Allan “Ransomware Sommelier🍷” Liska

@uuallan

17,022
Followers
6,255
Following
4,708
Media
23,876
Statuses

Back The Press Guardian on Kickstarter today!

Virginia, USA
Joined April 2011
Pinned Tweet
@uuallan
Allan “Ransomware Sommelier🍷” Liska
22 days
I am really excited to announce that next week we will be launching the @Kickstarter for our trade paperback of Yours Truly, Johnny Dollar. This 200+ page book will include all 4 Yours Truly, Johnny Dollar stories plus a brand new "Christmas Special" starring @ddd1ms
Tweet media one
Tweet media two
Tweet media three
2
12
33
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
How it started. How it went. How it ended.
Tweet media one
Tweet media two
Tweet media three
38
66
1K
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
🧵 I've been working on a presentation that looks at signs that you are probably in the early stages of a ransomware attack. The idea is to look at logs/threat hunting indicators that are almost always a sign of ransomware reconnaissance. Here is the list I have, I'd love to see
12
139
561
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I sincerely appreciate all of the great suggestions. Here is the updated chart based on everyone's input. I had to reformat it to make it readable. I originally had company logos where the ransomware icon is but I figure companies won't want their logo on a ransomware chart 🤣.
Tweet media one
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I could use your (yes you) help. I am trying to compile a list of vulnerabilities ransomware groups (or their access brokers) use to gain initial access. Excepting Kaseya, are there any others I am missing from this list? Remember, this is initial access only.
Tweet media one
13
79
261
16
205
534
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I am trying to map out the anatomy of a ransomware attack. Are there any glaring steps or tools I am missing from this diagram (I know I didn't get all the tools ransomware groups use, but did I miss any big ones)?
Tweet media one
28
119
430
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Big News 🚨! My ransomware book is out, but the book is just one part of a bigger project, . A comprehensive site designed to help orgs defend against ransomware...and they are making all the content from the book available at no cost. Please visit!
Tweet media one
29
112
390
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
Weird question, but does anyone know where I got these cards? I thought it was @dustrial , but I don’t see them on their site. I just sent my last one and want to order more.
Tweet media one
5
36
391
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Meme for my talk today...
Tweet media one
7
87
377
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
20+ years ago, when I entered Infosec the books I read were about firewall configuration and deep dives into protocols. Now, I am reading @VossNegotiation ’s book, “Never Split the Difference,” to understand better ways to deal with ransomware groups.
Tweet media one
26
37
326
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
So, we are up to 42 vulnerabilities across 17 technologies (with 1 pending) that ransomware groups exploit for initial access. This is why preaching “just patch” isn’t good enough. I don’t know what the answer is, but what we’re doing clearly isn’t working.
@pancak3lullz
pancak3
3 years
Tweet media one
4
37
125
21
126
322
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
Well, this is awkward timing.
Tweet media one
14
46
292
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
It is always amazing to me the things it never occurred to anyone to start tracking. I am glad this is being done now.
4
73
285
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I could use your (yes you) help. I am trying to compile a list of vulnerabilities ransomware groups (or their access brokers) use to gain initial access. Excepting Kaseya, are there any others I am missing from this list? Remember, this is initial access only.
Tweet media one
13
79
261
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I want to expand on the targeting point I made yesterday, but in non-meme format. This is a breakdown of known ransomware victims by industry in 2020 and 2021 that @ddd1ms and I have been working on. Notice, that with the exception of healthcare and possibly local government 1/4
Tweet media one
16
134
259
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
All the people going to Blackhat/Defcon who talk about burner phones and burner laptops obviously don't know how to conference. I just bring my own portable Faraday Cage on wheels. Makes it easier to get around AND no one can hack me. Just kidding, I just don't go 🤣
Tweet media one
22
23
243
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
A windowless building with a bunch of satellite dishes on top in downtown Denver. 👋 @NSAGov
Tweet media one
44
15
229
@uuallan
Allan “Ransomware Sommelier🍷” Liska
10 months
It will surprise no one to learn that ALPHV are lying pieces of shit. They didn't "unseized" anything. The way .onion addressing works is that, as long as you have the signing key, if you register a second server with that address the newest server will be believed by default.
