Speaker:Today on the backup wrap-up, we're
Speaker:starting a new series on ransomware.
Speaker:Today's episode starts at the beginning by defining the scourge.
Speaker:What is it?
Speaker:What isn't it?
Speaker:Uh, and why it's become such a massive threat to businesses and individuals.
Speaker:We'll talk about the evolution of ransomware attacks from
Speaker:simple data encryption to sophisticated extortion schemes.
Speaker:And discuss the critical importance of prevention and recovery strategies.
Speaker:In the coming weeks, you'll see many more episodes on this topic.
Speaker:As we focus, especially on how to prepare yourself, to be able to respond
Speaker:and recover from a ransomware attack.
Speaker:By the way, if you have no idea who I am, I'm W. Curtis Preston, AKA Mr. Backup.
Speaker:And I've been passionate about backup and recovery for over 30 years.
Speaker:Ever since I had to tell my boss that there were no backups of Paris.
Speaker:I don't want that to happen to you.
Speaker:And that's why I do this.
Speaker:On this podcast, we turn unappreciated backup admins into cyber recovery heroes.
Speaker:This is the backup wrap-up.
W. Curtis Preston: Welcome to the backup wrap-up.
Speaker:I'm your host, W. Curtis Preston, AKA Mr.
Speaker:Backup, and I have with me the person who's helping me to celebrate
Speaker:my financial freedom from the IRS.
Speaker:How's it going?
Speaker:Prasanna.
Prasanna Malaiyandi:I am doing well, Curtis.
Prasanna Malaiyandi:Yeah, congratulations.
Prasanna Malaiyandi:How does it feel to get, what would you call it, uh, the 10
Prasanna Malaiyandi:ton elephant off your back?
Prasanna Malaiyandi:Is that the
W. Curtis Preston: Yeah.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:So for those that don't know, like through various things that weren't malfeasance
Prasanna Malaiyandi:on my part I have owed the IRS money.
Prasanna Malaiyandi:For the better part of 10 years, two different totally unrelated
Prasanna Malaiyandi:events I ended up owing them money and I've been paying them, uh, slowly
Prasanna Malaiyandi:and surely for somewhere in the neighborhood of the last 10 years.
Prasanna Malaiyandi:And literally May 1st, I
Prasanna Malaiyandi:made the last payment.
Prasanna Malaiyandi:And so for the first time in my fifties, I don't, I don't owe the IRS any money.
Prasanna Malaiyandi:Um,
Prasanna Malaiyandi:be in your fifties than your eighties,
W. Curtis Preston: Yeah, that is true.
Prasanna Malaiyandi:That is true.
Prasanna Malaiyandi:That is true.
Prasanna Malaiyandi:I don't recommend owing the IRS money.
Prasanna Malaiyandi:They get theirs for sure.
Prasanna Malaiyandi:Yeah.
W. Curtis Preston: Anyway, um, so I wanted for, we've, we've finished
Prasanna Malaiyandi:our series on cloud disasters and we had the one episode on
Prasanna Malaiyandi:the, a cloud non-disaster.
Prasanna Malaiyandi:It was a cloud disaster that had a good, happy ending.
Prasanna Malaiyandi:Um, and I wanted us to get back to something else that has been very
Prasanna Malaiyandi:popular with our listeners, which is this, the concept of ransomware.
Prasanna Malaiyandi:If you are, um,
Prasanna Malaiyandi:you know, a new listener to the podcast,
Prasanna Malaiyandi:We have covered ransomware in various ways over the years, and you're going to,
Prasanna Malaiyandi:uh, this episode will actually follow up.
Prasanna Malaiyandi:I'm going to be, if you're listening to this now, the previous few episodes will
Prasanna Malaiyandi:actually be reruns, if you want to call them, of, of, of really good episodes
Prasanna Malaiyandi:where we had guests on that really know.
Prasanna Malaiyandi:This, uh, issue of, of, of ransomware and recovering from ransomware.
Prasanna Malaiyandi:And so I wanted to, um,
Prasanna Malaiyandi:Do you
W. Curtis Preston: we're gonna follow up.
Prasanna Malaiyandi:What's that?
Prasanna Malaiyandi:Are you gonna put Tony's episode out?
W. Curtis Preston: Uh, oh, you know what?
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Uh, yeah.
Prasanna Malaiyandi:Now that I realize who you're talking about, yes.
Prasanna Malaiyandi:I will definitely put Tony.
Prasanna Malaiyandi:So, uh, you know, that was probably the most popular episode that
Prasanna Malaiyandi:we had of that timeframe, which was, uh, our friend Tony over at, uh,
Prasanna Malaiyandi:Spectra Logic and them talking about
Prasanna Malaiyandi:how they actually recovered from a ransomware attack.
Prasanna Malaiyandi:And, um, and we'll, we'll have some stuff coming up where we're
Prasanna Malaiyandi:gonna be talking about ransomware and different things about how to
Prasanna Malaiyandi:protect from it and how to, uh, more importantly, how to, I don't know.
Prasanna Malaiyandi:More importantly, it's just.
Prasanna Malaiyandi:So many people talk about how to protect from it.
Prasanna Malaiyandi:They don't talk enough about how to respond to it and how to recover from it.
Prasanna Malaiyandi:And that's where, uh, you know, our specialty lies.
Prasanna Malaiyandi:But I Go ahead.
Prasanna Malaiyandi:You know what I just read in the paper, or not
Prasanna Malaiyandi:the paper, what I read online today.
