The Hacker Mind Podcast: Tales From The Dark Web: Ransomware, Data Extortion, and Operational Technology

Ransomware is now old news. Attackers are skipping the encryption and simply extorting the exfiltrated data, according to Thomas “Mannie” Wilken, from the Accenture Cyber Threat Intelligence Dark Web Reconnaissance Team. He should know; he spends his days on the Dark Web seeing new infostealers, deep fakes, and even the rise of OT technologies as potential targets.

‍

‍

The Hacker Mind Podcast is available on all the major podcast platforms. Subscribe today.

‍

[Heads Up: This transcription was autogenerated, so there may be errors.]

‍

VAMOSI: Something interesting happened with the ransomware that hit MoveIT early this year. MOVEit, by itself, is a managed file transfer software product from a company called Ipswitch. MOVEit encrypts files and uses FTP or SFTP to transfer data to transfer large quantities of data. So it’s used by a large number of organizations. But this ransomware attack? As of August it’s been suggested that over 1000 organizations have been compromised. And another estimate suggests that it affected over 60 million people with the data that’s been breached. 

‍

HEre’s the thing. None of the affected companies have been hit with ransomware; in other words, the organizations didn’t have their servers and terminals shut down with a ransomware notice. No, instead, the attackers moved directly to extortion, demanding money in exchange for not putting the stolen data online. 

‍

Who is responsible? Evidence shows a ransomware group known as Clop ransomware gang may be responsible. And it’s been suggested that Clop may have been sitting on its MOVEit exploit for years. Again, why?

‍

As we’ll hear in this episode of The HAcker Mind, ransomware operators have shaken up their operations. Instead of ransoming the data first and then extorting the victim into paying to keep the exfiltrated data from being leaked, they’re skipping the first step and going straight to extortion. And the services used for that, well they’re on the dark web.

‍

And in a moment I’ll talk with a researcher who spends his days on the dark web. I hope you’ll stick around.

‍

[music]

‍

VAMOSI: Welcome to The Hacker Mind, an original podcast from the makers of Mayhem Security. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode I’m discussing Ransomware, Data Extortion, and the Dark Web with someone who practically lives in the DarkWeb because it’s his job.  

‍

[music]

‍

VAMOSI: 

‍

WILKEN: Yeah, my name is Manny. At least that's what everyone calls me. At work. I am an associate manager at the Accenture Cyber Threat Intelligence Dark Web reconnaissance team.

‍

VAMOSI: Like any major organization, Accenture has different business units and teams.  The Cyber Threat Intelligence Dark Web reconnaissance team sounds really specific and pretty cool.

‍

WILKEN: Yeah, so we're one of several specialized units within the wider practice. But essentially our mandate is to go on the on the deep and dark web, providing intelligence and quote unquote, weather forecasts about what's happening, essentially trying to look for threats and trends and warning clients about who's targeting who with what tools and what kind of capabilities.

‍

VAMOSI: So let's start out by defining what we mean by Dark Web for someone who may not know.

‍

WILKEN: Sure. So, I mean, at the very strictest definition, there are obviously very big differences between deep dark and clearnet, but from a criminal perspective, they all overlap. Some of these criminal forums are hosted on on unclear net sites, and some of them are in tournaments. Some of them are in messaging platforms. But for the intent of intelligence. It's part of the dark web.

‍

VAMOSI: So again, for someone who doesn't necessarily know, the clear web is what you get when you go to Google. And then if you go into a password protected area, that's another level of a deep web. And then there's the dark web, which is what you need Tor or PDP browsers to get into. 

‍

WILKAN: Yeah, that's correct.  

‍

VAMOSI: Okay. Good. So what are some of the threats that say enterprises need to worry about? I mean, you just said criminals operate on all three. So why would any organization need to pay attention to the dark web?

