This episode, on what ransomware is, is the first in a new series on the topic. It explores what ransomware is, how it works, and why it has become such a significant threat to businesses and individuals alike. We discuss the evolution of ransomware attacks, from simple data encryption to sophisticated extortion schemes involving data exfiltration and direct attacks on backup systems. Our conversation highlights the importance of prevention and detection measures, such as robust access controls, limiting internet-facing systems, and monitoring for data exfiltration. We also emphasize the critical role of backup and recovery strategies, including offline and immutable backups, in mitigating the impact of ransomware attacks. Throughout the episode, we provide insights into the complex ransomware threat landscape and offer practical advice for organizations looking to protect their data and systems from this ever-evolving threat.
W. Curtis Preston: Today on The Backup Wrap-Up, we're starting a new series on ransomware. Today's episode starts at the beginning by defining the scourge. What is it? What isn't it? Uh, and why it's become such a massive threat to businesses and individuals. We'll talk about the evolution of ransomware attacks from simple data encryption to sophisticated extortion schemes, and discuss the critical importance of prevention and recovery strategies. In the coming weeks, you'll see many more episodes on this topic, as we focus especially on how to prepare yourself to be able to respond to and recover from a ransomware attack.

By the way, if you have no idea who I am, I'm W. Curtis Preston, AKA Mr. Backup, and I've been passionate about backup and recovery for over 30 years, ever since I had to tell my boss that there were no backups of Paris. I don't want that to happen to you, and that's why I do this. On this podcast, we turn unappreciated backup admins into cyber recovery heroes. This is The Backup Wrap-Up.
W. Curtis Preston: Welcome to The Backup Wrap-Up. I'm your host, W. Curtis Preston, AKA Mr. Backup, and I have with me the person who's helping me to celebrate my financial freedom from the IRS. How's it going, Prasanna?

Prasanna Malaiyandi: I am doing well, Curtis. Yeah, congratulations. How does it feel to get, what would you call it, uh, the 10-ton elephant off your back? Is that the...

W. Curtis Preston: Yeah. Yeah. So for those that don't know, through various things that weren't malfeasance on my part, I have owed the IRS money for the better part of 10 years. Two different, totally unrelated events, I ended up owing them money, and I've been paying them, uh, slowly and surely for somewhere in the neighborhood of the last 10 years. And literally, May 1st, I made the last payment. And so for the first time in my fifties, I don't owe the IRS any money. Um...

Prasanna Malaiyandi: ...be in your fifties than your eighties.

W. Curtis Preston: Yeah, that is true. That is true. That is true. I don't recommend owing the IRS money. They get theirs for sure. Yeah.
W. Curtis Preston: Anyway, um, so I wanted... we've finished our series on cloud disasters, and we had the one episode on the cloud non-disaster. It was a cloud disaster that had a good, happy ending. Um, and I wanted us to get back to something else that has been very popular with our listeners, which is the concept of ransomware. If you are, um, you know, a new listener to the podcast, we have covered ransomware in various ways over the years, and this episode will actually follow up. If you're listening to this now, the previous few episodes will actually be reruns, if you want to call them that, of really good episodes where we had guests on that really know this, uh, issue of ransomware and recovering from ransomware. And so I wanted to, um...

Prasanna Malaiyandi: Do you...

W. Curtis Preston: We're gonna follow up. What's that?

Prasanna Malaiyandi: Are you gonna put Tony's episode out?

W. Curtis Preston: Uh, oh, you know what? Yeah. Uh, yeah. Now that I realize who you're talking about, yes. I will definitely put Tony... So, uh, you know, that was probably the most popular episode that we had of that timeframe, which was, uh, our friend Tony over at, uh, Spectra Logic and them talking about how they actually recovered from a ransomware attack. And, um, we'll have some stuff coming up where we're gonna be talking about ransomware and different things about how to protect from it and how to, uh, more importantly, how to... I don't know. More importantly, it's just... so many people talk about how to protect from it. They don't talk enough about how to respond to it and how to recover from it. And that's where, uh, you know, our specialty lies. But I... go ahead.
Prasanna Malaiyandi: You know what I just read in the paper... or not the paper, what I read online today? So insurance companies are now trying to not have companies pay the ransom and just sort of keep this self-propagating, uh, issue going. And so they're actually working to not... or to tell their clients, don't pay the ransom.

