In this crucial episode, we delve into how to protect backups from ransomware, a critical concern for IT professionals and business owners alike. We explore why backup systems are prime targets for cybercriminals and the devastating consequences of a successful attack. Our discussion covers essential strategies to fortify your backups, including implementing immutable storage, using local accounts instead of Active Directory, and employing network segmentation. We also emphasize the importance of robust monitoring systems and regular patching. By understanding the risks and implementing these protective measures, you can significantly enhance your organization's resilience against ransomware attacks. Don't miss this vital information on how to protect backups from ransomware and secure your data's last line of defense.
W. Curtis Preston: Today on the backup wrap up, we're
starting a new series on ransomware.
Today's episode starts at the beginning by defining the scourge.
What is it?
What isn't it?
Uh, and why it's become such a massive threat to businesses and individuals.
We'll talk about the evolution of ransomware attacks from
simple data encryption to sophisticated extortion schemes.
And discuss the critical importance of prevention and recovery strategies.
In the coming weeks, you'll see many more episodes on this topic.
As we focus, especially on how to prepare yourself, to be able to respond
and recover from a ransomware attack.
By the way, if you have no idea who I am.
I'm W. Curtis Preston, AKA Mr. Backup.
And I've been passionate about backup and recovery for over 30 years.
Ever since I had to tell my boss that there were no backups of Paris.
I don't want that to happen to you.
And that's why I do this.
On this podcast, we turn unappreciated backup admins into cyber recovery heroes.
This is the backup wrap-up.
W. Curtis Preston: Welcome to the backup wrap up.
I'm your host, W. Curtis Preston, AKA Mr. Backup,
and I have with me the person who's helping me to celebrate
my financial freedom from the IRS.
How's it going, Prasanna?
I am doing well, Curtis.
Yeah, congratulations.
How does it feel to get, what would you call it, uh, the 10
ton elephant off your back?
Is that the
W. Curtis Preston: Yeah.
Yeah.
So for those that don't know, like through various things that weren't malfeasance
on my part I have owed the IRS money.
For the better part of 10 years, two different totally unrelated
events I ended up owing them money and I've been paying them, uh, slowly
and surely for somewhere in the neighborhood of the last 10 years.
And literally May 1st I made the last payment.
And so for the first time in my fifties, I don't, I don't owe the IRS any money.
Um,
be in your fifties than your eighties,
W. Curtis Preston: yeah, that is true.
That is true.
That is true.
I don't recommend owing the IRS money.
They get theirs for sure.
Yeah.
W. Curtis Preston: Anyway, um, so I wanted for, we've, we've finished
our series on cloud disasters and we had the one episode on
a cloud non-disaster.
It was a cloud disaster that had a good, happy ending.
Um, and I wanted us to get back to something else that has been very
popular with our listeners, which is this, the concept of ransomware.
If you are, um, you know, a new listener to the podcast.
We have covered ransomware in various ways over the years, and you're going to,
uh, this episode will actually follow up.
I'm going to be, if you're listening to this now, the previous few episodes will
actually be reruns, if you want to call them, of, of, of really good episodes
where we had guests on that really know.
This, uh, issue of, of, of ransomware and recovering from ransomware.
And so I wanted to, um,
Do you
W. Curtis Preston: we're gonna follow up.
What's that?
are you gonna put Tony's episode out?
W. Curtis Preston: Uh, oh, you know what?
Yeah.
Uh, yeah.
Now that I realize who you're talking about, yes.
I will definitely put Tony.
So, uh, you know, that's probably was the most popular episode that
we had of that timeframe, which was, uh, our friend Tony over at, uh,
Spectra Logic and them talking about
How they actually recovered from a ransomware attack.
And, um, and we'll, we'll have some stuff coming up where we're
gonna be talking about ransomware and different things about how to
protect from it and how to, uh, more importantly, how to, I don't know.
More importantly, it's just.
So many people talk about how to protect from it.
They don't talk enough about how to respond to it and how to recover from it.
