The Fox Was Running The Henhouse. I Mean, The Wolf Was Running The Sheep Tunnel.
I have been saying this for thirty years. Thirty years of warnings, memoranda, and strongly-worded faxes, and nobody listened.
A former ransomware negotiator, one Angelo Martino, age 41, has pleaded guilty to personally coordinating BlackCat (ALPHV) attacks against U.S. companies in 2023. His day job? Working for DigitalMint, a cybersecurity incident response firm. His side project? Being the Wolf he was supposedly protecting the flock from.
Let that sink in. Take your time. I will wait.
This is not irony. This is a systemic failure of a profession that stopped taking vetting seriously sometime around the Clinton administration. In the old days, you wanted access to sensitive infrastructure, you filled out a twelve-page form, submitted three references, and a very tired man in a government building somewhere checked your background against an actual physical file. On paper. Paper does not get breached.
Now the Shepherds simply hire whoever presents a confident-looking LinkedIn profile and a firm handshake, hand them the keys to the entire pasture, and go back to their quarterly earnings calls.
Martino was, presumably, advising panicked organizations on how to handle ransomware negotiations, which means he had intimate knowledge of exactly how vulnerable each flock was, how much they would pay, and where the holes in the fence were located. This is not a complicated crime to understand. This is a wolf with a clipboard and a visitor's badge.
The modern incident response industry has become a revolving door, and frankly, I blame the comfort of the Sky Pasture and everyone's blind faith in it. When your entire recovery strategy lives somewhere you cannot physically touch, you have already lost the argument.
Back when recovery meant a cold storage room and a wall of magnetic tapes, you knew exactly who had access. You could see them. You could watch them. Paranoia was a feature, not a bug.
Remediation
The Shepherds will not like this list. They never do.
Vet your incident responders. Aggressively. Conflict-of-interest checks are not optional bureaucracy; they are the entire point.
Limit responder access to only what is necessary. A negotiator does not need network-level visibility. Compartmentalize everything. Assume everyone is a potential Wolf until proven otherwise. This is not cynicism; this is professionalism.
Log and monitor responder activity during an active incident. Yes, even them. Especially them.
Conduct post-incident access reviews. Every single time. No exceptions for people who "seemed trustworthy."
And for the love of all that is sacred, stop treating cybersecurity vendors as unconditional allies. They are contractors. Treat them accordingly.
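A post-incident access review of the kind the list above calls for, as an added example that is not part of the original post: it checks a constructed audit log of responder actions against a per-role scope policy and flags every action outside that role's need-to-know, plus any account that was never on the engagement roster. The account names, roles, resource classes and log lines are all constructed.

```python
"""Post-incident access review for responder accounts (added example)."""
from collections import defaultdict

# Constructed scope policy: resource classes each responder role may touch.
# A negotiator gets the negotiation portal and the case tracker, nothing else.
ROLE_SCOPE = {
    "negotiator": {"negotiation-portal", "ticketing"},
    "forensic-analyst": {"evidence-store", "edr-console", "ticketing"},
    "recovery-engineer": {"backup-vault", "ticketing"},
}

# Constructed engagement roster: account -> role assigned for this incident.
ROSTER = {"neg.one": "negotiator", "fx.two": "forensic-analyst",
          "rec.three": "recovery-engineer"}

# Constructed audit log lines: timestamp account resource_class resource action
AUDIT_LOG = """\
2023-06-01T09:02Z neg.one negotiation-portal case-1042 read
2023-06-01T09:40Z neg.one edr-console host-fin-07 export
2023-06-01T10:15Z fx.two evidence-store img-fin-07 read
2023-06-01T11:00Z neg.one backup-vault vault-prod list
2023-06-01T11:30Z rec.three backup-vault vault-prod restore
2023-06-01T12:05Z unknown.acct edr-console host-fin-07 read
""".splitlines()


def review_access(log_lines, roster, role_scope):
    """Return out-of-scope events grouped by account.

    An event is flagged when the account is not on the roster, or when its
    role's scope does not include the resource class it touched. Each
    finding is (timestamp, resource_class, resource, action, reason).
    """
    findings = defaultdict(list)
    for line in log_lines:
        ts, acct, rclass, resource, action = line.split()
        role = roster.get(acct)
        if role is None:
            findings[acct].append((ts, rclass, resource, action, "not on roster"))
        elif rclass not in role_scope.get(role, set()):
            findings[acct].append(
                (ts, rclass, resource, action, f"outside {role} scope"))
    return dict(findings)


if __name__ == "__main__":
    for acct, events in review_access(AUDIT_LOG, ROSTER, ROLE_SCOPE).items():
        print(acct)
        for event in events:
            print("   ", *event)
```

The same review runs unchanged over a live log during the incident if the log is tailed into `review_access`, which is what the "log and monitor responder activity" step asks for.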
Thirty years, people. I have the fax records to prove it.
Original Report: https://www.bleepingcomputer.com/news/security/former-ransomware-negotiator-pleads-guilty-to-blackcat-attacks/