W. Curtis Preston: Yeah, which is something we've always advised, right? We can't make that decision on behalf of those, uh, people. But obviously it's not a good thing to pay the ransom, right? In some places it may be illegal to pay the ransom. In other places... and, well, in all places, I think it emboldens the behavior. Right. And you're...

Prasanna Malaiyandi: I liken it to my dog, where it's like, if you want him to do something, you give him a treat, and then he keeps doing it because he keeps expecting the treat and he knows he'll get a treat.

W. Curtis Preston: Exactly. Uh, yeah, there's a lot of reasons not to pay the ransom. So let's just start with, I... just talking about what ransomware is and, just as importantly, what ransomware isn't. So ransomware, um, and I'm gonna start with saying that it's a bad term. Right. The term ransomware suggests that it's software. It suggests that it is a piece of software that you accidentally get, and boom, you have ransomware. And that's actually what I thought in my early days of working with ransomware.

Prasanna Malaiyandi: If you click the wrong link and then all of a sudden it encrypts everything. Yeah.

W. Curtis Preston: And that isn't really what it is, or at least not from what I can tell, uh, most of the time. But let's just define this concept of ransomware, and it comes from the term ransom. Where, outside of the world of IT, would we see the word ransom used?

Prasanna Malaiyandi: Hostage negotiations.

W. Curtis Preston: Exactly right.

Prasanna Malaiyandi: Kidnapping.

W. Curtis Preston: Kidnapping. Yeah, I've taken your kid, and you can have them back for $1 billion. The most famous kidnapping of all time that I know of was the Getty kidnapping, right. So I believe it was, uh, John Paul Getty, at the time that he was the richest man in the world. They kidnapped his, um, like, grandson, and, uh, they demanded probably a million dollars or something like that. He told them to go pound sand, and then they sent him, uh, his grandchild's ear, and, uh, he said, fine, you know, I'll pay the ransom, and he got his grandchild back. Interestingly enough, I sat next to...

Prasanna Malaiyandi: I was gonna say...

W. Curtis Preston: Yeah, I sat next to the grandson of that grandson on a plane once. His name's Balthazar Getty, also, uh, an actor. Um, and, uh, I just randomly asked him if he was related to the Getty family, and he's like, well, you know the guy with the ear? That's my grandfather. It's like, wow, that is definitely a connection. Um, yeah, so that's what a ransom is, right? Is, give me... you know, I've got something of yours, and you can have it back if you give me the ransom. And you've watched TV. You've watched...

Prasanna Malaiyandi: You've watched movies, watch TV.

W. Curtis Preston: Well, you have watched movies. You definitely watched YouTube more. What is the general thinking regarding paying the ransom in such movies?

Prasanna Malaiyandi: The FBI comes in, and everyone else, and they're like, don't pay the ransom, 'cause you're not gonna see it. And it's just gonna... they're just gonna go and do something else again.

W. Curtis Preston: Exactly. Exactly. And they often do things like demand proof of life. Right. Um...

Prasanna Malaiyandi: Hold up the newspaper with today's date.

W. Curtis Preston: Exactly right. I want to talk to my kid. Right. I want to verify. Right. And all of this has, uh, they have parallels in the world of ransomware, right?

Prasanna Malaiyandi: Yeah.
W. Curtis Preston: So really, this is where the term comes from: we're holding your data for ransom. And the classic way that that manifested itself was what?

Prasanna Malaiyandi: They basically would encrypt your data and say, hey, if you want your data back, then pay us the money and we will give you the encryption key, so then you can go unencrypt your data and everything will be back to normal.

W. Curtis Preston: Yeah, it's interesting. They don't steal it, like in the old way of stealing your child to demand a ransom. They steal it right away from you, like right in front of you. It's like, here's your data, but you can't use it. You can't have it.

Prasanna Malaiyandi: But I think it's also one of those things where it's probably faster and easier for them, right? And maybe it's also less detectable, right? Because all of a sudden, if you're like, hey, why am I uploading, like, 10 terabytes today?

W. Curtis Preston: Exactly. Yeah. It's super easy and super fast to encrypt the data just enough that it's not useful to you. And so they're saying, we'll give you the keys, um, you know, and you can have your data back. That is a traditional ransomware attack. What was that?

Prasanna Malaiyandi: Hopefully we will give you the keys and you can recover your data.