‍

WILKEN: Unfortunately, you have to pay attention to the dark web. I think more and more events, cyber events that businesses and enterprises are facing, can be tied directly back to the dark web in one form or another. You know, it can be something as specific as a set of credentials, or network access being sold. Or it can be something more vague, like a new and emerging threat or technique that's being sold. Our opinion and I know I'm biased is that nobody can afford to not look in this space, because you're missing out on a really big opportunity. To posture and prepare.

‍

VAMOSI: Manny mentioned forums and my understanding, when you do that type of surveillance in the dark web is you're basically listening to as many forums as possible.

‍

WILKEN: Yeah, you're you're I mean, there are various degrees of it. There are some forums where you can be a casual observer, and then there are some places where you have to be more active in the discussions, because otherwise you'll get booted out. And one of the benefits are the criminal underground used to be very centralized. And that meant you had all types of crime in one place, things like AlphaBay. That was hard because you don't want to be active in a forum that also deals with, for example, human trafficking. But now that the forums are more segmented cybercrime is its own thing. carding fraud, it's his own thing. You know, you can you can have more liberties on these forums.

‍

VAMOSI: So, as a researcher, how would you interact on this dark web forum? In other words, I know you'd probably have a burner laptop, a VPN, TOR, a burner account that you'd use, but are they transactional? Do you need to contribute something

‍

WILKEN: You need to have OpSec. If you don't have operational security in place, you have no business to be on these forums. In terms of do you need to be transactional, there are some places you need to do and obviously, to the degree that we can it's not good to to fund crime. So we avoid doing that entirely. But there are some places where if you've been there long enough, you can get around the transaction barrier.

‍

VAMOSI: So it's reputational. Who you know. How long have you been around?

‍

WILKEN: Reputational, exactly. And lucky for us. Some of my colleagues have been in the business longer than I have, and have ensured that there are foreign accounts that date back, you know, more than a decade.

‍

[MUSIC]

‍

VAMOSI: Man. Okay, so you, you must have some stories around some of some of that investigation work that you've done thus far.

‍

WILKEN: Yeah, I mean, I've I've I was lucky I joined this field. Around six and a half years ago. And in that time, I think the primary thing is that the cryptic criminal underground has become more professionalized. When I joined it was sort of disjointed and it was difficult to know what was a scam and what was a real service. But these guys want to make money. And they know the best way to do that is to build it like a legitimate business. So some of these criminal outlets operating on the dark web are more like an early stage tech startup in how they operate them a cyber criminal.

‍

VAMOSI: I’ve heard this before. That criminal hackers work 9-5, monday through friday. They have HR departments, Finance, even Engineering. We know this because shortly after the Russian invasion of Ukraine, members of the Conti Ransomware organization who disagreed with the invitation published emails and chats which revealed the internal structure of the organization in fine detail. These ransomware organizations are essentially startups in the world of organized online crime. As for what they produce, they produce services for others to franchise, receiving a cut of all their crimes. 

‍

WILKEN: Yeah, so ransomware is obviously on everybody's mind. And one service that is very interesting is what's called the initial access brokering. It's a threat actor that specializes in getting access to an enterprise network and then reselling that to the highest bidder. That is one of the main economies currently operating on the Darknet and in my personal opinion, without these initial access brokers ransomware and data extortion couldn't have scaled to the point that we're currently seeing.

‍

VAMOSI: Infostealers. This is where somebody uses, say, my creds to get into my company’s network and then from there, bootstrap their way into other areas, such as finance.

‍

WILKEN: Yeah, it can be a set of stolen credentials. It can also be, you know, some threat actors, some of these initial access brokers are highly highly specialized, they will have their own one day or zero day exploits targeting some sort of VPN provider. They'll use that as a way to compromise several companies, and then they'll resell that access.

‍

VAMOSI: So you just mentioned zero days and often I hear that you don't want to use a zero day you want to go for the low hanging fruit first and zero days. It's something that you save because they're quite expensive. Have they become less expensive?

