Redefining CyberSecurity

RSA Conference 2024 Keynote: The Cybercrime Unicorns: Exploring the First and Next Decades of Corporate Ransomware | An RSA Conference 2024 Conversation With Mikko Hypponen | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Explore the captivating world of cybersecurity with insights from Mikko Hypponen as he shares his expertise and journey from the early days of malware to the evolving landscape of corporate ransomware. Join hosts Sean and Marco on a new On Location episode with a promise of surprises and thought-provoking revelations at the RSA Conference.

Episode Notes

Guest: Mikko Hypponen, Chief Research Officer (CRO) at WithSecure [@WithSecure]

On LinkedIn | https://www.linkedin.com/in/hypponen/

On Twitter | https://twitter.com/mikko

At RSAC | https://www.rsaconference.com/experts/Mikko%20Hypponen

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this new episode of On Location with Sean and Marco Podcast, the dynamic duo engage in an insightful conversation with Mikko Hypponen. Mikko shares his vast experience in the cybersecurity field, tracing back to the early days of malware on floppy disks in 1991. He emphasizes the importance of long-term dedication and expertise in becoming a global cybersecurity expert.

The discussion explores the evolution of cybersecurity over the past three decades, highlighting the shift towards increased security on mobile devices compared to traditional computers. Mikko elaborates on the rise of corporate ransomware and the organized crime tactics employed by ransomware gangs. He underscores the significance of branding and reputation management within cybercrime circles.

Sean and Marco inquire about the targets and methods employed by ransomware gangs, shedding light on the random and widespread nature of cyber attacks. Mikko shares insights on the vulnerability of organizations to exploits and the intricate dynamics of the ransomware ecosystem.

The episode concludes with anticipation for Mikko's keynote address at the RSA Conference, where he promises surprises and intriguing revelations. Listeners are left with a sense of excitement and anticipation for the informative and engaging session at the conference. Overall, the episode offers a deep dive into the world of cybersecurity, featuring thought-provoking discussions and expert insights from Mikko Hypponen, setting the stage for a compelling and enriching podcast experience.

____________________________

Resources

The First Decade of Corporate Ransomware: https://www.rsaconference.com/usa/agenda/session/The-First-Decade-of-Corporate-Ransomware

Learn more about RSA Conference USA 2024: https://itspm.ag/rsa-cordbw

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Marco.  
 

Marco Ciappelli: Sean.  
 

Sean Martin: Are we, uh, are we all getting caffeinated for our trip to RSA?  
 

Marco Ciappelli: We are. You know, when you drive, you don't want to fall asleep. I know. Shots on the road, they need to have energy. So. And technology,  
 

Sean Martin: God bless technology, it reminds us in our car that we need to pause and, and have, some of them even say take a coffee break. 
 

Marco Ciappelli: Yeah, they, they, there are cars that do that. I don't necessarily listen to them, but, uh, you know, I do listen to my wearable and it says time to stretch your legs.
 

Sean Martin: There you go.  
 

Marco Ciappelli: There we go. Let's do it.  
 

Sean Martin: And, and if you don't, we're going to block other services, right?  
 

Marco Ciappelli: Yeah. I got it right somewhere from, from that. 
 

Sean Martin: There you go. There you go. Well, this year, I'm in fact, I thought I was going to fly. I am in fact, driving to San Francisco. You're flying and our guest, I presume is not swimming. He's also flying. Mikko, how are you?
 

Mikko Hypponen: Great to see you, Sean. Great to see you, Marco. How are you guys doing?  
 

Sean Martin: Doing great. [00:01:00] Always good to see you, my friend. 
 

And, uh, congratulations on, uh, the keynote at RSA Conference 2024. Thank you. Um, yeah, I think, uh, everybody's going to have a good time listening to you as they always do. And, and the topic is great. And, and, uh, I think, as you were saying before we started recording, it sounds like you have some surprises, which we'll tease here.
 

We won't, we won't give away any surprises, but, uh, it's going to be a fun, fun, uh, engagement there. So I'm excited.  
 

Mikko Hypponen: Over the years, I've spoken at RSA, I believe nine times, but this is, this is going to be the first keynote. And, uh, I'm really happy about that. It's been a long term goal for me to do, to do a keynote at RSA and, uh, now, now it's the time to do it. 
 

