more money for them.

Dave Bittner:

And who specifically are you seeing taking an interest in the Shadow Brokers releases?

Levi Gundert:

Well we’re seeing general chatter across a lot of different types of forums both Chinese-speaking and Russian-speaking criminal forums. So it’s difficult to know exactly what the specializations are, but you can imagine that anybody who is scanning for new vulnerabilities and exploiting large amounts of machines across the internet are going to use those machines in the ways that are really maximizing profitability so whether that’s launching denial-of-service attacks, launching spam campaigns, launching watering hole or drive-by attacks, staging from web servers, installing ransomware on those machines. There’s so many different ways to monetize and so it’s really a matter of how many machines can they gain unauthorized access to. Spam continues to be profitable, phishing continues to be profitable, there’s so many different avenues for monetization.

Dave Bittner:

So just by way of explanation, give us a description. Who are we talking about when we’re talking about the Shadow Brokers?

Levi Gundert:

Well there’s certainly many theories out there. I can’t speculate on who they are or who they aren’t, there is certainly a lot of information out there and theories about who they are. There’s not a ton of data that I’ve personally seen, it doesn’t mean that there isn’t data, I just I haven’t seen the data. So there’s certainly inferences that they’re related to an Asian state, an Asian state intelligence service. Again, it’s really speculation on my part.

Dave Bittner:

But the tools that they are claiming to have, they are claiming that those tools are coming from the U.S. NSA, correct?

Levi Gundert:

That claim has been made, absolutely. That it’s coming from American intelligence group or contractors that work for that group.

Dave Bittner:

And so for your average enterprise user, what level of alert should they have knowing that these tools are out there?

Levi Gundert:

Well businesses obviously need to be super alert and having a vulnerability management program in place is pretty critical because this isn’t a one-off event. Obviously we see some pretty large watershed moments in the internet over the last couple of years in terms of major vulnerabilities in protocols and applications that we all use on a daily basis. So if you’re an enterprise, if you’re a fairly good-sized business, you have to have a vulnerability management program in place, there’s just no way around it.

Dave Bittner:

So what’s on the horizon for the Insikt Group? Can you give us any sort of sneak preview of what kind of stuff you all are working on?

Levi Gundert:

Well, we are super interested in geopolitical events and evolutions in what’s happening across the globe, and not just cybersecurity, but also what that means in the larger geopolitical realm. And so, we’re focused on data that is coming out of Recorded Future. We’re also working with our partners to tell larger stories about what’s going on at the nation-state level as well hopefully.

Dave Bittner:

Our thanks to Levi Gundert for joining us.

You can find details about Fatboy and the Shadow Brokers as well as more intelligence analysis on the Recorded Future blog, at recordedfuture.com/blog.

And of course we covered some of their research on the Karmen ransomware strain back in episode three of this podcast, so be sure to check that out as well.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes, Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

Related Posts

How Small Businesses Can Fight Cybercrime With Threat Intelligence

How Small Businesses Can Fight Cybercrime With Threat Intelligence

December 4, 2019 • The Recorded Future Team

When most people think about threat intelligence, they think about large organizations Perhaps a...

How to Reduce Third-Party Risk With Security Intelligence

How to Reduce Third-Party Risk With Security Intelligence

December 3, 2019 • The Recorded Future Team

Editor’s Note: Over the next several weeks, we’ll be sharing excerpts from the newly released...

Threat Hunting, Mentoring, and Having a Presence

Threat Hunting, Mentoring, and Having a Presence

December 2, 2019 • Monica Todros

Our guest today is O’Shea Bowens He’s CEO of Null Hat Security and a SOC manager for Toast, a...