Prasanna Malaiyandi:So insurance companies are now trying to not have companies pay the ransom
Prasanna Malaiyandi:and just sort of keep this self-propagating, uh, issue
Prasanna Malaiyandi:keep going.
Prasanna Malaiyandi:And so they're actually working to not, or to tell their
Prasanna Malaiyandi:clients, don't pay the ransom,
W. Curtis Preston: Yeah, which is something we've always advised, right?
Prasanna Malaiyandi:We can't make that decision on behalf of those, uh, people.
Prasanna Malaiyandi:But obviously it's not a good thing to pay the ransom, right?
Prasanna Malaiyandi:In some places it may be illegal to pay the ransom.
Prasanna Malaiyandi:In other places and well, and in all places.
Prasanna Malaiyandi:I think it emboldens the behavior.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And you're
Prasanna Malaiyandi:I liken it to my dog where it's like, if you want
Prasanna Malaiyandi:him to do something, you give him a treat and then he keeps doing it
Prasanna Malaiyandi:because he keeps expecting the treat and he knows he'll get a treat.
W. Curtis Preston: Exactly, uh, yeah, there's a lot of
Prasanna Malaiyandi:reasons not to pay the ransom.
Prasanna Malaiyandi:So let's, let's just start with, I,
Prasanna Malaiyandi:just talking about what ransomware is and, just as importantly, what ransomware isn't.
Prasanna Malaiyandi:So ransomware, um, and, and I'm gonna start with saying
Prasanna Malaiyandi:that it's, it's a bad term.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:The, the term ransomware suggests that it's software.
Prasanna Malaiyandi:It, it suggests that it is a piece of software that you accidentally
Prasanna Malaiyandi:get and boom, you have ransomware.
Prasanna Malaiyandi:And that's actually what I thought in my early days of, of working with ransomware.
Prasanna Malaiyandi:If you click the wrong link And then all of a sudden it
Prasanna Malaiyandi:encrypts
Prasanna Malaiyandi:everything.
Prasanna Malaiyandi:yeah,
W. Curtis Preston: And, and that isn't really what it is, or at least not from
Prasanna Malaiyandi:what I can tell, uh, most of the time.
Prasanna Malaiyandi:But let's just define this concept of ransomware, and it comes from the
Prasanna Malaiyandi:term ransom, which, where outside of the world of, of IT, where, where
Prasanna Malaiyandi:would we see the word ransom used?
Prasanna Malaiyandi:Hostage negotiations,
W. Curtis Preston: Exactly right.
Prasanna Malaiyandi:kidnapping.
W. Curtis Preston: Kid.
Prasanna Malaiyandi:Yeah, I've taken your kid.
Prasanna Malaiyandi:And you can have them back for $1 billion.
Prasanna Malaiyandi:the most famous kidnapping of all time that I know of was
Prasanna Malaiyandi:the Getty kidnapping, right.
Prasanna Malaiyandi:So I believe it was, uh, John Paul Getty at the time that he
Prasanna Malaiyandi:was the richest man in the world.
Prasanna Malaiyandi:They kidnapped his, um, like grandson and, uh, they demanded probably a
Prasanna Malaiyandi:million dollars or something like that.
Prasanna Malaiyandi:He told them to go pound sand, and then they sent him, uh, his grandchild's ear
Prasanna Malaiyandi:and uh, and he said, fine, you know, I'll, I'll, I'll pay the ransom he got, and
Prasanna Malaiyandi:he got the, he got his grandchild back.
Prasanna Malaiyandi:Interestingly enough, I sat next to.
Prasanna Malaiyandi:I was gonna say,
W. Curtis Preston: Yeah, I sat next to the grandson of that grandson on a plane once.
Prasanna Malaiyandi:His name's Balthazar Getty, also, uh, an actor.
Prasanna Malaiyandi:Um, and, uh, I just randomly asked him if he was related to the Getty
Prasanna Malaiyandi:family, and he's like, well, you know, the, you know, the guy with
Prasanna Malaiyandi:the ear that's my grandfather.
Prasanna Malaiyandi:It's like, wow, that is definitely a connection.
Prasanna Malaiyandi:Um, yeah, so that's what a ransom is, right?
Prasanna Malaiyandi:Is is give me, you know, I've got something of yours.
Prasanna Malaiyandi:And you can have it back if you give me the ransom.
Prasanna Malaiyandi:And you, you've watched TV.
Prasanna Malaiyandi:You've watched
Prasanna Malaiyandi:movies,
Prasanna Malaiyandi:watch TV.
W. Curtis Preston: Well, you have watched movies.
Prasanna Malaiyandi:You, you definitely watched YouTube more.
Prasanna Malaiyandi:What is the general thinking regarding paying the ransom in such movies?
Prasanna Malaiyandi:The FBI comes in and everyone else, and they're like, don't pay
Prasanna Malaiyandi:the ransom 'cause you're not gonna see it.
Prasanna Malaiyandi:And it's just gonna, they're just gonna go and do something else again.
W. Curtis Preston: Exactly.
Prasanna Malaiyandi:Exactly.
Prasanna Malaiyandi:And, and they often do things like demand proof of life.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:Um,
Prasanna Malaiyandi:Hold up the newspaper with today's date.
W. Curtis Preston: Exactly right.
Prasanna Malaiyandi:I want to talk to my kid.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:I want to verify.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And all of this has, uh, they, they have parallels in the, the
Prasanna Malaiyandi:world of the ransomware, right?
Prasanna Malaiyandi:Yeah.
W. Curtis Preston: So really, it, this is where the term comes from, is that
Prasanna Malaiyandi:we're holding your data for ransom.
Prasanna Malaiyandi:And the, the classic way that that manifested itself was what?
