How Expensify got to $100M in revenue by hiring “stem cells” and not “cogs in a wheel”

The influence of a founder on their company’s culture cannot be overstated. Everything from their views on the product and business to how they think about people affects how their company’s employees will behave, and since behavior in turn informs culture, the consequences of a founder’s early decisions can be far-reaching.

So it’s not very surprising that Expensify has its own take on almost everything it does when you consider what its founder and CEO David Barrett learned early in his life: “Basically everyone is wrong about basically everything.” As we saw in part 1 of this EC-1, this led him to the revelation that it’s easier to figure things out for yourself than finding advice that applies to you. Eventually, these insights — and the adventurous P2P hacker attitude he nurtured alongside his colleagues and Travis Kalanick at Red Swoosh — would inform how he would go about shaping Expensify.

Expensify’s culture can’t be separated from its hiring and growth processes — by joining the company, employees self-select into a group that isn’t likely to get hung up about trade-offs.

It’s striking how Expensify has managed to maintain this character 13 years later, even on the threshold of an IPO. How did this happen? During a series of interviews in February and early March, we found the answer is tied to the level of thought and effort this expense management business puts into its culture.

You see, the people at Expensify are prepared to invent their own playbook, develop it and, if needed, rewrite it completely. Its HR policies and strategy are tailored to find people who would have fun building an expense management product. It has a unique growth and recognition scheme to offset the drawbacks of a flat organizational structure. It’s even got a “Senate” that vets all major decisions. No kidding.

All this, and more, has ultimately helped Expensify reach more than 10 million users and achieve $100 million in annual revenue with just 130 employees. Let’s take a closer look at how Expensify makes it happen.

“We want the fewest people necessary to get the job done”

It’s clear Expensify’s unusually high employee-to-revenue ratio is intentional: “We want the fewest people necessary to get the job done,” Barrett says. But how do you actually achieve it? How do you hire and keep people who can deliver such results? Barrett had to learn how the hard way.

Expensify’s first team was based in San Francisco and comprised Barrett’s old Red Swoosh and Akamai colleagues, who joined a few months after Akamai fired him. A small team was enough to get started, but it was much more difficult to hire additional people. Barrett is eager to clarify the Valley is not really the best place to recruit talent: “Sure, Silicon Valley has a ton of really awesome people, but all of them have jobs!,” he says.

Father and son duo take on global logistics with Optimal Dynamics’ sequential decision AI platform

Like “innovation,” machine learning and artificial intelligence are commonplace terms that provide very little context for what they actually signify. AI/ML spans dozens of different fields of research, covering all kinds of different problems and alternative and often incompatible ways to solve them.

One robust area of research here that has antecedents going back to the mid-20th century is what is known as stochastic optimization — decision-making under uncertainty where an entity wants to optimize for a particular objective. A classic problem is how to optimize an airline’s schedule to maximize profit. Airlines need to commit to schedules months in advance without knowing what the weather will be like or what the specific demand for a route will be (or, whether a pandemic will wipe out travel demand entirely). It’s a vibrant field, and these days, basically runs most of modern life.

Warren B. Powell has been exploring this problem for decades as a researcher at Princeton, where he has operated the Castle Lab. He has researched how to bring disparate areas of stochastic optimization together under one framework that he has dubbed “sequential decision analytics” to optimize problems where each decision in a series places constraints on future decisions. Such problems are common in areas like logistics, scheduling and other key areas of business.

The Castle Lab has long had industry partners, and it has raised tens of millions of dollars in grants from industry over its history. But after decades of research, Powell teamed up with his son, Daniel Powell, to spin out his collective body of research and productize it into a startup called Optimal Dynamics. Father Powell has now retired full-time from Princeton to become chief analytics officer, while son Powell became CEO.

The company raised $18.4 million in new funding last week from Bessemer led by Mike Droesch, who recently was promoted to partner earlier this year with the firm’s newest $3.3 billion fundraise. The company now has 25 employees and is centered in New York City.

So what does Optimal Dynamics actually do? CEO Powell said that it’s been a long road since the company’s founding in mid-2017 when it first raised a $450,000 pre-seed round. We were “drunkenly walking in finding product-market fit,” Powell said. This is “not an easy technology to get right.”

What the company ultimately zoomed in on was the trucking industry, which has precisely the kind of sequential decision-making that father Powell had been working on his entire career. “Within truckload, you have a whole series of uncertain variables,” CEO Powell described. “We are the first company that can learn and plan for an uncertain future.”

There’s been a lot of investment in logistics and trucking from VCs in recent years as more and more investors see the potential to completely disrupt the massive and fragmented market. Yet, rather than building a whole new trucking marketplace or approaching it as a vertically integrated solution, Optimal Dynamics decided to go with the much simpler enterprise SaaS route to offer better optimization to existing companies.

One early customer, which owned 120 power units, saved $4 million using the company’s software, according to Powell. That was a result of better utilization of equipment and more efficient operations. They “sold off about 20 vehicles that they didn’t need anymore due to the underlying efficiency,” he said. In addition, the company was able to reduce a team of 10 who used to manage trucking logistics down to one, and “they are just managing exceptions” to the normal course of business. As an example of an exception, Powell said that “a guy drove half way and then decided he wanted to quit,” leaving a load stranded. “Trying to train a computer on weird edge events [like that] is hard,” he said.

Better efficiency for equipment usage and then saving money on employee costs by automating their work are the two main ways Optimal Dynamics saves money for customers. Powell says most of the savings come in the former rather than the latter, since utilization is often where the most impact can be felt.

On the technical front, the key improvement the company has devised is how to rapidly solve the ultra-complex optimization problems that logistics companies face. The company does that through value function approximation, which is a field of study where instead of actually computing the full range of stochastic optimization solutions, the program approximates the outcomes of decisions to reduce compute time. We “take in this extraordinary amount of detail while handling it in a computationally efficient way,” Powell said. That’s where we have really “wedged ourselves as a company.”

Early signs of success with customers led to a $4 million seed round led by Homan Yuen of Fusion Fund, which invests in technically sophisticated startups (i.e. the kind of startups that take decades of optimization research at Princeton to get going). Powell said that raising the round was tough, transpiring during the first weeks of the pandemic last year. One corporate fund pulled out at the last minute, and it was “chaos ensuing with everyone,” he said. This Series A process meanwhile was the opposite. “This round was totally different — closed it in 17 days from round kickoff to closure,” he said.

With new capital in the bank, the company is looking to expand from 25 employees to 75 this year, who will be trickling back to the company’s office in the Flatiron neighborhood of Manhattan in the coming months. Optimal Dynamics targets customers with 75 trucks or more, either fleets for rent or private fleets owned by companies like Walmart who handle their own logistics.

Google Cloud launches Vertex AI, a new managed machine learning platform

At Google I/O today Google Cloud announced Vertex AI, a new managed machine learning platform that is meant to make it easier for developers to deploy and maintain their AI models. It’s a bit of an odd announcement at I/O, which tends to focus on mobile and web developers and doesn’t traditionally feature a lot of Google Cloud news, but the fact that Google decided to announce Vertex today goes to show how important it thinks this new service is for a wide range of developers.

The launch of Vertex is the result of quite a bit of introspection by the Google Cloud team. “Machine learning in the enterprise is in crisis, in my view,” Craig Wiley, the director of product management for Google Cloud’s AI Platform, told me. “As someone who has worked in that space for a number of years, if you look at the Harvard Business Review or analyst reviews, or what have you — every single one of them comes out saying that the vast majority of companies are either investing or are interested in investing in machine learning and are not getting value from it. That has to change. It has to change.”

Wiley, who was also the general manager of AWS’s SageMaker AI service from 2016 to 2018 before coming to Google in 2019, noted that Google and others who were able to make machine learning work for themselves saw how it can have a transformational impact, but he also noted that the way the big clouds started offering these services was by launching dozens of services, “many of which were dead ends,” according to him (including some of Google’s own). “Ultimately, our goal with Vertex is to reduce the time to ROI for these enterprises, to make sure that they can not just build a model but get real value from the models they’re building.”

Vertex, then, is meant to be a very flexible platform that lets developers and data scientists across skill levels train models quickly (Google says it takes about 80% fewer lines of code to train a model than on some competing platforms, for example) and then helps them manage the entire lifecycle of those models.

The service is also integrated with Vizier, Google’s AI optimizer that can automatically tune hyperparameters in machine learning models. This greatly reduces the time it takes to tune a model and allows engineers to run more experiments and do so faster.

Vertex also offers a “Feature Store” that helps users serve, share and reuse machine learning features, and Vertex Experiments, which helps them accelerate the deployment of their models into production through faster model selection.

Deployment is backed by a continuous monitoring service and Vertex Pipelines, a rebrand of Google Cloud’s AI Platform Pipelines, which helps teams manage the workflows involved in preparing and analyzing data for their models, training them, evaluating them and deploying them to production.

To give a wide variety of developers the right entry points, the service provides three interfaces: a drag-and-drop tool, notebooks for advanced users and — and this may be a bit of a surprise — BigQuery ML, Google’s tool for using standard SQL queries to create and execute machine learning models in its BigQuery data warehouse.

“We had two guiding lights while building Vertex AI: get data scientists and engineers out of the orchestration weeds, and create an industry-wide shift that would make everyone get serious about moving AI out of pilot purgatory and into full-scale production,” said Andrew Moore, vice president and general manager of Cloud AI and Industry Solutions at Google Cloud. “We are very proud of what we came up with in this platform, as it enables serious deployments for a new generation of AI that will empower data scientists and engineers to do fulfilling and creative work.”

WalkMe is going public: Let’s stroll through its numbers

Hot off the heels of our look into Marqeta’s IPO filing and dives into SPACs for Bright Machines and Bird, we’re parsing the WalkMe IPO filing. Later this week, Squarespace will direct list and we’ll see IPOs from Oatly and Procore. It’s a super busy time for public debuts of all sorts.

Given how hectic the IPO market is, we’re going to skip our usual throat clearing and dig into WalkMe’s IPO document. As always, we’ll start with a brief overview of its product and then move into discussing its financial performance.

WalkMe is the second Israel-based technology company to file to go public this week: No-code startup Monday.com is also pursuing an American IPO.

Alright! Into the breach.

What does WalkMe do?

WalkMe’s software provides visual overlays on websites that help users navigate the product in question. I base that explanation on my time at Crunchbase, which was a customer during at least part of my time there. WalkMe is popular with marketing teams who want to introduce users to a new or refreshed experience.

Per the company’s F-1 filing, other elements of its service that matter include its onboarding system and what WalkMe calls Workstation, or its “single interface to the applications within an enterprise and simplifies task completion through a natural language conversational interface and automation.” We’re including that last feature because it says “automation,” which, in the wake of the UiPath IPO, is a word worth watching. Investors are.

At a high level, WalkMe is a SaaS business, which means that when we digest its results we are digging into a modern software company. Let’s do just that.

WalkMe’s numbers

From 2019 to 2020, WalkMe grew its revenues from $105.1 million to $148.3 million, a gain of 41%. In its most recent quarter, the company’s growth rate slowed: From Q1 2020 to Q1 2021, WalkMe’s top line grew 25% from $34.2 million to $42.7 million.

In SaaS terms, WalkMe calculates that its annual recurring revenue, or ARR, grew from $131.2 million at the end of 2019 to $164.3 million in 2020. In more granular terms, the company’s ARR grew from $137.8 million to $177.5 million in the first quarters of 2020, and 2021, respectively.

How To Achieve Full Endpoint Security With Your Current Team And Resources 

Sometimes, trying to fight off hackers can feel like playing in a five-on-five football tournament, only the other four members of your team couldn’t afford the entry fee, so you’re playing five-on-one. You’re understaffed, under-resourced, and you stand little chance of winning. When you guard one area, they just go around you, exploiting an open space with no coverage.

Or, bringing it around to IT, when you protect one access point, hackers find entry elsewhere. By the time you detect them, they’ve already scored by stealing your data and sensitive information or locking apps within your device and demanding a Bitcoin payment to unlock them. You need a solution to defend against ransomware attacks.

Unlike a lost football match, a compromised endpoint can have serious consequences. To win against attackers, you need a more complete defense, one that evens up the odds so you can guard each of their moves with one of your own. Or, even better, one that can bring a backup team to give your IT team the advantage.

Empowering Humans with AI and ML Automation

Fortunately, there is a way to do this without struggling for additional headcount or paying for expensive services: automation. The best endpoint protection solutions combine automation with artificial intelligence (AI) and machine learning (ML) to detect and remediate modern attacks in real time, at machine speed, without human intervention. Your team only has to respond to the most severe attacks, which means you can rely on the same IT team, experience, and resources you have now.

That’s how SentinelOne approaches endpoint protection. SentinelOne is the only cybersecurity solution encompassing AI-powered prevention, detection, response, and hunting across endpoints, containers, cloud workloads, and IoT devices in a single autonomous platform. It gives your organization full transparency into everything happening across the network at machine speed—and it gives you the additional resources to defeat every attack at every stage of the threat lifecycle.

How SentinelOne’s Automation Augments Your Team

SentinelOne’s static and behavioral AI models live on each device, detecting anomalous activity without a cloud connection and enabling devices to self-heal from any attack instantaneously. The behavioral AI fully replaces antivirus software and delivers real-time prevention, detection, response, and hunting against known and never-seen-before malware strains.

The Sentinels are managed via SentinelOne’s globally available, multi-tenant SaaS platform designed for ease-of-use and flexible management. SentinelOne is easy to tailor and set up for the unique needs of your business.

The SentinelOne platform includes three primary tiers for EPP+EDR (endpoint protection platform and endpoint detection and response) with increasingly intensive protection, detection, and response:

  • Singularity Core, the entry-level endpoint security product for businesses that want to replace legacy or next-generation antivirus solutions with an endpoint protection platform that is more effective and easier to manage.
  • Singularity Control adds increased options for device control and management, including Firewall Control and USB & Bluetooth Control.
  • Singularity Complete is made for organizations that need modern endpoint protection and control, plus advanced EDR and threat-hunting features.

The Vigilance Managed Detection and Response (MDR) service subscription can augment your security team by ensuring that every threat is reviewed, acted on, documented, and escalated if needed.

Singularity Control, with device control capabilities that offer granular device management for USB and Bluetooth on Windows and Mac, provides centralized and customizable policy-based control with hierarchy inheritance.

Firewall Control enables you to control inbound and outbound network traffic for Windows and Mac devices. You can tag mechanisms for streamlined policy assignment and administrative clarity, while touchless location awareness allows you to assign network control based on the system’s physical location.

The rogue device discovery feature identifies the endpoints that are not protected by SentinelOne, and passively and actively sweeps networks to provide enterprise-wide visibility.

SentinelOne Singularity Complete, which is made for organizations that need modern endpoint protection and control plus advanced endpoint detection and response, features Storyline™ technology that automatically contextualizes all OS process relationships at all times and stores them for future investigations. This feature saves the IT team from tedious event correlation tasks and helps them get to the root cause of an event quickly.

Staying A Play Ahead Of Attackers

With SentinelOne, it’s like you’re bringing professionals as your teammates into the football tournament. And they brought their friends. Suddenly, you have the advantage and every play attempted by the other team (we’ll call them The Hackers) is blocked.

Organizations are changing, and that requires a digital transformation to ensure continuity when unforeseen circumstances occur—like a pandemic. With SentinelOne, you get the security you need to keep your business on track.

If you would like to know more about the capabilities that make up the SentinelOne Singularity Platform, contact us or request a free demo.

Fast growth pushes an unprofitable no-code startup into the public markets: Inside Monday.com’s IPO filing

At long last, the Monday.com crew dropped an F-1 filing to go public in the United States. TechCrunch has long known that the company, which sells corporate productivity and communications software, has scaled north of $100 million in annual recurring revenue (ARR).

The countdown to its IPO filing — an F-1, because the company is based in Israel, rather than the S-1s filed by domestic companies — has been ticking for several quarters, so seeing Monday.com drop the document on this Monday morning was just good fun.

The Exchange has been riffling through the document since it came out, and we’ve picked up on a few things to explore. We’ll start by looking at the company’s revenue growth on a historical basis to see if it has accelerated in recent quarters thanks to the pandemic. Then, we’ll turn to profitability, cash burn, share-based compensation expenses and product vision.

We’ll wrap at the end with a summary of what we’ve learned and also make sure to check out the company’s marketing spend, because I’m sure you’ve seen its digital ads.

It’s a lot to chew through, so no more dilly-dallying. Into the numbers!

As always, we’re starting with revenue growth because it’s still the single most important thing about any venture-backed company.

Revenue adds are accelerating

This is great news for the startup, its employees and its investors. From 2019 to 2020, Monday.com grew its revenues from $78.1 million to $161.1 million, or 106%.

From Q1 2020 to Q1 2021, the company’s revenues grew from $31.9 million to $59 million. That’s about 85% growth. So, by what measure do we mean that the company’s revenue growth is accelerating? Its sequential-quarter revenue growth is picking up. Observe the following:

Image Credits: Monday.com F-1 filing

From Q2 2019 to Q3 2019, the company added around $4 million in revenue. From Q2 2020 to Q3 2020, that number was $6.1 million. More recently, the company’s revenue added $7.6 million from Q3 2020 to Q4 2020, which accelerated to $8.8 million from the final quarter of 2020 to the first quarter of 2021. Of course, from an ever-larger base, the company’s growth rate may decline. But the super clean and obvious expanding sequential revenue gains at the company are solid.

The fact that it added so much top line in recent quarters also helps explain why Monday.com is going public now. Sure, the markets are still near record highs and the pandemic is fading, but just look at that consistent growth! It’s investor catnip.

Merge raises $4.5M to help B2B companies build customer-facing integrations

Merge, a startup that helps its users build customer-facing integrations with third-party tools, today announced that it has raised a $4.5 million seed round led by NEA. Additional angel investors include former MuleSoft CEO Greg Schott, Cloudflare CEO Matthew Prince, Expanse co-founders Tim Junio and Matt Kraning, and Jumpstart CEO Ben Herman.

Launched in 2020, the core focus of Merge is to give B2B companies a unified API to access data from what is currently about 40 HR, payroll, recruiting and accounting platforms, with plans to expand to additional areas soon. But Merge co-founders Shensi Ding and Gil Feig, who have been lifelong friends and previously worked at companies like Expanse and Jumpstart, stress that the service isn’t aiming to replace workflow tools like Workato or Zapier.

“What we built is more similar to Plaid than MuleSoft or other things,” Feig said. “We built a unified API, so we’re fully embedded in a customer’s product and they build one integration with us and can automatically offer all these integrations to their customers. On top of that, we offer what we call integrations management, which is a suite of tools to automatically detect issues where the customer would have to get involved — automatically detect that stuff and handle it without ever having to involve engineering again.”

When Merge’s systems detect issues with an integration, maybe because a data schema in an API response has changed without notice (which happens with some regularity), Merge’s engineers can fix that within minutes, in part because the teams also built an internal no-code tool for building and managing these integrations.

As Ding also noted, B2B buyers today also simply expect their tools to feature integrations with the service they use. “Companies, when they purchase a vendor, they expect that vendor to have integrations with all the other vendors that they own,” she said. “They don’t want to have to purchase a vendor and then purchase a workflow product and then connect those products.”

And while Merge’s focus right now is squarely on a few verticals, the plan is to expand this to far more areas shortly, likely starting with CRM. “Salesforce has a pretty large market share, so we thought that it wasn’t going to be as interesting of a market,” Ding said. “But it turns out that their API is so complex that customers would still prefer to integrate with us instead if we simplify it for them.”

Ding and Feig tell me the company, which came out of stealth about two months ago, already has about 100 organizations on its platform, varying from seed-stage companies to publicly listed enterprises. The team credits its focus on security and reliability (and its SOC II compliance) with being able to bring on some of these larger companies despite being a seed-stage company itself.

To monetize the service, Merge offers a free tier (up to 10,000 API requests per month) and charges $0.01 per API request for additional usage. Unsurprisingly, the company also offers customized enterprise plans for its larger customers.

“The time and expense associated with building and maintaining myriad API integrations is a pain point we hear about consistently from our portfolio companies across all industries,” said NEA managing general partner Scott Sandell, who will join the company’s board. “Merge is tackling this ubiquitous problem head-on via their easy-to-use, unified API platform. Their platform has broad applicability and is a massive upgrade for any software company that needs to build, manage, and maintain multiple API integrations.”

Try This One Weird Trick Russian Hackers Hate

In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick.

The Commonwealth of Independent States (CIS) more or less matches the exclusion list on an awful lot of malware coming out of Eastern Europe.

The Twitter thread came up in a discussion on the ransomware attack against Colonial Pipeline, which earlier this month shut down 5,500 miles of fuel pipe for nearly a week, causing fuel station supply shortages throughout the country and driving up prices. The FBI said the attack was the work of DarkSide, a new-ish ransomware-as-a-service offering that says it targets only large corporations.

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities.

In Russia, for example, authorities there generally will not initiate a cybercrime investigation against one of their own unless a company or individual within the country’s borders files an official complaint as a victim. Ensuring that no affiliates can produce victims in their own countries is the easiest way for these criminals to stay off the radar of domestic law enforcement agencies.

Possibly feeling the heat from being referenced in President Biden’s Executive Order on cybersecurity this past week, the DarkSide group sought to distance itself from their attack against Colonial Pipeline. In a message posted to its victim shaming blog, DarkSide tried to say it was “apolitical” and that it didn’t wish to participate in geopolitics.

“Our goal is to make money, and not creating problems for society,” the DarkSide criminals wrote last week. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

But here’s the thing: Digital extortion gangs like DarkSide take great care to make their entire platforms geopolitical, because their malware is engineered to work only in certain parts of the world.

DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that all currently have favorable relations with the Kremlin, including Azerbaijan, Belarus, Georgia, Romania, Turkmenistan, Ukraine and Uzbekistan. The full exclusion list in DarkSide (published by Cybereason) is below:

Image: Cybereason.

Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install.

[Side note. Many security experts have pointed to connections between the DarkSide and REvil (a.k.a. “Sodinokibi”) ransomware groups. REvil was previously known as GandCrab, and one of the many things GandCrab had in common with REvil was that both programs barred affiliates from infecting victims in Syria. As we can see from the chart above, Syria is also exempted from infections by DarkSide ransomware. And DarkSide itself proved their connection to REvil this past week when it announced it was closing up shop after its servers and bitcoin funds were seized.]

CAVEAT EMPTOR

Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. There is plenty of malware that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online.

But is there really a downside to taking this simple, free, prophylactic approach? None that I can see, other than perhaps a sinking feeling of capitulation. The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian.

If this happens (and the first time it does, the experience may be a bit jarring), hit the Windows key and the space bar at the same time; if you have more than one language installed, you will see the ability to quickly toggle from one to the other. The little box that pops up when one hits that keyboard combo looks like this:

Cybercriminals are notoriously responsive to defenses which cut into their profitability, so why wouldn’t the bad guys just change things up and start ignoring the language check? Well, they certainly can and maybe even will do that (a recent version of DarkSide analyzed by Mandiant did not perform the system language check).

But doing so increases the risk to their personal safety and fortunes by some non-trivial amount, said Allison Nixon, chief research officer at New York City-based cyber investigations firm Unit221B.

Nixon said because of Russia’s unique legal culture, criminal hackers in that country employ these checks to ensure they are only attacking victims outside of the country.

“This is for their legal protection,” Nixon said. “Installing a Cyrillic keyboard, or changing a specific registry entry to say ‘RU’, and so forth, might be enough to convince malware that you are Russian and off limits. This can technically be used as a ‘vaccine’ against Russian malware.”

Nixon said if enough people do this in large numbers, it may in the short term protect some people, but more importantly in the long term it forces Russian hackers to make a choice: Risk losing legal protections, or risk losing income.

“Essentially, Russian hackers will end up facing the same difficulty that defenders in the West must face — the fact that it is very difficult to tell the difference between a domestic machine and a foreign machine masquerading as a domestic one,” she said.

KrebsOnSecurity asked Nixon’s colleague at Unit221B — founder Lance James — what he thought about the efficacy of another anti-malware approach suggested by Twitter followers who chimed in on last week’s discussion: Adding entries to the Windows registry that specify the system is running as a virtual machine (VM). In a bid to stymie analysis by antivirus and security firms, some malware authors have traditionally configured their malware to quit installing if it detects it is running in a virtual environment.

But James said this prohibition is no longer quite so common, particularly since so many organizations have transitioned to virtual environments for everyday use.

“Being a virtual machine doesn’t stop malware like it used to,” James said. “In fact, a lot of the ransomware we’re seeing now is running on VMs.”

But James says he loves the idea of everyone adding a language from the CIS country list so much he’s produced his own clickable two-line Windows batch script that adds a Russian language reference in the specific Windows registry keys that are checked by malware. The script effectively allows one’s Windows PC to look like it has a Russian keyboard installed without actually downloading the added script libraries from Microsoft.

To install a different keyboard language on a Windows 10 computer the old-fashioned way, hit the Windows key and X at the same time, then select Settings, and then select “Time and Language.” Select Language, and then scroll down and you should see an option to install another character set. Pick one, and the language should be installed the next time you reboot. Again, if for some reason you need to toggle between languages, Windows+Spacebar is your friend.
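The same install-a-keyboard-language step, done from PowerShell instead of the Settings app, as an added example. This is not Lance James’ batch script and not code from the article: it uses only the documented `Get-WinUserLanguageList`/`Set-WinUserLanguageList` cmdlets and reads the `HKCU:\Keyboard Layout\Preload` key for reporting. Which registry keys a given malware family actually inspects is not stated on the page, so the status function is only a view of what an input-language check could see; the `ru-RU` tag and the `00000419` layout identifier are the standard Windows values for Russian.

```powershell
# Added example: check for, add, or remove a CIS input language on Windows 10/11.
# Assumes the built-in International module (Get-/Set-WinUserLanguageList).
# Adds an *input* language only; the display language (menus) is unchanged,
# so the "all my menus are in Russian" failure mode described above cannot occur
# unless you switch layouts yourself with Win+Space.

$TargetTag  = 'ru-RU'       # other CIS tags would be e.g. uk-UA, be-BY, kk-KZ
$TargetKlid = '00000419'    # keyboard layout identifier (KLID) for Russian

function Get-CisLanguageStatus {
    # Report what an installed-language check on this host would see.
    $langs = Get-WinUserLanguageList

    # HKCU\Keyboard Layout\Preload holds values named "1", "2", ... whose data
    # are KLIDs such as 00000409 (US English). Read-only here.
    $preload = Get-ItemProperty -Path 'HKCU:\Keyboard Layout\Preload' -ErrorAction SilentlyContinue
    $klids = @()
    if ($preload) {
        $klids = @($preload.PSObject.Properties |
                   Where-Object { $_.Name -match '^\d+$' } |
                   ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        InstalledLanguages = @($langs | ForEach-Object { $_.LanguageTag })
        PreloadedLayouts   = $klids
        HasTarget          = ($langs.LanguageTag -contains $TargetTag) -or
                             ($klids -contains $TargetKlid)
    }
}

function Add-CisLanguage {
    # Equivalent of Settings > Time & Language > Language > Add a language.
    param([string]$Tag = $TargetTag)

    $langs = Get-WinUserLanguageList
    if ($langs.LanguageTag -contains $Tag) {
        Write-Host "$Tag is already installed; nothing to do."
        return
    }
    $langs.Add($Tag)                                  # documented usage: Add("fr-FR")
    Set-WinUserLanguageList -LanguageList $langs -Force
    Write-Host "Added $Tag as an input language. Win+Space switches layouts."
}

function Remove-CisLanguage {
    # Undo Add-CisLanguage without touching any other installed language.
    param([string]$Tag = $TargetTag)

    $langs = Get-WinUserLanguageList
    $removed = $false
    for ($i = $langs.Count - 1; $i -ge 0; $i--) {
        if ($langs[$i].LanguageTag -eq $Tag) { $langs.RemoveAt($i); $removed = $true }
    }
    if ($removed) {
        Set-WinUserLanguageList -LanguageList $langs -Force
        Write-Host "Removed $Tag."
    } else {
        Write-Host "$Tag was not installed."
    }
}

# Default action is read-only: show the current state.
Get-CisLanguageStatus
# To apply the change from the same session:  Add-CisLanguage
# To revert:                                  Remove-CisLanguage
```

Run it in a normal (non-elevated) PowerShell session, since these cmdlets act on the current user’s language list. The status output is the useful part for defenders: it lets you confirm after the change (or after a reboot) that `HasTarget` is true, which is the condition the article’s “vaccine” depends on, without guessing which of the several Windows APIs a particular strain calls.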

The Good, the Bad and the Ugly in Cybersecurity – Week 20

The Good

They say every dark cloud has a silver lining, and it could just be that the DarkSide ransomware incident that caused Colonial Pipeline to shut down its network on Saturday may end up doing less harm and more good in the long run. That possibility is reinforced by two events that have occurred in the wake of the attack.

First, President Biden has announced an executive order to improve the nation’s cybersecurity in the wake of this and similar high profile cyber attacks on U.S. critical infrastructure. Among other things, that order instructs service providers to share cyber threat and incident information with government agencies, and requires all Federal agencies to deploy EDR solutions and to engage in threat hunting activities across all federal infrastructure. Biden’s order also aims to improve the security of the software supply chain in the wake of attacks like SolarWinds and Hafnium. The White House Fact Sheet provides a good summary of the details.

Meanwhile, on the other side of the fence, it seems the attack is having repercussions among criminal gangs now running scared of increased attention from authorities. Intelligence gathered by SentinelLabs suggests that some criminal forums are banning discussion of ransomware topics and that some ransomware operators are now forbidding their affiliates from attacking government and public sector industries in any country.

Has the DarkSide team scored an own goal for the bad guys? Let’s hope so, and that in the wake of this incident, we see improved cybersecurity across all organizations and fewer attacks on our critical infrastructure.

The Bad

This week’s bad news revolves around the disclosure of twelve vulnerabilities that can be found in some combination in nearly all Wi-Fi devices. Three of the flaws occur in the design of the IEEE 802.11 technical standard, while others are implementation flaws in particular devices. Combined, the vulnerabilities impact Wi-Fi protocols from WEP all the way up to WPA3.

Dubbed FragAttacks (Fragmentation and Aggregation attacks), the twelve flaws are a result of programming mistakes related to the way IEEE 802.11 fragments and aggregates frames, the data structure that encapsulates packets and is processed by the Data link layer.

The researcher, who in 2017 demonstrated KRACK attacks against WPA2 – also due to flaws in the Wi-Fi standard – says that the vulnerabilities could allow an attacker to inject arbitrary packets and “to trick a victim into using a malicious DNS server to then intercept most of the victim’s traffic”. The attack was successfully tested against devices running Linux, Windows 10, macOS 10.15.4 as well as mobile devices running Android 8.1 and iOS 13.4.1.

In practice, the three design flaws are difficult to abuse because they either require user interaction or certain uncommon network settings. Some of the remaining bugs, which stem from specific Wi-Fi vendors’ implementations, are easier to exploit and have been addressed by firmware updates. Users are encouraged to ensure all internet-capable devices (including IoT devices) are patched where possible. For those that cannot patch, see the mitigation advice here. The researcher has also released an open source tool with comprehensive instructions for those wishing to test Wi-Fi clients and access points for vulnerability to FragAttacks.

The Ugly

While news of the DarkSide ransomware attack has dominated the cyber headlines this week, the claim that a U.S. police department engaged in negotiations with a criminal gang and agreed, in principle, to pay that gang for its criminal activity seems to have largely flown under the radar.

Regular readers may recall that two weeks ago we reported on a Babuk ransomware attack on Washington DC’s Metropolitan Police Department. Since then, things have gone from bad to worse. It has been claimed that the police department’s attempt to hand the criminals a handsome reward was rejected for being too paltry. As a result, the ransomware operators leaked personal files of officers with threats of more to come if the offer is not improved.

Alleged negotiations between the police and the criminals reached a dead end after the gang – who claim to have 250GB of stolen data pertaining to investigations, arrests, informants, job applications and more – demanded $4 million in ransom. Screenshots provided by the ransomware operators purportedly show their interactions with the police negotiators, who apparently stated that:

“Our final proposal is an offer to pay $100,000 to prevent the release of the stolen data. If this offer is not acceptable, then it seems our conversation is complete. I think we both understand the consequences of not reaching an agreement. We are OK with that outcome”.


Subsequently, the police were given 24 hours after which the criminals threatened “if they do not raise the prices, we will release all the data”.

It appears that no one in this unfortunate story comes out looking good, whatever happens next. While there’s no doubt about the criminal activity of the ransomware operators, there is something seriously worrying about a police department agreeing to pay criminals a ransom and reward them for their illegal behavior, assuming the communications above are genuine.

Meanwhile, officers who have had their PII leaked – not to mention members of the public who may be discussed in the stolen police files – are all victims who could be at risk of further crimes as a result.

Let’s hope that, like the Federal government, police departments start taking cybersecurity more seriously in the wake of this sorry affair. Preventing ransomware attacks shouldn’t be beyond the capabilities of any organization, let alone the nation’s police forces.


Cisco strikes again grabbing threat assessment tool Kenna Security as third acquisition this week

Cisco has been busy on the acquisition front this week, and today the company announced it was buying threat assessment platform Kenna Security, the third company it has purchased this week. The two companies did not disclose the purchase price.

With Kenna, Cisco gets a startup that uses machine learning to sort through the massive pile of threat data that comes into a security system on a daily basis and prioritizes the threats most likely to do the most damage. That could be a very useful tool these days when threats abound and it’s not always easy to know where to put your limited security resources. Cisco plans to take that technology and integrate it into its SecureX platform.

Gee Rittenhouse, senior vice president and general manager of Cisco’s Security Business Group, wrote in a blog post announcing the deal with Kenna that his company is getting a product that brings together Cisco’s existing threat management capabilities with Kenna’s risk-based vulnerability management skills.

“That is why we are pleased to announce our intent to acquire Kenna Security, Inc., a recognized leader in risk-based vulnerability prioritization with over 14 million assets protected and over 12.7 billion managed vulnerabilities. Using data science and real-world threat intelligence, it has a proven ability to bring data in from a multi-vendor environment and provide a comprehensive view of IT vulnerability risk,” Rittenhouse wrote in the blog post.

The security sphere has been complex for a long time, but with employees moving to work from home because of COVID, that complexity became even more pronounced in the last year. In a world where the threat landscape changes quickly, having a tool in its arsenal that prioritizes what to look at first could be very useful.

Kenna Security CEO Karim Toubba gave a typical executive argument for being acquired: it gives him a much bigger market under Cisco than his company could have built alone.

“Now is our opportunity to change the industry: once the acquisition is complete, we will be one step closer to delivering Kenna’s pioneering Risk-Based Vulnerability Management (RBVM) platform to the more than 7,000 customers using Cisco SecureX today. This single action exponentially increases the impact Kenna’s technology will have on the way the world secures networks, endpoints and infrastructures,” he wrote in the company blog.

The company, which launched in 2010, claims to be the pioneer in the RBVM space. It raised over $98 million on a $320 million post-money valuation, according to PitchBook data. Customers include HSBC, Royal Bank of Canada, Mattel and Quest Diagnostics.

For those customers, the product will cease to be standalone at some point as the companies work together to integrate Kenna technology into the SecureX platform. When that is complete, the standalone customers will have to purchase the Cisco solution to continue using the Kenna tech.

Cisco has had a busy week on the acquisition front. It announced its intent to acquire Sedona Systems on Tuesday, Socio Labs on Wednesday and this announcement today. That’s a lot of activity for any company in a single week. The deal is expected to close in Cisco Q4 FY 2021. Kenna’s 170 employees will be joining the Security Business Group led by Rittenhouse.