And that's where, uh, you know, our specialty lies.
But I Go ahead.
You know what I just read in the paper, or not
the paper, what I read online today.
So insurance companies are now trying to not have companies pay the ransomware
and just sort of keep this self-propagating, uh, issue
keep going.
And so they're actually working to not, or to tell their
clients, don't pay the ransom,
W. Curtis Preston: Yeah, which is something we've always advised, right?
We can't make that decision on behalf of those, uh, people.
But obviously it's not a good thing to pay the ransom, right?
In some places it may be illegal to pay the ransom.
In other places and well, and in all places.
I think it emboldens the behavior.
Right.
And you're
I liken it to my dog where it's like, if you want
him to do something, you give him a treat and then he keeps doing it
because he keeps expecting the treat and he knows he'll get a treat.
W. Curtis Preston: Exactly, uh, yeah, there's a lot of
reasons not to pay the ransom.
So let's, let's just start with, I, just talking about what ransomware is and just as importantly what ransomware isn't.
So ransomware, um, and, and I'm gonna start with saying
that it's, it's a bad term.
Right.
The, the term ransomware suggests that it's software.
It, it suggests that it is a piece of software that you accidentally
get and boom, you have ransomware.
And that's actually what I thought in my early days of, of working with ransomware.
If you click the wrong link and then all of a sudden it encrypts everything.
Yeah,
W. Curtis Preston: And, and that isn't really what it is, or at least not from
what I can tell, uh, most of the time.
But let's just define this concept of ransomware, and it comes from the
term ransom, which, where outside of the world of, of IT, where, where
would we see the word ransom used?
Hostage negotiations,
W. Curtis Preston: Exactly right.
kidnapping.
W. Curtis Preston: kid.
Yeah, I've taken your kid.
And you can have them back for $1 billion.
the most famous kidnapping of all time that I know of was
the Getty kidnapping, right.
So I believe it was, uh, John Paul Getty at the time that he
was the richest man in the world.
They kidnapped his, um, like grandson and, uh, they demanded probably a
million dollars or something like that.
He told him to go pound sand, and then they sent him, uh, his grandchild's ear
and uh, and he said, fine, you know, I'll, I'll, I'll pay the ransom he got, and
he got the, he got his grandchild back.
Interestingly enough, I sat next to.
I was gonna say,
W. Curtis Preston: Yeah, I sat next to the grandson of that grandson on a plane once.
His name's Balthazar Getty, also, uh, an actor.
Um, and, uh, I just randomly asked him if he was related to the Getty
family, and he's like, well, you know, the, you know, the guy with
the ear that's my grandfather.
It's like, wow, that is definitely a connection.
Um, yeah, so that's what a ransom is, right?
Is is give me, you know, I've got something of yours.
And you can have it back if you give me the ransom.
And you, you've watched tv.
You've watched movies, watch tv.
W. Curtis Preston: well you have watched movies.
You, you definitely watched YouTube more.
What is the general thinking regarding paying the ransom in such movies?
The FBI comes in and everyone else, and they're like, don't pay
the ransom 'cause you're not gonna see it.
And it's just gonna, they're just gonna go and do something else again.
W. Curtis Preston: Exactly.
Exactly.
And, and they often do things like demand proof of life.
Right.
Um,
Hold up the newspaper with today's date.
W. Curtis Preston: Exactly right.
I want to talk to my kid.
Right.
I want to verify.
Right.
And all of this has, uh, they, they have parallels in the, the
world of the ransomware, right?
Yeah.
W. Curtis Preston: So really, it, this is where the term comes from, is that
we're holding your data for ransom.
And the, the classic way that that manifested itself was what?
They basically would encrypt your data and say, Hey, if you
want your data back, then pay us the money and we will give you the encryption key
so then you can go unencrypt your data and everything will be back to normal.
W. Curtis Preston: Yeah, it's interesting.
They, they don't steal it, like in the, in the old, in, in the way of the, you
know, the, um, uh, of stealing your, your child to, to demand a ransom.
