167: Threatlocker - Darknet Diaries Recap
Podcast: Darknet Diaries
Published: 2025-12-23
Duration: 49 minutes
Guests: Hunter Clark, Danny Jenkins
Summary
The episode explores how ThreatLocker uses a 'deny by default' approach to prevent ransomware attacks, illustrating its effectiveness in both a manufacturing company and a hospital setting.
What Happened
The episode begins with the story of a manufacturing company that suffered a ransomware attack five years ago by the Conti group, encrypting 250 servers and 350 endpoints within just 15 minutes. The company's head of IT operations drove six hours back to address the situation and worked 27 consecutive days to resolve the issue. Initially lacking a protocol for ransomware, the company decided on a full infrastructure rebuild over a hasty recovery, which took three weeks. They implemented ThreatLocker, a tool recommended by a supplier, designed to block unauthorized applications and prevent such incidents in the future.
Hunter Clark, a cybersecurity engineer at ARC Technology Consultants, shares a similar incident at a hospital where ThreatLocker successfully blocked a ransomware attack. The hospital's network was initially compromised through credentials bought on the dark web, but ThreatLocker stopped the ransomware in its tracks. Unfortunately, the attacker moved to another connected hospital without ThreatLocker protection, leading to a ransom payment. This incident highlights the importance of comprehensive network security.
Danny Jenkins, CEO and co-founder of ThreatLocker, explains his motivation for starting the company, rooted in his experience with frequent ransomware recoveries. He emphasizes the 'deny by default' security model, which involves allowing only pre-approved applications to run, thus drastically reducing vulnerabilities. This zero trust approach changes the paradigm from 'default allow' to 'default deny,' offering a robust defense against known and unknown threats.
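To make the 'default allow' versus 'default deny' contrast concrete, here is an added example in Python, written for this recap and not code from ThreatLocker or the podcast. It models a process-launch event as a path plus file bytes and evaluates it under three policies: a blocklist (default allow), an allowlist keyed on path, and an allowlist keyed on content hash. The sample binaries, paths and "malware" bytes are constructed placeholders; the point is that a never-seen payload, even one dropped over an approved file, is only stopped by the hash-keyed default-deny policy.

```python
# Added example: toy application-control policies, not ThreatLocker's code.
# All binaries, paths and hashes below are constructed for illustration.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ExecRequest:
    """A process-launch event: where the binary sits and what its bytes are."""
    path: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries the organisation has reviewed and approved.
APPROVED = {
    r"C:\Program Files\Acme\erp.exe": b"acme erp client build 4.2 (constructed)",
    r"C:\Windows\System32\notepad.exe": b"notepad build 10 (constructed)",
}
ALLOW_PATHS = set(APPROVED)
# Keying the allowlist by content hash means a swapped file at a trusted path
# does not inherit that path's approval.
ALLOW_HASHES = {sha256_hex(b) for b in APPROVED.values()}

# The only thing a default-allow product can deny: samples it has already seen.
KNOWN_BAD_HASHES = {sha256_hex(b"previously catalogued ransomware (constructed)")}

NOVEL_PAYLOAD = b"never-before-seen ransomware payload (constructed)"

# Constructed launch events, labelled for the comparison table.
SAMPLE_EVENTS: Dict[str, ExecRequest] = {
    "approved_erp": ExecRequest(r"C:\Program Files\Acme\erp.exe",
                                APPROVED[r"C:\Program Files\Acme\erp.exe"]),
    "catalogued_malware": ExecRequest(r"C:\Users\jo\Downloads\invoice.exe",
                                      b"previously catalogued ransomware (constructed)"),
    "novel_dropper": ExecRequest(r"C:\Users\jo\AppData\Local\Temp\update.exe",
                                 NOVEL_PAYLOAD),
    # Approved path, replaced contents: the case a path-only allowlist misses.
    "swapped_erp": ExecRequest(r"C:\Program Files\Acme\erp.exe", NOVEL_PAYLOAD),
}


def default_allow(req: ExecRequest) -> str:
    """Legacy model: run anything that is not on a known-bad list."""
    return "deny" if sha256_hex(req.content) in KNOWN_BAD_HASHES else "allow"


def default_deny_by_path(req: ExecRequest) -> str:
    """Allowlist on path only: simple, but defeated by overwriting an approved file."""
    return "allow" if req.path in ALLOW_PATHS else "deny"


def default_deny_by_hash(req: ExecRequest) -> str:
    """Allowlist on content hash: an unknown binary is denied wherever it sits."""
    return "allow" if sha256_hex(req.content) in ALLOW_HASHES else "deny"


Policy = Callable[[ExecRequest], str]


def evaluate(policy: Policy, events: Dict[str, ExecRequest]) -> Dict[str, str]:
    """Run one policy over every labelled event; returns label -> decision."""
    return {label: policy(req) for label, req in events.items()}


def denial_log(policy: Policy, events: Dict[str, ExecRequest]) -> List[str]:
    """Denied launches are the warning signs an operator should be reviewing."""
    return [f"DENY {label} path={req.path} sha256={sha256_hex(req.content)[:12]}"
            for label, req in events.items() if policy(req) == "deny"]


if __name__ == "__main__":
    for policy in (default_allow, default_deny_by_path, default_deny_by_hash):
        print(policy.__name__, evaluate(policy, SAMPLE_EVENTS))
    for line in denial_log(default_deny_by_hash, SAMPLE_EVENTS):
        print(line)
```

Running the block prints one decision map per policy: the blocklist lets both the novel dropper and the swapped ERP binary run, the path-keyed allowlist still lets the swapped binary run, and only the hash-keyed allowlist denies everything that was not explicitly approved. The denial log is the operational half of the model: a default-deny product generates denials constantly, and the warning signs Jenkins refers to live in that stream, so someone has to read it.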
The episode also details ThreatLocker's growth, from its initial development by Jenkins and a small team to its deployment in a school plagued by daily malware issues. The school experienced a dramatic reduction in IT management time, demonstrating ThreatLocker's efficacy in real-world environments.
A significant part of ThreatLocker's mission is educating the public about security, as evidenced by its participation in over a thousand trade shows annually. Jenkins notes that although roughly 70,000 companies have adopted ThreatLocker, none has suffered a ransomware incident except where clear warning signs were ignored.
ThreatLocker is actively hiring, with Jenkins warning potential employees about the challenging yet rewarding nature of the work. He asserts that the zero trust model is crucial for modern cybersecurity, particularly in preventing ransomware, which he describes as the most successful business model for cybercriminals.
Key Insights
- A manufacturing company experienced a ransomware attack by the Conti group, which encrypted 250 servers and 350 endpoints in just 15 minutes, leading to a full infrastructure rebuild over three weeks.
- ThreatLocker employs a 'deny by default' security model, which only allows pre-approved applications to run, significantly reducing vulnerabilities and offering a robust defense against both known and unknown threats.
- Despite its adoption by approximately 70,000 companies, ThreatLocker users have not experienced ransomware incidents unless clear warning signs were ignored, indicating its effectiveness in preventing attacks.
- ThreatLocker participates in over a thousand trade shows annually to educate the public on cybersecurity, reflecting its commitment to raising awareness and promoting the zero trust security model.