Unspoken Security

What if Paying Ransom was Illegal?

AJ Nash and Brian Stack Season 1 Episode 6

In this episode of Unspoken Security AJ Nash is joined by Brian Stack, the Vice President of Engineering and Dark Web Intelligence for Experian, a globally recognized leader in data analytics and consumer credit reporting.

Brian and AJ take on the topic of ransomware, including talking about some criminal groups associated with this activity and the evolution from simple ransomware attacks up to complex double-, triple-, and quadruple-extortion tactics being used by some of the most industrious criminal groups that are always looking for new ways to pressure companies into paying these ever-growing ransoms.

After examining the financial impact of these ransomware attacks, the conversation turns to recent changes to the laws in a handful of states - making it illegal to pay ransom - and what those changes could mean
- What will the impact of these laws likely be?
- Will criminals change their behavior?
 -- If so, will this create haves and have-nots among corporations that eventually require the U.S. to consider a national law?

To prevent becoming a victim of a ransomware attack - or at least limit the harm of a ransomware attack should it happen - AJ and Brian provide recommendations for proactive defense, playbooks, and exercises that build organizational strength BEFORE things go wrong. 

As always, the show wraps up with Brian revealing something that had, to date, gone "unspoken." If you want to know the truth about some of the ugliest things you've ever heard about on the Dark Web...Brian's answer is one you'll absolutely want to hear.

Send us a text

Support the show

Unspoken Security Ep 6: What if Paying Ransom was Illegal?

brian_stack: [00:00:00] the third reason I'm kind of pro, um, banning payments is I think it'll just change, It'll force cultural changes for both private and public organizations to adopt more of a security first mentality. So I think tactically in terms of backups, culture will get improved.

And I, I, I do believe it will again. If, if the, if the threat actors primary focus is financial. So forget about kind of the nation states and the anarchist groups, you're different ones. If you're an organized crime organization, you're going to just, you're, you want to have the most efficient business possible. You're going to take your ransom somewhere else.

[00:01:00] 

aj_nash: Hello, and welcome to another episode of Unspoken Security, brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, A. J. Nash. For those who don't know me personally or are first time listeners, I'm a traditional intelligence guy who spent nearly 20 years in the intelligence community, both within the U S air force, and then as a defense contractor, most of that time was spent at NSA.

I've been in the private sector for about eight years now, primarily building or helping other people build effective intelligence driven security practices. I'm passionate about intelligence, security, public speaking, mentoring, and teaching. I'm also deeply committed to servant leadership, which is why I completed my master's degree in organizational leadership at Gonzaga University.

Go Zags. The goal of this podcast is to bring all of these elements together with some incredible guests and have authentic unfiltered conversations, even debates about a wide range of challenging topics. Most of us are facing [00:02:00] every day. This will not be the typical polish podcast. You might hear or see my dog.

She's literally over here sleeping right now. Uh, people may swear here. We may argue or debate and that's all okay. Uh, think of this as a podcast. It's a conversation. You know, it's like one you might overhear at a bar after a long day at one of the larger cybersecurity conferences. These are those conversations we usually have when nobody's listening.

Today, our guest is Brian Stack and he's the vice president of engineering and dark web intelligence at Experian. Uh, before his current role, Brian has been a leader for over 20 years in engineering and product development. So he's getting kind of old like me. Uh, he has a bachelor's in computers, uh, computer and systems engineering from RPI Rensselaer Polytech Institution and a master's in computer engineering from UC Irvine.

Uh, so Brian, anything, uh, I left out of your profile background, anything you want to add?

brian_stack: Yeah, I would say so, um, just like you, I did actually start my career, uh, working for Lockheed Martin, doing a lot of military work and had the whole top secret clearance and kind of that a whole dog and pony [00:03:00] show, uh, before I had my own business for several years, then got, got, got into the private sector and obviously working for experience.

So definitely seen, seen it all, so to speak across different markets.

Different 

aj_nash: Good point. I'm glad you mentioned the clearance piece. I actually, I should have probably put that in the original one, but it's better for you to mention it than for me to write. So, so both of us. Yeah, I have that background. We've done some, some work on the cleared side and seen it from both sides.

Right? And, and you've been doing really cool stuff at Experian. I know you and I presented together earlier this year on some cool dark web stuff. So I mean, I could talk to you about 1000 things. It'd be a lot of fun for sure. Sure. Um, you know, to do that, I'd love to get in deeper on some of those things today, though, today, we're gonna focus on just one thing.

We're gonna talk about ransomware. So the title of today's episode is pay the ransom. Go to jail. All right. Yeah, maybe it's a little bit dramatic. I like dramatic titles, but it does lead us into the discussion I want to have today, which is, you know, about the challenges we're all facing with ransomware.

And the debate over when, if ever, it's okay to pay the ransom. But before we tackle that, for those who might not be entirely familiar with all the ransomware [00:04:00] issues, like the first question we should go into is what is ransomware? How big of a problem is it? Okay. It's multiple questions. And what are you seeing on the experience side, you know, regarding this challenge?

I know you guys do a lot in this area. So let's start there. Talk to me a little bit about what do you see in ransomware, describe it to folks that are listening and, you know, some of the challenges there.

brian_stack: markets. Yeah. So, yeah, so gr great initial question, aj. So not all ransomware is the same and there's actually, you know, generally right now there's about four types and it's really about how the ransomware goes down, uh, how the extortion goes down. So there's kind of single extortion ransomware, uh, which is what most people think of a ransomware.

You know, a threat actor comes in, they lock your system and they say, you know, give me, you know, gimme $10 million. There's a, the double extortion technique was created a few years ago. Where they, they lock your system, they exfiltrate data out and often will publish some of that on the dark web.

aj_nash: Mm hmm.

brian_stack: Triple extortion, they like to turn the heat up a little.

So again, here's the evolution of [00:05:00] it, right? So triple is, yup, they lock your systems, they exfiltrate data, but they'll also layer on maybe some type of DDoS attack on maybe your public network, on your internal networks, whatever they can get, you know, whatever they can hit. To again, disrupt your system, disrupt.

Maybe if, again, if you're a private company, disrupt your profit flow. If you're a public company, disrupt a school, a hospital, again, turn up the pressure, the one that came out recently. And I think it was the C Lock ransomware gang, uh, quadruple extortion. So they did all the previous three. Plus they took that data, they exfiltrated and they started to publish it more to the surface web, uh, on, on social media.

Uh, so to be like, Hey, let's say. You know, company, I don't want to name any companies, but it's company X. You're, you're a customer of, they would hit that Facebook page or, or a Twitter feed for that company and be like, Hey, customers of company X, we have your data, maybe you should give them a call and have them pay the ransom.

So again, involving the consumers or the clients of a company to again, increase, [00:06:00] increase the pressure to, to pay the ransom.

That 

aj_nash: one's wild to me. So I know that's relatively new, right? And I remember you were the one that first introduced it to me. I hadn't seen it yet. And I think that's incredible. You know, it's, I don't want to root for the bad guys or criminals in this case, but you know, we got to give them credit for, for, you know, you showed the maturity, right?