They steal it right away from you, like right in front of you.
It's like, here's your data, but you can't use it.
You can't have it.
but I think it's also one of those things where it's probably
faster and easier for them, right?
And maybe it's also less detectable, right?
Because all of a sudden if you're like, Hey, why is my, why am I
uploading like 10 terabytes today?
W. Curtis Preston: Exactly.
Yeah.
It, it's super easy and super fast to, to encrypt the data just
enough that it's not useful to you.
And so they're saying, we'll give you the keys, um, you know,
and you can have your data back.
That is a traditional ransomware attack.
What was that?
Hopefully we will give you the keys and you can recover your data.
W. Curtis Preston: Right, right.
And the idea was that, that, that paying the ransom, you know, historically paying
the ransom was only a good idea if you had no backup of your data or if your backup
was such that it was going to take you so long in order to restore.
I, when I think back to one of the most famous ransomware attacks in
the last few years was the Colonial pipeline attack, and that one, as I
understand it, was that they had a backup, right?
But they didn't think they could get the backup recovered fast enough.
And so they decided to pay the ransom.
And, um, and, and so they did both, they did recovery and they paid the ransom,
and, which just seems fundamentally wrong, but historically, that was the
only reason that you would pay the ransom is if you had no backup or a backup.
That was not good enough because
unencrypting the data or de-encrypting the data was, the idea
was that de-encrypting the data was faster than restoring it, right?
Yep, yep.
And that was worthwhile until sort of the
ransomware actors, they had poor code quality, right?
And so you're putting faith that you are going to pay the ransom
and you're going to, going back to our classic example, right?
You're gonna get back your kid,
W. Curtis Preston: Right.
Yeah.
Except sometimes these ransomware actors,
they would write sort of bad code.
And when they gave you back the key, like how they actually did the encryption
W. Curtis Preston: Right.
very sound.
And so yeah, it would decrypt maybe some of the data, but it wasn't still usable.
So that's like paying the ransom and they give back your kid's finger.
Right.
Or
W. Curtis Preston: Yeah,
right.
Or
Right.
Or Or they give like a doll of your kid back.
Right.
Or whatever it is.
Right.
But it's not what you originally had transacted for.
W. Curtis Preston: Here's some videos of your, while we, while we had kidnapped.
You have to think about these organizations as very
sophisticated businesses.
This is not a script kiddie.
This is not a random piece of software that you download off the internet.
This is an organization that is trying to make money for other reasons, right?
They're, they want to do things.
Sometimes they're state actors, sometimes they're, they're just criminals that are
just trying to make a lot of money and.
You need to think about what are they going to focus on
in terms of software quality?
The thing they're gonna focus on is making sure that the data gets
encrypted and making sure that you can't decrypt it without their help.
They're not necessarily that focused on that second half,
which is the the decryption part.
You could make some argument that maybe they want it to work because
they want to have a reputation as
an organization that does get the data back if you actually pay
the ransom, but the, you know,
yeah, or the other thing is it may not be very fast, right?
So
you might get all your data back, but it might take you a month
W. Curtis Preston: Exactly.
Exactly.
Um, so go ahead.
I know you talked about, uh, these organizations, right?
By which you mean the ransomware actors.
Who are kind of well organized.
I think the other thing to also mention is it's no longer just a
single organization necessarily, right?
You have ransomware as a service where you have these people who have all these
tools and capabilities and they provided as a service just like you might use AWS
as a service to host your application.
They provide all the infrastructure tooling for all these other
organizations to now start, um,
attacking other companies and also encrypting their data.
W. Curtis Preston: Right.
Yeah.
And, and actually I want to get into that in, in a little bit,
um, what I want to, and that, that everything you said is, is correct.
Um, let's talk a little bit about what ransomware is not.
What is ransomware not, Curtis?
W. Curtis Preston: So it, well, it's not just a piece of software that downloads
and, you know, magic happens, right?