‍

WILKEN: No, they like it there. It depends on where you're looking, I should say. We recently saw a cod offered for sale on a key underground forum for two and a half million euros. That's about as expensive as I've ever seen it on the dark web. And then you have a seared a targeting some CRM provider that nobody has heard of selling for $300. So you've got the spectrum.

‍

VAMOSI: Okay. But in general, might you agree that they would withhold using a zero day as long as possible?

‍

WILKEN: 100% I agree with you, because there's just not, there's no reason to do it, right. If you can get away with using a set of credentials that you either stole yourself or you purchased for $10 on the underground, why would you burn your most valuable asset? Right.

‍

[MUSIC]

‍

VAMOSI: Given that Mannie’s on the Dark Web, I’m imagining he’s seeing some cutting else infostealers.  

‍

WILKEN: Yeah, so infrostealer is really one of the places where the dark web is innovating the most at the moment. You know, I like to say that what we're seeing is the infrastructure 3.0 is the new age of infrastructures. You know, if you think about an infrastructure from two years ago, it was designed to target the individual. There are banking apps that Bitcoin addresses. The infrastructure of today is designed to target enterprises by targeting overlays in multi factor authentication targeting corporate applications. So the infrastructure is rapidly becoming the go to tool from initial access, progress to date extortionist to ransomware groups as a tool of entry.

‍

VAMOSI: What else is Mannie seeing in the segmented forums? And what might be the most pressing threat coming from the dark web today?

‍

WILKEN: That's a hard question to answer.  I can, I can tell you so many different things. We're seeing infra stealer we're seeing data extortion. We're seeing deep fakes but in my personal opinion, the biggest blind spots for businesses is augmented social engineering.

‍

VAMOSI: Augmented. Social engineering. I’m not sure what that is.

‍

WILKEN: Sorry? Yes. So augmented social engineering is sort of the current state of social engineering where Dark Web criminals are buying tools, services and accesses on the dark web to enhance their social engineering ploy. I can give you an example. Yeah, the most famous, the most famous group that has done this is Lapsys$ Right? What they did is they would buy a set of credentials on one of the big marketplaces, they would get access to. In this case, it was a Slack account. And then they would write to the tech stack saying, Hey, I'm sorry, I lost my phone at a party. Can you reset MFA, and then that way they were inside the network. But the cool thing here is that that ploy was so successful because it originated from a trusted internal account. It wasn't an outside spoof. And that's what I mean by augmented social engineering where these threat actors are taking the data, the tools and the services that you can buy on the on the ground and enhancing social engineering.

‍

VAMOSI: So, oftentimes, when dealing with cybercrime, or criminal hackers, they're not very sophisticated, deep down. They're lazy. They script kiddies, they just grab stuff here and there and mount attacks. And what I'm hearing from you is a real uplevel in the sophistication of these attacks.

‍

WILKEN: Yeah, that's correct. I mean, as I said, In the beginning, the criminal underground has become professionalized to a very, very high degree, but also I don't think you should. I don't think people should necessarily write off the damn script, Kitty, because, again, going back to lapses

‍

VAMOSI: Lapsys is interesting. It turns out it was a group of teenagers in the United Kingdom. But using just social engine ering, they managed to criminally hack into and breach Microsoft and Okta, the identity management company.  These kids were doing it for the laughs. They didn’t even charge for the data-- they just posted it online for free.

‍

WILKAN: We've worked on incidents where a Lapsys affiliates came into the environment again, using using augmented social engineering moved deeper into the network, but because they are who they are, they didn't charge there was no ransom there was no chance for the, for the, for the enterprise to actually do anything about it. They just stole the data, deleted it from their servers and disclosed it for free. So the problem with these script kiddies is that they can be unpredictable, right? Even if you as a business want to pay a ransom, you're not sure you're going to get the chance depending on who it is that gets inside of your your systems.

‍

VAMOSI: Right. And there's certainly a number of examples where people pay and they don't exactly get the decryption key or the decryption key doesn't work.

‍

WILKEN: Yeah, exactly. That's another issue. But to be honest, that's as big as an issue for the ransomware group as it is for the victim because if their decryption key doesn't work, nobody's going to pay the next brands.