That there's a process here that there's growing and changing it and getting to the point of saying, Hey, we're going to make this public and actually have the public put pressure back on. The victim really in this case. Right. So, you know, like you said, putting some of this stuff online to push the retailer to say, Hey, you know, we're the criminals, we've stolen all your information.The company you do business with doesn'tt care enough to pay us. Maybe you should make it more difficult for them. Right. Raising the heat and the pressure on those companies. I think, I mean, You got to give them credit. They're creative, but, but it makes it so complicated, right? You said this was, you know, single was what we all knew originally ransomware, right?

Now you got double, triple, you got quadruple ransomware. Like this is just an, it's an amazingly difficult problem. It seems like, um, you know, what are you seeing in terms of like [00:07:00] costs and impact for this? Like how widespread is this? How, how expensive is this?

brian_stack: Yeah. So. It has been growing and you'll, you'll hear that like identity theft is growing. You always kind of hear that metric, right? But it's been about 13 percent growth over the last five years. And so my team of the dark web, we've been scouring, we've been doing this for a long time. And we see more and more of these, the kind of the double extortion where the data is exfiltrated out showing up on a lot of these dark, dark websites.

So about 13 percent growth, the average. Ransom is just under 2 million, about 1. 8 million. Now, now some of the extreme cases, um, what was it? The, um, uh, the National Health Service out of the UK, they were, that was 100 million ransom that was asked for them more recently. So probably more close to everyone's memory.

Uh, you know, Vegas got hit over the summer. MGM, Caesars, uh, and that was in the, the 10 to 30 million range. Uh, Caesars did pay according to some of the reports, MGM is [00:08:00] still undetermined whether they paid or somehow they had their, their data backed up enough to restore their systems. I haven't heard a clear.

Uh, I haven't seen a clear written article distinguishing either way, but again, start hitting Vegas. You're in the, you're in the 10 to 30 million range that some of these ransoms are trying to, uh, exfiltrate out. So

aj_nash: That's incredible. And it's a pretty profitable business. It sounds like it doesn't sound like it's all that hard to accomplish either. I mean, we see this happening everywhere, right? So the barrier to entry must not be remarkably high. Um, but yeah, you're talking tens of millions, a hundred million dollar, you know, ransoms.

So it's not just you and me getting hit. I mean, I know regular people still get hit occasionally too, but you know, it sounds like they're really targeting these, these large corporations, uh, which makes right? That's where the money is.

brian_stack: well, that's right. And that's what we've seen, where I think the shift about five years ago was that there was a lot of these data breaches. You know, this data was used by organized crime or others. And they'd monetize it. They would sell the data. Now they learn, boy, this is just so much easier. Let me just do that and [00:09:00] potentially get paid on both sides, do the ransom, have the data exfiltrated person pays the ransom, but then they still monetize that data for another attack somewhere else, or use, or use it to, to layer in future attacks.

So, you know, they're trying to, again, as a business, they're trying to operate, you know, they're trying to maximize their asset, which is, Hey, we've, we've stolen this data. Like how, how do we maximize profit for that? And ransom is just another, another piece of that, uh, that, uh, you know, that value chain for them.

aj_nash: Yeah, that makes sense. Well, with the Vegas one, right? So I was in Vegas, uh, not long before this. A lot of us were black hat and DEF CON and, uh, it was not, it was not us. It was not related to the black hat and DEF CON, uh, conversation, right? I'm wondering, uh, but you know, Vegas basically prints money, right?

I mean, it's, we've all been there, right? I don't know. I don't know anybody who walks away winning often, just how it works, right? It's fun. How much money are they? I mean, how much money they lose and when the, when the floors down, they're just printing money, right? So, I mean, Does it, in their case, did it just make more sense?

I mean, we don't know if they paid or didn't. Like you said, you think one did, we're not sure about the [00:10:00] other, but the math probably made sense, right? How much do we have any idea how much money they generate hourly on the floor? Like any guests?

brian_stack: no idea. I mean, it, right. It, it, it depends. I mean, it depends on, on the, on the casino, but yeah, you know, you're talking about millions and millions of. dollars per day. And again, I think, uh, also for him, it was the casino piece, but also it hit like the rewards program. I think some of the things in terms of the hotels and being able to get reservations.

So this was, you know, this was a catastrophic event. It wasn't just, Hey, you know what? Our daily Cut of the casinos getting hit. It was, you know, just, and then just the overall brand, just being able to consumers who are there and say like, I can't get a room, I can't get my reservation. Uh, the reports I saw was Caesars.

Again, they had a 30, it was a 30 million ransom. And according to public records, it's, they pay 15. So they were able to negotiate it down.

aj_nash: Well, 50 percent discount. What a deal.

brian_stack: It was a 50 percent 

aj_nash: Yeah, they really worked that one out. Well, I know, I mean, I got notification. I'm in the rewards programs for, for both, you know, casino groups and yeah, I [00:11:00] got notified, right. That there was the breaches, which is unfortunate. Um, and it was a lot of data, right? It wasn't like terabytes of data that was taken, uh, in

brian_stack: It was terror. Yeah, it was, uh, I think around 66 terabytes of data from MGM Caesar. I think it was a roughly around, around, around the same, the same amount. So very large amounts of data. And again, they, you know, you don't know how those negotiations go. Like, hey, we'll be sure to destroy the data, like, You know, are they going to do that are not, right?

So yeah, you may get your data back. It may be unlocked, but in terms of, um, you know, verification that they've deleted the data, that's never going to happen.

aj_nash: Sure. Yeah, that's that does add to the complication, right? I know we're going to talk a minute about whether it should be legal to pay, but then the question, of course, forgetting the legality from it. Yeah, if you do pay a, do you get your data back? I mean, sometimes you can't. Some of these groups don't even have the ability to decrypt it, right?

Uh, if you do get it back, does that mean they've destroyed all copies? Probably not. I mean, why would you, right? Why wouldn't if you're a criminal, Why wouldn't you hold on to the data and still sell it, right? Make more money. [00:12:00] So, you know, it's, you might get access to your stuff back, but it's hard to say that you're actually gonna have it protected, uh, for, for these, do we know who did this?

Like the Caesars and MGM, for instance, do anything about the

brian_stack: Yeah, it was, um, Oh God. It was a spider, a scattered spider was, was the, uh. Supposedly the ones who did again, some of the times, unless they come out publicly and say, and even if they do come out publicly and say, you don't, you don't know if they're trying to piggyback off someone else sometimes. So, you know, they're a little bit, you know, so, but according to the reports, it was scattered spider.

aj_nash: got All right. So, all right. So great job, by the way, I really appreciate you taking some time to kind of walk through. Hey, what is ransomware? And, you know, from single all the way up to quad, you know, pretty impressive stuff and some stories about this. So it's really interesting, right? And it's been a long standing business for criminals, a really effective one.