Prasanna Malaiyandi:They basically would encrypt your data and say, Hey, if you
Prasanna Malaiyandi:want your data back, then pay us the money and we will give you the encryption key
Prasanna Malaiyandi:so then you can go unencrypt your data and everything will be back to normal.
W. Curtis Preston: Yeah, it's interesting.
Prasanna Malaiyandi:They, they don't steal it, like in the, in the old, in, in the way of the, you
Prasanna Malaiyandi:know, the, um, uh, of stealing your, your child to, to demand a ransom.
Prasanna Malaiyandi:They
Prasanna Malaiyandi:steal it right away from you, like right in front of you.
Prasanna Malaiyandi:It's like, here's your data, but you can't use it.
Prasanna Malaiyandi:You can't
Prasanna Malaiyandi:have it.
Prasanna Malaiyandi:but I think it's also one of those things where it's probably
Prasanna Malaiyandi:faster and easier for them, right?
Prasanna Malaiyandi:And maybe it's also less detectable, right?
Prasanna Malaiyandi:Because all of a sudden if you're like, Hey, why is my, why am I
Prasanna Malaiyandi:uploading like 10 terabytes today?
W. Curtis Preston: Exactly.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:It, it's super easy and super fast to, to encrypt the data just
Prasanna Malaiyandi:enough that it's not useful to you.
Prasanna Malaiyandi:And so they're saying, we'll give you the keys, um, you know,
Prasanna Malaiyandi:and you can have your data back.
Prasanna Malaiyandi:That is a traditional ransomware attack.
Prasanna Malaiyandi:What was that?
Prasanna Malaiyandi:Hopefully we will
Prasanna Malaiyandi:give you the keys and you can recover your data.
W. Curtis Preston: Right, right.
Prasanna Malaiyandi:And the idea was that, that, that paying the ransom, you know, historically paying
Prasanna Malaiyandi:the ransom was only a good idea if you had no backup of your data or if your backup.
Prasanna Malaiyandi:Was such that it was going to take you so long in order to restore.
Prasanna Malaiyandi:I, when I think back to one of the most famous ransomware attacks in
Prasanna Malaiyandi:the last few years was the Colonial pipeline attack, and that one, as I
Prasanna Malaiyandi:understand it, was that they had a,
Prasanna Malaiyandi:a backup, right?
Prasanna Malaiyandi:But they didn't think they could get the backup recovered fast enough.
Prasanna Malaiyandi:And so they decided to pay the ransom.
Prasanna Malaiyandi:And, um, and, and so they did both, they did recovery and they paid the ransom,
Prasanna Malaiyandi:and, which just seems fundamentally wrong, but historically, that was the
Prasanna Malaiyandi:only reason that you would pay the ransom is if you had no backup or a backup.
Prasanna Malaiyandi:That was not good enough because.
Prasanna Malaiyandi:Unencrypting the data, or decrypting the data, was, the idea
Prasanna Malaiyandi:was that decrypting the data was faster than restoring it, right?
Prasanna Malaiyandi:Yep, yep.
Prasanna Malaiyandi:And that was worthwhile until sort of the
Prasanna Malaiyandi:ransomware actors, they had poor code quality, right?
Prasanna Malaiyandi:And so you're putting faith that you are going to pay the ransom
Prasanna Malaiyandi:and you're going to, going back to our classic example, right?
Prasanna Malaiyandi:You're gonna get back your kid,
W. Curtis Preston: Right.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Except sometimes these ransomware actors,
Prasanna Malaiyandi:they would write sort of bad code.
Prasanna Malaiyandi:And when they gave you back the key, like how they actually did the encryption
W. Curtis Preston: Right.
Prasanna Malaiyandi:very sound.
Prasanna Malaiyandi:And so yeah, it would.
Prasanna Malaiyandi:Decrypt maybe some of the data, but it wasn't still usable.
Prasanna Malaiyandi:So that's like paying the ransom and they give back your kid's finger.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:Or
W. Curtis Preston: Yeah,
Prasanna Malaiyandi:right.
Prasanna Malaiyandi:Or
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:Or Or they give like a doll of your kid back.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:Or whatever it is.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:But it's not what you originally had transacted for.
W. Curtis Preston: Here's some videos of your, while we, while we had kidnapped.
Prasanna Malaiyandi:You have to think about these organizations as very
Prasanna Malaiyandi:sophisticated businesses.
Prasanna Malaiyandi:This is not a script kiddie.
Prasanna Malaiyandi:This is not a random piece of software that you download off the internet.
Prasanna Malaiyandi:This is an organization that is trying to make money for other reasons, right?
Prasanna Malaiyandi:They're, they want to do things.
Prasanna Malaiyandi:Sometimes they're state actors, sometimes they're, they're just criminals that are
Prasanna Malaiyandi:just trying to make a lot of money and.
Prasanna Malaiyandi:You need to think about what are they going to focus on
Prasanna Malaiyandi:in terms of software quality?
Prasanna Malaiyandi:The thing they're gonna focus on is making sure that the data gets
Prasanna Malaiyandi:encrypted and making sure that you can't decrypt it without their help.
Prasanna Malaiyandi:They're not necessarily that focused on that second half,
Prasanna Malaiyandi:which is the the decryption part.
Prasanna Malaiyandi:You could make some argument that maybe they want it to work because
Prasanna Malaiyandi:they want to have a reputation as.
Prasanna Malaiyandi:An organization that does get the data back if you actually pay
Prasanna Malaiyandi:the ransom, but the, you know,
Prasanna Malaiyandi:yeah, or the other thing is it may not be very fast, right?
