Meet the ex-Marine hunting the world’s most dangerous cybercriminals

A profession in cybersecurity was most likely the past matter on John Fokker’s intellect as he was speeding throughout the Indian Ocean with his fellow Marines toward a ship crewed by pirates. But as it turns out, there are a stunning quantity of similarities in between the two disciplines.

Now Head of Cyber Investigations at stability organization McAfee, the beat Fokker finds himself in nowadays is much more digital than actual physical, but substantial-stakes however.

In a world in which cybercrime is progressively beneficial and ever much more advanced, attackers and defenders are now engaged in perpetual conflict, each and every striving to outwit and outmaneuver the other.

Whilst he acknowledges his route into cybersecurity was an atypical one particular, Fokker told TechRadar Pro his expertise in the army really delivered him with the ideal grounding.

“When you just take absent all the technical components, ransomware is incredibly a great deal like a hostage negotiation condition. Especially when you glimpse at the emotional point out of threat actors and victims,” he said.

“Ransomware is one particular of the couple cyberattacks wherever you as the victim interact with the cybercriminal. From a psychological stage of watch, it is incredibly interesting everyone wishes some thing from a person else.”

(Image credit score: Shutterstock / Sapann Style)

A exclusive grounding

A position with the Royal Netherlands Marine Corps was, for Fokker, an antidote to the drudgery of the business office position he took up just after graduating with a degree in laptop or computer science. It was not about the beat automatically, much more about doing some thing different.

He invested 8 yrs as a Marine in total, the past five of which with the Exclusive Functions Branch performing counterterrorism, counterpiracy and hostage rescue, which took him throughout the world.

In North Afghanistan, wherever he was stationed for a time, Fokker was tasked with provincial reconstruction, which included aiding neighborhood civilians develop infrastructure this kind of as colleges and h2o pits, and holding the engineers safe and sound in the course of action.

At an additional putting up in Somalia, he was part of a group centered on a Navy ship, whose position was to check pirate exercise in the region.

“We did a ton of shut variety reconnaissance at night time to see wherever the main camps were being and who was ready to sail out it was a ton of intelligence gathering,” he said. “If there was any indicator a pirate ship was about to sail out or was working at sea, or if there was a hostage condition, we would intervene.”

As glamorous as this could audio, Fokker said he at some point worn out of the lifestyle, which retained him absent from home for all but a couple weeks each and every 12 months. He selected to move up a purpose as a position officer in the Marine Corp in favor of a different taste of beat. 

“I saw the nature of what was heading on in the world shift,” he told us. “Even even though I was not actively in the cybersecurity realm, I could see that this was the long run.”

Cybersecurity will come contacting

Despite the fact that Fokker experienced established his sights on a position in cybersecurity, he didn’t changeover quickly to civilian lifestyle, as an alternative taking on a purpose as a digital investigations specialist with the Dutch nationwide law enforcement.

As part of the arranged crime group, he went just after drug kingpins, assassins and other criminals of a comparable class, tapping their phones and examining the recordings. On occasion, even though, he located himself lurking in the undergrowth in a ghillie suit aiming to “sniff their Wi-Fi”, proving that cyber investigation does not all just take put driving a desk.

He also played a purpose in several malware investigations and botnet takedowns for the duration of his time with the law enforcement. According to Fokker, even with the country’s diminutive sizing, the Dutch uncover themselves the coronary heart of lots of global cybercriminal investigations.

“The Netherlands is small, but a ton of web backbones terminate in the nation, so it is a central hub and there is a ton of world wide web web hosting,” he said. “From the incredibly commencing, the Dutch law enforcement have been included in a ton of investigations, purely since which is wherever cybercriminals host their methods.”


(Image credit score: / Gorodenkoff)

However, while the law enforcement get to take care of the most major cybercrime there is – the “dire stuff”, as Fokker termed it – the extent of their affect is restricted in some respects. The main issue is that only a small percentage of cybercrime victims file a formal report, restricting the scope of law enforcement investigations.

“[The police’s] watch on cybercrime is not automatically incomplete,” Fokker told us, “but it could be restricted to the reviews that get there on their plate. And the total threat landscape could really be a great deal bigger.”

To illustrate his stage, he gestured toward the formal figures from the World-wide-web Crime Criticism Center (IC3), which propose business email compromise is the most threatening type of assault. However, any person working in cybersecurity will explain to you that the harm from ransomware is a great deal better it just does not get reported by using formal channels.

An additional issue is that intelligence sharing can be challenging, since governing administration entities are hamstrung by distinct processes and global politics.