@aejleslie
Alexander Leslie
10 months
Oh… 😵‍💫 This is a first. I’m at a loss. The plot thickens? ALPHV claims to have “unseized” its primary blog from law enforcement. They’re removing their targeting rules. Affiliates are now permitted to attack critical infrastructure.
Tweet media one
10
40
200
8
35
224
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Question for Windows experts. Rather than deleting shadow copies, some ransomware resize it, which has the same effect. I keep seeing the same command. Is there something special about 401MB or is this a case of ransomware groups copying each other? (cc: @SwiftOnSecurity )
Tweet media one
9
53
216
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I don’t care that my son is 19, I am not above slipping a note of encouragement into his lunch when I know he is nervous about a day at work.
Tweet media one
12
8
210
@uuallan
Allan “Ransomware Sommelier🍷” Liska
5 years
@zoe_samuel @artologica @Avi_Bueno @Efithor @FrankLuntz @ImperialVienna Of course, even America has its problem areas. I once heard of an elevator in an apartment building in Berkeley, CA (of course) that went unfixed for 11 seasons...err years.
9
7
179
@uuallan
Allan “Ransomware Sommelier🍷” Liska
11 months
I wanted to get in on @Malwarebytes meme day! Henceforth, I declare October 24th to be: “Malwarebytes Meme Day”
Tweet media one
4
23
196
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
This is what I was talking about earlier. These are the law enforcement actions taken against ransomware groups *this* year (I think I am missing 1 or 2). This is having a real impact on ransomware operators...it is not slowing down ransomware attacks...yet. 1/2
Tweet media one
9
73
188
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Looks like the LockBit ransomware group had some fun with Google Translate this morning and decided not to make the same mistake as Conti.
Tweet media one
Tweet media two
Tweet media three
Tweet media four
6
49
172
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I also want to give a huge shoutout to the team at @LastWeekTonight they were really good and thorough. They double and triple checked everything. I’ll post the segment as soon as it goes live on YouTube.
7
5
174
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
This is an underreported story that may slow down ransomware payments in 2022 (note: payments, not attacks). Many organizations are used to basically “we have cyber insurance” as their IR & DR plans. That may not work going forward. via @reutersCarolynC
Tweet media one
8
63
167
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
You know what happens when you don’t pay your ransomware affiliates? They give their username, password, and backend chats to the New York Freakin’ Times. Which makes the Times the extortion site for ransomware actors who don’t pay their affiliates’ extortion 🤯.
@ddd1ms
𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘
3 years
#DarkSide ransomware operator darksupp got RIPPER status 🥲
Tweet media one
2
26
100
4
47
153
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Tweet media one
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I am trying to map out the anatomy of a ransomware attack. Are there any glaring steps or tools I am missing from this diagram (I know I didn't get all the tools ransomware groups use, but did I miss any big ones)?
Tweet media one
28
119
430
5
73
155
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
@SwiftOnSecurity Taking a screenshot and seeing they are googling the process I injected my loader into.
1
3
151
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Hey all! My new book, Ransomware: Understand. Prevent. Recover. Will be live on Monday in Kindle and Paperback versions! Apologies to everyone who pre-ordered the first time and had the orders cancelled, but this is actually happening!
24
33
148
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
When this image is shown on the sphere then, and only then, you will know they succeeded.
@LasVegasLocally
Las Vegas Locally 🌴
1 year
The DEFCON hackers are actively trying to hack the Sphere Thingy, according to multiple sources. Be safe out there.