Prasanna Malaiyandi:So
Prasanna Malaiyandi:you might get all your data back, but it might take you a month
W. Curtis Preston: Exactly.
Prasanna Malaiyandi:Exactly.
Prasanna Malaiyandi:Um, so go ahead.
Prasanna Malaiyandi:I know you talked about, uh, these organizations, right?
Prasanna Malaiyandi:By which you mean the ransomware actors.
Prasanna Malaiyandi:Who are kind of well organized.
Prasanna Malaiyandi:I think the other thing to also mention is it's no longer just a
Prasanna Malaiyandi:single organization necessarily, right?
Prasanna Malaiyandi:You have ransomware as a service where you have these people who have all these
Prasanna Malaiyandi:tools and capabilities and they provided as a service just like you might use AWS
Prasanna Malaiyandi:as a service to host your application.
Prasanna Malaiyandi:They provide all the infrastructure tooling for all these other
Prasanna Malaiyandi:organizations to now start.
Prasanna Malaiyandi:Um.
Prasanna Malaiyandi:Attacking other companies and also encrypting their data.
W. Curtis Preston: Right.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:And, and actually I want to get into that in, in a little bit,
Prasanna Malaiyandi:um, what I want to, and that, that everything you said is, is correct.
Prasanna Malaiyandi:Um, let's talk a little bit about what ransomware is not.
Prasanna Malaiyandi:What is ransomware not, Curtis?
W. Curtis Preston: So it, well, it's not just a piece of software that downloads
Prasanna Malaiyandi:and, you know, magic happens, right?
Prasanna Malaiyandi:Um, the, the, the process of getting infected with ransomware is actually
Prasanna Malaiyandi:a very manual process with many steps.
Prasanna Malaiyandi:And, uh, and, and they are steps that are being manually driven by a human
Prasanna Malaiyandi:being somewhere else in the world.
Prasanna Malaiyandi:And.
Prasanna Malaiyandi:The, the idea is that there is that initial access.
Prasanna Malaiyandi:There is, uh, that, that, you know, that basically the, the initial breach, which
Prasanna Malaiyandi:could be via a number of mechanisms.
Prasanna Malaiyandi:It could be, uh, old school phishing.
Prasanna Malaiyandi:It could be something that you download.
Prasanna Malaiyandi:Uh, it, it quite possibly will be something that you download, that
Prasanna Malaiyandi:you get via email, an attachment that you open that you shouldn't have.
Prasanna Malaiyandi:What was the, what was the thing you said?
Prasanna Malaiyandi:Yeah, it could be a zero day exploit, right?
Prasanna Malaiyandi:There are myriad ways that you can basically find yourself with a
Prasanna Malaiyandi:portal to, to the bad guys, right?
Prasanna Malaiyandi:So that, that's the first thing that has to happen, is someone has to gain
Prasanna Malaiyandi:remote access, usually with escalated privileges, but not necessarily so.
Prasanna Malaiyandi:They might just have a, you know, they might have simply
Prasanna Malaiyandi:leveraged stolen credentials.
Prasanna Malaiyandi:That's another thing.
Prasanna Malaiyandi:They, they leveraged stolen credentials and then you didn't
Prasanna Malaiyandi:have MFA on, you might have had a, a server that's got RDP enabled
Prasanna Malaiyandi:and it's, uh, open to the internet.
Prasanna Malaiyandi:Oh my Lord.
Prasanna Malaiyandi:RDP, the ransomware deployment protocol,
Prasanna Malaiyandi:or you just have insecure systems that are internet facing,
Prasanna Malaiyandi:right?
Prasanna Malaiyandi:How many people have like VMware ESXi, and then they automatically have it
Prasanna Malaiyandi:available on the internet and boom.
W. Curtis Preston: Exactly.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:So there, like I said, there, there are myriad ways that you,
Prasanna Malaiyandi:that a bad actor can be given.
Prasanna Malaiyandi:Initial access to one or more, uh, systems.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And there are, and this was, uh, basically you, you referenced this
Prasanna Malaiyandi:earlier, is that there are companies, and again, the correct
Prasanna Malaiyandi:thing is to call them companies, right?
Prasanna Malaiyandi:There are companies who, this is what they do.
Prasanna Malaiyandi:They call them initial access brokers.
Prasanna Malaiyandi:This is all they do.
Prasanna Malaiyandi:They just get a foothold into an organization and then they say, Hey,
Prasanna Malaiyandi:I've got a foothold into a, b, c company.
Prasanna Malaiyandi:Who wants that?
Prasanna Malaiyandi:And then they bid that on the, you know, on the dark web.
Prasanna Malaiyandi:It's just kind of scary when you think about it, right?
Prasanna Malaiyandi:Because it is a specialized role, right?
Prasanna Malaiyandi:That is all they do day in and day out is they try to figure out, how do
Prasanna Malaiyandi:I gain that initial foothold with all these various mechanisms that you talked
Prasanna Malaiyandi:about, Curtis, and then take that and now pass it on to the next person, right?
Prasanna Malaiyandi:And it's their job to now figure out, okay, now what can I do next?
W. Curtis Preston: Yeah, it's a very specialized world, right?
Prasanna Malaiyandi:Um, because there's sort of three phases.
Prasanna Malaiyandi:There's that initial access, there's a second phase, which is discovery and uh,
Prasanna Malaiyandi:and crawling around trying to do lateral movement, trying to expand the footprint.
Prasanna Malaiyandi:And, um, and, and then that third phase, which is the actual, we're going
Prasanna Malaiyandi:to go and encrypt everything, right?