“Right now, I can dangle up the phone with you and connect with the NCAA or FBI and I can share facts no issue. In the law enforcement, the several policies and global treaties make that form of collaboration a ton tougher,” Fokker told us.

At McAfee, in the personal sector, he suggests he enjoys a level of versatility and dynamism that was unavailable to him in the earlier purpose.

“I think it is the finest position in the world,” he said. “We get to hunt cybercriminals, figure out what is heading on and shield our shoppers. And if we have useful facts that could direct to attribution or be valuable to the law enforcement, within just specific situation we’ll share it.”

Requested irrespective of whether there is ever a reluctance in the industry to share intelligence with other stability distributors, owing to level of competition in between them, Fokker laughs.

“Nobody is wanting to steal engineering or criticize other people today,” he suggests “Actually, everyone has a piece of the puzzle and we all consider to perform with each other to develop as entire a picture as possible. It’s not as cutthroat as you could visualize.”

A different form of hostage negotiation

A ton of Fokker’s time nowadays is invested pondering about one particular sort of cyberthreat in individual: ransomware.

According to all method of reports, ransomware assaults are becoming much more elaborate, much more efficient and much more beneficial for operators, who have been emboldened and are demanding better and better ransom service fees.

A report authored by researchers at Coveware, for instance, located that the ordinary ransom payment achieved an all-time substantial in Q1 2021, at $220,298. The increase was attributed to one particular particularly opportunistic team, termed CloP, which capitalized on a distinct vulnerability to seize the info of a raft of businesses.

Modern info from Kaspersky, meanwhile, displays ransomware is also becoming ever much more specific, with assaults on substantial-profile victims this kind of as corporations and governing administration agencies expanding by 767{d11068cee6a5c14bc1230e191cd2ec553067ecb641ed9b4e647acef6cc316fdd} 12 months-on-12 months.

What fascinates Fokker, even though, is the psychological aspect of ransomware assaults and the strange dynamic recognized in between the attacker and victim.


(Image credit score: Shutterstock / binarydesign)

“As with real-lifestyle hostage scenarios, victims are incredibly vulnerable in the very first couple minutes and hours just after an assault. Often, they are striving to get their bearings and often make more than-hasty decisions with no taking the time to evaluate what is heading on,” he described.

There is an aspect of system to mitigating ransomware that does not use to classic malware assaults, he suggests. It’s not just a technical issue, but a psychological one particular that demands the victim to “size up the criminal” and respond appropriately.

“I’ve also viewed lots of instances of cyber Stockholm Syndrome, wherever the victims that do close up negotiating are grateful to the perpetrator,” Fokker told us. “It’s nearly like a real hostage condition wherever any person varieties an emotional bond with their captor.”

To shell out or not to shell out

In 2017, in a bid to aid the lots of victims of ransomware, Fokker started a task termed No A lot more Ransom, which archives free of charge decryptors that can assist people today get better their info with no caving in to ransom demands.

The provider grew swiftly and turned the very first ransomware portal developed off the again of collaboration in between law enforcement and the personal sector fitting, supplied Fokker’s own profession route.

No A lot more Ransom now offers decryption equipment for a variety of different ransomware strains, this kind of as Avaddon, Zigggy, Fonix, Decide and Darkside, with much more becoming added all the time. It also allows people today diagnose the sort of infection they are struggling from, by cross examining facts delivered with acknowledged destructive URLs and Bitcoin addresses.

When there is no decryptor available, however, the query gets irrespective of whether or not to negotiate with the attacker. According to the No A lot more Ransom internet site, the information is under no circumstances to shell out the ransom, entire prevent.

“Paying the ransom is under no circumstances recommended, mostly since it does not warranty a solution to the issue. There are also a quantity of concerns that can go improper accidentally. For case in point, there could be bugs in the malware that can make the encrypted info unrecoverable, even with the correct key,” reads the FAQ site.

“In addition, if the ransom is paid, it proves to the cybercriminals that ransomware is efficient. As a final result, cybercriminals will continue their exercise and glimpse for new strategies to exploit methods.”

However, Fokker concedes that the complex mixture of variables at perform signifies the issue is not fairly that reduce-and-dry in reality, particularly for firms.

“In the trenches, some companies are presented with a different threat, since it turns into a business final decision. For case in point, they may possibly uncover themselves in a condition in which they would have to lay off staff members if they refused to shell out the ransom and info was leaked. There are tons of companies that are in a condition wherever they have no selection but to shell out.”

The final goal, he suggests, is that the tactic to cybersecurity matures to the stage at which ransomware victims no longer have to make that final decision. By possessing stable backups in put and a clear system in anticipation of an assault, the hope is that the ransomware business design can be shattered after and for all.