‍

VAMOSI: Right. But they do have that second step of disclosing the data if they've managed to exfiltrate it

‍

WILKEN: Correct. And I would actually say that based on the research that I'm doing now, and based on my dealings with our incident response team, that second step is becoming the first step right? If you look at the reasoning club attack against movement, as far as I'm aware, there's 349 confirmed victims, not one of them has suffered a known ransomware attack. It's a pure mass data exfiltration event. I have my own theories and my own sort of research on why that is happening. But that's the second step of data exfiltration is becoming the first step.

‍

VAMOSI: And are they then keeping the ransomware for like, a second wave? They're just reversing it, or they're just dropping the ransomware and exfiltrating

‍

WILKEN: Yeah, some groups are entirely dropping the ransomware component. I mean, it's cheaper to not have a cryptolocker. It's easier. You don't need to have technical skills. And it's just as effective. Right. I think there was a recent survey by some CISOs who said that increasingly, they're not as concerned about ransomware because they know how to deal with it. They can segment their networks and all that kind of stuff. But no matter what, you don't want your sensitive corporate data disclosed on the underground. So the exfiltration component, and the disclosure component is just as big if not a bigger concern than the actual ransomware depending on the maturity of the client.

‍

VAMOSI: So in some ways, you're suggesting that clop isn't really ransomware, it's just a data breach.

‍

WILKEN: Yeah, I mean, I would say that the current operations of the club is more akin to a data extortion event exclusively without ransomware.

‍

VAMOSI: Might that be more of a new category? Pure extortion

‍

WILKEN: Yeah, I mean, we classify it as a separate category, but it is a little bit muddled because a lot of the former ransomware operators are moving to become data extortionists. So. So, you know, there's a little bit of the blurring of the boundaries there. But I mean, one of the benefits for these groups is that we've seen the leaks from Conti, right? Yeah. Their locker got leaked, and that allows everyone in their mother to reverse engineer it, protecting them. If you don't have a crypto locker, you're less likely to or you're more likely as a criminal to be resilient to the volatility of these toxins, right.

‍

VAMOSI: The original CryptoLocker was first spread on September 5, 2013, and it was shut down in May 2014, and so any new versions are variations on the original. Ransomware gangs are lazy, in it for the money, and now, according to Mannie, they don't have to go through that process of developing a crypto locker because they're just going to go right to the exfiltration. Still I’m interested. How many of the crypto lockers have been shared among these groups? Are they unique and proprietary?

‍

WILKEN: Oh, there's a quite a big degree of overlap every single time that we're seeing a cryptolocker that's been leaked and a new group emerges. A lot of it can be traced back right so I I can't remember I'll check this for you but I'm pretty sure that the when fabric was a thing back in 2021. Their cryptolocker was entirely based on the leaked content locker at the time. So there's quite a big degree of overlap, right?

‍

VAMOSI: And then are you seeing any like what I call smashing grabs where they encrypt only the first eight bits out of the file very quickly and not really exfiltrate. These are still the ransomware focused people.

‍

WILKEN: I mean, I will I'm fairly sure that we are seeing some of them. I have to check with my Incident Response colleagues, but it's becoming less of a thing, simply because they know the ransom is primarily delivered because of the extortion of the data. Right. And if I may I just want to add to a point on that, right. So an interesting consequence of this is that a lot of ransomware groups were apprehensive. They had a moral notion in the sense that they would, for example, not put ransomware on a hospital. Or, as I'm sure you're aware, after the darkside attack against Colonial Pipeline, a lot of ransomware groups went out and said we don't want to target oil and gas or infrastructure companies. But if you don't have a ransomware component, that moral notion has been lifted. So because of this focus on pure data extortion, we've seen a rise in the targeting of healthcare for example, which was previously a fairly shielded industry.