Prasanna Malaiyandi:The go ahead.
Prasanna Malaiyandi:And that second phase, right?
Prasanna Malaiyandi:Just to touch on it, right?
Prasanna Malaiyandi:Moving laterally and trying to figure out other things, right?
Prasanna Malaiyandi:They're trying to do all of this while staying undetected, right?
Prasanna Malaiyandi:Because the last thing you wanna do is give up that access that you paid for from
Prasanna Malaiyandi:initial access broker, right?
Prasanna Malaiyandi:And so you wanna make sure you stay under the radar of the security team
Prasanna Malaiyandi:or whoever else is out there trying to prevent what you're trying to do.
W. Curtis Preston: Which is why one of the ways they do well, I would say the
Prasanna Malaiyandi:way that they do that next phase is they use the same tools that you use, right?
Prasanna Malaiyandi:They're downloading cybersecurity tools that are designed to defend,
Prasanna Malaiyandi:but they use them to attack.
Prasanna Malaiyandi:Cobalt Strike is a common one.
W. Curtis Preston: Yeah.
Prasanna Malaiyandi:Cobalt Strike is definitely one of the, uh, most common ones.
Prasanna Malaiyandi:And, uh, there are a number of other tools that they download that, that don't
Prasanna Malaiyandi:initially set off alarms because they're not, it's not like, Hey, hacker tool dot
Prasanna Malaiyandi:exe, it's a tool that you would install.
Prasanna Malaiyandi:And so they, they install these tools and then they go and they,
Prasanna Malaiyandi:they crawl around your organization.
Prasanna Malaiyandi:And it can be very difficult to detect that once they have gained that foothold
Prasanna Malaiyandi:and once they're using the same tools that you might be using to poke around.
Prasanna Malaiyandi:And again, I, I'll go back to that initial access.
Prasanna Malaiyandi:This is why MFA is so important.
Prasanna Malaiyandi:Uh, they could, there are a number of ways that they could get in, but MFA would be
Prasanna Malaiyandi:one of the ways that you would then stop.
Prasanna Malaiyandi:By the way, it, it does appear that the most common way that they get
Prasanna Malaiyandi:in is actually stolen credentials.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And um, which is just really sad.
Prasanna Malaiyandi:Um, but, but it is what it is. Right.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Um, and, and so I, I just, this is the thing.
Prasanna Malaiyandi:This is where the, what ransomware is not.
Prasanna Malaiyandi:I just want people to understand that ransomware is not just one
Prasanna Malaiyandi:piece of software that you happen to accidentally download and then
Prasanna Malaiyandi:it affects your entire data center.
Prasanna Malaiyandi:That is absolutely what I, what I, what I used to think it was.
Prasanna Malaiyandi:Uh, it is a very sophisticated series of actions that are taken in series
Prasanna Malaiyandi:different, there may be as many as a dozen pieces of software that are
Prasanna Malaiyandi:installed to affect the ultimate goal that the, the bad actor wants, uh,
Prasanna Malaiyandi:which of course is demanding the ransom.
Prasanna Malaiyandi:I do wonder though.
Prasanna Malaiyandi:Yeah, I do.
Prasanna Malaiyandi:I agree with that.
Prasanna Malaiyandi:Curtis, I also wonder though, if we should really think about sort of two segments
Prasanna Malaiyandi:to, uh, victim segments, if you will.
Prasanna Malaiyandi:One is the enterprise, which I think a hundred percent everything you said makes
Prasanna Malaiyandi:sense.
Prasanna Malaiyandi:I think though, when you think about sort of consumer side.
Prasanna Malaiyandi:I think it might be slightly different in term because you aren't going to have
Prasanna Malaiyandi:all of this individual access, right?
Prasanna Malaiyandi:People spending time on grandma trying to gain access to her laptop, right?
Prasanna Malaiyandi:I think in those cases it's probably more find common vulnerabilities and
Prasanna Malaiyandi:whatever is the quickest and easiest way, and you just go as broad as you
Prasanna Malaiyandi:can because their data may not be as sensitive and as valuable necessarily.
Prasanna Malaiyandi:Or the willingness to pay.
Prasanna Malaiyandi:Or the ability to pay.
W. Curtis Preston: I do think that
Prasanna Malaiyandi:consumer-based
Prasanna Malaiyandi:attacks probably are much closer to that initial, I download one piece of software
Prasanna Malaiyandi:and it grabs all my data and boom, right?
Prasanna Malaiyandi:And then tries to reach out to a command and control server.
Prasanna Malaiyandi:Uh, and then it's probably closer to that initial definition than we talked
Prasanna Malaiyandi:about where it's just one single piece of software because there, there really
Prasanna Malaiyandi:isn't anything else, uh, to get out there.
Prasanna Malaiyandi:But that's not necessarily our target market.
Prasanna Malaiyandi:So I wasn't really focusing on that.
Prasanna Malaiyandi:But you know, from a company perspective.
Prasanna Malaiyandi:Uh, you know, or any, any organization perspective, it's going
Prasanna Malaiyandi:to be a very complicated process.
Prasanna Malaiyandi:Uh, and that could go on for months
Prasanna Malaiyandi:I was actually gonna
W. Curtis Preston: before you actually get a, you know, a big, a big payload.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Just uh, I think if I go back and think about, and it's not ransomware, but just
Prasanna Malaiyandi:talking about this attack vector, because it is common in other places as well.
Prasanna Malaiyandi:If I think about like the SolarWinds attack, right?
Prasanna Malaiyandi:They were in their systems for months,
Prasanna Malaiyandi:right?
