Andrew Brandt
so that they could pull those down and start to, they wanted to sink all the domains and see what was connecting into them.
It's just fascinating to think that, like, I don't know, a Netgear, a Linksys, some other commercial product was checking into SophosFirewallUpdate.com.
It almost screams of like, well, we could be bothered to register this domain for Sophos.
We're not going to bother to register it for these other companies.
We're just going to keep using it for these other things.
But then they also registered for the kill switch, they registered Ragnarok from Asgard, right?
And Ragnarok, of course, is the Norse mythology end of world myth.
And it was fascinating that that was how they, you know, used that nomenclature and that language behind it.
Because by this point, we already had some folks who were using Marvel characters, superhero names in their user accounts that they were, you know, that they were using for downloading these firewalls.
who was involved in some of the exploit development and had registered a bunch of these virtual firewalls.
And now we're seeing, you know, this is the timeframe when the TV series Loki came out and when the Thor Ragnarok movie had come out as well.
And it's just fascinating to imagine that these guys who were doing this stuff saw themselves as some kind of, you know, superheroes, or maybe they just, like, put themselves in the shoes of, like, that maybe they're just, you know, maybe they're, like, up there with gods, and that they can, you know, engage in, you know, a hammer that can throw lightning from a distance at an enemy.
Within about six to eight weeks after the hotfixes were rolled out, the threat actors had figured out what the hotfix did to make it impossible for the Ragnarok attack to work.
They had just bounced their attack around the thing that the hotfix was able to, in a very rapid way, kludge together to make it not work.