W. Curtis Preston: Right, right. And the idea was that paying the ransom... you know, historically, paying the ransom was only a good idea if you had no backup of your data, or if your backup was such that it was going to take you so long in order to restore. When I think back to one of the most famous ransomware attacks in the last few years, the Colonial Pipeline attack, that one, as I understand it, was that they had a backup, right? But they didn't think they could get the backup recovered fast enough, and so they decided to pay the ransom. And, um, so they did both: they did recovery and they paid the ransom, which just seems fundamentally wrong. But historically, that was the only reason that you would pay the ransom: if you had no backup, or a backup that was not good enough, because the idea was that decrypting the data was faster than restoring it, right?

Prasanna Malaiyandi: Yep, yep.
Prasanna Malaiyandi: And that was worthwhile until, sort of, the ransomware actors... they had poor code quality, right? And so you're putting faith that you are going to pay the ransom and you're going to, going back to our classic example, right, you're gonna get back your kid.

W. Curtis Preston: Right. Yeah.

Prasanna Malaiyandi: Except sometimes these ransomware actors, they would write sort of bad code. And when they gave you back the key, like, how they actually did the encryption...

W. Curtis Preston: Right.

Prasanna Malaiyandi: ...very sound. And so, yeah, it would decrypt maybe some of the data, but it still wasn't usable. So that's like paying the ransom and they give back your kid's finger. Right. Or...

W. Curtis Preston: Yeah, right. Or...

Prasanna Malaiyandi: Right. Or they give, like, a doll of your kid back. Right. Or whatever it is. Right. But it's not what you originally had transacted for.

W. Curtis Preston: Here's some videos of your... while we had them kidnapped. You have to think about these organizations as very sophisticated businesses. This is not a script kiddie. This is not a random piece of software that you download off the internet. This is an organization that is trying to make money for other reasons, right? They want to do things. Sometimes they're state actors; sometimes they're just criminals that are just trying to make a lot of money. And you need to think about what they are going to focus on in terms of software quality. The thing they're gonna focus on is making sure that the data gets encrypted and making sure that you can't decrypt it without their help. They're not necessarily that focused on that second half, which is the decryption part. You could make some argument that maybe they want it to work because they want to have a reputation as an organization that does get the data back if you actually pay the ransom, but, you know...

Prasanna Malaiyandi: Yeah, or the other thing is it may not be very fast, right? So you might get all your data back, but it might take you a month.

W. Curtis Preston: Exactly. Exactly. Um, so go ahead.
Prasanna Malaiyandi: I know you talked about, uh, these organizations, right? By which you mean the ransomware actors, who are kind of well organized. I think the other thing to also mention is it's no longer just a single organization necessarily, right? You have ransomware as a service, where you have these people who have all these tools and capabilities and they provide it as a service, just like you might use AWS as a service to host your application. They provide all the infrastructure tooling for all these other organizations to now start, um, attacking other companies and also encrypting their data.

W. Curtis Preston: Right. Yeah. And actually I want to get into that in a little bit, um... and everything you said is correct. Um, let's talk a little bit about what ransomware is not.

Prasanna Malaiyandi: What is ransomware not, Curtis?

W. Curtis Preston: So, well, it's not just a piece of software that downloads and, you know, magic happens, right? Um, the process of getting infected with ransomware is actually a very manual process with many steps. And, uh, they are steps that are being manually driven by a human being somewhere else in the world. And the idea is that there is that initial access. There is, uh, that, you know, basically the initial breach, which could be via a number of mechanisms. It could be, uh, old-school phishing. It could be something that you download. Uh, it quite possibly will be something that you download, that you get via email, an attachment that you open that you shouldn't have. What was the thing you said?

Prasanna Malaiyandi: Yeah, it could be a zero-day exploit, right?

W. Curtis Preston: There are myriad ways that you can basically find yourself with a portal to the bad guys, right? So that's the first thing that has to happen: someone has to gain remote access, usually with escalated privileges, but not necessarily so. They might just have... you know, they might have simply leveraged stolen credentials. That's another thing. They leveraged stolen credentials and then you didn't have MFA on. You might have had a server that's got RDP enabled and it's, uh, open to the internet.

Prasanna Malaiyandi: Oh my Lord. RDP, the ransomware deployment protocol. Or you just have insecure systems that are internet-facing, right? How many people have, like, VMware ESXi, and then they automatically have it available on the internet, and boom.