W. Curtis Preston: they were part of the, they were actually part of the
Prasanna Malaiyandi:supply chain, as I recall, right?
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:They're very, depending on the size of the fish, right?
Prasanna Malaiyandi:They're very, very there.
Prasanna Malaiyandi:There is a risk reward.
Prasanna Malaiyandi:Um, you know, a trade off, right?
Prasanna Malaiyandi:The longer they can stay in undetected, the more exploration that they can do,
Prasanna Malaiyandi:the bigger the payoff, but the longer they stay in undetected, the greater
Prasanna Malaiyandi:the risk that they will eventually be detected before they can do the payoff.
Prasanna Malaiyandi:So there's a, you know, a big risk reward there.
Prasanna Malaiyandi:Yeah.
W. Curtis Preston: Um, so the other and really important
Prasanna Malaiyandi:thing, and this is why, um,
Prasanna Malaiyandi:this is why some have been changing the name of, uh, ransomware, and that is that no
Prasanna Malaiyandi:longer, um, is simply encrypting the data and then saying you can have it back if
Prasanna Malaiyandi:you, uh, give us a ransom, no longer
Prasanna Malaiyandi:is that the normal MO of the, the ransomware attackers.
Prasanna Malaiyandi:What
Prasanna Malaiyandi:is the normal MO?
Prasanna Malaiyandi:Have evolved, or I would say devolved, but yeah, they have, they have evolved.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:So now they realize, okay, people have backups, they have other systems, right?
Prasanna Malaiyandi:And so I would say before we get to sort of, okay, what is it really now,
Prasanna Malaiyandi:right?
Prasanna Malaiyandi:I think in between what they had started to do was really
Prasanna Malaiyandi:attack those systems, right?
Prasanna Malaiyandi:So it wasn't just encrypt your data,
W. Curtis Preston: Right.
Prasanna Malaiyandi:But even locally it was like, Hey, now let's start
Prasanna Malaiyandi:going after the backup systems, right?
Prasanna Malaiyandi:Because if you can restore your data, then you don't need us, right?
Prasanna Malaiyandi:You don't need the key.
W. Curtis Preston: Yeah,
Prasanna Malaiyandi:that, that is a really good point.
Prasanna Malaiyandi:That basically part of that sophisticated ex, you know, um, uh,
Prasanna Malaiyandi:large attack, they are definitely going to go after the backup system.
Prasanna Malaiyandi:They're trying to identify what your backup system, they know the
Prasanna Malaiyandi:vulnerabilities of the different backup systems, and they then
Prasanna Malaiyandi:go after those vulnerabilities.
Prasanna Malaiyandi:And this is
Prasanna Malaiyandi:why I talk about, and we'll talk later about changes that you should
Prasanna Malaiyandi:be making to your backup system in order to protect from this.
Prasanna Malaiyandi:This is part of the evolution of the, of these ransomware attackers, is
Prasanna Malaiyandi:first all they had to do was encrypt.
Prasanna Malaiyandi:And then they found out, uh, you know, and people would pay the ransom.
Prasanna Malaiyandi:And then they found that some people had backup and recovery systems
Prasanna Malaiyandi:and disaster recovery systems, and they were stopped, pay the ransom.
Prasanna Malaiyandi:Well, they want people to pay the ransom.
Prasanna Malaiyandi:And so they're like, well, what can we do next?
Prasanna Malaiyandi:And so the next thing they decided to do was attack the backup systems.
Prasanna Malaiyandi:I, I don't think that they listen to this podcast
Prasanna Malaiyandi:or I've read your books, Curtis.
Prasanna Malaiyandi:I'm just saying.
W. Curtis Preston: Yeah, I don't think so.
Prasanna Malaiyandi:I don't think so.
Prasanna Malaiyandi:They went after specific backup products that had specific vulnerabilities,
Prasanna Malaiyandi:especially Windows based backup products, because Windows was the, you know, or
Prasanna Malaiyandi:it continues to be the predominant
Prasanna Malaiyandi:OS that they're attacking in a ransomware attack.
Prasanna Malaiyandi:It's not the only one, but it is a predominant one.
Prasanna Malaiyandi:So they went after backup systems that were based on Windows.
Prasanna Malaiyandi:Also backup systems whose backups were all stored on disk.
Prasanna Malaiyandi:'cause those backups are easy to, uh, delete and or encrypt.
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:Um, and.
Prasanna Malaiyandi:The, and we'll, we'll talk more about things, but the idea is to,
Prasanna Malaiyandi:with the backup system, the, the, the quick answer is to make sure
Prasanna Malaiyandi:that your backup system isn't susceptible to those types of attacks.
Prasanna Malaiyandi:We'll talk about that, uh, in another episode.
Prasanna Malaiyandi:That could be an entire episode in and of itself.
Prasanna Malaiyandi:W. Curtis Preston: Yeah, exactly.
Prasanna Malaiyandi:Uh, so what, what happened next?
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:So then, okay, they went after a backup system.
Prasanna Malaiyandi:Sometimes they were successful, sometimes they weren't.
Prasanna Malaiyandi:But then they realized just like classic ransomware or classic kidnapping and
Prasanna Malaiyandi:people paying ransom, they're like, Hey, if we actually take your data right.
Prasanna Malaiyandi:Then now you don't have that option to be like, Hey, just
Prasanna Malaiyandi:give me the encryption key.
Prasanna Malaiyandi:You can actually blackmail people and say, by the way, if you don't want me
Prasanna Malaiyandi:to release this information, pay up.