Sean Martin: Oh, well, well deserved, well deserved. And, uh, yeah, nine. That's, that's a good number as well. So, well, I presume pretty much everybody on my show knows who you are, but those who watch from Marco's show may [00:02:00] wonder who Mikko is and, uh, and, uh, the, the larger, the, the new, the new crew that's joining forces, uh, may not be familiar with all the other eight times you've spoken or nine times you've spoken at RSA.

So a bit of background, Mikko, some of the things you've been up to and what you're up to now.
 

Mikko Hypponen: Yeah, well, I've been around forever and one of our younger employees at WithSecure, which is where I work, asked me recently that, hey, Mikko, how do you become a global cyber security expert, or how do you become an expert in anything?

And the answer I gave to him was that you simply pick a field and then you work in the field forever. And eventually, everybody's going to assume that you must be an expert. And that's basically what I've done. I started with, uh, reverse engineering malware spreading on floppy disks in 1991. And if you think about the changes we've seen over the last 33 years, the world has changed many times over, especially [00:03:00] the world of cybersecurity.

And I've monitored all those changes throughout my career. I've done malware reverse engineering. I've done hunting of online hackers. I've done profiling of online crime groups. I've tracked governmental attacks. And, uh, and I've done all of that from from Helsinki, which is which is where I live. And as mentioned today, I work for WithSecure as the chief research officer.
 

Sean Martin: I love it. And holding up that floppy. I don't have one to show as well. But it brings me back to my days at Symantec. I worked Symantec. I worked in the virus lab and we'd have stacks and stacks of those boot viruses and all kinds of things. And when we knew we didn't want that virus to be around anymore, we had to actually punch a hole in the floppy to make it not usable any longer.
 

Mikko Hypponen: You're confusing the younger listeners. They have no idea what you're speaking about.  
 

Marco Ciappelli: Oh yeah. That's, uh, somebody's [00:04:00] floppy what?  
 

Sean Martin: That's right. Control what? Exactly.  
 

Mikko Hypponen: Just the idea that you have to carry data around is so foreign. But I know the world changes and it changes for the better. I think we're, um, from cybersecurity point of view, we're in a much better place than we were back then or where we were, let's say, 10 years ago. Cybersecurity, it might not seem like it, but we are making progress.
 

Sean Martin: Any, any highlights you want to share on that?  
 

Mikko Hypponen: Well, think about, think about the fact that most of the computing we do today, we do with, with our mobile phones, the most common computer worldwide is a mobile phone. 
 

The operating systems we run in our mobile phones are much, much more secure from cybersecurity point of view than, you know, the Windows on your laptop or, or a macOS on your MacBook. And a great example of that, um, it is linked to the topic that I'll be speaking about at RSA because my, the title of my keynote is the first decade of corporate ransomware.

We [00:05:00] don't have a ransomware problem on our phones. We don't have a ransomware problem on our, on our tablets. It is a computer problem. And, and, and that's one of the best examples on how security has been getting better. Ever since iPhone was released 14 years ago, more and more computing has been moving to more, um, limited devices, devices which are not programmable by the end user. And that is a trade off. We get great security benefits, but of course, it's also a much more restrictive system. But this particular trade off is good for security.
 

Marco Ciappelli: I'm gonna get on that because there is probably the majority of the population that prefer it like this, right?

Like I just want to have something to use and I always end up having the example of the car. I don't need to know how the car works as long as it does, right? Absolutely It doesn't limit the way that we can improve [00:06:00] on it and leave it more in the end of the corporation, the big tech company that decide what we're going to use and limit maybe the startup to jump on innovation.
 

Mikko Hypponen: This trade off only really affects the people who are programmers. I mean, the big restriction you have on these more limited devices is that you cannot write programs for them or you have to be a registered developer. You have to send your applications to be approved if you want to have them run on other people's devices.
 

And, and, uh, that restriction is completely foreign for the vast majority of the, of users of these systems, but it is a trade off. These are, they are not real computers at all. I mean, computers are devices that you can program. You cannot program your iPhone, not directly, not in the sense we think about when we, when we think about programming a computer. 
 

So, so I think it's a trade off worth taking. Um, we do [00:07:00] need real computers for, for computing tasks, for writing programs, but, uh, for everyday use. Using iPhones, iPads, things like Chromebooks are great trade offs for security. Again, you don't have ransomware problem on any of these devices.  
 

Sean Martin: And maybe describe a bit of that, uh, for our listeners. 
 

Um, I think we all up and down the stack. We, I have security leaders who probably understand this better than me and practitioners as well. But then also, uh, broader ITSPmagazine may not understand that, how ransomware works and why that's the case on those devices. So maybe a brief overview, that would be great.
 

