Whodunit

As a reporter, it is one of the main parts of my job to find out who is behind criminal enterprises such as ransomware groups. And while attribution might be hard, in some cases it is doable. By pivoting, using leaks and correlating it with other publicly available information. I’ll show many examples that will help the audience better understand how reporters use techniques familiar within the threat intelligence landscape. During the last couple of years I was part of four investigations that ended up identifying people for the first time publicly.

But the main part of the talk will deal with one question: Under what circumstances does it make sense to publish? Because the decision to put out the story has immediate consequences. One of them being that law enforcement agencies, who might have been trying to catch the very same actors, will likely no longer be able do to that. Since the actors also read our reporting stories and take precautions. For one, they stop traveling to countries where they run the risk of being arrested and then extradited. Knowing this, I’m going to make the case that it is important and in the public’s interest to publish such investigations.