So let's talk a little bit about, you know, the main point we kind of want to get into here, which is paying the ransom, right? What if, what if paying the ransom was illegal? I mean, people have talked about this before and like, listen, I've always told people don't pay the ransom. I think, and the FBI [00:13:00] says, don't pay the ransom.

A lot of people do rare exceptions, life and death, you know, ransoming hospital systems, I understand that. I've also had previous discussions with guests, you know, and we've been honest and said, yeah, I may recommend that, but if, if the most important data in the company was ransomed. And, you know, you're the CEO and you've got to give a briefing to the board next week.

There's a lot of cases where they're going to pay, whether we like it or not. But putting that aside, what if paying the ransom was illegal? Like do criminals even care about the law? Would it do us any good if paying the ransom was illegal? I'm curious about your thoughts. Hmm.

brian_stack: leaned towards, yeah, we should definitely make it, uh, illegal. Um, and. The reason is it, one of my pet peeves kind of just in the information security, cybersecurity space in general is we look at all problems through the lens of we got to buy a tool to solve it. Right. And I feel like when we need, we need as an organism, like as a culture within the community and as thought leaders to be like, not everything needs to be solved with some brand new tool or now some generative AI tool that's going to fix this, right.

I think [00:14:00] looking at novel ways, and I think this is. Potentially one novel way of doing it. And specifically kind of the season, the recent thing made me think about it even more. So apparently it came out afterwards that Caesar was hit before MGM. So if Caesar had told scattered spider, it's illegal in Nevada.

We can't do it. My hype, my assumption is that guess what? MGM wouldn't have gotten hit, right? Cause they would have moved now. They probably would have hit a casino in California or New York. I mean, I'm like, Oh, you know what? Vegas is kind of off limits. That's, that's my,

aj_nash: you think that really would have happened? You think criminals wouldn't have said, we don't care if it's illegal. We're going to hit you anyway. You think they really would have just moved on someplace else like quickly.

brian_stack: it, I think it would have again, they're running a business. So if, if, if Caesars came back and said, no, it's illegal for us, we can't do it. There's these obstacles for you getting this, probably we're not gonna be able to overcome, you're going to go [00:15:00] where you have a greater chance of succeeding in your business.

And so, yeah. Forget about the illegal part, like, these are difficult clients now, where are easier clients where I can go to casinos in New York, in California, and they don't have the law, and so let me, let me, that's the position I'm taking of how it could work.

aj_nash: That's, and that's really interesting. I mean, I, I know you do too, you know, talk about how criminals, criminals like the pathways resistance, right? You know, the, the, the number one thing for criminals, cyber physical, whoever it is, is success, right? I want to get in. I want to get out. I want to make my money.

I don't, I want a low risk of getting caught. I want low friction. I just want to move on. So, I mean, in that regard, I think what you're saying resonates, right? If it's too difficult to do it in Nevada, I'm going to move someplace else. Um, you know, the flip side of course, is they might push the issue at first.

I don't know that they would, I don't know if they pivot on immediately. I suspect if I was the criminal, I might challenge that and be like, well, let's find out, let's hit you anyway. But I think it might start the process, right? If nobody pays, then it wouldn't take long, I suspect before they move on. But then that brings up the question then, if we made it [00:16:00] illegal.

Wouldn't have to be federal like if it's illegal at the state level. You just said it. They're gonna move Hey, Nevada says can't do it. It's illegal. All right criminals are gonna hit, New York I mean a lot of states have gambling for instance using casinos as an example could be banking could be anything So doesn't that mean we'd have to make it a federal?

You know law as opposed to a state law and then then criminals theoretically would stop hitting American companies Do we go that far and has any of this even yet other state laws out there?

brian_stack: There, there, there are. So, uh, North Carolina in, uh, April of 2022. So, um, so a, a little over a year ago, they put in a pretty strict one so that that law, um, without going into the, the, the gritty, gritty details basically says you cannot pay ransom, but you also cannot interact with the ransomware gang in, in, in any fashion.

So you can't even have a communication with them, right? Florida law came in shortly after that, uh, July of 2022. So a few months after these, I think the Florida law probably has it right. Being that they said you can't pay the ransom, which I think is kind of what we're saying is [00:17:00] kind of the. The foundation of what we're trying to experiment with here, but they said you can communicate with the ransomware actor.

The reason I think that's useful is, so I'm thinking, like you said, practically something's happened, you know, you're the VP of engineering, you're the CISO you're at least trying to. Deep bug and being able to communicate with the threat actor. Maybe you can at least discern what systems they hit, maybe how they got in, right?

So that that open community, at least making communication possible, may allows you to maybe figure out like what exactly happened, how to patch it in the future or, or, again, how to, how to, how to recover, give you a better probability of being able to figure out how to recover from it. Um, and make sure that it is eradicated from your system as you try to move forward.

So those two laws exist. I'm right now. I'm so I'm not leaning. I would I lean towards states trying this out because maybe I'm totally wrong. Maybe doing this has some crazy unintended consequence. I can't see right. So doing it across on a federal level. [00:18:00] I'd say let's have, I mean, the beauty of the United States is we are a republic.

We have different states. We can experiment. And so I think is a great way to experiment on this, to see what works and what doesn't work. So I'm glad to see that both North Carolina, uh, Florida and, uh, in North Carolina both have slightly different laws. So we can see maybe which one works a little bit better.

aj_nash: Yeah. I mean, that's a really interesting point. I like, I like the idea of it being experimentation, right? You know, unintended consequences. Listen, anybody who's worked in Intel, anybody who's worked in the military, we all understand second and third order effects. You, you plan for these things and then you wait and see what happens.

And a lot of times our plans are wrong, right? So there's so many things we can't account for it, you know, with this anger. Criminal groups, could they, could it be the opposite effect? Could they say, well, we're going to hammer all of you in this state to prove a point and drive these laws out. So, you know, maybe, maybe it has a, an effect we hadn't considered as opposed to them just pivoting on.

So I think that's a good point. And, and I think you mentioned to me before we started, uh, I know there's a few other states that are kicking around some laws to, uh, Arizona, Pennsylvania, New York, and I think Texas, you mentioned are all kicking along [00:19:00] different possibilities about banning payments, right?

So it'll be interesting to see. I, the North Carolina and Florida laws, you know, you said the 2022 so they've actually been around for a little while. I don't know. I don't want to put you on the spot. I don't know if we have any data that shows whether ransomware attacks have gone up or down in those states or anything.

I don't know if we've got any of that kind of data yet.

brian_stack: I don't think we have enough and enough time has passed to get any type of significant trends. Um, I haven't seen any major ones in those specific states, but I haven't done enough due diligence to see if some of the soft targets, you know, small schools and others that, you know, may have been hit and some of these laws.

So, again, like, the Florida law is very specific around government institutions, local governments. So they're not necessarily tied to private private companies. So again. Figuring out is this purely, you know, state run businesses and organizations or affiliates, or is this something more, more broad, uh, across the entire state, including private and public institutions.