Prasanna Malaiyandi:And it might be sensitive information like the Sony hack where they
Prasanna Malaiyandi:exfiltrated a bunch of data and it was emails about studio, like what studio
Prasanna Malaiyandi:executives were saying and all the rest things you don't want out in public.
Prasanna Malaiyandi:W. Curtis Preston: Right.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:And, and it could be anything.
Prasanna Malaiyandi:I, I think the Sony attack was the first one that I really remember.
Prasanna Malaiyandi:Because it was basically impair, it was embarrassing data.
Prasanna Malaiyandi:There are, um, others where it's like, listen, we have your 11 herbs and spices
Prasanna Malaiyandi:and we're gonna release 'em to the public.
Prasanna Malaiyandi:By the way, the 11 herbs and spices, I'm pretty sure have been
Prasanna Malaiyandi:released, but not by KFC, but, but by other comp or other entities.
Prasanna Malaiyandi:But you know, we have your company's trade secrets.
Prasanna Malaiyandi:We may have, um, proof of you doing things that are actually crimes, right?
Prasanna Malaiyandi:We, you know, um, you know, there are basically, we might have competitive
Prasanna Malaiyandi:information that you don't want given to your closest competitor.
Prasanna Malaiyandi:There are a number of things, and also I'd say the, the, the one
Prasanna Malaiyandi:category of data that we haven't discussed is we have PII, right?
Prasanna Malaiyandi:We have a whole bunch of names and credit card data
Prasanna Malaiyandi:that we're going to release if you don't pay the ransom.
Prasanna Malaiyandi:I'd say the best example of that would be the Ashley Madison attack.
Prasanna Malaiyandi:I don't remember if that was actually a ransomware attack, but that is an example
Prasanna Malaiyandi:of the kind of thing. So, Ashley Madison.
Prasanna Malaiyandi:So for those that you don't remember, and it's still around amazingly
Prasanna Malaiyandi:enough, Ashley Madison is a website and an organization designed, uh, to
Prasanna Malaiyandi:help people cheat on their spouses.
Prasanna Malaiyandi:And they released a bunch of identities of people that were there.
Prasanna Malaiyandi:There were a number of suicides that followed that, uh, particular incident.
Prasanna Malaiyandi:So it could be personal information, it could be medical information.
Prasanna Malaiyandi:Healthcare records of celebrities or even other folks that
Prasanna Malaiyandi:could be detrimental if released publicly.
Prasanna Malaiyandi:W. Curtis Preston: Right, right.
Prasanna Malaiyandi:And, and put it into your company.
Prasanna Malaiyandi:Amazingly, Ashley Madison, they released all that stuff and one of the things that
Prasanna Malaiyandi:came out was that it turns out that all of the female subscribers were all fake,
Prasanna Malaiyandi:and yet the company still runs.
Prasanna Malaiyandi:The company is still out there and people are still paying memberships.
Prasanna Malaiyandi:But, um, yeah, so that's, that is an important
Prasanna Malaiyandi:change in how the, the ransomware folks are operating.
Prasanna Malaiyandi:Uh, basically, this is why many people are now starting to call it
Prasanna Malaiyandi:extortionware rather than just ransomware, because they're saying that we, we
Prasanna Malaiyandi:literally have stolen your data and we are going to release it to the
Prasanna Malaiyandi:public if you don't give us the ransom.
Prasanna Malaiyandi:And here's my question.
Prasanna Malaiyandi:Let's just say I've got the best, the absolute best
Prasanna Malaiyandi:backup and disaster recovery system in the world.
Prasanna Malaiyandi:I've got a button that I can press and five seconds later, my entire
Prasanna Malaiyandi:environment is recovered without incident.
Prasanna Malaiyandi:How well will that help me with an extortion attack?
Prasanna Malaiyandi:It wouldn't
Prasanna Malaiyandi:W. Curtis Preston: Not at
Prasanna Malaiyandi:all.
Prasanna Malaiyandi:That's the worst.
Prasanna Malaiyandi:That's the worst part.
Prasanna Malaiyandi:I this whole thing.
Prasanna Malaiyandi:Well, and this is my problem.
Prasanna Malaiyandi:I know we had talked about comparing classic ransomware to digital ransomware.
Prasanna Malaiyandi:W. Curtis Preston: Mm-Hmm.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:In classic ransomware, you pay the ransom.
Prasanna Malaiyandi:They may or may not return the person, but if they return the
Prasanna Malaiyandi:person, you know you're good
Prasanna Malaiyandi:W. Curtis Preston: Right.
Prasanna Malaiyandi:In digital ransomware,
Prasanna Malaiyandi:Even if you pay the ransom to give you back the encryption keys, they
Prasanna Malaiyandi:still have that original data.
Prasanna Malaiyandi:They could decide in a year, Hey, I'm gonna release this and embarrass you.
Prasanna Malaiyandi:They could decide, Hey, I'm just gonna release
Prasanna Malaiyandi:this anyway.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And.
Prasanna Malaiyandi:If there's no honor among thieves, right,
Prasanna Malaiyandi:W. Curtis Preston: Right.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:How can you trust that they will do the right thing?
Prasanna Malaiyandi:W. Curtis Preston: Yeah, you, you can, you can't, which is really why the only
Prasanna Malaiyandi:defense to this type of ransomware is to not let it happen in the first place.
Prasanna Malaiyandi:Which is why I think that people should be focusing a lot more on the
Prasanna Malaiyandi:prevention of exfiltration, right?
Prasanna Malaiyandi:Exfiltration is just a very fancy word for sucking the data
Prasanna Malaiyandi:out of your company, right?