‍

VAMOSI: So a nuance there if I may, with colonial wasn't it? Was it data exfiltration or were they really going to do that was ransomware ransomware Yeah. Right. And that shut down the pipeline and had enormous repercussions. Right. So I guess what I'm suggesting without attack, it's it's like I'm not sure that they were exfiltrating data that they were actually targeting an infrastructure.

‍

WILKEN: Yeah, no, you're absolutely right. But what I mean is that because of Colonial Pipeline, a lot of other brands and workgroups went ahead and said, Oh, shit, we don't want this level of law enforcement scrutiny. on us. Let's just drop ransomware against  oil pipelines or critical national infrastructure because it simply got so heated.

‍

VAMOSI: Yeah, then the response from the United States was to put a reward for any information leading to the arrest of the people responsible for that which probably killed some of the activity in that space.

‍

WILKEN: Yeah, I mean, it was quite interesting. In those days afterwards, we saw the key forums that was catering to the ransomware groups at the time, they flat out banned ransomware on the marketplaces, and to this day, some of them still have that ban in place.

‍

VAMOSI: Right? And so that's also interesting, they have franchisees and so attacking like SickKids Hospital in Toronto, was considered to be that was a franchisee that made that mistake. In December 2022, Toronto’s SickKids hospital was hit with ransomware. A hopsital. For sick kids. Over the winter holidays. Here’s the CBC.

‍

SickKids

‍

Then, a few days later, this.

‍

SickKids

Here we have a ransomware gang apologizing. Here's a decryption key. We're not going to do that anymore. That happens as well.

‍

WILKEN: Absolutely, yeah. I mean, the ransomware as a service model, and now the data extortion as a service model is entirely reliant on, as I said earlier, initial access brokers as well as willing participants who wants to, to who wants to go into a franchise model with you on the underground.

‍

VAMOSI: Right, but like even large corporations that are legit, you can't really control what your franchisee is doing all the time.

‍

WILKEN: Exactly. And we've seen numerous mistakes made on that behalf. We've also seen some franchisees thinking they targeted one entity and posting the data on the data leak site and then it turns out it was a different entity altogether. And in this case, it was locked with they have to go out and say sorry, this was the wrong entity and you know, kind of repair that reputation a bit.

‍

VAMOSI: And you're right about the reputation. There's there's a bit of branding going on here. These These, these organizations aren't so much in the shadows as they used to be.

‍

WILKEN: Absolutely. I mean, they're competing everywhere. They can't they're, they have measurement contest about who has the who's got the fastest and krypter Who's got the best looking data leak sites, who's got the most amounts of affiliates, all this kind of stuff is a competition.

‍

VAMOSI: So where do you see that  that's in the dark web where they're competing against each other?

‍

WILKEN: Yeah, yeah, there's often ever so often there will be a report coming out from a a white hat solution, some sort of InfoSec security company will say this, this locker was this fast, this ransomware was this fast, and they will proliferate that wildly on the underground, based on whether they're on top or at the bottom.

‍

[MUSIC]  

‍

VAMOSI: So Mannie mentioned deep fakes, and I'm thinking of like manipulating a political candidate and getting them to say something embarrassing, which they obviously didn't do. What do deep fakes?

‍

WILKEN: I mean, that is a great example of a deep fake and I think at a societal scale, that is where deep fakes posed the biggest risk at a individual enterprise focus. Deep fakes are a problem because they can be used as a as a novel way to get into corporate networks. We've seen one case where there was a voice deep fake that was successful in resetting a password, just through the biometric identification of a voice. And then of course, you can also use it as a way to enhance the chance that your victim is clicking on a link or is is, you know, taking their communication outside of whatever controlled environment, the old empty enterprise us.

‍

VAMOSI: So the biometric is interesting to me. So, somebody's voice when you call a bank, they often use voice to authenticate you so they know that it's actually you based on your prior conversations, but with deep fake, they're just manipulating the words around from a recording of you, for example, from a podcast like this, and using it to authenticate you into an enterprise.