So [00:20:00] again, another variable to figure out.

aj_nash: that's a good one to mention too. So I know, you know, here I'm in Minnesota. Uh, we've had, you know, ransomware attacks on, uh, education. Uh, the, the public school systems here have been hit and, and nationally that's been an issue, right? Uh, attacks on public schools are up on, on public institutions, schools being a big part of it have, have gone up dramatically, uh, as I recall over the last year or so, uh, you know, because those institutions generally are underfunded, uh, in terms of cybersecurity.

Uh, and therefore may not have the resources they need to protect proactively or to react, you know, they don't really know what to do a lot of times, right? Unfortunately, they also don't have a lot of money. So, um, ransoming a public school system tells me you don't know much about how much we fund our public schools in America.

But, um, you know, it's, I've seen that go up. So it's interesting you mentioned there was in the public and private sector, you know, implications here, right? Because public sector, obviously the government has more authority to tell the public sector what they can or can't do, I suppose. I'm curious. So, you know, some pros and cons, right?

If we made ransomware illegal, you know, some of the outcomes we would expect. So, you know, what, what are some of the, you know, good reasons for trying [00:21:00] to get this and maybe some of the negatives you've already considered.

brian_stack: Yeah, so I'd break it up into 2 pieces. 1, just think about just kind of the rationale, uh, against just paying ransomware. Like, in general, like, you know, what, what, what are the kind of the motivations of ransomware and what are the, some of the issues, right? And so you have no guarantee of data recovery, as we said, like, generally running again, if someone's purely a ransomware gang, their business is to build.

It sounds crazy, but to build some level of trust that you pay us, we'll honor that and we won't, we won't hit you. And again, but again, there's no guarantee depending on who you're dealing with. The other piece is is copycats, right? If you're paying the ransom, you're endorsing copycats and some of these ransomware gangs are, are, uh, purely a business, but others do fund, you know, terrorist organizations and other things.

So again, you're, you paying a ransom. You're not only promoting crime, you could be promoting, you know, terror organizations across the world. Um, There's [00:22:00] in the same way, you know, the United States doesn't pay, you know, pay off terrorists because they don't want to kind of repeat attacks again. If you do that, maybe not for your business, but for other businesses like yours again, if your public education system, a hospital, you're a soft target.

You're, you're allowing, you're encouraging that type of behavior. Um, if you're a big business public perception, again, depending on which ransomware gang you're paying, you know, obviously there's, there's a lot of, uh, you know, some of the current wars that exist. If those, those organizations are tied to, you know, whether it be Russia, Ukraine, some of the stuff going on in Israel and Gaza, if they're tied to those organizations, there could be a, a brand issue with your company that depending on what ransomware gang and where they're located.

You paying them? Um, and then just the security investment piece, I think of. You're taking money that you probably should be investing internally to improve security. So, so just like those are just broad strokes about when you pay ransomware. Here are some of the negative pieces [00:23:00] specifically around legislation.

I think, um. By doing this, you remove the financial incentive piece, um, from these attackers hitting governments, private institutions. Um, second, I think, uh, restrictions on the ability, uh, to purchase decryption keys, so you can, in other words, you can't get the decryption key, will force these institutions to really put together a better plan around, Not just their security.

Security is really hard, right? It's always changing, right? And all it takes is that one, that one. I mean, again, we talked about Vegas earlier. They have some great IT security folks. They make a lot of money. They invest a lot in security and they still got nailed hard. Right. But I think what a lot of businesses don't do is the backups, right?

The restoration and backups because it's expensive. Oh, you know, what's the chance of a catastrophic event? So don't do it or they only back up like key pieces of data, not everything. So I think it'll [00:24:00] change that. Hey, we need to, we're going to assume everything's going to get locked down for a true catastrophic event.

Like, how do we recover from that? So I think it'll improve that. And the third reason I'm kind of pro, um, banning payments is I think it'll just change, It'll force cultural changes for both private and public organizations to adopt more of a security first mentality. So I think tactically in terms of backups, culture will get improved.

And I, I, I do believe it will again. If, if the, if the threat actors primary focus is financial. So forget about kind of the nation states and the anarchist groups, you're different ones. If you're an organized crime organization, you're going to just, you're, you want to have the most efficient business possible.

You're going to take your ransom somewhere else.

aj_nash: Yeah. I mean, that's a good point, right? I mean, most of these are criminal enterprises. Yes, there's some nation state. I mean, if it's hacktivists, if you're pulling stuff for political reasons, whole different set of motivations, the laws probably won't do much there. I don't imagine. But, but your point is [00:25:00] valid in that most of this is criminals, right?

This is a, this is a big business. And criminals, again, their number one concern is success. They want to get in, they want to get out, they want to get caught, they want to make money. And so it's financial incentive by far. So what you're saying is, you know, legislation could really remove a lot of the financial incentive makes good sense.

I think that the next two points were really interesting in that you talked about, you know, being removing the ability to, to buy the decryption keys, right? Cause you can't pay for them anymore. And forcing that, that change in culture, because I think. I think it's an interesting point. I don't think I was mentioned to me when I've talked about this in the past that there's probably a sense that, well, you know, worst case scenario, we'll just pay the ransom.

Like, that's the backup plan, right? Is if, you know, backing things up is difficult and having all these positions in place where we can pull things again. So, and maybe it's expensive, although storage is certainly getting much cheaper. So. Maybe they just think of it as a safety net is, you know, if something horrible happens, well, at least we can always just pay and what you're saying basically is, well, that would get ripped out.

You want to have that as an option. So now you're going to have to be more proactive because there is no fallback position of just just [00:26:00] pay the bad guys. And I think the pieces you mentioned earlier, you know, these are the ones I talk about all the time too. If you pay the ransom, you, you're going to get hit by ransomware again, like you're on the list, you're, you're a known payer now, so you're, you just, you've told people you're a payer, so why wouldn't they hit you?

You've proven that you're, you're weak in terms of, of standing up against these things. No offense to anybody when I say weak, you might just not be in a position to be strong enough, but you've proven you don't have the backups, you're confident, all those things, right? And the negative public perception is an interesting one you talked about with, you know, with all the politics, right?

So if you end up paying a ransomware group that supports one side of a war, uh, Now you're labeled as supporting that war, I guess. I mean, you might not have intended to, you are, right? You're funding this, this war, whether you like it or not. Uh, which is big and you know, the security investment component you mentioned, which is of course, huge.

It's funny how many organizations don't have enough money to pay for security proactively. No, no, I keep cutting the budgets. You know, we, we can't prove the ROI on this. We better not spend. And then all of a sudden they come up with 30 million for ransomware. So, you know, it's funny, apparently you have the money.[00:27:00] 

When you need the money, right? In some cases, and not everybody, of course, this isn't a blanket statement, but you make a good point. If you just said, Hey, we're never going to pay ransomware, you know, we're not going to pay the ransom groups. That's money we could be putting into other places. Cause I'm sure some organizations are budgeting for this.