Prasanna Malaiyandi:Um, and there are ways, there are ways to do that, but they are not
Prasanna Malaiyandi:easy and they come with a lot of false positives, et cetera, et cetera.
Prasanna Malaiyandi:So not everybody is that, um, hot on it.
Prasanna Malaiyandi:And I just think it's something that we need to continue to work on.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Or detection also,
Prasanna Malaiyandi:right?
Prasanna Malaiyandi:W. Curtis Preston: Yes, yes.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Well, yeah, detecting it, detecting that you've got the ransomware detecting
Prasanna Malaiyandi:that the exfiltration is happening.
Prasanna Malaiyandi:Stopping the exfiltration, right?
Prasanna Malaiyandi:Because a lot of the exfiltration is all sent to like the same place right there.
Prasanna Malaiyandi:There's certain websites and things that, um, it's like, why are we
Prasanna Malaiyandi:sending data to what is like mega sum?
Prasanna Malaiyandi:And there's some big file sharing site.
Prasanna Malaiyandi:Like you, you should block all access to all, like, file
Prasanna Malaiyandi:sharing sites like that, right?
Prasanna Malaiyandi:Um, and then if you, if you have a legitimate need for that,
Prasanna Malaiyandi:then, um, you open it up, but chances are you probably don't.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:W. Curtis Preston: Yeah.
Prasanna Malaiyandi:Um, so that's just a brief overview of what ransomware is, what it isn't,
Prasanna Malaiyandi:how it's evolved, uh, in terms, and by the way, just a final thing regarding
Prasanna Malaiyandi:the whole exfiltration thing, talk, talking about part two and part three.
Prasanna Malaiyandi:Not only have they gone directly attacking the backup systems in order to
Prasanna Malaiyandi:basically take them out of the war.
Prasanna Malaiyandi:The, that's not what I, that's not what I meant to take them, to take to, to take
Prasanna Malaiyandi:them away from you as a weapon in the war.
Prasanna Malaiyandi:I, I don't know, I'm mixing metaphors here, but they're also, they've discovered
Prasanna Malaiyandi:that it is a source for exfiltration.
Prasanna Malaiyandi:So if they can gain, uh, unrestricted access to the backup
Prasanna Malaiyandi:system, then um, they can do that.
Prasanna Malaiyandi:And by the way, if, if you're, if
Prasanna Malaiyandi:this is your first episode,
Prasanna Malaiyandi:You really should go back a couple episodes and listen to that episode
Prasanna Malaiyandi:with Dwayne Lalo, uh, where, where it's talking about a red team person, and
Prasanna Malaiyandi:he talked about just how great it is if you can gain access to a backup system.
Prasanna Malaiyandi:He, he was like, I love backup systems.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:Yeah, that was a great episode.
Prasanna Malaiyandi:Any final thoughts?
Prasanna Malaiyandi:No, I think, yeah, we covered sort of what's ransomware,
Prasanna Malaiyandi:what isn't, and yeah, like you said, Curtis, at the beginning I was also
Prasanna Malaiyandi:thinking, oh, it's just software installed that someone drops onto your system.
Prasanna Malaiyandi:But really it's this lengthy process that happens in order to
Prasanna Malaiyandi:be able to gain that foothold.
Prasanna Malaiyandi:And so,
Prasanna Malaiyandi:W. Curtis Preston: Yeah.
Prasanna Malaiyandi:And I, and I, I do think that maybe that's the way it's,
Prasanna Malaiyandi:that's the way it started, right?
Prasanna Malaiyandi:It was an initial piece of software that you just happened to download
Prasanna Malaiyandi:and it would encrypt your data, boom.
Prasanna Malaiyandi:And then, and then, and reach out to the person so that they could, uh, do that.
Prasanna Malaiyandi:But that's not going to work in a large organization, right?
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:W. Curtis Preston: So they, so their attack evolved as well, right?
Prasanna Malaiyandi:So they've evolved over the time to go after a bigger, bigger, and bigger fish.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:Well, and I think also that a lot of the security infrastructure has
Prasanna Malaiyandi:also evolved, and so the ransomware attackers are also evolving.
Prasanna Malaiyandi:In turn, it's like a cat and mouse game.
Prasanna Malaiyandi:W. Curtis Preston: Exactly.
Prasanna Malaiyandi:Um, and, and you know, you have to be right all the time.
Prasanna Malaiyandi:They only have to be right once, unfortunately.
Prasanna Malaiyandi:All right.
Prasanna Malaiyandi:Well thanks for having a chat.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:It was good.
Prasanna Malaiyandi:I enjoy these.
Prasanna Malaiyandi:I'm excited for this new series.
Prasanna Malaiyandi:I.
Prasanna Malaiyandi:W. Curtis Preston: Yeah, me too.
Prasanna Malaiyandi:Thanks to our listeners, uh, we'd be nothing without you.
Prasanna Malaiyandi:Make sure to subscribe so that you don't miss an episode.
Prasanna Malaiyandi:That is a wrap.
Prasanna Malaiyandi:The backup wrap up is written, recorded and produced by me, W. Curtis Preston.
Prasanna Malaiyandi:If you need backup or DR
Prasanna Malaiyandi:consulting, content generation or expert witness work,
Prasanna Malaiyandi:check out backupcentral.com.
Prasanna Malaiyandi:You can also find links to my O'Reilly books on the same website.
Prasanna Malaiyandi:Remember, this is an independent podcast and any opinions that you
Prasanna Malaiyandi:hear are those of the speaker
Prasanna Malaiyandi:and not necessarily an employer.
Prasanna Malaiyandi:Thanks for listening.