Um, the, the, the process of getting infected with ransomware is actually
a very manual process with many steps.
And, uh, and, and they are steps that are being manually driven by a human
being somewhere else in the world.
And the, the idea is that there is that initial access.
There is, uh, that, that, you know, that basically the, the initial breach, which
could be via a number of mechanisms.
It could be, uh, old school phishing.
It could be something that you download.
Uh, it, it quite possibly will be something that you download, that
you get via email, an attachment that you open that you shouldn't have.
What was the, what was the thing you said?
Yeah, it could be a zero day exploit, right?
There are myriad ways that you can basically find yourself with a
portal to, to the bad guys, right?
So that, that's the first thing that has to happen, is someone has to gain
remote access, usually with escalated privileges, but not necessarily so.
They might just have a, you know, they might have simply
leveraged stolen credentials.
That's another thing.
They, they leveraged stolen credentials and then you didn't
have MFA on, you might have had a, a server that's got RDP enabled
and it's, uh, open to the internet.
Oh my Lord.
RDP, the ransomware deployment protocol,
or you just have insecure systems that are internet facing,
right?
How many people have like VMware ESXi, and then they automatically have it
available on the internet and boom.
W. Curtis Preston: Exactly.
Yeah.
So there, like I said, there, there are myriad ways that you,
that a bad actor can be given
initial access to one or more, uh, systems.
Right.
And there are, and this was, uh, basically you, you referenced this
earlier, is that there are companies, and again, it's the correct
thing is to call them companies, right?
There are companies who, this is what they do.
They call them initial access brokers.
This is all they do.
They just get a foothold into an organization and then they say, Hey,
I've got a foothold into a, b, c company.
Who wants that?
And then they bid that on the, you know, on the dark web.
It just kind of scary when you think about it, right?
Because it is a specialized role, right?
That is all they do day in and day out is they try to figure out, how do
I gain that initial foothold with all these various mechanisms that you talked
about, Curtis, and then take that and now pass it on to the next person, right?
And it's their job to now figure out, okay, now what can I do next?
W. Curtis Preston: Yeah, it's a very specialized world, right?
Um, because there's sort of three phases.
There's that initial access, there's a second phase, which is discovery and uh,
and crawling around trying to do lateral movement, trying to expand the footprint.
And, um, and, and then that third phase, which is the actual, we're going
to go and encrypt everything, right?
The go ahead.
And that second phase, right?
Just to touch on it, right?
Moving laterally and trying to figure out other things, right?
They're trying to do all of this while staying undetected, right?
Because the last thing you wanna do is give up that access that you paid for from
initial access broker, right?
And so you wanna make sure you stay under the radar of the security team
or whoever else is out there trying to prevent what you're trying to do.
W. Curtis Preston: Which is why one of the ways they do well, I would say the
way that they do that next phase is they use the same tools that you use, right?
They're downloading cybersecurity tools that are designed to defend,
but they use them to attack.
Cobalt Strike is a common one.
W. Curtis Preston: yeah.
Cobalt Strike is definitely one of the, uh, most common ones.
And, uh, there are a number of other tools that they download that, that don't
initially set off alarms because they're not, it's not like, Hey, hacker tool dot
exe, it's a tool that you would install.
And so they, they install these tools and then they go and they,
they crawl around your organization.
And it can be very difficult to detect that once they have gained that foothold
and once they're using the same tools that you might be using to poke around.
And again, I, I'll go back to that initial access.
This is why MFA is so important.
Uh, they could, there are a number of ways that they could get in, but MFA would be
one of the ways that you would then stop.
By the way, it, it does appear that the most common way that they get
in is actually stolen credentials.
Right.
And um, which is just really sad.
Um, but, but it is what it is. Right.
Yeah.
Yeah.
Um, and, and so I, I just, this is the thing.
This is where the, what ransomware is not.
I just want people to understand that ransomware is not just one
piece of software that you happen to accidentally download and then
it affects your entire data center.