Obviously there's cyber insurance tied to this. I'm sure too. So there's, there's a payment into that, but you know, if, if all these changes happen. I think we covered some of this, but you know, how much do we think criminals would care? You know, I, again, their, their goal is financial. We know that. So, you know, there'd be some changes in, in this, but you know, I'm curious, you know, how much do we really need to care?

What would it do for the, you know, groups that are doing, say, cyber espionage? What does it do for organizations that are motivated by politics instead? You know, would this have any effect on them?

brian_stack: Yeah. And so, yeah, my position is, and I think you mentioned this early, right? If, if it's, if, if your motivation is political, right? So I think, what was it? The Sony hack from North Korea a few years ago, right? You can have a movie that came out like. That won't change like that'll happen, right? Their [00:28:00] motivations are, are, are, are different.

Um, but again, most of the folks who are mature ransomware gangs, they're organized crime organizations. Yet some of them do have tentacles into other places that fund different things politically or, or, or through terrorist organizations. But again, most of them, their primary business financial. And so just like, again, think about you're running a business.

You're always looking at how to make things efficient, how to get the most EBIT out of something, right? And so you a framed it as a difficult, you're of a difficult client, um, with potentially a long, uh, procurement process to get that ransom, because now they got to go get an exception from the government, like.

Why, why, like, why are you going to, unless the payday is a hundred million dollars, like, why are you going to deal with that? Like just go hit five hospitals that, you know, there's, you know, they got that, they got that plastic surgery units that make a lot of money. We'll get, we'll get a million from each of those done.

aj_nash: Yeah, that's a good point. Well, and you know, Hey, maybe they'll just ramp up business email compromise, [00:29:00] which still costs, you know, what is it? 10, 10 X what a ransomware costs worldwide. Anyway, that's a whole different discussion, by the way. I ransomware is important. I'm glad we're chatting about today.

We've got to have some discussion about business email compromise at some point, but, um, yeah, I think you make, you know, a lot of good points there, you know, so there'd be some changes that wouldn't do much for the political stuff, you know, in the espionage, you know, it's challenging, but I think you said it like, it also depends on the payout, right.

You know, if, if the ransom, if there's real money to be made in it, if there's, and they're all real money, but if there's Vegas money to be made, and if there's bank money to be made you know, they may be willing to go a bit further on push a bit harder. I would, I would gamble that not to use a pun for Vegas.

But, uh, then if it's a small time, you know, right, I think, you know, the risk reward is also part of everybody's business model, including criminals. Um, I'm sure they were willing to put in more time and effort, uh, and be a little more patient. I mean, I've seen some groups. I'm noticing that you've seen this too.

The customer service is really ramped up in ransomware over the last several years. Right. Where there's platforms and they'll actually give you customer service. Like if [00:30:00] you're calling Best Buy or something for a computer problem to help you buy your Bitcoin and, and where do you put the money? Like, it's amazing how professionalized some of this has become.

Right.

brian_stack: Well, right. And so like a tie back to something we talked about, like, Hey, the Florida law looks, maybe it's better, right? Because it allows you to at least talk to the threat actor to maybe get some information. I could see them saying, you know what, we'll hit a few Florida places. We don't want to get the ransom, but we'll charge for customer service.

We'll charge to tell what we did and how we did it. Like, it'll be low. You know, it'll be our, our, our, our bronze package. Yeah. You know, here it is. You know, take a hundred K off. Well, And we'll tell you like what we did, So,

aj_nash: It's, it's, uh, guerrilla red teaming at that point. You didn't hire us, but we did it anyway. And now you're to pay us to show you, to show you what we did, but it's not really a ransom anymore. It's just, it's guerrilla red teaming. They'll re market 

brian_stack: correct, 

aj_nash: No idea for the ransomware groups out there, by the way.

brian_stack: joke about it, right? But again, they're creative. They're very creative. I can very easily see something, something like that [00:31:00] happening.

aj_nash: Yeah, I could too. That's sad, but true. I mean, I sit here and laugh about it, but yeah, these guys, they are creative, as you said, and their business people, you know, these groups are not everyone's the same, of course, but a lot of these are really professionalized business groups. And yeah, they'll, they'll find a way to pivot on some of this stuff, but we got to try something, I think.

So, you know. All right, moving on to the third of the three questions, at least the main questions we have here. So we've talked about what ransomware is. We've gone through some of the, you know, the details about it. We talked about maybe we should make it illegal, whether, you know, whether it be federal, whether it be state and some of the pros and cons of that.

But what do we think? And again, we won't get all of them obviously here, but we should probably at least lay out some ideas on an unintended consequences or exceptions that would happen if there were these new laws. You know, so, you know, what are your thoughts about that first figuring state level, you know, I mean, aside from the fact, I worry this would pit states against each other and we should probably talk about that more too, but what are some of the unintended consequences and some of the exceptions you can see to a law like this?

Sure.

brian_stack: maybe there is a, [00:32:00] a, a, a revenge piece where they say, you know, we're going to hit you harder to try to break the law. Potentially this could make things worse. That's that's that that is a variable on the table. I think also some of the looking at again, most of the laws are structured around, you know, public institutions, government run agencies that could just shift a lot of things towards, you know, private schools and private hospitals, right?

Um, so within within the state, which could have could have have an issue. I think trying to figure out what is the right, what is the right parts of these laws in terms of can you communicate? Can you not communicate? Maybe is there just a limit? Um, it, the type of, are there exceptions around the type of data that's, that's exfiltrated or still like if it's, you know, MRIs and health records, does, should there be an exception there?

My, my initial gut is probably it shouldn't matter because I often get asked that [00:33:00] question a lot of, Hey, you know. We taught you, I might talk about how my guys. You know, see data breaches with M. R. I. S. And cat scans. And why do threat just care about that? They don't. care about the PII attached to those records.

They don't, know, they're going to there's no blackmail of, hey, we know, we know you

aj_nash: We know you have cancer.

brian_stack: right. Right. So, like, I think people view that as much more sensitive data, but. When you boil it, boil it away, it really is just about the personal information and being able to hack into somebody's email account and stuff like that.

So that I don't think there needs to be a carve out for that. But maybe somebody could could could could make the case for some of those situations. Maybe they need some exceptions.

aj_nash: Well, and if they're just holding the system hostage, right. Forgetting the data for a minute, if they've rocked up the system and there's got to be, I assume exigency, you know, using a legal term would come into play. Right. If it's life and death, if you're holding a hospital system, hostage, all their systems are locked up, you know, think of the casino, but it's a hospital in this case.

Right. So now I can't perform surgery because none of our systems work. Uh, you know, we've got people that are on life support [00:34:00] and now we can't trust the monitoring systems, et cetera. So I assume in that case, there would have to be some sort of an exception. Unfortunately, that would. You would also have to, you know, deduce would raise the, raise the interest in targeting life and death situations, right?

