A Brief History of Ransomware

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we take a trip down memory lane with Dr. Mike

Saylor, my co-author on learning ransomware response and recovery.

We're talking about a brief history.

Of ransomware from the AIDS Trojan in 1989 to today's sophisticated

double extortion attacks.

You'll hear how ransomware has developed into a multi-billion

dollar criminal enterprise and what changes made that possible.

To know where we are, we need to know how we got here.

Let's listen to a brief history of ransomware.

By the way, if you don't know my history, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss that there were no backups of the production

database that we just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into cyber recovery heroes.

This is the backup wrap up.

Welcome to the backup wrap up.

I'm your host, w Curtis Preston.

And with me, as always is my co-host Goldilocks Prasanna

Malaiyandi, how's it going?

It's been a while since I've heard that name.

I'm good, Curtis.

I'm good.

You clearly haven't been going out with our f common friend enough.

Yes, I

have

likes, that, likes to call you that name.

Um, and uh, then we have the opposite of Goldilocks.

We have over here,

No locks.

the, the no no locks.

I like it.

My co-author on the book, learning Ransomware Response and Recovery.

How's it going?

it's going well guys.

Thanks for having me.

So this is this gonna be one of those episodes where, you know,

the two guys with gray hair and the one guy with, with some gray hair.

We're gonna, we're gonna do a little, we're gonna be, do a little bit like

back in the day, you know, when we talk about, uh, ransomware, uh, I, I, I'll

start, you know, we're talking about the evolution of ransomware and I, and I'll

actually go back to my first memory of.

Of a ransomware incident, and it's actually my dad called me that, uh,

a, a business partner of his had had his computer encrypted and they were

asking for, it was, as I recall, back in the day, like one Bitcoin was like.

Like it was under $500 or something, and, and it was under a number

that if it went over that, that it triggered some laws or whatever.

That that's what I remember.

And so he, he had this situation and I remember asking if, if his

friend, you know, had any backups of this computer that had been

taken, and, uh, the answer was no.

Right.

He had, and, and of course, you know, I'm like, I'm like, you're killing me.

Right?

Um, I I, I hate it.

I'm sure you, you have the same thing, Mike, when you're, when you know, we,

we've talked about it in the past, that you get most of your phone calls.

Uh, post facto, right?

Like you, you know, it's like, I've, I've been attacked.

Please help.

And you're like, well, crap.

Did you have any defenses whatsoever?

And the answer is no.

Uh, you know, it, it's a lot better to, to do things in

advance, but, uh, let's go back.

A lot of people seem to think that.

The very first, uh, ransomware was this, uh, this thing called

the AIDS Trojan back in 1989.

Do you, do you agree with that?

Um, that's, that's kind of the first formal attack.

There's, there's probably others that, you know, somebody trying to do something

and it turned out to be, you know, X, Y, Z. But yeah, that's the, that's

probably the, the, the first, uh, large.

Ransomware attack

Yeah.

And that sounds like a really long time ago.

1989. I mean, I was, I was still in college.

Persona

How, how I, I wanna know how much data they

school.

how much data was that back in the days?

Because back then it wasn't like a hundred megabytes.

A lot of

Well, yeah.

This was like one, 1.5 megabytes per per dish.

Um, oh, right, right.

Yeah.

'cause it was on a floppy, it was actually Dr.

Joseph Pop.

Um, yeah.

Um, and it didn't scale.

There wasn't, there was, there was no crypto, there was no internet.

Right.

Uh, so it was very different than what we have today.

Um, and then there's the big growth era that, um, you know, from the eighties

to the, to the mid two thousands.

Uh, how do you think it sort of evolved past, past that initial.

Well, there, there are several, uh, kind of branches off of, uh, malware

that happened, uh, during this period, probably closer to the, the two thousands.

Uh, but I won't, I won't, uh, I won't miss an opportunity to

reference the late 19 hundreds, uh,

uh, the late 19 hundreds was, you know, it was kind of the wild west, uh, from a,

a security perspective because, uh, from.

On, on the professional side, a lot of technology people, a lot of it people,

we were so focused on building and maintaining, uh, with, with really

very little understanding of how bad guys are actually attacking us.

Like how did that actually happen?

How, and then there was no end user training or awareness.

It was just acceptable use.

And you signed something when you, when you started working here,

that you wouldn't use computers for evil, but people still did.

Um.

I mean, I, I remember walking into a data center and there's a guy in

there with a computer making, uh, um.

Satellite cards, clone satellite cards.

He was selling 'em out the back door, like in the middle of the data center.