That is absolutely what I, what I, what I used to think it was.
Uh, it is a very sophisticated series of actions that are taken in series
different, there may be as many as a dozen pieces of software that are
installed to affect the ultimate goal that the, the bad actor wants, uh,
which of course is demanding the ransom.
I do wonder though.
Yeah, I do.
I agree with that.
Curtis, I also wonder though, if we should really think about sort of two segments
to, uh, victim segments, if you will.
One is the enterprise, which I think a hundred percent everything you said makes sense.
I think though, when you think about sort of consumer side.
I think it might be slightly different in terms because you aren't going to have
all of this individual access, right?
People spending time on grandma trying to gain access to her laptop, right?
I think in those cases it's probably more find common vulnerabilities and
whatever is the quickest and easiest way, and you just go as broad as you
can because their data may not be as sensitive and as valuable necessarily.
Or the willingness to pay.
Or the ability to pay.
W. Curtis Preston: I do think that consumer-based
attacks probably are much closer to that initial, I download one piece of software
and it grabs all my data and boom, right?
And then tries to reach out to a command and control server.
Uh, and then it's probably closer to that initial definition than we talked
about where it's just one single piece of software because there, there really
isn't anything else, uh, to get out there.
But that's not necessarily our target market.
So I wasn't really focusing on that.
But you know, from a company perspective.
Uh, you know, or any, any organization perspective, it's going
to be a very complicated process.
Uh, and that could go on for months
I was actually gonna
W. Curtis Preston: before you actually get a, you know, a big, a big payload.
Yeah.
Yeah.
Just uh, I think if I go back and think about, and it's not ransomware, but just
talking about this attack vector, because it is common in other places as well.
If I think about like the SolarWinds attack, right?
They were in their systems for months,
right?
W. Curtis Preston: they were part of the, they were actually part of the
supply chain, as I recall, right?
Yeah.
Yeah.
They're very, depending on the size of the fish, right?
They're very, very there.
There is a risk reward.
Um, you know, a trade off, right?
The longer they can stay in undetected, the more exploration that they can do,
the bigger the payoff, but the longer they stay in undetected, the greater
the risk that they will eventually be detected before they can do the payoff.
So there's a, you know, a big risk reward there.
Yeah.
W. Curtis Preston: Um, so the other and really important
thing, and this is why, um,
this is why some are changing the name of, uh, ransomware, and that is that no
longer, um, is simply encrypting the data and then saying you can have it back if
you, uh, give us a ransom. No longer
is that the normal MO of the, the ransomware attackers?
What is the normal MO?
Have evolved, or I would say devolved, but yeah, they have, they have evolved.
Right.
Yeah.
So now they realize, okay, people have backups, they have other systems, right?
And so I would say before we get to sort of, okay, what is it really now, right?
I think in between what they had started to do was really
attack those systems, right?
So it wasn't just encrypt your data,
W. Curtis Preston: Right.
But even locally it was like, Hey, now let's start
going after the backup systems, right?
Because if you can restore your data, then you don't need us, right?
You don't need the key.
W. Curtis Preston: Yeah,
that, that is a really good point.
That basically part of that sophisticated ex, you know, um, uh,
large attack, they are definitely going to go after the backup system.
They're trying to identify what your backup system, they know the
vulnerabilities of the different backup systems, and they then
go after those vulnerabilities.
And this is why I talk about, and we'll talk later about changes that you should
be making to your backup system in order to protect from this.
This is part of the evolution of the, of these ransomware attackers, is
first all they had to do was encrypt.
And then they found out, uh, you know, and people would pay the ransom.
And then they found that some people had backup and recovery systems
and disaster recovery systems, and they were stopped, pay the ransom.
Well, they want people to pay the ransom.
And so they're like, well, what can we do next?
And so the next thing they decided to do was attack the backup systems.
I, I don't think that they listen to this podcast
or I've read your books, Curtis.
I'm just saying.