Mikko Hypponen: Yeah, sure. Well, the basic idea is that there has to be a way of users or the devices to be able to install software on them. Some ransomware on computer systems is let in by the end users. End users [00:08:00] download and click, execute programs, or they get owned by exploits, which are fairly easy to do on computers because they are designed to be programmable.

On your iPad, you cannot click on a file and execute it. If someone sends you a malicious link, it might phish you, but it will not run code on your system. It will not install an app. And of course, exploits are possible. They do happen. We have seen them on these devices, but they are so much harder to do that the going price for exploiting a single user through their iPhone is 100,000.
 

That's, um, that's the kind of price that governmental attackers might pay to gain access to a political figure's phone, but they will not pay that kind of money to target an individual user. So, it's just better protected system because it doesn't carry the same legacy as our computers do, which are based on operating systems designed decades ago.[00:09:00]  
 

Sean Martin: So, what about the, sorry Marco, what, you mentioned programmable, developers working within the, we'll say the iOS ecosystem, they're bound to certain rules and controls and, and then auditing and, and reviews before the app gets published, things like that. So there's the device, there's the operating environment for the application, but then there's the app itself.

And presumably it's connecting to some other service in the cloud, right? That's it, or maybe some data center even. Um, talk about the exposure there with respect to ransomware. Because you mentioned it can't compromise the device, but it could still phish you and you're not completely risk free, right? So maybe a little bit about that.
 

Mikko Hypponen: Yeah, I'm specifically speaking about the end, endpoint security about the device itself, the systems it connects to, the servers that run the backends. Those can definitely be, be hacked. [00:10:00] They can definitely be attacked by ransomware. That's, that's a different question. But, um, when we think about endpoint security as a particular problem, this is the big differentiator. 
 

Um, I've sometimes used PlayStations and Xboxes as, as a metaphor, um, Xbox is the most secure Windows computer you could buy. Xboxes are made by Microsoft. They run Windows. Funnily enough, you never hear about malware on Xboxes. And it's all, it's a great example on how the old wisdom about how, um, if hackers gain physical access to your device, it's a game over, is no longer true. 
 

Xbox has been, I mean, the latest Xbox has been out for a decade. There's still no jailbreak available for it. There's no pirated games. Everybody has a copy of this Windows computer. Nobody has broken the security of the device, even [00:11:00] though they could, they can open it up and pick up a soldering iron and try to figure out a way to execute code.

And it, nobody's done it. And that's a massive security achievement. And that's basically the same security model you have on your iPhone or your Android devices or your iPads.
 

Marco Ciappelli: Well, so we're just going to walk around with an Xbox, I guess. Yes. And you're putting your pocket. Okay,

Mikko Hypponen: this is this is uh, I'm giving you a permission to buy an Xbox
 

Sean Martin: Perfect  
 

Marco Ciappelli: There you go. 
 

So then I'm not going to record or work anymore because I'm just going to play video.

Sean Martin: Yeah. Thanks, Mikko.
 

Marco Ciappelli: Thanks so much. So going to back to the to the keynote. I mean you're going to look at the the The 10 decades of, uh, corporate malware and then you look into the future of the next 10 decades, which is where I really get curious. 
 

So yeah, any hints on that? What's gonna happen?  
 

Mikko Hypponen: So we found CryptoLocker and CryptoWall [00:12:00] ransomware families in 2013. That's 11 years ago. So, so why, why am I speaking about the first decade of corporate ransomware? Well, CryptoLocker was the very first Bitcoin enabled ransomware. We had seen malware before that, but none of them used Bitcoin to collect the ransom payments.

And of course, that's the, that's the thing which really made the problem explode. The fact that they could actually move money around in blockchain made it much harder to catch the criminals. But the first year, from 2013 to 2014, all the early ransomware attacks were targeting home users. It's hard to even remember this anymore, but first, CryptoLocker and CryptoWall and a couple of other early clones of those.

They were trying to gain access to home computers and they would encrypt your photos. Basically, they would go after your photos, maybe your documents, and then they would ask you to pay 200 bucks. That's what all the early versions were doing. [00:13:00] It was not a corporate problem early on at all. That started changing then in 2014, when, when they slowly, but surely started to realize when the attackers realized that there's much more money to be made by targeting corporate entities, enterprises, public sector. It's much harder to hack your way into a corporate network than into a random home computer. Home computer is a very easy target, but you can ask for much larger payments from corporate systems. And when you look at the problem today in 2024, nobody's targeting home users with ransomware. It's, it's only a corporate problem and a public sector problem.
 