Targeting hospitals, you know, so there's, there's an unintended I would imagine there and that bad guys are going to realize what hospitals can pay. They have to pay, you know, it's exigent circumstances. So let's just really hammer the hospital systems, uh, because law or no law, they're going to pay.

So, I mean, I guess I'd worry about that part.

brian_stack: Yeah, I guess I have a hard time of looking at the timeline of seeing someone's life being at risk where, you know, the threat actors come in, they lock up, you know, your M. R. I. Machines or or or some of the, I mean, some of the equipment now, the remote equipment is pretty amazing between hospitals and experts.

They lock it up like, and you're about to start a. A, a life-saving operation. I think people are like, well, we need an exception for that case. I don't think appreciate how hard it is to get a, a decryption key, bring the encryption key and try to try to unencrypt everything, [00:35:00] restore the system with not to be callous, but I feel if someone was in a crazy situation.

Probably they're not going to survive it because it probably is going to take at least the time to recovery, probably at least two hours in that situation. So it's like, I get like, Oh, naturally feel like you need a life exception. Like the kind you know, but I don't know if it's a practical problem that would,

aj_nash: that's a, an interesting point. I mean, I guess I would advocate, I don't disagree with you, but I guess I would advocate for the exception then because let's at least not make the law become what people blame, right? Just go ahead and put the exception and let them try if they want. They're going to, if they're going to succeed or fail, that's separate, but at least we're not, we're not slowing down their abilities to try to save lives.

I'd put the exception and just for that purpose. I think you're probably right. But in a lot of cases, it, yeah. Wouldn't work out the way people would want it to, but I wouldn't want anybody to be able to turn around and blame the, the state for the law. Right. Um, you know, so I, I think that's an interesting point.

I mean, there's other issues in, what do you do with multi-state corporations, for instance, you know, who has jurisdiction then? Is it where the attack took place? Is it based on [00:36:00] where the company is headquartered? You know, will companies be able to use that as their excuse? Well, we're headquartered in a state where it's illegal.

Uh, we're going to go ahead and say the origin of the attack was in a different state where it is legal and therefore we can, are they going to work around that? Bye. I don't have any idea how that would be enforced, I suppose.

brian_stack: I think. So, I mean, I think that's a great question and again, neither of us are lawyers, so I'm sure, I'm sure if lawyers got a hold of it, it would be, it would be, uh, uh, you know, an interesting, interesting write up. I think the template already exists, though, around privacy laws, right? So, you're a multi, you're a multinational company or you're a multi-state company.

If you operate, so CCPA, the California Consumer Protection Act, if operate in California, regardless if you're headquartered in Thailand, You've got to follow that law. So I think it's more about where do you operate? If the law exists, then that just like for privacy, this, I think the same type of framework would apply here.

aj_nash: Yeah, I suppose that's a good point. And again, you said it clearly for those listening, neither of us are lawyers. Uh, we're, we're spitballing ideas here on what consequences would be [00:37:00] as Intel guys. Um, if there's lawyers listening, feel free to, you know, chime in and let us know your thoughts on this one.

I, you know, I'm happy to have a lawyer talk about it, you know, we're kicking around the idea. But again, originally this did start as an Intel discussion of. You know, should you or shouldn't you not pay the ransom? We're just discussing the possibilities of if you're on this path and make it illegal. So, uh, none of us are pretending to be lawyers or, or practicing law.

So, uh, if we're, if we're missing anything on the legal standpoint, just remember, this is the conversation after hours at the bar at a conference. We haven't had drinks yet this morning, but, uh, this is not a true legal discussion. So, you know, save the darts,

brian_stack: Exactly. But to do. Yeah, yeah. So to your point of, hey, states competing. So I think you're, so assuming my, you know, our, our hypothesis, you know, plays out as we think, yes, states would start to compete. And all of a sudden you'd start to see, you know, whoever's states have no laws on the books on this potentially getting hammered.

I don't have an issue with that. Because I think the long view is competition makes everyone stronger over time. So, [00:38:00] like, so if this, if this, if this methodology works, then yeah, fine. Great North Carolina, Florida don't get hit. Then New York, Arizona, Pennsylvania, like, and then others. And then the United States overall starts to get stronger.

And then a lot of these ransomware, you know, gangs move to different countries. Right. And they're to where. It's

aj_nash: Yeah, frankly, I'd like to see that. I mean, obviously, nobody wants to hear this, but if, if, if, if we saw that pivot, we saw states pivot, you know, uh, pitted against each other as a base, based on these laws, it would, it would tell us the laws have an effect, right? That they're working. If, we do this and nothing changes, I guess the laws don't really impact, you know, the way we thought they would.

Right. So I, I think, yeah, I think you'd have to see that as a bright side. If you're one of the states getting hit more often, you don't, but maybe that's why you go to your legislature and go, well, we're going to mimic this law, figure out which, you know, which states are getting hit less. And we're going to, we're going to.

Yeah. Go the same direction. And like you said, it could lead to a federal law at that point. And then the question is, would criminals go to other countries? Now, the U S is a, has a lot of corporations with a lot of money. So I don't know that they would all [00:39:00] disappear because some of the biggest money's here, but It's not all of it.

You know, yeah, we have casinos in Vegas, but last I checked, there's a lot of casinos around the world to Macau is a very big place for gambling. For instance, you know, uh, Monaco, there's other places for that. And there's certainly banks around the world. So, uh, we aren't the only targets out there. So it'd be interesting to see how that would progress from states pivoted, you know, pitting against other states if they had laws and then maybe if being federal and seeing if it, if it pushed out any further, it'd be interesting.

I don't know. It's, it's a, it's a, it's a hypothesis, right? I personally, uh, continue to advocate for not paying the ransom. Uh, the law at a minimum, I think it would really be helpful. As you said, for, for state and local governments, you know, for the, for the government entities, at least to say, Hey, you guys can't pay.

We got to stop. Um, it's too much money getting sent out there. We've got to have a different, different way and forcing that prioritization back to preventative work, right? The proper hygiene, proper backups, cyber intelligence, all the things we should be doing to stay ahead of this. Instead of just closing our eyes and hoping we won't get hit, math says we will eventually.

And then when we do paying [00:40:00] it out. You know, because we're panicking, we haven't made those choices. So I'd, I'd love to see that pivot to the proactive side.

brian_stack: And, and, and, and I, and I guarantee right it right now, you know, folks in the, in, in the security space are all talking about, you know, generative AI and LLMs, how LLMs are gonna be, you know, be, how can we leverage them to be, you know, improve our firewalls and our, and our WAPs and, and all that stuff. And I, I mean, this is just.

Me just, just, just, you know, I have no data to back this up, but I guarantee you 90 to 95 percent of those organizations don't have a proper backup and restoration strategy

aj_nash: A hundred percent. 

brian_stack: we got AI to our systems to, to help make things more secure. Right. And like, that's where people need to really start and it'll solve not just this problem, but just other operational issue problems first.

aj_nash: Yeah. Well, and then I, I have no doubt you're right. Uh, I don't have hard data, but I can tell you, I certainly have anecdotal. I've been around and, and, you know, organizations love to chase shiny objects. Um, and then you look and go, what are you doing in the basics? Well, the basics are kind of [00:41:00] boring. So a lot of those don't get done, you know, how's your CMDB.