100
257
2K
9
19
136
@uuallan
Allan “Ransomware Sommelier🍷” Liska
11 months
@SwiftOnSecurity I point this out to people all the time. There are some really skilled ransomware actors at the top of the food chain. However, there are many, many more who rate just above script kiddie and benefit from the tools the skilled actors created, but have no idea what they are doing.
5
5
132
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
This write-up about the ransomware challenges by @GossiTheDog is worth the 21 minute read. This passage struck me as especially relevant given the release of CVE-2021-31963, an RCE against SharePoint, yesterday. 1/2
Tweet media one
3
34
133
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
This Tweet is my resume now.
@C_C_Krebs
Chris Krebs
3 years
This is a useful exercise. @uuallan continues to be a leader in the fight against ransomware…
0
28
127
3
4
123
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Resharing this from yesterday, just because I am so proud of it...best thing I ever did for a talk that didn't get accepted 😂
11
28
123
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
By my calculations we are already at ~400 *publicly reported* victims for June. Which means three out of the last four months will have 400+ *publicly reported* victims. I don’t think we’ve ever seen a ransomware feeding frenzy like this. I’ll be honest, I am tired y’all.
Tweet media one
8
37
121
@uuallan
Allan “Ransomware Sommelier🍷” Liska
11 months
Congratulations 🎉! It is well-deserved and, now I can say publicly, thank you @CISAJen for the challenge coin, I added it to my collection with great pride because I love the serious and hard work that @CISAgov is doing!
Tweet media one
@Gi7w0rm
Gi7w0rm
11 months
Dear friends and followers! It is with immense pride and gratefulness that today I received an official @CISAgov challenge coin, accompanied by a personal letter from CISA's director @CISAJen . I am very happy to see my work appreciated in this way! #infosec #reward 1/6
Tweet media one
Tweet media two
62
32
598
3
9
120
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Nicely done @HomeDepot , I wish more merchants would follow suit.
Tweet media one
3
20
113
@uuallan
Allan “Ransomware Sommelier🍷” Liska
10 months
🧵Your periodic reminder ransomware attacks against healthcare providers have been EXCEPTIONALLY bad this year. Through the end of November 2023 there have been: 322 *publicly reported* ransomware attacks against healthcare providers. Compared to all of: 2022: 245 2021: 290
Tweet media one
6
50
104
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
Hey 👋 Austin, there is a fine line between being “weird” and whatever this is 😂.
Tweet media one
20
5
112
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
As a number of people have reported, Hive has had their infrastructure seized by a truly impressive array of law enforcement. This also means another leader, in terms of postings to data leak sites (FWIW), has fallen and certain members of Conti are now 0-2.
Tweet media one
Tweet media two
5
31
108
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
🧵 A number of journalists have asked me to comment on the NSA's statement that sanctions are reducing the number of ransomware attacks, so I want to share some numbers. Let me preface this by saying that I think the sanctions and other law enforcement actions
1
39
107
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
I am supposed to talk to some college students tomorrow about preparing for cybersecurity jobs of the future...and I really want to include this meme, but I am not sure if I should break their hearts or not. What do you all think?
Tweet media one
19
14
109
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
@CISAJen @CISAgov That's one hell of a subtweet ❤️‍🔥
3
4
108
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
🚨🚨🚨 Announcement! 🚨🚨🚨 @BrettCallow and I are starting our own ransomware negotiation firm! We named the company: Give Me the Key You Bastard Our only negotiation tactic is: "Give me the key and kill yourself you bastard or I am sending in a drone" Now accepting clients.
17
11
105
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
And, it is live!
5
12
103
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Paying the ransom doesn’t mean recovery is going to be easy. Decryption tools provided by ransomware groups suck. Your third-party IR will have to rewrite it and you are looking at months of recovery time as every machine still needs to be cleaned/replaced. #RansomwareSucks
7
34
96
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Ransomware, and other, groups are already exploiting CVE-2021-21985, this new vCenter RCE vulnerability, CVE-2021-22005, looks even worse. Please patch or enable compensating controls. via @serghei
3
61
94
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
Y’all! I am going to be on @NBCNightlyNews this evening to talk about the MGM and Caesar’s attacks. Please tune in and fingers crossed 🤞 that tonight is finally the night @ratemyskyperoom rates my room!