W. Curtis Preston: Exactly. Yeah. So, like I said, there are myriad ways that a bad actor can be given initial access to one or more, uh, systems. Right. And there are... and this was, uh, basically, you referenced this earlier, is that there are companies, and again, the correct thing is to call them companies, right? There are companies who, this is what they do. They call them initial access brokers. This is all they do. They just get a foothold into an organization and then they say, hey, I've got a foothold into ABC company. Who wants that? And then they bid that on the, you know, on the dark web.

Prasanna Malaiyandi: It's just kind of scary when you think about it, right? Because it is a specialized role, right? That is all they do, day in and day out, is they try to figure out, how do I gain that initial foothold with all these various mechanisms that you talked about, Curtis, and then take that and now pass it on to the next person, right? And it's their job to now figure out, okay, now what can I do next?

W. Curtis Preston: Yeah, it's a very specialized world, right? Um, because there's sort of three phases. There's that initial access. There's a second phase, which is discovery and, uh, crawling around, trying to do lateral movement, trying to expand the footprint. And, um, then that third phase, which is the actual, we're going to go and encrypt everything, right? The... go ahead.
Prasanna Malaiyandi: And that second phase, right? Just to touch on it, right? Moving laterally and trying to figure out other things, right? They're trying to do all of this while staying undetected, right? Because the last thing you wanna do is give up that access that you paid for from the initial access broker, right? And so you wanna make sure you stay under the radar of the security team or whoever else is out there trying to prevent what you're trying to do.

W. Curtis Preston: Which is why one of the ways they do... well, I would say the way that they do that next phase is they use the same tools that you use, right? They're downloading cybersecurity tools that are designed to defend, but they use them to attack.

Prasanna Malaiyandi: Cobalt Strike is a common one.

W. Curtis Preston: Yeah. Cobalt Strike is definitely one of the, uh, most common ones. And, uh, there are a number of other tools that they download that don't initially set off alarms, because it's not like, hey, hacker tool dot exe; it's a tool that you would install. And so they install these tools and then they go and they crawl around your organization. And it can be very difficult to detect that once they have gained that foothold and once they're using the same tools that you might be using to poke around. And again, I'll go back to that initial access. This is why MFA is so important. Uh, there are a number of ways that they could get in, but MFA would be one of the ways that you would then stop... By the way, it does appear that the most common way that they get in is actually stolen credentials. Right. And, um, which is just really sad. Um, but it is what it is. Right. Yeah. Yeah. Um, and so I just... this is the thing. This is where... what ransomware is not. I just want people to understand that ransomware is not just one piece of software that you happen to accidentally download and then it affects your entire data center. That is absolutely what I used to think it was. Uh, it is a very sophisticated series of actions that are taken in series; there may be as many as a dozen pieces of software that are installed to effect the ultimate goal that the bad actor wants, uh, which of course is demanding the ransom.

Prasanna Malaiyandi: I do wonder, though. Yeah, I do. I agree with that, Curtis. I also wonder, though, if we should really think about sort of two segments, uh, victim segments, if you will. One is the enterprise, which I think a hundred percent, everything you said makes sense. I think, though, when you think about sort of the consumer side, I think it might be slightly different, because you aren't going to have all of this individual access, right? People spending time on grandma, trying to gain access to her laptop, right? I think in those cases it's probably more: find common vulnerabilities and whatever is the quickest and easiest way, and you just go as broad as you can, because their data may not be as sensitive and as valuable necessarily. Or the willingness to pay. Or the ability to pay.

W. Curtis Preston: I do think that consumer-based attacks probably are much closer to that initial, I download one piece of software and it grabs all my data and boom, right? And then tries to reach out to a command and control server. Uh, and then it's probably closer to that initial definition that we talked about, where it's just one single piece of software, because there really isn't anything else, uh, to get out there. But that's not necessarily our target market, so I wasn't really focusing on that. But, you know, from a company perspective, uh, you know, or any organization perspective, it's going to be a very complicated process, uh, and that could go on for months...

Prasanna Malaiyandi: I was actually gonna...

W. Curtis Preston: ...before you actually get a, you know, a big payload.

Prasanna Malaiyandi: Yeah. Yeah. Just, uh, I think if I go back and think about, and it's not ransomware, but just talking about this attack vector, because it is common in other places as well. If I think about, like, the SolarWinds attack, right? They were in their systems for months, right?