W. Curtis Preston: Yeah, I don't think so.
I don't think so.
They went after specific backup products that had specific vulnerabilities,
especially Windows based backup products, because Windows was the, you know, or
it continues to be the prop predominant OS that they're attacking in a ransomware attack.
It's not the only one, but it is a predominant one.
So they went after backup systems that were based on Windows.
Also backup systems whose backups were all stored on disk.
'cause those backups are easy to, uh, delete and or encrypt.
Right?
Um, and the, and we'll, we'll talk more about things, but the idea is to,
with the backup system, the, the, the quick answer is to make sure
that your backup system isn't susceptible to those types of attacks.
We'll talk about that, uh, in another episode.
That could be an entire episode in and of itself.
W. Curtis Preston: Yeah, exactly.
Uh, so what, what happened next?
yeah.
So then, okay, they went after a backup system.
Sometimes they were successful, sometimes they weren't.
But then they realized just like classic ransomware or classic kidnapping and
people paying ransom, they're like, Hey, if we actually take your data right.
Then now you don't have that option to be like, Hey, just
give me the encryption key.
You can actually blackmail people and say, by the way, if you don't want me
to release this information, pay up.
And it might be sensitive information like the Sony hack where they
exfiltrated a bunch of data and it was emails about studio, like what studio
executives were saying and all the rest things you don't want out in public.
W. Curtis Preston: Right.
Yeah.
And, and it could be anything.
I, I think the Sony attack was the first one that I really remember.
Because it was basically impair, it was embarrassing data.
There are, um, others where it's like, listen, we have your 11 herbs and spices
and we're gonna release 'em to the public.
By the way, the 11 herbs and spices, I'm pretty sure have been
released, but not by KFC, but, but by other comp or other entities.
But you know, we have your company's trade secrets.
We may have, um, proof of you doing things that are actually crimes, right?
We, you know, um, you know, there are basically, we might have competitive
information that you don't want given to your closest competitor.
There are a number of things, and also I'd say the, the, the one
category of data that we haven't discussed is we have PII, right?
We have a whole bunch of names and credit card data
that we're going to release if you don't pay the ransom.
I'd say the best example of that would be the Ashley Madison attack.
I don't remember if that was actually a ransomware attack, but that is an example
of the kind of thing I'm. So Ashley Madison.
So for those that you don't remember, and it's still around amazingly
enough, Ashley Madison is a website and an organization designed, uh, to
help people cheat on their spouses.
And they released a bunch of identities of people that were there.
There were a number of suicides that followed that, uh, particular incident.
So it could be personal information, it could be medical information.
Healthcare records of celebrities or even other folks that
could be detrimental if released publicly.
W. Curtis Preston: Right, right.
And, and put it into your company.
Amazingly, Ashley Madison, they released all that stuff and one of the things that
came out was that it turns out that all of the female subscribers were all fake,
and yet the company still runs.
The company is still out there and people are still paying memberships.
But, um, yeah, so that's, that is an important
change in how the, the ransomware folks are operating.
Uh, basically, this is why many people are now starting to call it
extortionware rather than just ransomware, because they're saying that we, we
literally have stolen your data and we are going to release it to the
public if you don't give us the ransom.
And here's my question.
Let's just say I've got the best, the absolute best
backup and disaster recovery system in the world.
I've got a button that I can press and five seconds later, my entire
environment is recovered without incident.
How well will that help me with an extortion attack?
It wouldn't.
W. Curtis Preston: Not at all.
That's the worst.
That's the worst part.
I this whole thing.
well, and this is my problem.
I know we had talked about comparing classic ransomware to digital ransomware.
W. Curtis Preston: Mm-Hmm.
Right.
In classic ransomware, you pay the ransom.
They may or may not return the person, but if they return the
person, you know you're good
W. Curtis Preston: Right.
Prasanna Malaiyandi: in digital ransomware.
Even if you pay the ransom to give you back the encryption keys, they
still have that original data.