11
7
98
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
After seeing my Tweet, Kris informed me that we would NOT be turning ransomware “WANTED” posters into Christmas cards. Instead, I turned them into stickers. If you are at #CYBERWARCON on Tuesday hit me up if you want one or grab one at the @RecordedFuture booth.
Tweet media one
7
9
94
@uuallan
Allan “Ransomware Sommelier🍷” Liska
8 months
🚨Scattered Spider Arrested! 🚨 ( Member of…) Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider – Krebs on Security via ⁦ @briankrebs
5
36
96
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Yay! I get to break out my favorite meme! Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
Tweet media one
1
21
92
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Just a prop, but still pretty cool.
Tweet media one
5
7
92
@uuallan
Allan “Ransomware Sommelier🍷” Liska
7 months
🚨🚨Exclusive!!!🚨🚨 I’m tired of people doing LockBit interviews wrong, so I broke my “no contacting cyber criminals” rule to interview him. Below is a lightly edited transcript. Note: if you try to confirm he will undoubtedly deny it, but remember he is a liar and I am not.
Tweet media one
Tweet media two
6
8
91
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
What shall we call the Conti Soap Opera? “Days of Our Conti” “General Conti” “Conti and the Restless” “Law of the Conti” “Conti of the Neighborhood”
@ddd1ms
𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘
3 years
#cyberwar unfolds with a leak of internal communications of the #conti #ransomware group for the past 13 months ⚡️
Tweet media one
15
260
959
16
25
91
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
You all are amazing! Thank you to everyone who ordered!
Tweet media one
3
1
91
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I know I am going to regret saying this, but has anyone else noticed that ransomware groups have been EXTREMELY quiet over the last 3-4 days?
23
9
92
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
😂 ⬅️ Me laughing so I don’t cry.
@Cyberknow20
CyberKnow
1 year
Tweet media one
3
62
189
1
15
90
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
Protip: As Jeff points out, DDoS’ing airport websites does not “take the airport offline.” I honestly can’t remember the last time I visited an airport website, this is a headline grabbing stunt that likely has minimal disruptive impact.
@jeffstone500
jeff stone
2 years
Russian-speaking hackers are claiming credit for temporarily knocking some US airports' websites offline. No indication of 🚨RUSSIAN GOVERNMENT HACKING US AIRLINES TO DISRUPT TRAVEL 🚨 let's get smarter about some of this stuff
3
7
30
9
27
89
@uuallan
Allan “Ransomware Sommelier🍷” Liska
9 months
I don’t normally like to post pictures of my lunch, but this cheese and charcuterie platter was lovely, so I needed to share.
Tweet media one
5
1
88
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
The 2nd Edition of my book, Ransomware: Understand. Prevent. Recover. Is now available on Amazon! Big, thanks to @actualtechmedia (especially the amazing Katie!) and @RansomwareO for getting this out and thank you all for providing feedback!
Tweet media one
13
26
86
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Guess what arrived today, @egflo ! I can’t wait to dive in.
Tweet media one
3
6
87
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
🧵Today marks 7⃣years for me at @RecordedFuture ! It has been incredible watching the company grow and contributing my small part. I've been honored to work with so many amazing people like @ddd1ms , @thegumshoo , @verylongbloke , @levigundert , @CharityW4CTI , and @aejleslie
11
6
86
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
This is how I have spent the last 6 months of my life. I am really excited with the results. Wine fraud is a much more pervasive problem than most people realize, and it affects all types of wine drinkers. I'd love to hear your thoughts on the research.
17
25
78
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
I've been asked to give a talk called "What is the Dark Web?" here are the slides I am going to use...would love your feedback 😂.