W. Curtis Preston: They were part of the... they were actually part of the supply chain, as I recall, right?

Prasanna Malaiyandi: Yeah. Yeah.

W. Curtis Preston: Depending on the size of the fish, right? There is a risk-reward, um, you know, a trade-off, right? The longer they can stay in undetected, the more exploration that they can do, the bigger the payoff. But the longer they stay in undetected, the greater the risk that they will eventually be detected before they can do the payoff. So there's a, you know, a big risk-reward there.

Prasanna Malaiyandi: Yeah.
Prasanna Malaiyandi:
W. Curtis Preston: Um, so the other and really important
Prasanna Malaiyandi:
thing, and this is why, um.
Prasanna Malaiyandi:
This is why some have changing the name of, uh, ransomware and that is that no
Prasanna Malaiyandi:
longer, um, is simply encrypting the data and then saying you can have it back if
Prasanna Malaiyandi:
you, uh, give us a ransomware no longer.
Prasanna Malaiyandi:
Is that the normal mo of the, the ransomware attackers?
Prasanna Malaiyandi:
What
Prasanna Malaiyandi:
is the normal mo.
Prasanna Malaiyandi:
Have evolved, or I would say devolved, but yeah, they have, they have evolved.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
So now they realize, okay, people have backups, they have other systems, right?
Prasanna Malaiyandi:
And so I would say before we get to sort of, okay, what is it really now,
Prasanna Malaiyandi:
right?
Prasanna Malaiyandi:
I think in between what they had started to do was really
Prasanna Malaiyandi:
attack those systems, right?
Prasanna Malaiyandi:
So it wasn't just encrypt your data,
Prasanna Malaiyandi:
W. Curtis Preston: Right.
Prasanna Malaiyandi:
But even locally it was like, Hey, now let's start
Prasanna Malaiyandi:
going after the backup systems, right?
Prasanna Malaiyandi:
Because if you can restore your data, then you don't need us, right?
Prasanna Malaiyandi:
You don't need the key.
Prasanna Malaiyandi:
W. Curtis Preston: Yeah,
Prasanna Malaiyandi:
that, that is a really good point.
Prasanna Malaiyandi:
That basically part of that sophisticated ex, you know, um, uh,
Prasanna Malaiyandi:
large attack, they are definitely going to go after the backup system.
Prasanna Malaiyandi:
They're trying to identify what your backup system, they know the
Prasanna Malaiyandi:
vulnerabilities of the different backup systems, and they then
Prasanna Malaiyandi:
go after those vulnerabilities.
Prasanna Malaiyandi:
And this is.
Prasanna Malaiyandi:
Why I talk about, and we'll talk later about changes that you should
Prasanna Malaiyandi:
be making to your backup system in order to protect from this.
Prasanna Malaiyandi:
This is part of the evolution of the, of these ransomware attackers, is
Prasanna Malaiyandi:
first all they had to do was encrypt.
Prasanna Malaiyandi:
And then they found out, uh, you know, and people would pay the ransom.
Prasanna Malaiyandi:
And then they found that some people had backup and recovery systems
Prasanna Malaiyandi:
and disaster recovery systems, and they were stopped, pay the ransom.
Prasanna Malaiyandi:
Well, they want people to pay the ransom.
Prasanna Malaiyandi:
And so they're like, well, what can we do next?
Prasanna Malaiyandi:
And so the next thing they decided to do was attack the backup systems.
Prasanna Malaiyandi:
I, I don't think that they listen to this podcast
Prasanna Malaiyandi:
or I've read your books, Curtis.
Prasanna Malaiyandi:
I'm just saying.
Prasanna Malaiyandi:
W. Curtis Preston: Yeah, I don't think so.
Prasanna Malaiyandi:
I don't think so.
Prasanna Malaiyandi:
They went after specific backup products that had specific vulnerabilities,
Prasanna Malaiyandi:
especially Windows based backup products, because Windows was the, you know, or
Prasanna Malaiyandi:
it continues to be the prop predominant
Prasanna Malaiyandi:
OS that they're attacking in a ransomware attack.
Prasanna Malaiyandi:
It's not the only one, but it is a predominant one.
Prasanna Malaiyandi:
So they went after backup systems that were based on Windows.
Prasanna Malaiyandi:
Also backup systems whose backups were all stored on disk.
Prasanna Malaiyandi:
'cause those backups are easy to, uh, delete and or encrypt.
