Mandiant has some early history responding to extortion operations against the education system. TDO was pretty nasty, but they couldn’t hold a candle to the persistent threats deploying ransomware today. Today, these extortion operations are running like a well-oiled machine. https://twitter.com/fireeye/status/1319005485060816898
Fairly fresh to the private sector, and solely interested in espionage, I remember @cglyer visiting my desk in 2017 to discuss SAMAS. At the time, ransomware intrusions were a bottom-shelf priority. However, he described a new modus operandi indicative of a higher threat.
He saw where things were headed. From there, you saw FIN actors, including FIN6, adopt it. Today, industry talks about this stuff like it’s common knowledge, but just a few years ago it was an emerging threat only forecasted by those in the trenches. How things have progressed.
Four years ago, you would see me maybe discussing how pointless king-of-the-hill, race-to-domain-admin style offensive testing is, but today, that might actually be at least a high priority for offensive engagements. Can you prevent, or detect and contain, in hours?
I’ve said, for a couple years now, that ransomware will drive more security adoption than any other threat in the past. It’s because everyone is susceptible to extortion. You can ignore data theft. You can’t ignore encrypted files. Tens of millions of dollars in single demands.
These actors have demonstrated they can ransom organizations with some security. These actors are pulling off multimillion-dollar extortion jobs with often less than two days’ work, leveraging phishing, botnet access, freely obtained OSTs, and freely obtained exploits.
You can follow @anthomsec.