Tweet media one
Tweet media two
Tweet media three
18
8
83
@uuallan
Allan “Ransomware Sommelier🍷” Liska
4 years
@r0wdy_ I’ve made this suggestion before, but no one listens to me: Most ransomware won’t install on computers with the Russian language pack or Cyrillic keyboard layout. Convert your org to only use the Russian language and buy everyone Cyrillic layout keyboards.
6
8
77
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
Umm...did someone hit LockBit with a drone? Jan - Mar: LockBit accounts for 31.6% of attacks Apr - Jun: LockBit accounts for 19.9% of attacks July: LockBit accounts for 9.1% of ransomware attacks I've been doing this too long to count LockBit out, but the data is interesting.
Tweet media one
Tweet media two
Tweet media three
13
23
81
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Respectfully, I disagree. If you launch a ransomware attack against a hospital you are evil. If you reach out to patients who are seeking help for their mental health and threaten to expose their private discussions unless they pay your extortion demands, you are evil.
@drbvaler
Valeriano
3 years
Language is important, mythologizing any actor as good or evil misconstrues the threat. “Ransomware actors are evil. … Anything they can do to get money, they will absolutely do it.” – @uuallan
2
2
6
3
5
79
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
In 2020, at the start of the pandemic, I built (had built) a “wine cellar” under our stairs. After a couple of years, it stopped working for me, so I spent the day redesigning the storage. I like the funky look that makes better use of the space.
Tweet media one
17
2
76
@uuallan
Allan “Ransomware Sommelier🍷” Liska
9 months
Your periodic reminder that yinz insisting I spend the money to get the @lecreuset bread oven was 100% the right call.
Tweet media one
12
1
79
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
8 of 14 suspects in yesterday’s FSB raid against REvil ransomware members have been charged today via @Ionut_Ilascu
Tweet media one
4
31
76
@uuallan
Allan “Ransomware Sommelier🍷” Liska
7 months
Celebrating the LockBit takedown in person with the amazing (for a Canadian) @BrettCallow
Tweet media one
7
4
78
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Heard from a buddy of mine that a "salesperson" from a "security" vendor reached out letting them know that shell access to their organization was being sold on the "Dark Web." Vendor would not supply any information without a sales call. If you do this, you are a bad company.
6
4
77
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I have been a @WIRED subscriber since the early 2000’s. So, this is absolutely amazing…I even got my picture turned into a little draw-y thing. Kind of weird that WIRED thinks I am at the same level as @BillGates (though, only one of us made the cover 🤣).
Tweet media one
Tweet media two
10
7
76
@uuallan
Allan “Ransomware Sommelier🍷” Liska
21 days
There are some things money can’t buy; for everything else there’s @RecordedFuture
@cahlberg
Christopher Ahlberg
21 days
I am thrilled to announce that @Mastercard is acquiring @recordedfuture for $2.65B. It has been an incredible journey, starting in 2007 when we wrote down the patent application for what became the Recorded Future Intelligence Platform.
79
211
1K
8
4
77
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I know infosec already has #dfirfit and @greglesnewich ’s #100DaysofYARA but I am going to add one more, #52WeeksofWine as I work my way through my next level of certifications.
4
3
72
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
Several people have shared an older version of the anatomy of a ransomware attack graphic that was crowd-sourced here. This is the latest version, it reflects two changes: 1. A big jump in third party initial access seen in 2021 2. The growing concern around insider threat
Tweet media one
2
27
71
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
Hey ransomware groups, I am going to say this slowly since apparently you all are too stupid to understand: Schools. Don't. Have. Revenue. Школы. Не. Иметь. Доход. Bastards.
Tweet media one
1
15
71
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
🧵I lived through the dot com crash. In 2002 I was laid off from WorldCom and was unemployed for about 100 days. Here is what it was like…
@IanColdwater
Ian Coldwater 📦💥
2 years
"Tech workers who didn't live through the dot com crash, you have no idea what's coming. Prepare yourselves." This isn't actionable. People who don't know what's coming probably don't know how to prepare for it. Dotcom crash survivors, what is your actionable advice for people?
