Thermo Fisher's Matt McKnew on the Evolution of Ransomware as a Service
When Matt McKnew, Senior Manager of Incident Response at Thermo Fisher, tracked down the Nimda worm in 2001 by analyzing packet captures to identify NetBIOS saturation patterns, threat actors weren't trying to get paid; they were causing disruption. Today, he's defending against ransomware groups that operate like businesses, complete with service models and affiliate networks.
Matt explains why Clop's acquisition of six zero-days puts them in APT territory regardless of financial motivation, how attackers now hide in the noise of criminal operations making nation-state activity harder to detect, and why the North Korean IT worker scam succeeds by exploiting weak hiring processes rather than technical vulnerabilities.
Topics discussed:
- Responding to the Nimda worm using packet capture analysis to identify NetBIOS saturation patterns across satellite ISP infrastructure
- Building trusted peer networks for crowdsourcing threat intelligence during active incidents rather than relying solely on formal feeds
- Analyzing Clop ransomware's acquisition of six zero-days as evidence of APT-level sophistication despite purely financial motivation
- Implementing structured incident response documentation and processes to enable faster recovery and more nimble response
- Evaluating nation-state threat actors by understanding their 5-year strategic plans and objectives rather than mapping everything to MITRE ATT&CK
- Deploying agentic AI to standardize analyst work products and maintain consistent intelligence delivery across global security teams
- Examining North Korean IT worker infiltration campaigns that exploit weak HR and recruitment processes
- Differentiating financially motivated ransomware operations from nation-state APT campaigns while recognizing that their TTPs increasingly overlap
Key Takeaways:
- Document incident response procedures upfront with standardized policies to reduce response time during active security incidents.
- Build trusted peer networks across industry for crowdsourcing threat intelligence when formal feeds lack critical real-time information.
- Evaluate ransomware groups for APT-level capabilities when they acquire multiple zero-days regardless of their financial motivations.
- Research adversaries' 5-year strategic plans and national objectives to understand nation-state threat actor targeting.
- Deploy agentic AI systems to standardize analyst work products and maintain consistent intelligence delivery formatting.
- Strengthen HR and recruitment processes with technical screening questions to defend against North Korean IT worker infiltration.
- Maintain curiosity and interrogate suspicious indicators until they make complete sense rather than accepting surface-level explanations.
- Recognize that attackers leverage the same automation and AI capabilities defenders use, requiring equivalent adoption to maintain defensive parity.