Prasanna Malaiyandi:
Right?
Prasanna Malaiyandi:
Um, and.
Prasanna Malaiyandi:
The, and we'll, we'll talk more about things, but the idea is to,
Prasanna Malaiyandi:
with the backup system, the, the, the quick answer is to make sure
Prasanna Malaiyandi:
that your backup system isn't susceptible to those types of attacks.
Prasanna Malaiyandi:
We'll talk about that, uh, in another episode.
Prasanna Malaiyandi:
That could be an entire episode in and of itself.
Prasanna Malaiyandi:
W. Curtis Preston: Yeah, exactly.
Prasanna Malaiyandi:
Uh, so what, what happened next?
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
So then, okay, they went after a backup system.
Prasanna Malaiyandi:
Sometimes they were successful, sometimes they weren't.
Prasanna Malaiyandi:
But then they realized just like classic ransomware or classic kidnapping and
Prasanna Malaiyandi:
people paying ransom, they're like, Hey, if we actually take your data right.
Prasanna Malaiyandi:
Then now you don't have that option to be like, Hey, just
Prasanna Malaiyandi:
give me the encryption key.
Prasanna Malaiyandi:
You can actually blackmail people and say, by the way, if you don't want me
Prasanna Malaiyandi:
to release this information, pay up.
Prasanna Malaiyandi:
And it might be sensitive information like the Sony hack where they
Prasanna Malaiyandi:
exfiltrated a bunch of data and it was emails about studio, like what studio
Prasanna Malaiyandi:
executives were saying and all the rest things you don't want out in public.
Prasanna Malaiyandi:
W. Curtis Preston: Right.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
And, and it could be anything.
Prasanna Malaiyandi:
I, I think the Sony attack was the first one that I really remember.
Prasanna Malaiyandi:
Because it was basically impair, it was embarrassing data.
Prasanna Malaiyandi:
There are, um, others where it's like, listen, we have your 11 herbs and spices
Prasanna Malaiyandi:
and we're gonna release 'em to the public.
Prasanna Malaiyandi:
By the way, the 11 herbs and spices, I'm pretty sure have been
Prasanna Malaiyandi:
released, but not by KFC, but, but by other comp or other entities.
Prasanna Malaiyandi:
But you know, we have your company's trade secrets.
Prasanna Malaiyandi:
We may have, um, proof of you doing things that are actually crimes, right?
Prasanna Malaiyandi:
We, you know, um, you know, there are basically, we might have competitive
Prasanna Malaiyandi:
information that you don't want given to your closest competitor.
Prasanna Malaiyandi:
There are a number of things, and also I'd say the, the, the one
Prasanna Malaiyandi:
category of data that we haven't discussed is we have PII, right?
Prasanna Malaiyandi:
We have a whole bunch of names and credit card data.
Prasanna Malaiyandi:
That we're going to release if you don't pay the ransom.
Prasanna Malaiyandi:
I'd say the best example of that would be the Ashley Madison attack.
Prasanna Malaiyandi:
I don't remember if that was actually a ransomware attack, but that is an example
Prasanna Malaiyandi:
of the kind of thing I'm so Ashley mad.
Prasanna Malaiyandi:
So for those that you don't remember, and it's still around amazingly
Prasanna Malaiyandi:
enough, Ashley Madison is a website and an organization designed, uh, to
Prasanna Malaiyandi:
help people cheat on their spouses.
Prasanna Malaiyandi:
And they released a bunch of identities of people that were there.
Prasanna Malaiyandi:
There were a number of suicides that followed that, uh, particular incident.
Prasanna Malaiyandi:
So it could be personal information, it could be medical information.
Prasanna Malaiyandi:
Healthcare records of celebrities or even other folks that
Prasanna Malaiyandi:
could be detrimental if released publicly.
Prasanna Malaiyandi:
W. Curtis Preston: Right, right.
Prasanna Malaiyandi:
And, and put it into your company.
Prasanna Malaiyandi:
Amazingly, Ashley Madison, they released all that stuff and one of the things that
Prasanna Malaiyandi:
came out was that it turns out that all of the female subscribers were all fake,
Prasanna Malaiyandi:
and yet the company still runs.
Prasanna Malaiyandi:
The company is still out there and people are still paying memberships.