Uh, crickets, you know, how have you done a crown jewels assessment? Uh, you know, do you have intelligence requirements? You know, all these basic things? No, but you know, we do actually want to run out there and do, like I said, you know, generative AI and some of these other, you know, big flashy items, which may or may not be all they're cracked up to be, but more importantly, they aren't the fundamentals, right?

Do you have a backup plan? Is your patching process in place? All these things that are boring, like, let's be honest, cyber hygiene is boring. But it's fundamental, right? You just have to have it. Uh, and people want to jump to the, to the flashy new thing, which often is the thing that will get them the most budget too, unfortunately.

And I think that's a problem. So, you know, speaking of that, being more proactive, right? And talking about, so you've seen a lot of this, right? You've seen it from all different sides. You got a great team that does a lot of research in deep and dark web. I know, you know, ransomware really well. And I know you've seen how it's impacted folks.

Do you have tips for organizations to plan for ransomware attacks to get ahead of it? You know, we've talked a little about this, but what should organizations today be doing if they're worried [00:42:00] about this? They don't have a plan in place. How do you get yourself prepared for a ransomware attack? Oh

brian_stack: happens, and it probably will happen at some time, if you're in the security space in your career, sometime within an organization is: contain first, then eradicate, then restore, right? So I think people start to, you know, something happens. They're trying to figure out how do we get this out of our system?

First, you got to figure out what's the scope of it? Because even if they say, hey, you know, we took your loyalty rewards database. They may or may not be in other parts of the system. So you got to first contain, right? Definitely call your, uh, assuming you have cyber insurance, uh, most significantly considerably large corporations at all enterprise corporations do medium sized ones do different insurance.

Cyber insurance has different clauses in terms of. If they'll fulfill their requirements of paying you, depending on when you notify them. So some of them, it's 24 hours, 48 hours. So make sure you loop in your insurance company as soon as possible. [00:43:00] Involve law enforcement. So whether it be at a, at a state level or potentially FBI, depending on to get the data and the type of business you run.

Include those and, and like we talked about kind of the basics that are boring and not sexy is you have to run simulations like here's the, this, this happened, get everyone's kind of, uh, ransomware muscle toned to having this happen, because if not, it'll end up, it's, it'll be a Friday night, you know, everyone will be, you know, getting ready for the weekend.

This will happen and people will go into panic mode. Especially if you are a public, publicly traded company and it couldn't get out, like, so being able to have that muscle where you're not reacting emotionally, you're just saying, we have this plane, we've done this before. Uh, it'll help for everyone to think a little bit more clearly.

Cause when the pressure's on it's the events like this, I can just can imagine what it was like at MGM in the IT department when things falling apart left and right.

aj_nash: Uh, yeah, just call to the next about systems that are going down. I'm sure that was a nightmare. Right? [00:44:00] So, you know, when you talk about simulations, right? So military background, government background, we talked about you fight the way you train, right? So that's why you do as many training exercises.

You do to get out there. So, for the simulations. I don't want to put words in your mouth, but I'm thinking you got to have run books in place. You got to have all these plans out. I don't personally think tabletops are good enough. I think tabletops and books are great as a, as a step, but I think you need to do live ones.

I mean, what are your thoughts about actually running this thing? You know, live. Even to the point of not scheduled, right? Scheduling. It still gives people a chance to know what's simulated, et cetera. I like doing a lot of books and a lot of, you know, planning and training, get all these runbooks, always play books in place and do some tabletops with leadership, but I think you got to be able to do it live, right.

And really just run it.

brian_stack: I've never heard anybody say that. And I actually love that idea. Now that I think you just kind of off the cuff, think about it, right? Because you do the planning, everyone's kind of sort of trained, but the thing that everyone forgets is, okay, this happens again, maybe it's on Friday or maybe it's a Wednesday afternoon and you're dealing [00:45:00] with a client and you have big sales pitch.

Everyone's priorities need to shift and change. And I think people need to know how to adapt to that situation of, it's not something we can allocate and clear our schedule and get ready for. Now this has happened, you know, uh, you know, Capital One's coming into town for a brief presentation, okay, this happened.

What do you do? How do you handle that?

aj_nash: Exactly. And I think it's to be clear for those listening, I've done training and exercise stuff and, you know, plant all these things before. I think it's a progression. I'm not saying you go straight to live. That would be foolish, right? You got to have these playbooks in this run books. You got to have leadership together.

You got to do tabletops. You can do a scheduled, uh, exercise across the org where everybody knows it's, it's, it's exercise. And, you know, everything's labeled properly. I'm not saying you don't lead up to that, but I personally think at some point you just do one thing. At least one that's just surprising live, right?

You'll, you'll get all the notes from all the other things. You'll do all the lessons learned you'll improve, but let's see how it really works and just run it. And I realized that can be disruptive. And I realized that probably doesn't apply to every business and organization, but I personally think that disruption is.

That's, that's when you're really going to get the findings that you, you, you look [00:46:00] for the training findings. Those are great. And we see people panic in trainings and you learn from that, but let's see what happens when it's live. Like you said, what if you really have a big client meeting coming in and you just got to tell them, Hey, we're, we're dealing with a security incident right now, just as you would in real life.

And how do you reprioritize? How do you run it through? Because you, you fight the way you train. It's as simple as that. And if you haven't prepared and overprepared, you're going to panic. Like that's what organizations do. And I, I think that's a lot of times what leads people to go just, just pay it. I'm like, just how, how fast can we get the money?

What does it take to get them paid? Because that's the expedient approach. Whereas if you have done this to the point where it's just second nature for you, you're going to be calm and you're going to be in a better position to say, okay, here's the process. Here's the checklist, you know, hold, keep them on hold.

Don't talk to them, go to the insurance, go do all these things. Right. And. Not have to worry so much. Now, of course, we also talked about the proactive pieces. Listen, if you have a good backup plan in place and you have all these other systems in place, you can be less concerned. You know, I've told people if you ransom me, you're gonna be [00:47:00] really disappointed.

Now granted, I'm not a large enterprise, but if you get a hold of my laptop and ransom me, you're gonna be really disappointed because there's nothing on it I care about. Uh, so go ahead. Now, please don't. I'm not encouraging people to come find me because I don't need the inconvenience of wiping my systems, but you're not gonna find much.

Everything's backed up in other places and it's encrypted and I'm pretty safe. I'm one guy, of course, um, but it does help. I wouldn't panic, you know, and to be able to do that organizationally have that kind of proactivity in place from your defenses and then have the training in place to know when it happens.