They could decide in a year, Hey, I'm gonna release this and embarrass you.
They could decide, Hey, I'm just gonna release
this anyway.
Right.
And if there's no honor among thieves, right,
W. Curtis Preston: Right.
Right.
how can you trust that they will do the right thing?
W. Curtis Preston: Yeah, you, you can, you can't, which is really why the only
defense to this type of ransomware is to not let it happen in the first place.
Which is why I think that people should be focusing a lot more on the
prevention of exfiltration, right?
Exfiltration is just a very fancy word for sucking the data
out of your company, right?
Um, and there are ways, there are ways to do that, but they are not
easy and they come with a lot of false positives, et cetera, et cetera.
So not everybody is that, um, hot on it.
And I just think it's something that we need to continue to work on.
Yeah.
Or detection also,
right?
W. Curtis Preston: Yes, yes.
Yeah.
Well, yeah, detecting it, detecting that you've got the ransomware detecting
that the exfiltration is happening.
Stopping the exfiltration, right?
Because a lot of the exfiltration is all sent to like the same place right there.
There's certain websites and things that, um, it's like, why are we
sending data to what is like Mega, some,
and there's some big file sharing site.
Like you, you should block all access to all, like, file
sharing sites like that, right?
Um, and then if you, if you have a legitimate need for that.
Then, um, you open it up, but chances are you probably don't.
Yeah.
W. Curtis Preston: Yeah.
Um, so that's just a brief overview of what ransomware is, what it isn't,
how it's evolved, uh, in terms, and by the way, just a final thing regarding
the whole exfiltration thing, talk, talking about part two and part three.
Not only have they gone directly attacking the backup systems in order to
basically take them out of the war.
The, that's not what I, that's not what I meant, to take them, to take, to, to take
them away from you as a weapon in the war.
I, I don't know, I'm mixing metaphors here, but they're also, they've discovered
that it is a source for exfiltration.
So if they can gain, uh, unrestricted access to the backup
system, then um, they can do that.
And by the way, if, if you, if you're,
this is your first episode,
you really should go back a couple episodes and listen to that episode
with Dwayne Laflotte, uh, where, where it's talking about a red team person, and
he talked about just how great it is if you can gain access to a backup system.
He, he was like, I love backup systems.
Right.
Yeah, that was a great episode.
Any final thoughts?
No, I think, yeah, we covered sort of what's ransomware,
what isn't, and yeah, like you said, Curtis, at the beginning I was also
thinking, oh, it's just software installed that someone drops onto your system.
But really it's this lengthy process that happens in order to
be able to gain that foothold.
And so,
W. Curtis Preston: Yeah.
And I, and I, I do think that maybe that's the way it's,
that's the way it started, right?
It was an initial piece of software that you just happened to download
and it would encrypt your data, boom.
And then, and then, and reach out to the person so that they could, uh, do that.
But that's not going to work in a large organization, right?
Yeah.
W. Curtis Preston: So they, so their attack evolved as well, right?
So they've evolved over the time to go after a bigger, bigger, and bigger fish.
Yeah.
Well, and I think also that a lot of the security infrastructure has
also evolved, and so the ransomware attackers are also evolving.
In turn, it's like a cat and mouse game.
W. Curtis Preston: Exactly.
Um, and, and you know, you have to be right all the time.
They only have to be right once, unfortunately.
All right.
Well thanks for having a chat.
Yeah.
It was good.
I enjoy these.
I'm excited for this new series.
I.
W. Curtis Preston: Yeah, me too.
Thanks to our listeners, uh, we'd be nothing without you.
Make sure to subscribe so that you don't miss an episode.
That is a wrap,
The backup wrap up is written, recorded and produced by me, W. Curtis Preston.
If you need backup or DR consulting, content generation or expert witness work,
check out backupcentral.com.
You can also find links to my O'Reilly books on the same website.
Remember, this is an independent podcast and any opinions that you
hear are those of the speaker.
And not necessarily an employer.
Thanks for listening.