Prasanna Malaiyandi:
But, um, yeah, so that's, that is an important.
Prasanna Malaiyandi:
Change in how the, the ransomware folks are operating.
Prasanna Malaiyandi:
Uh, basically, this is why many people are now starting to call it extortionware
Prasanna Malaiyandi:
rather than just ransomware, because they're saying that we, we
Prasanna Malaiyandi:
literally have stolen your data and we are going to release it to the
Prasanna Malaiyandi:
public if you don't give us the ransom.
Prasanna Malaiyandi:
And here's my question.
Prasanna Malaiyandi:
Let's just say I've got the best, the absolute best.
Prasanna Malaiyandi:
Backup and disaster recovery system in the world.
Prasanna Malaiyandi:
I've got a button that I can press and five seconds later, my entire
Prasanna Malaiyandi:
environment is recovered without incident.
Prasanna Malaiyandi:
How well will that help me with an extortion attack?
Prasanna Malaiyandi:
It wouldn't
Prasanna Malaiyandi:
W. Curtis Preston: Not at
Prasanna Malaiyandi:
all.
Prasanna Malaiyandi:
That's the worst.
Prasanna Malaiyandi:
That's the worst part.
Prasanna Malaiyandi:
I this whole thing.
Prasanna Malaiyandi:
Well, and this is my problem.
Prasanna Malaiyandi:
I know we had talked about comparing classic ransomware to digital ransomware.
Prasanna Malaiyandi:
W. Curtis Preston: Mm-Hmm.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
In classic ransomware, you pay the ransom.
Prasanna Malaiyandi:
They may or may not return the person, but if they return the
Prasanna Malaiyandi:
person, you know you're good.
Prasanna Malaiyandi:
W. Curtis Preston: Right.
Prasanna Malaiyandi:
Prasanna Malaiyandi: In digital ransomware,
Prasanna Malaiyandi:
Even if you pay the ransom to give you back the encryption keys, they
Prasanna Malaiyandi:
still have that original data.
Prasanna Malaiyandi:
They could decide in a year, Hey, I'm gonna release this and embarrass you.
Prasanna Malaiyandi:
They could decide, Hey, I'm just gonna release
Prasanna Malaiyandi:
this anyway.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
And.
Prasanna Malaiyandi:
If there's no honor among thieves, right,
Prasanna Malaiyandi:
W. Curtis Preston: Right.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
How can you trust that they will do the right thing?
Prasanna Malaiyandi:
W. Curtis Preston: Yeah, you, you can, you can't, which is really why the only
Prasanna Malaiyandi:
defense to this type of ransomware is to not let it happen in the first place.
Prasanna Malaiyandi:
Which is why I think that people should be focusing a lot more on the
Prasanna Malaiyandi:
prevention of exfiltration, right?
Prasanna Malaiyandi:
Exfiltration is just a very fancy word for sucking the data
Prasanna Malaiyandi:
out of your company, right?
Prasanna Malaiyandi:
Um, and there are ways, there are ways to do that, but they are not.
Prasanna Malaiyandi:
Easy and they come with a lot of false positives, et cetera, et cetera.
Prasanna Malaiyandi:
So not everybody is that, um, hot on it.
Prasanna Malaiyandi:
And I just think it's something that we need to continue to work on.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
Or detection also,
Prasanna Malaiyandi:
right?
Prasanna Malaiyandi:
W. Curtis Preston: Yes, yes.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
Well, yeah, detecting it, detecting that you've got the ransomware detecting
Prasanna Malaiyandi:
that the exfiltration is happening.
Prasanna Malaiyandi:
Stopping the exfiltration, right?
Prasanna Malaiyandi:
Because a lot of the exfiltration is all sent to like the same place right there.
Prasanna Malaiyandi:
There's certain websites and things that, um, it's like, why are we
Prasanna Malaiyandi:
sending data to what is like mega sum?
Prasanna Malaiyandi:
And there's some big file sharing site.
Prasanna Malaiyandi:
Like you, you should block all access to all, like, file
Prasanna Malaiyandi:
sharing sites like that, right?
Prasanna Malaiyandi:
Um, and then if you, if you have a legitimate need for that.
Prasanna Malaiyandi:
Then, um, you open it up, but chances are you probably don't.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
W. Curtis Preston: Yeah.
Prasanna Malaiyandi:
