Exploring the Cyber Criminal Ecosystem: Roles, Trust, and Disruption Strategies with Martin Zugec
Business of Tech: Daily 10-Minute IT Services Insights, November 24, 2024
Duration 00:16:36 (15.32 MB)


In this bonus episode of the Business of Tech, recorded at IT Nation Connect, host Dave Sobel talks with Martin Zugec from Bitdefender, who describes his role as a "popular scientist": making Bitdefender's security research more accessible and understandable. Martin highlights Bitdefender's long-standing commitment to research, particularly in Romania, where hundreds of security researchers work around the country's universities. He emphasizes the importance of visibility for that work, aiming to encourage researchers who may feel their contributions go unnoticed.

The discussion shifts to the evolving profile of cyber criminals, particularly in the context of ransomware. Martin explains that the landscape has changed significantly since 2017, with a clear distinction between operators—primarily based in Russia—and affiliates who operate globally. He likens the cybercrime ecosystem to a gig economy, where individuals can leverage their unique skills, such as negotiation or business acumen, to participate in this illicit market. This transactional nature allows for a diverse range of participants, complicating the fight against cybercrime.

As the conversation progresses, Martin delves into the challenges of disrupting the cybercrime ecosystem. He notes that trust is a critical component of this world, and takedown operations can destabilize the entire network of criminals. For instance, when Bitdefender releases a decryption tool, it not only aids victims but also creates mistrust among affiliates and operators, leading to internal conflicts. Martin shares insights into how law enforcement agencies are beginning to adopt psychological tactics to undermine the trust within these criminal networks, showcasing the innovative approaches being taken to combat cyber threats.

Finally, Martin stresses the importance of prevention and the human factor in cybersecurity. He points out that many organizations fail to recognize the early signs of an attack, often focusing solely on the final stages of encryption. By understanding that cyber attacks can take weeks or even months to unfold, companies can better prepare and respond to threats. The episode concludes with a call for improved public-private collaboration in cybersecurity efforts, emphasizing the need for streamlined communication between organizations and law enforcement to effectively combat the ever-evolving landscape of cybercrime.
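The point Martin makes about dwell time is a detection-engineering one: the warnings exist, they sit unreviewed for weeks, and each one looks minor on its own. The script below is an added example written for this page, not Bitdefender code and not a tool the episode mentions. It assumes a hypothetical whitespace-separated alert export (timestamp, host, severity, rule, status) and uses a constructed sample; the thresholds (seven days unacknowledged, three distinct rules on one host within 30 days) are illustrative defaults, not vendor guidance.

```python
"""Triage of unacknowledged EDR alerts by host and dwell window.

Added example for this page (not Bitdefender's code). The alert format and
the sample records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: ISO timestamp, host, severity, rule, status.
# fs01 shows the pattern the episode describes: several different warnings
# over two weeks, none of them ever closed by an analyst.
SAMPLE_ALERTS = """\
2024-10-01T02:14:00 fs01 medium credential_dumping_attempt open
2024-10-03T23:40:00 fs01 high new_local_admin_created open
2024-10-09T01:05:00 fs01 medium rdp_lateral_movement open
2024-10-12T04:30:00 fs01 high shadow_copy_deletion open
2024-10-02T09:00:00 ws17 low macro_document_opened closed
2024-10-20T10:00:00 ws17 medium suspicious_powershell open
"""


def parse_alerts(text):
    """Parse the hypothetical five-column export into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, severity, rule, status = line.split()
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "severity": severity,
            "rule": rule,
            "status": status,
        })
    return alerts


def stale_open_alerts(alerts, now, max_age_days=7):
    """Alerts still 'open' for longer than max_age_days: nobody looked."""
    cutoff = now - timedelta(days=max_age_days)
    return [a for a in alerts if a["status"] == "open" and a["ts"] <= cutoff]


def hosts_with_clustered_alerts(alerts, window_days=30, min_alerts=3):
    """Hosts with at least min_alerts distinct rules inside one window.

    One medium alert is noise; several different ones on the same host
    over a few weeks is the pre-encryption phase Martin describes.
    Returns {host: sorted list of distinct rules} for flagged hosts.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)

    flagged = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            window_end = first["ts"] + timedelta(days=window_days)
            rules = {a["rule"] for a in items[i:] if a["ts"] <= window_end}
            if len(rules) >= min_alerts:
                flagged[host] = sorted(rules)
                break
    return flagged


def triage_report(text, now_iso, max_age_days=7, window_days=30, min_alerts=3):
    """Run both checks over an export and return the findings."""
    alerts = parse_alerts(text)
    now = datetime.fromisoformat(now_iso)
    return {
        "stale_open": [(a["host"], a["rule"])
                       for a in stale_open_alerts(alerts, now, max_age_days)],
        "clustered_hosts": hosts_with_clustered_alerts(alerts, window_days, min_alerts),
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_ALERTS, "2024-10-22T00:00:00")
    for host, rule in report["stale_open"]:
        print(f"stale open alert on {host}: {rule}")
    for host, rules in report["clustered_hosts"].items():
        print(f"{host}: {len(rules)} distinct rules in one window -> investigate")
```

Against the sample, fs01 is flagged on both checks while ws17 is not: its one open alert is recent and it never accumulates three distinct rules. The two checks answer different questions (is anyone working the queue, and is one machine quietly collecting the kind of alerts that precede encryption), which is why both are reported rather than a single score.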

 

💼 All Our Sponsors

Support the vendors who support the show:

👉 https://businessof.tech/sponsors/

 

🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.

👉 https://businessof.tech/plus

 

🎧 Subscribe to the Business of Tech

Want the show on your favorite podcast app or prefer the written versions of each story?

📲 https://www.businessof.tech/subscribe

 

📰 Story Links & Sources

Looking for the links from today’s stories?

Every episode script — with full source links — is posted at:

🌐 https://www.businessof.tech

 

🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:

💬 https://www.podmatch.com/hostdetailpreview/businessoftech

 

🔗 Follow Business of Tech

 

LinkedIn: https://www.linkedin.com/company/28908079

YouTube: https://youtube.com/mspradio

Bluesky: https://bsky.app/profile/businessof.tech

Instagram: https://www.instagram.com/mspradio

TikTok: https://www.tiktok.com/@businessoftech

Facebook: https://www.facebook.com/mspradionews


Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

[00:00:01] Dave Sobel here with another bonus episode of the Business of Tech from IT Nation Connect.

[00:00:06] Here with Martin from Bitdefender. Now Martin, you have one of these cool jobs that I think is worth taking a moment to describe.

[00:00:14] You're essentially a popular scientist. Give me a little sense of what your role is at Bitdefender.

[00:00:21] So Bitdefender is one of those companies that since the beginning for decades we've been heavily focused on research.

[00:00:29] Yeah. So we have hundreds of security researchers around universities in Romania.

[00:00:37] There are a few reasons. Amazing technical education. Part of NATO, EU, but also really close to Russia and like the whole eastern region.

[00:00:46] So we are very close proximity. And the problem is that we do a lot of amazing, amazing research that doesn't get enough visibility.

[00:00:55] So my job is pretty much just to make it more popular, explain what it is, talk to these researchers who think nobody cares what they do, and tell them,

[00:01:06] this is actually amazing what you are doing. We should talk about it more.

[00:01:08] Well, then you're in the right place because I am completely an addict for good research.

[00:01:13] So let's, let's start with what, what's exactly happening on the ground. Talk to me about the profile of the cyber criminal.

[00:01:19] We're in the late 2024, as we're looking at 2025. Tell me what the profile of the cyber criminal looks like right now.

[00:01:27] Which one?

[00:01:28] Because there is...

[00:01:29] Say more.

[00:01:30] Say more.

[00:01:31] So there is this whole ecosystem that keeps changing. So we keep, for example, talking about the ransomware the same way since 2017.

[00:01:41] Today, it's very different than it was back then. Okay. So essentially you have two primary roles that we are seeing. Operators that are running the platform, running the business, essentially.

[00:01:55] Uh, they are, I would say, exclusively based in Russia for a couple of different reasons. And then you have affiliates, which are independent partners, contractors working with them.

[00:02:06] And they are all over the place.

[00:02:08] Learned. And so I am here.

[00:02:10] I could talk about this for a really long time. Uh, there is a lot of misunderstanding, misconceptions, how this whole business model works.

[00:02:17] Okay. I always like to explain it: it's really cyber criminals that were inspired by Uber and Airbnb. Okay. So it's very transactional. It's really a gig economy. The way the money flows is pretty much, again, the same as Uber.

[00:02:32] Okay. Um, yeah. So I think that actually gives us a good quick summary. So essentially you can pick up work as a criminal, essentially the same way that you would pick up as a driver in Uber.

[00:02:43] So it's, it's very transactional. They're not bound necessarily to that. They could be on multiple platforms. They are just, you know, they can do their craft where the platforms themselves do theirs.

[00:02:54] Yes. Yes. That's okay. And you can bring your expertise. So you can come up and say, I understand business. I can help you to read cyber insurance policies.

[00:03:03] So when you compromise the company, I can help you calculate like this is the ransom that you can demand. The company will pay. Uh, you can come up saying, Hey, I have some background in psychology.

[00:03:14] I'm really good at negotiating. So any skill you have, if you can sell it to this ecosystem, you can be part of it. So again, we often simplify it as if there are only two roles.

[00:03:26] And in reality, there is like the whole support ecosystem around it.

[00:03:31] It's very interesting because it works completely as a parallel to the IT management ecosystem, where you bring your skills and you can fill the rest in with partnerships.

[00:03:42] So as we think about it in those terms, and we have to think about our adversary and their goal, we know we can highlight it: well, make money, right?

[00:03:49] Everyone in the process is trying to make money. What do we need to know about the context in which they operate?

[00:03:55] Is this the, you know, they're, well, let's think about the laws that they're either eluding or not even worrying about.

[00:04:02] Like what's the context that they operate?

[00:04:04] So again, depends if you talk about operators or affiliates.

[00:04:08] Okay. Uh, let's think about affiliates here.

[00:04:11] Okay. Affiliates are all over the place, different motivation, different skills.

[00:04:16] And for example, so what do we do at Bitdefender?

[00:04:19] We have dedicated team to work with law enforcement agencies.

[00:04:22] And we are involved in, in a lot of these takedown operations.

[00:04:26] Okay.

[00:04:26] So if you are an affiliate that is operating in one of the countries that is cooperating with Interpol, Europol, and, like, globally understands pretty much that ransomware is cybercrime,

[00:04:40] Uh, those affiliates are usually arrested in quite short time.

[00:04:45] So this is, this model is likely why it's very, very difficult to deal with either end.

[00:04:51] We can't necessarily get rid of the affiliates because the affiliates will just fill in with more.

[00:04:55] You mean?

[00:04:55] Yes.

[00:04:56] Additionally, if we take out one platform, well, there are ultimately more platforms out there, right?

[00:05:02] Or is it an ecosystem of platforms?

[00:05:04] Give me a little bit of a system, you know, how large are these systems?

[00:05:07] So this whole ecosystem is based on trust.

[00:05:11] Okay.

[00:05:11] Yeah.

[00:05:12] That's critical.

[00:05:13] Anything we do.

[00:05:15] So the common argument is why even bother you take down one platform?

[00:05:20] It will immediately come back.

[00:05:21] Five others will appear.

[00:05:22] Yep.

[00:05:23] The reality is, when we are monitoring this, we do one takedown and then for months the whole ecosystem is destabilized.

[00:05:32] So another example of what we are doing: we are developing ransomware decryptors.

[00:05:38] We released 32 up to now.

[00:05:41] We are planning to do something more soon.

[00:05:44] Okay.

[00:05:44] Not going to go into those details yet.

[00:05:46] Sure.

[00:05:47] But there is the thing.

[00:05:49] When we develop the decryptors, we provide them free of charge.

[00:05:52] Yeah.

[00:05:52] You are impacted by ransomware.

[00:05:56] You get access to your data.

[00:05:57] Free of charge.

[00:05:58] Amazing.

[00:05:59] The other thing that people don't see: every time we release a decryptor, that means that we pretty much interrupted dozens of operations between affiliates and operators.

[00:06:12] What's going to happen is all these affiliates are going to tell operators, I've been working on this customer for the last two months.

[00:06:21] I got nothing.

[00:06:22] Who's going to pay for my work?

[00:06:25] Operators are immediately going to say like, no, no, no.

[00:06:28] They would not pay or they would pay only 10% of what you think.

[00:06:32] So immediately there is mistrust between them.

[00:06:36] And we've seen it, for example, with the takedown of LockBit, the biggest group by far.

[00:06:40] But months later, we still see a lot of new groups appearing, trying to steal affiliates.

[00:06:49] It's completely destabilized for months after.

[00:06:52] Yeah.

[00:06:53] So I'm taking a broad look at this ecosystem, right?

[00:06:57] If the trust factor is what's so important, what strategies work broadly to disrupt these ecosystems?

[00:07:06] So I was talking about the decryptors.

[00:07:09] Yeah.

[00:07:09] And I can quantify it, because we do have ways that we can measure the amount of ransom that was denied thanks to our decryptors.

[00:07:19] Right.

[00:07:19] So at this moment, it is over 1.6 billion US dollars.

[00:07:25] And you can imagine between the cyber criminals, that's a huge amount of money.

[00:07:29] Each is blaming each other.

[00:07:30] Sure.

[00:07:30] So this is doing an amazing job.

[00:07:33] We started seeing the law enforcement agencies actually focusing on this trust a lot more than before.

[00:07:40] So we've been now seeing the cases of doxing.

[00:07:43] You have ransomware operators that are in countries that don't cooperate.

[00:07:48] What you are going to do is that you are just going to say, hey, this is the name of the guy.

[00:07:53] This is his address.

[00:07:54] This is his net worth.

[00:07:56] And we will just say it publicly.

[00:07:58] And maybe there is some other local criminal group next to him.

[00:08:02] Or maybe there is some political player.

[00:08:04] Okay.

[00:08:05] We just announce and let's see what happens.

[00:08:07] And we actually see that this psychology aspect is really working out.

[00:08:13] Interesting.

[00:08:14] So a really good example was LockBit, which I mentioned before.

[00:08:18] It was taken down by the Cronos task force.

[00:08:21] What they did is that they kept the web portal where this group was announcing like, hey, we have this victim.

[00:08:27] You have 24 hours to pay us or we release the data.

[00:08:31] They kept the same portal.

[00:08:33] Just change it.

[00:08:34] So they were saying, we are going to release identity of this anonymous person that is part of this ransomware group in the next 48 hours.

[00:08:43] Countdown.

[00:08:44] Another thing they did is any of affiliates that would log into this portal would be welcomed by law enforcement agencies by name.

[00:08:51] Saying, hey, affiliate, welcome to this portal.

[00:08:54] Actually, we own it now and we know who you are.

[00:08:57] So this psychology, psyops effectively, has actually really, really had an impact.

[00:09:04] So if I take a broad look at this as well and sort of say like, which governments and governmental programs and through law enforcement are the most effective that we should as citizens look to encourage more investment in?

[00:09:19] Let's talk to this.

[00:09:20] I would say what we need more is the public-private collaboration.

[00:09:26] Okay.

[00:09:26] So just have better programs where we have, for example, a relationship with many of these agencies.

[00:09:33] But sometimes it's really hard, for example, for us, if we know this company has been compromised, who should we talk to?

[00:09:42] Who should we tell that this company is compromised and what should they do?

[00:09:46] So just having this kind of, just removing obstacles and making it easy, for example, for us to help, that would probably be huge.

[00:09:55] Gotcha.

[00:09:56] And it's going in a good direction.

[00:09:57] Like, it's been getting better over the last few weeks.

[00:09:59] So that's good.

[00:10:00] Are there particular programs and investments that have made that process better?

[00:10:04] I wouldn't say that.

[00:10:05] I would say just law enforcement, understanding, adopting, and really taking this seriously as a threat.

[00:10:14] Because again, pretty much every year is the year of ransomware.

[00:10:18] Since 2016, 2017.

[00:10:21] Yeah.

[00:10:22] Is it going to disappear?

[00:10:23] I don't believe so.

[00:10:25] It's going to change.

[00:10:27] It's not going to be about data encryption.

[00:10:29] It is already about exfiltration.

[00:10:32] But again, like, it's going to stay.

[00:10:34] We need to find more effective ones.

[00:10:37] Gotcha.

[00:10:37] So I want to also get a sense of somebody who looks at the research and looks at the effectiveness.

[00:10:42] How much does refusal to pay ransom matter in this process?

[00:10:48] Like for a victim who refuses?

[00:10:51] How does that change both the individual outcome and the pattern broadly?

[00:10:55] It's ultimately a business decision.

[00:10:58] Okay.

[00:10:58] So I'm a big believer.

[00:11:00] I do a lot of investigations where we look at individual incidents, do forensics, understand what happens.

[00:11:08] And then what we try to do is that we look at multiple cases and figure out, is there a play?

[00:11:15] Is it this case?

[00:11:17] Was it unique?

[00:11:18] Or can it tell us how all these groups are operating so we can summarize it?

[00:11:22] And something that I see public still not understanding is these attacks take a long time.

[00:11:29] Somewhere between two weeks to two months.

[00:11:33] Every single time we look in investigation, there are red flags all over the place.

[00:11:38] There is more than enough signs something is happening on your network.

[00:11:43] There is a chance.

[00:11:44] Just no one is really looking for them.

[00:11:46] That's every single investigation we see the same thing.

[00:11:49] Okay.

[00:11:50] So I always see a lot of focus on the final stage.

[00:11:57] Encryption and so on.

[00:11:59] That's right.

[00:12:00] Okay.

[00:12:00] You have on your network someone who's been there for weeks or months, have domain admin privileges, in many cases understands your network better than you do.

[00:12:10] Because again, we are talking about really sophisticated threat actors.

[00:12:16] So again, when they decide to launch the attack, it's already too late.

[00:12:22] Like, you just want to get back to business.

[00:12:25] You can decide to pay.

[00:12:26] You can decide to restore from backups and so on.

[00:12:29] But you actually, your window of opportunities to stop this is ideally prevention.

[00:12:35] And if not, then it's between initial access and lateral movement where you actually have a few weeks to find out something is happening.

[00:12:43] So how subtle is that week period?

[00:12:45] So let's talk about from the initial incursion through to the incident, right?

[00:12:51] Do we have several weeks?

[00:12:52] Let's just use a broad several weeks.

[00:12:54] Are they so good that it is so subtle that no one can ever see it?

[00:12:58] Or is it more, if anyone was looking at all for any level of signs, they'll find it?

[00:13:03] It's more the latter?

[00:13:04] Yeah, it's more the latter.

[00:13:05] So essentially, they make mistakes.

[00:13:09] They have different behavior than what you see.

[00:13:13] So what we see very often is like companies buying EDR XDR, hoping it will help them and completely ignoring the human factor.

[00:13:23] So if you have a system that is telling you, I see something suspicious, please investigate it.

[00:13:31] And no one is going to investigate it.

[00:13:34] All we can do is after the attack, we can come back, look at it and say, here you have 20 warnings.

[00:13:43] If anyone would be looking like this, it would be really hard to miss.

[00:13:47] Okay.

[00:13:47] So ultimately, yet again, it is a people process problem.

[00:13:51] It is far more than a technology one.

[00:13:53] Absolutely.

[00:13:54] This has been absolutely fascinating to get insights into it.

[00:13:57] I really appreciate you joining me.

[00:13:58] If people are looking for more resources, where should they go to get more insights like this?

[00:14:03] So from us, it would be Business Insights, which is our blog.

[00:14:07] And we are releasing all the research, everything we do.

[00:14:11] Every single month, we are releasing the Bitdefender Threat Debrief in the same place, which is our look at who the top 10 ransomware groups are, what's happening, which groups are new, what the changes are.

[00:14:21] And then we are trying to update the ransomware playbook.

[00:14:25] So we have, I don't know, we have a white paper where we are not only adding more and more stuff that we see, we are removing the one that changed.

[00:14:34] Okay.

[00:14:35] So every single year we go back and we describe, this is the playbook that is playing this year.

[00:14:41] Here is how it's different compared to the last one.

[00:14:43] Well, those are the resources that you need.

[00:14:45] Thank you so much for joining me today.

[00:14:47] Thanks a lot for having me.

[00:14:50] Are you ready to get your brand in front of the tech leaders shaping the future of managed services?

[00:14:56] Here at The Business of Tech, we offer flexible sponsorship opportunities to meet your needs, whether it's live show sponsorship, podcast advertising, event promotion, or custom webinars.

[00:15:07] From affordable exposure options to exclusive sponsorships, our offerings are designed to fit businesses and vendors of all sizes looking to make an impact.

[00:15:17] Prices start at just $500 per month, making our packages a fraction of typical event sponsorship costs.

[00:15:26] Be a part of the conversation that matters to IT service providers worldwide.

[00:15:32] Join us at MSP Radio and amplify your message where it counts.

[00:15:37] Visit mspradio.com/engage today to explore all the ways we can help you grow.

[00:15:46] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines, posted at businessof.tech.

[00:15:53] If you like the content, please make sure to hit that like button and follow or subscribe.

[00:15:58] It's free and easy and the best way to support the show and help us grow.

[00:16:03] You can also check out our Patreon where you can join the Business of Tech community at patreon.com slash MSP Radio or buy our Why Do We Care merch at businessof.tech.

[00:16:16] Finally, if you're interested in advertising on this show, visit mspradio.com/engage.

[00:16:23] Once again, thanks for listening to me.

[00:16:26] I will talk to you again on our next episode of The Business of Tech.

[00:16:32] Part of the MSP Radio Network.