So it really has changed. And, and, and we've been living in that world for, for one, two years. One decade now.  
 

Sean Martin: And so, I mean, I could probably pull a few out of my head, but any examples of corporate, uh, [00:14:00] yeah, uh, well, notable corporate ransomware activities that, uh,  
 

Mikko Hypponen: Okay, let's, let's think about this. What, what could they be? 
 

Well, I actually, I have a term for these. I call them the cybercrime unicorns and that's, of course, a reference to unicorn companies. And what I'm speaking about here is that the largest ransomware gangs, if you look at their revenue, if you look at their profit, if you look at their wealth, if they would be companies, they would definitely be categorized as, as unicorn startups.

Um, and when I speak about groups like these, I'm, I'm referring to LockBit, ALPHV, Clop, Akira, Royal, Black Basta, Ragnar, Play. On and on. There's dozens of these groups. And one thing I'll point out in my keynote is, is how corporate or how organized these gangs have become. We'll look at a couple of examples on, on just, uh, how they are starting to build bureaucracy in their operations, because they've been [00:15:00] operating for years and years.

They have physical offices, they have an HR department, they have lawyers, they have business analysts. Uh, it's starting to be like a boring job at the office in, in, in some sense. And maybe my, my, um, favorite example on how these groups have become much more, how they've become organized crime, like online organized crime gangs is, is how much they do branding.

The fact that I, I just list the names, basically brands of organized crime gangs is already an example of that. And all these gangs like ALPHV and Clop and Conti and LockBit, they have logos. They have names, logos, websites, and it's, it might seem a bit weird, like why would a crime gang come up with a brand?
 

But then when you think about real world organized crime gangs, they have brands as well. One of the strongest brands in the world is Hells [00:16:00] Angels. That's a great brand. Everybody knows Hells Angels. We, we recognize their, their emblem and it's a scary brand. It's a powerful brand, but it's also a scary brand.

You know that they are a group that you don't want to mess with and that's the reputation these ransomware gangs are trying to build. They're trying to build a reputation that, uh, if you work for an IT department and you come to the office Monday morning only to realize that, oh my God, we've been hit with ransomware.

And then, oh my God, it's Clop. Oh my God, it's Akira because we know these brands. We know these groups by name. We know them by reputation. And we know that this is serious. Like these guys have been in business for years. They know what they're doing. They use strong encryption. We will not be able to decrypt the things they've encrypted.

But we also know by reputation [00:17:00] that these criminals are honest criminals. Like if, if you play with their rules, if you pay the ransom, they will give you tools to decrypt the files. They will not leak your files on their leak site. They will not hack you again. They promise. And they pretty much keep their promise.
 

Doing anything else would be bad for their business.  
 

Marco Ciappelli: It sounds so much like the Godfather.  
 

Mikko Hypponen: It says the Italian. 
 

Marco Ciappelli: It says the Italian,  
 

Mikko Hypponen: right?  
 

Marco Ciappelli: No, but I mean, I was like smiling and nodding with my head when you were saying these things because It all makes sense. I'm like, where is he going with this branding thing and how this reputation, which has always been in, in the, in the building of any, you know, even evil brand that's still still that's  
 

Mikko Hypponen: part of building any enterprise, including criminal enterprises. 
 

And it's, it's also interesting how one of the biggest problems, these largest [00:18:00] ransomware gangs ever had, and how the biggest challenge, maybe ransomware ecosystem ever had, were in 2017, when we saw WannaCry and we saw NotPetya, because these two cases are probably the largest ransomware cases in history, and they were both cases where paying the ransom didn't work.

So, so they really destroyed this reputation that these gangs were trying to build. They had a pretty good reputation already by the time WannaCry hit. Um, people sort of knew that paying the ransom works and then WannaCry came and paying the ransom didn't work. Three months later, NotPetya, same thing, paying the ransom didn't work.
 

With WannaCry, it was supposed to work, but it didn't because it was buggy. With NotPetya, it wasn't even supposed to work from the beginning. Being or looking like a ransomware was just a [00:19:00] cover story because NotPetya wasn't ransomware at all. It was actually a cyber weapon developed by Russian government used to attack Ukraine. 
 

It just looked like ransomware. It actually really was a wiper. And even if you paid, you didn't get your files back. It didn't encrypt the files. It actually overwrote the files.  
 