It's not As much of a shock, right? It would be easier.

brian_stack: Yeah, and I think anyone listening who's like, Oh, you know what? Maybe I could get this through, but I can convince, you know, senior management because of the cost. Like, don't frame this purely as a security exercise, but a business continuity one. And also kind of a, a, uh, your personnel backup plan. Because again, in a real event.

Maybe your director of data operations is in Hawaii on vacation and like his backup maybe isn't as great and that at least, you know, like, hey, we need to train this person or you'll find out where your real personnel [00:48:00] holes are in terms of knowledge and ability, um, compared to where you said, if you do a fully planned one, everyone's going to be on board.

You're gonna have all the knowledge in a real life situation. You're gonna have people who just aren't there, not away for whatever reason. And you're gonna have to rely on again, people who, um, You know, maybe don't have all the keys to the castle and figuring some of this stuff

aj_nash: Yeah, that's a really good point, that business continuity piece, right? I think that's, that's excellent. I know I've done exercises, and if you have a good white team, you can also simulate that and say, okay, today, this person's not here, right? You can do that, but it's still not the same as if it's live.

And I think you're right to be able to say, well, we've realized there's gaps. We have training issues, you know, who's, who's the backup? Who's the third person? Do we have, you know, do we have these documents available to say, you know, who backs up whom and what are, I always call it a depth chart, right? I'm a sports guy.

So, you know, what's your depth chart look like? Who fills in where and how things pivot, you know, when, when, when something goes terribly wrong, cause people will be on vacation or they'll be sick or they have other issues going on, right. Or what if the key person. Resigned three days ago, and then you get hit.

Oh, [00:49:00] and now you've got a gap and nobody's filling that position. So I think, you know, those are all excellent points, right? So, okay. So I think we've, we've hit this pretty well. We've, we've even hypothesized on some legal stuff. That's probably behind us, but it'll give some people that, you know, some, some, something to chew on and talk about here.

So we're, we're running out of time here and I want to get to the point where we start closing it up. But we've talked about the ransomware piece and possibly, you know, whether we should or shouldn't pay that. And that was the big piece. But now, I mean, the question I like to ask, right, the name of the show is unspoken security.

So I always close with the same question for the guests, which is with that in mind, you know, tell me something you've never told anyone. Tell me something that's so far been unspoken.

brian_stack: So when I first took over kind of the dark web team and experience, I knew a little bit about it, but you know, the in and outs and a lot of what we do is personal information, but I hadn't heard a lot of the mythology, I read everything. I could study everything I could. One of the. Kind of the, the, the mythology of the dark web is around red rooms.

Um, which for [00:50:00] those who may not know, it's this idea of, of these rooms where, you know, there's, you know, potential torture and horrible things that happen and people kind of do pay per view, you know, you know, think about Dr. Evil, a lot laughing as he, you know, gives Bitcoin for someone to do terrible things.

And so I had heard rumors and stories. So I actually. Dove in and tried to explore for my felts, kind of trying to figure out if I can separate fact from fiction. Um, what, what I, my analysis was that if you, if you take a strict interpretation of Red Rooms of, you know, it's a pay per view, live, torture, or horribly, a murder event, um, those are not on, on, on the dark web.

And there are, but if you take a slightly different, more liberal view of people do post horrible things on there, you can, and, and they'll sell 'em, they'll post horrible videos of, of everything from, from, from torture to, to actual, you know, uh, cartel murders. Um, but the, the classic Hollywood kind of, um, the, the [00:51:00] Red room is kind of a modernization of Hollywood snuff films from the seventies, right?

It's that same idea that's basically been brought up to speed in the modern world with, with the, with the emergence of the dark web. But my take is. They, they don't exist, um, in their truest form. Right,

aj_nash: I mean, that's, that's good to know that's, that's encouraging. I mean, I, I know that, you know, I've spent a little bit of time in the dark web, um, you know, strictly for professional reasons, of course. Uh, but yeah, I mean, there's a lot there, right? I mean, you can buy virtually anything you buy weapons, you can buy drugs, you can, you can hire a hit man, uh, you know, there's, there's human trafficking.

There's all sorts of horrible things. Um, But it is interesting to know that the, that stereotype you're talking about of like, you know, just a live torture session, for instance, um, that at least those don't exist, which, uh, frankly, I suspect has a lot to do with just logistics of it. To be truthful. I mean, I, I hate to put it that way.

I don't think criminals are this. I think they'll do whatever there's money, but the logistics of that seemed like they'd be really, really challenging.

brian_stack: Well, right, and some of it is technical logistics, like, so most people think of Tor when they think of the dark web, in [00:52:00] terms of the web browser. Like, it doesn't offer streaming capabilities in order to do that kind of stuff, so there's, there are some, like, technical limitations of it that, that does that.

That don't make it as feasible. That being said, people put stuff on Facebook live that have been horrible events, but again, they're not, they're not pay per view live events. So again, it depends on your interpretation, liberal or conservative of the actual term. But yeah, the, the, the true kind of letter of the law definition is, is definitely, I think a, a, a fiction.

aj_nash: Well, that's good. Uh, again, for those wondering, uh, dark web still full of, uh, plenty of terrible things. Don't worry. All of your favorite TV shows and movies are mostly accurate. Uh, anything horrible in the world is, is, is down there waiting to be found. And that's why we're lucky to have guys like Brian and his team, uh, that are that are in there, uh, ahead of us, thankfully, and hopefully ahead of some of the bad guys.

So, uh, listen, we're out of time. So I'm going to wrap up at this point, but I, I wanted to thank you. I mean, I really can't thank you enough, you know, for taking the time, uh, to come today and talk to me a little bit and, you know, for us to chat about this [00:53:00] ransomware discussion and whether it should be illegal to pay the ransom.

I think it's a really interesting topic. I think you brought up some very cool points to, you know, for folks to chew on. I'm sure there'll be more debates about this and we'll see what happens with some of these laws. You already mentioned Florida, North Carolina. You know, looking to see if, uh, if these other laws go through as well, is there anything, anything left, anything I failed to mention as we went through here is anything you want to add, uh, talk about experience or the team or yourself or anything else you want to add before we, you know, we call it a show.

brian_stack: No, I appreciate the opportunity. It's always great. And, you know, speaking with you, AJ, and, uh, definitely, and probably, probably see you sooner than later, maybe at the next black hat. So, but, uh, thanks for the opportunity today. It was

aj_nash: Yeah, man. No, absolutely. Thank you. I'd love to have you back sometime to talk a little bit more about what you guys do. We can talk about some other dark web stuff, you know, in 2024. So, uh, you know, as, as the year goes on, right. So again, thank you. Appreciate it for everybody listening. Thanks for tuning in.

Uh, you know, feel free to. Take the time to subscribe and like and download and all the things we need to keep this going. I really appreciate it. Uh, you know, give me feedback. If you like the show, let us know. If you don't let us [00:54:00] know, you know, let's, let's figure out how we can make this better. This is really about, you know, the guests in the audience.

So thanks again for tuning in to unspoken security and until next time, have a good one. Be safe.