‍

WILKEN: Yeah, I mean, I don't have the hard data on how successful this is, but we do know of cases where it has successfully worked. So unfortunately, the RE scrambling of words if even from some of the free tools that are out there has been successful in doing so.

‍

VAMOSI: Wow. I would think that there would be like, you know, Editing Marks or things like that, that would be discernible to an AI listening to it, but I guess that's not quite where we are.

‍

WILKEN: I mean, I don't think you're wrong. I think you're absolutely right. And that is the case. And I also think that the vast majority of these ploys will be will be mitigated before they become a thing, but the fact that it has been successful is telling and also, you know, from a theoretical perspective, anyways, there's the idea that anything we do to mitigate deep fakes, deep fake creators will then take turn against us and use it to enhance the next generation.

‍

[MUSIC]--------------------

‍

VAMOSI: So we briefly touched upon OT as something new in the dark web.  I asked Mannie for his definition of Operational Technology.

‍

WILKEN: Yeah, so, I mean, internally anyways, we have various definitions, but the what we've been looking at we're looking at SCADA systems, critical national infrastructure, oil and gas companies, energy utilities, energy providers, and the the granular level computers that they are running on think PLCs and stuff like that.

‍

VAMOSI: right. So I do want to talk about, as you mentioned, operational technology being a subject of your recent research. I'm very keen on that, that not enough is being said, and I'm trying to do more to shine a light on OT.

‍

WILKEN: Yeah, I mean, I'm lucky I have some really extraordinary colleagues in this field who has been dealing with this kind of space for a long time, but not from a dark room perspective. And sort of talking to them is what inspired me and a colleague to start looking at how this operational technology space overlaps with dark with threat actors? The first thing we saw is for the first time in the seven years that I've been doing this six and a half years, all three major categories of darkweb producteurs, financial, political ideological, are have elevated intent on targeting OT and a lot of that can be tied back to the Russia Ukraine war. At a very high glance, the financial threat actors want to target because they can sell that for more money. The ideological predators they want to target ot because they get blockbuster headlines in the news, right anytime one of these DDoS activist groups managed to take offline, you know, some sort of oil website or even if they've managed to actually take off some some production facilities, that that makes international news in a way that a DDoS attack doesn't do anymore. And then the political threat actors are targeting OT in support of Russia. So that's what we're seeing at a very, very high level.

‍

VAMOSI: I would think the diversity would help protect the OT space. It's not like homogenous. Every device has its own Programmable    Logic Controller or PLC. It's not like Linux. It's not like Windows or Mac OS.

‍

WILKEN: Yeah, and I think you're right. I think the diversity is maybe shielding it from a systemic organized campaign, but that diversity is also making it easier for some threat or threat actor out there to find a target that hasn't been protected as well.

‍

VAMOSI: So I guess then, are you seeing some, like PLCs are going to be more of a target than something else or you know, is it our toss that they're going after?

‍

WILKEN: Let me think the most recent reports that I've written up on have targeted PLCs programmable logic controllers, and they've targeted our teams are Yeah, I believe it was the let me get back to you on that one. But then there was a group that recently claimed to have done the first ever ransomware slash wiper attack against an RTM in Belarus.

‍

VAMOSI: Wow. And on a physical level, what we would see day to day I mean, you talked about oil oil companies and things like that. But it could be something like escalators going down elevators going down. It could be physical in other ways, right?

‍

WILKEN: It could be for sure. At the moment, from a pure dark web perspective, the focus is primarily on utilities and energy providers simply because that's where they can make money and that's where they get the headlines. But you have to write that should they choose to branch out and should they continue down this path? We can see other things also being hit in, you know, elevators, escalators, various traffic lights, that kind of that kind of activity, but from a dark web perspective, that's still in the future.

‍

VAMOSI: Right. So saying in the future for a moment, you could see like a smart building completely held hostage a DDOS of a building.

‍

WILKEN: Yeah, I mean, if you make a building sufficiently smart, someone out there will find a way to make it dumb and charge you to restore it.