Sean Martin: And I have, 'cause I've heard, so obviously there's holding the, the files for ransom, they encrypt them. We can de, they can decrypt them if they want. 
 

Uh, there, they're, they're leaking them as well. And they're not leaking them. If you pay. Uh, so a bit of extortion there, how much of it is, or are there any other changes and we, with respect to that, what they're, what's going on? What their aims are and in terms of targets, are they looking at systems within the organization? 
 

Are they targeting individuals? Like I can think targeting executives can be a nice double whammy, right? I have this picture of you on [00:20:00] the beach that you don't want to get out and. And, uh, I also have access to your, your corporate account, which is right. So what, what, what do things look like from that perspective? 
 

Mikko Hypponen: The most common targeting mechanism isn't actually targeting specific targets at all. It starts from having an exploit. So you have an exploit, you have a way in, um, which might be something you've developed yourself in your organized crime gang or something you buy from an IAB, initial, uh, initial access broker. Um, someone else has figured out a way to get in and they just sell you the access.

Um, in both cases, the end result is that the victims are organizations of all kinds, all sizes, from all over the internet. It's as if someone would have shot at the internet with a shotgun, hitting random targets. And you can easily see this simply by browsing the leak sites. [00:21:00] Go to Tor hidden service and go to one of the leak sites of the largest ransomware gangs and look at the victims.

This, this particular cyber problem, if you compare ransomware into denial of service attacks or data theft or, or banking trojans, this is completely different problem from visibility point of view. You can look at the victims yourself. Just go to our website and you'll see exactly how big of a problem it is.

You can keep scrolling these leak sites for, you know, forever. There's more and more and more victims right next to each other. You have completely different organizations, a public sector, let's say a hospital from Canada. Then you have a furniture making company from Denmark, then you have a steel mill from Brazil, completely different areas, completely different businesses, some of them are public sector, some of them are private, some of them are publicly listed large enterprises, some of them are small companies all over the world.

And that's a great example on how [00:22:00] it really is as if someone would have shot at the Internet with a shotgun. They have a vulnerability. They have a hole in a VPN server, in an RDP server, in a file management tool. And they just scan the whole Internet, find the victims and try to, try to break in. And that's why it looks so random.
 

That's the most typical story.  
 

Marco Ciappelli: It's a randomware. 
 

Mikko Hypponen: I'll steal that, Marco, go for it, I'll get the domain right away.  
 

Marco Ciappelli: You gave me permission for the Xbox, I gave you permission to use that. Well, I am really excited about this keynote, it's fascinating all these things you're telling us and I will definitely make my way to to see it. And I hope a lot of people will do.
 

Uh, Sean, when is that? You want to give the?  
 

Sean Martin: Well, it's uh, Wednesday, May 8th. First thing in the morning. I think maybe after after coffee, 8 30 in the morning, there's 30 [00:23:00]  
 

Mikko Hypponen: south south stage keynote. That's where I'll be.  
 

Sean Martin: Yes. Yes. South stage keynotes. And, uh, yes, I can see what else is in there. Yeah. So I will be there for sure. 
 

Uh, I hear Here you say there's gonna be some secrets, so I'm, I'm excited to hear what you, uh, what you uncover.  
 

Mikko Hypponen: I will make a promise that you will be surprised during the talk. All right.  
 

Marco Ciappelli: There you go. Just one more reason to be there. And the other reason also is to see you in person. I know. And say hi. 
 

Sean Martin: Yeah, it's been, been far too long for that. So, uh, looking forward to that, Mikko. And, uh, again, congratulations. Uh, it's gonna be a great talk, I know. And, uh, certainly everybody attending the conference will get something from it. There's no question about that. So, um, thanks Mikko. Enjoy, uh, enjoy that session and, uh, safe travels to San Francisco.
 

We'll see when you arrive and everybody watching and listening. Thanks for following us on our chats on the road, [00:24:00] RSA conference, uh, lots of stuff, and there's another one. I think we have one more. That's the alert to say we have another episode recording in a minute. Um, yeah. Yeah. Lots, lots to cover. Lots to talk about. 
 

And, uh, appreciate you Mikko joining us and appreciate everybody for following us. Thanks. Uh,
 

Mikko Hypponen: thank you, Sean. Thank you, Marco. I'll see you in Moscone.  
 

Marco Ciappelli: See you in Moscone.  
 

Sean Martin: Perfect.