The criminal underground is experiencing its own version of startup disruption, with massive ransomware-as-a-service operations fragmenting into smaller, more agile groups that operate like independent businesses. John Fokker, Head of Threat Intelligence at Trellix, brings unique insights from monitoring hundreds of millions of global sensors, revealing how defenders' success in EDR detection is paradoxically driving criminals toward more profitable attack models. His team's systematic tracking of AI adoption in criminal networks provides a fascinating parallel to legitimate business transformation, showing how threat actors are methodically testing and scaling new technologies just like any other industry.
Drawing from Trellix's latest Global Threat Report, John tells David why the headlines focus on major enterprise breaches while the real action happens in the profitable mid-market, where companies have extractable revenue but often lack enterprise-level security budgets. This conversation offers rare visibility into how macro trends like AI adoption and improved defensive capabilities are reshaping criminal business models in real-time.
Topics discussed:
- The systematic fragmentation of large ransomware-as-a-service operations into independent criminal enterprises, each focusing on specialized capabilities rather than maintaining complex hierarchical structures.
- How improved EDR detection capabilities are driving a strategic shift from encryption-based ransomware attacks toward data exfiltration and extortion as a more reliable revenue model.
- The economic targeting patterns that focus on profitable mid-market companies with decent revenue streams but potentially limited security budgets, rather than the headline-grabbing major enterprise victims
- Criminal adoption patterns of AI technologies that mirror legitimate business transformation, with systematic testing and gradual scaling as capabilities prove valuable.
- The emergence of EDR evasion tools as a growing criminal service market, driven by the success of endpoint detection and response technologies in preventing traditional attacks.
- Why building trust in autonomous security systems faces similar challenges to autonomous vehicles, requiring proven track records and reduced false positives before organizations will release human oversight.
- The strategic use of global sensor networks combined with public intelligence to map evolving attack patterns and identify blind spots in organizational threat detection capabilities.
- How entropy-based detection methods at the file and block level can identify encryption activities that indicate potential ransomware attacks in progress.
- The evolution from structured criminal hierarchies with complete in-house kill chains to distributed networks of specialized service providers and independent operators.
Key Takeaways:
- Monitor entropy changes in files and block-level data compression rates as early indicators of ransomware encryption activities before full system compromise occurs.
- Prioritize EDR and XDR deployment investments to force threat actors away from encryption-based attacks toward less reliable data exfiltration methods.
- Focus threat intelligence gathering on fragmented criminal groups rather than solely tracking large ransomware-as-a-service operations that are splintering into independent cells.
- Implement graduated trust models for AI-powered security automation, starting with low-risk tasks and expanding autonomy as false positive rates decrease over time.
- Combine internal sensor data with public threat intelligence reports to identify blind spots and validate detection capabilities across multiple threat vectors.
- Develop specialized defense strategies for mid-market organizations that balance cost-effectiveness with protection against targeted criminal business models.
- Track AI adoption patterns in criminal networks using the same systematic approach businesses use for technology transformation initiatives.
- Build detection capabilities that identify lateral movement and privilege escalation activities that indicate advanced persistent threat presence in network environments.
- Establish incident response procedures that account for data exfiltration and extortion scenarios, not just traditional encryption-based ransomware attacks.
- Create threat hunting programs that specifically target EDR evasion tools and techniques as criminals increasingly invest in bypassing endpoint detection technologies.