‍

VAMOSI: That's great phrasing. I like that. Wow. I find the OT space to be interesting because again, it's not something that everybody thinks about. They don't think about, you know, their, their elevators or whatever. I mean, we have Stuxnet as an example. And that was more than a decade ago, but it doesn't seem to be as prevalent like we haven't seen that many other attacks on that level.:

‍

WILKEN: I think that's right. I think the only big one I can think of is the Triton malware that was discovered in Saudi Arabia, and some of those wiper attacks affiliated with that. But I mean, you're right and i i 100% agree with your sentiment that oh t will be definitely on the radar from a lot more threat actors. But as you were touching upon earlier, you know, these guys at the moment stick to what works and the low hanging fruit. So while they can, why not just blackmail and enterprise the same way that's worked for the last four years and when that resource dries up, because businesses go to password lists or whatever other reasons we have, then we're looking at branching out is my opinion. So if I, if I was a betting man, I would say Oh, tea was going to emerge on the Dark Web in a serious manner within the next three years.

‍

VAMOSI: Interesting. So along those lines, then is it because  we're connecting more to the internet and making it more accessible or is it that we've run the gambit of like we've done Linux we've done Windows we've done this before. Here's something brand new. Let's deep dive into PLCs. Let's deep dive into our ATMs?

‍

WILKEN: I think it's both so there's definitely and right a lot of these actors are optimistic. So simply by making more ot Internet facing, we will be exposing ourselves to more opportunistic threat actors that's like it's a correlation that you cannot avoid.

‍

[Music] ----------

‍

So is there any stories? Are there any stories that you can share around some of the topics that we've discussed on the deep web? The deep fakes or OT?

‍

WILKEN: Um, yeah, I mean, some of the some of the research that I find very interesting at the moment is we, as you're aware, all ransomware groups worth their salt will have a data leak component to their operations because there are so many ransomware groups because there's so much data leaked, there is an extraordinary amount of sensitive, high fidelity corporate data available on the underground. And typically, businesses only are aware of their own compromise. They have a blind spot for a you know, a trusted supplier, either upstream or downstream. If you take that data, and everything that that data can give a social engineering engineering threat actor and you pair it with the deep fakes capabilities. Then you have a situation where both the message and the messenger are so heightened that it'll become very, very difficult for people and enterprises to know what's real and what's not real.  But just to give you a little snippet, right, so if you're talking about we're developing this space, right, we've seen an 850%. Actually, that's wrong. We've seen a over 1,000% increase over the last two years in the targeting of Mac OS by Docker predators. And this ties to your point of Linux little windows has been done Linux has been done. Right now, you know, we're kind of in the space of targeting rootkits and then what's the next thing that's highly targeting? It's it Mac OS, and we've seen the criminal underground adjust accordingly.

‍

VAMOSI: So there could also be a backlash against the advertising that was done that you just don't get problems with MacOS use us. And now there's vulnerabilities, there's attacks being directed directly at Mac OS.

‍

WILKEN: Yeah, I think I think an average user has a full sense of security if they're on a Mac compared to what we're seeing on a daily basis.

‍

VAMOSI: Right. But from an enterprise perspective, Mac's are still better in the sense that they're not centralized as much on the network. They're pretty isolated.

‍

WILKEN: I mean, I don't think you're wrong. There. I think that is right, that in terms of like, if you're an enterprise, where would you want an attack to be directed? Probably steal your Mac user. But the problem is that all it really takes is one user with some sensitive data or some sensitive credentials and you can move away from that initial compromise. And obviously, the enterprise adoption of Mac OS is increasing every year. So there are more victims coming out or more potential victims coming out, that has a more central role.

‍

VAMOSI: So really, everybody should be switching to Linux.

‍

WILKEN: I mean, you know, as with anything cyber, it's always the cost benefit on ease of ease of use and security. I personally wouldn't wouldn't want that because I'm not a command line warrior. So I'm perfectly happy on a Mac but yeah, from a theoretical perspective.

‍