Um, so that's just a brief overview of what ransomware is, what it isn't,
Prasanna Malaiyandi:
how it's evolved, uh, in terms, and by the way, just a final thing regarding
Prasanna Malaiyandi:
the whole exfiltration thing, talk, talking about part two and part three.
Prasanna Malaiyandi:
Not only have they gone directly attacking the backup systems in order to.
Prasanna Malaiyandi:
Basically take them out of the war.
Prasanna Malaiyandi:
The, that's not what I, that's not what I meant to take them, to take to, to take
Prasanna Malaiyandi:
them away from you as a weapon in the war.
Prasanna Malaiyandi:
I, I don't know, I'm mixing metaphors here, but they're also, they've discovered
Prasanna Malaiyandi:
that it is a source for exfiltration.
Prasanna Malaiyandi:
So if they can gain, uh, unrestricted access to the backup
Prasanna Malaiyandi:
system, then um, they can do that.
Prasanna Malaiyandi:
And by the way, if, if you, if you're.
Prasanna Malaiyandi:
This is your first episode.
Prasanna Malaiyandi:
You really should go back a couple episodes and listen to that episode
Prasanna Malaiyandi:
with Dwayne Lalo, uh, where, where it's talking about a red team person, and
Prasanna Malaiyandi:
he talked about just how great it is if you can gain access to a backup system.
Prasanna Malaiyandi:
He, he was like, I love backup systems.
Prasanna Malaiyandi:
Right.
Prasanna Malaiyandi:
Yeah, that was a great episode.
Prasanna Malaiyandi:
Any final thoughts?
Prasanna Malaiyandi:
No, I think, yeah, we covered sort of what's ransomware,
Prasanna Malaiyandi:
what isn't, and yeah, like you said, Curtis, at the beginning I was also
Prasanna Malaiyandi:
thinking, oh, it's just software installed that someone drops onto your system.
Prasanna Malaiyandi:
But really it's this lengthy process that happens in order to
Prasanna Malaiyandi:
be able to gain that foothold.
Prasanna Malaiyandi:
And so,
Prasanna Malaiyandi:
W. Curtis Preston: Yeah.
Prasanna Malaiyandi:
And I, and I, I do think that maybe that's the way it's,
Prasanna Malaiyandi:
that's the way it started, right?
Prasanna Malaiyandi:
It was an initial piece of software that you just happened to download
Prasanna Malaiyandi:
and it would encrypt your data, boom.
Prasanna Malaiyandi:
And then, and then, and reach out to the person so that they could, uh, do that.
Prasanna Malaiyandi:
But that's not going to work in a large organization, right?
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
W. Curtis Preston: So they, so their attack evolved as well, right?
Prasanna Malaiyandi:
So they've evolved over the time to go after a bigger, bigger, and bigger fish.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
Well, and I think also that a lot of the security infrastructure has
Prasanna Malaiyandi:
also evolved, and so the ransomware attackers are also evolving.
Prasanna Malaiyandi:
In turn, it's like a cat and mouse game.
Prasanna Malaiyandi:
W. Curtis Preston: Exactly.
Prasanna Malaiyandi:
Um, and, and you know, you have to be right all the time.
Prasanna Malaiyandi:
They only have to be right once, unfortunately.
Prasanna Malaiyandi:
All right.
Prasanna Malaiyandi:
Well thanks for having a chat.
Prasanna Malaiyandi:
Yeah.
Prasanna Malaiyandi:
It was good.
Prasanna Malaiyandi:
I enjoy these.
Prasanna Malaiyandi:
I'm excited for this new series.
Prasanna Malaiyandi:
I.
Prasanna Malaiyandi:
W. Curtis Preston: Yeah, me too.
Prasanna Malaiyandi:
Thanks to our listeners, uh, we'd be nothing without you.
Prasanna Malaiyandi:
Make sure to subscribe so that you don't miss an episode.
Prasanna Malaiyandi:
That is a wrap.
Prasanna Malaiyandi:
The Backup Wrap-Up is written, recorded, and produced by me, W. Curtis Preston.
Prasanna Malaiyandi:
If you need backup or DR
Prasanna Malaiyandi:
consulting, content generation, or expert witness work,
Prasanna Malaiyandi:
check out backupcentral.com.
Prasanna Malaiyandi:
You can also find links to my O'Reilly books on the same website.
Prasanna Malaiyandi:
Remember, this is an independent podcast and any opinions that you
Prasanna Malaiyandi:
hear are those of the speaker
Prasanna Malaiyandi:
and not necessarily those of an employer.
Prasanna Malaiyandi:
Thanks for listening.