576
1K
6K
3
10
67
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
Took a break from wine and whisky fraud this morning to build my Bayraktar TB2! Thanks for the tip @C_C_Krebs .
Tweet media one
@C_C_Krebs
Chris Krebs
2 years
Hung out w/ Ukrainian fighter pilot callsign Juice last week. He & wingman Moonfish were in DC to brief the Pentagon & Congress on state of play in the skies of Ukraine. It was an incredible honor to spend time with a real hero defending his homeland from Russian war criminals.
6
42
506
2
5
68
@uuallan
Allan “Ransomware Sommelier🍷” Liska
8 months
The @RecordedFuture Boston Office is celebrating LockBit Takedown Day with Cupcakes. How are you celebrating?
Tweet media one
4
6
69
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
I am looking for a ransomware intern to help with writing up information on new samples. You basically get paid to blow up ransomware. The position is part time, paid, remote and will be through the summer and fall. (cc: @CyTalks , @hawkinsw , @Vamegabyte )
6
54
66
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
I want to share this passage from @Renee_Dudley & @DanLGolden ’s book about @VK_Intel . He was right about the importance of the TrickBot-Emotet-Ryuk connection, as well as a lot of other things. Rest in peace and thank you for your contributions to the security community.
Tweet media one
0
17
67
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
This is likely NEW Cooperative. Depending on the extent of the attack, this could be disruptive to the food chain and would definitely get CISA/USDA involved.
5
37
68
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Mom’s ring (against my advice) is set up and she says “Hi” to the people of Twitter.
Tweet media one
11
0
64
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
👀 🍾 🎊 Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses | OPA | Department of Justice
5
31
67
@uuallan
Allan “Ransomware Sommelier🍷” Liska
2 years
My next 2 days…
Tweet media one
13
0
68
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
One of our sales team had me sign copies of my book to hand out to his clients for Christmas. I am honored he asked, but it feels like a weird Christmas gift 😂
Tweet media one
9
4
67
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
A quick reminder that, by far, the most effective way to deter ransomware is to change the language and keyboard layout of all your workstations to one of the ones listed below. Practical: Not even close. Effective: Yup.
@nicoleperlroth
Nicole Perlroth
3 years
The assumption is that Darkside is not nation state affiliated, but like oh-so-many ransomware groups it uses tools like “GetUserDefaultLangID” to perform language checks. If the victim uses any languages below, DarkSide moves on.
Tweet media one
30
222
469
5
24
63
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
👀 (keep it together allan, play it cool)
Tweet media one
6
0
67
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Watch out for CVE-2021-38666 in this month's Patch Tuesday. RCE against Windows RDP that Microsoft Labeled "Exploitation More Likely," I think we'll be updating our chart soon @pancak3lullz
2
34
66
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
Something interesting: The number of victims posted to ransomware extortion sites has been down significantly for the last 3 weeks, back to Jan 2020 levels. This doesn't necessarily mean that the number of ransomware attacks are down, just victims posted to extortion sites. 1/2
Tweet media one
3
31
66
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
I feel a win like this deserves a meme!
Tweet media one
@uuallan
Allan “Ransomware Sommelier🍷” Liska
3 years
EXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline // great reporting by ⁦ @josephmenn ⁩ & ⁦ @Bing_Chris
1
27
68
2
8
65
@uuallan
Allan “Ransomware Sommelier🍷” Liska
7 months
Everyone laughed at me when I said LockBitSuck was an FBI informant and yet… h/t @LawrenceAbrams
Tweet media one
2
12
65
@uuallan
Allan “Ransomware Sommelier🍷” Liska
1 year
I’ve always admired the work of @runasand , but this article really lays out how much work goes into protecting journalists. Absolutely a must read. via @cjr
1
21
66