Complex Cybersecurity Topics Made Not-So-Complicated.

Outside of my role at Human Security, I spend my free time writing articles on complex cybersecurity issues. It's something I love to do. My work includes data and trends analysis, technical pieces on reverse engineering and TTPs, and discussions on the business of the cybercriminal underground. Several examples of my work can be found below.

Articles Written

MilCyber.org - April 18, 2023

Augmenting Threat Hunting Using Threat Intelligence

Almost any organization can benefit from threat hunting - whether as part of a full-fledged adversary emulation exercise to determine how implemented security controls hold up against actor-specific TTPs or simply in order to ensure organizational systems are configured as expected. This becomes even more critical for entities that are frequently targeted by both ransomware and state-sponsored threat actors including government organizations, public utilities, hospitals, and schools. As seen in Figure 1, ransomware attacks against these entities may be slowing somewhat, but are very likely to continue. Threat hunting does not require a large team of experts to be effective,...

Ransomware.org - August 15, 2022

‘Sophisticated’ Vs. ‘Unsophisticated’ Ransomware

The most notable ransomware-as-a-service (RaaS) groups are well-known for the widely publicized attacks they conduct, even outside of the cybersecurity community. However, there also exist smaller, very short-lived groups that use ransomware derived from existing variants. They're often considered 'unsophisticated' threat groups, and may be taken less seriously than they should be by a more mature organization. How you deal with each type is important.

Ransomware.org - July 13, 2022

‘Internet of Things’ Devices and Ransomware

When discussing the ever-changing ransomware threat landscape, we often talk about what devices threat actors will target next. In addition to mobile devices, the other technology I get asked about the most is 'Internet of Things' (IoT), and whether we should expect threat actors to begin going after the 'smart' products in our homes or businesses.

Ransomware.org - June 16, 2022

Ransomware vs. Malware: What’s the Difference?

With the Russian invasion of Ukraine came the deployment of several destructive malware families, known as 'wipers', against entities in Ukraine, with nine distinct variants observed to date. The first two, WhisperGate and HermeticWiper/PartyTicket, masqueraded as ransomware, but they were actually destructive tools rather than legitimate ransomware. This raises an important question: What’s the difference between true ransomware and these destructive tools?

Ransomware.org - May 13, 2022

Initial Access Vectors for Ransomware

Initial access vectors are the methods threat actors use to first gain access to an organization’s systems. They can include exploitation of vulnerabilities, stolen credentials, phishing, or brute-forcing services like RDP or SSH. Many of these accesses can be purchased from threat actors who specialize in obtaining initial access, known as Initial Access Brokers.

Ransomware.org - April 6, 2022

'Living Off the Land' Ransomware

This month, our focus is on living-off-the-land techniques, and why they help ransomware threat actors execute attacks more stealthily. The concept of living-off-the-land (LotL) was first introduced by researchers to the broader security community in 2013, and has remained popular with threat actors ever since.

Ransomware.org - March 8, 2022

5 Tips for Building a Cybersecurity Career as a Woman

I’m Lindsay, a malware analyst and reverse engineer, with a special enthusiasm for obfuscation and anti-reverse engineering techniques used in malware! I am also a woman in the field of cybersecurity. I am often asked 'How did you get into cybersecurity?' or 'What advice would you give young women interested in cybersecurity?'

Ransomware.org - February 3, 2022

Mobile Phone Ransomware: a Primer

Mobile phones are certainly ubiquitous—85% of Americans currently own a smartphone, and in 2020, 3.5 billion people owned a smartphone worldwide. With so many devices out there, it seems like mobile would be an excellent target for ransomware threat actors. However, we don’t hear a lot about devastating ransomware attacks targeting smartphone operating systems, like iOS or Android. Let’s explore why.

Ransomware.org - January 12, 2022

Ransomware Increasingly Targets Linux and ESXi

Ransomware attacks have continued to plague organizations over the past few years, especially with the move to big game hunting at the end of 2019, and the debut of 'double extortion' in 2020. Initially, threat actors primarily targeted Windows-based environments, but have more recently expanded capabilities to include Linux-based systems. In 2021, well-known groups including REvil, Conti, RansomExx, and BlackMatter released ransomware specifically designed to target Linux and ESXi, and we expect this trend will continue.

Ransomware.org - January 1, 2022

2022 Ransomware Survey Results

We talk a lot about ransomware attacks within our own organizations—how to prepare for them, what to do when they happen, and the best way to stop the overall threat. While an ever-popular question is 'should we pay the ransom?' (which most said they are unlikely to), there are so many other highly impactful aspects to ransomware preparedness and response. We surveyed more than 500 IT and security professionals to look at the impact of ransomware in 2021 and 2022 to begin to answer that question.

Articles Featured In

LeMag IT - June 30, 2022

Cyberattacks: what is initial access?

The world of cybersecurity is marked by a jargon all its own. Some terms can lack clarity for the uninitiated. Lindsay Kaye, of Recorded Future, helps us decode the concept of initial access.

CSO - February 21, 2021

Egregor ransomware group explained: And how to defend against it

Egregor is one of the most rapidly growing ransomware families. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal,” according to Recorded Future’s Insikt Group. Although descriptions of the malware vary from security firm to security firm, the consensus is that Egregor is a variant of the Sekhmet ransomware family.

The Record - January 22, 2021

3 Ways Hacks Exploiting the COVID-19 Crisis Have Evolved

Over the last year, the COVID-19 pandemic has been punctuated by a series of crises and developments: in February, the U.S. declared a public health emergency; in March, the economy contracted and unemployment skyrocketed; relief packages were both passed and stalled in Congress throughout the year; and by December, vaccines were given emergency approval.