And he is like, what?

Uh, and I'm like, well, you're not supposed one, it's illegal.

Uh, and two, you're using company property to do that.

But at the same time, bad guys were starting to realize that, um, when,

when you've got these low end criminals, they're looking for the tools.

Well, what if I infected the tool?

And then that got downloaded to the criminal and then it got dispersed

through the criminal enterprise, and now I've got, you know, it was just a, it

was like a. Uh, multi-level marketing, uh, without the inquiry recruitment.

Um, and then you get into the two thousands and technology starts to evolve.

Computers are getting, you know, beefier and faster, and, uh, Internet's getting

faster, which is really what hindered a lot of bad guy, you know, bad guy

activity back in the day is the dial up.

They're like, well, you can't do much.

Uh, but now with, with the, the, the, the broadband and, uh, even fiber, um.

Uh, overseas, uh, bad guys are doing a lot more because the capabilities there that

the, the hardware, the, the horsepower, the, the bandwidth, it's all there.

Um, and then the tools are getting better and really they're just stealing from it.

Operations tools, you know, the.

The, the companies are putting out tools to help us do our, our real job better.

You know, uh, manage a network, troubleshoot a network, and the

bad guys are like, oh, those are great reconnaissance tools.

Those are great deployment tools.

You know, if I can find the, the Microsoft server that disperses patches and I

just put my malware on that, then it'll, you know, I can disperse my malware.

Uh, so.

That's a consistent thing that I, that I learned about with you, with

the book, is that, that consistently tools that have a good use, right.

Uh, were then misused

sure.

bad, right?

Yeah.

Uh, does, does Crypto Locker fit into that?

Because I know that was a big change.

Um, or was CryptoLocker always a, a bad, a bad

Yeah, I, I think just the name, uh, crypto Locker.

Even if it was intended to be good, they should have picked a different name.

Uh, it sounds bad, but No, it was, it was always bad.

yeah.

I think maybe one of the tools you're thinking about Curtis,

that I've seen is like, I think, Mike, you probably know Cobalt

Strike, I think is.

The one that's commonly used for deploying and detecting.

But Mike, one other question.

I know you talked about sort of

computers getting beefier and faster, the internet and broadband.

Is there also anything like that you saw around that time as companies

start to produce more data?

Everything started to sort of become online rather than having

paper records and other things.

Things started to become more collaborative in nature with the

technologies and other pieces there that maybe might have started to lead

to more ransomware attacks and other

Sure.

And, and what's scary about really good, bad guys is they do their analysis on how.

Companies and their employees are using technology.

So if you really look and, and do an analysis like today of, of the average

employee or computer user, and then you, you design your attack, uh, strategy

around that higher percentage of success.

So taking, taking your question back to the late 19 hundreds, uh, it was,

it was centralized computing, right?

So it was client server, you know, we, maybe we had a dumb terminal,

but all the data was centralized and we could protect that.

We could do better at protecting that.

And then as hardware, uh, became more, uh, affordable, so now I can put a,

a, like a, a, a thick, what we call a thick client or a a, a desktop, right?

It's got a hard drive and.

Everything I need, I can put it on your desk.

Well that became decentralized computing because now you know, Bob and accounting

is saving stuff on Bob and Accounting's computer, not necessarily the server.

And that that was because network bandwidth.

So we're using a token ring or old coax and it's, man, it takes forever to

load that file when it's on the server.

I'm just gonna keep it here on my desktop.

Right.

So it's not getting backed up probably.

Uh, and it's not where it needs to be.

Well then bad guys doing that analysis are like, well, I'm gonna stop

attacking the network and the server.

I'm gonna start attacking these end user computers.

And that's where a lot of these like floppy drive and email, uh, um, uh,

driven attacks came from is because bad guys understood that that's

where the valuable stuff in the, in the higher likelihood of success.

Alright, well now we've got laptops and mobile phones.

Well, bad guys were like, well, I don't even have to attack the company anymore.

I just need to figure out where this dude lives and hack his wireless,

or steal his phone out of his car, or, you know, borrow his laptop or,

you know, or, or, or infect the kid.

You know, the kids use their, the parents' computers too, so I just

need to get the kid to go to a website to download some stuff.

And so, I mean, there's any number of tactics and strategy.

Once bad guys really, uh, uh, understand how their targets use technology.

So I think what I think what happened there, there were two things that happened

in the, the early two thousands, right?

Uh, so we have the, the invention of Bitcoin right?

In 2008.

And we have the invention of, uh, CryptoLocker in 2013.

And do you want to explain how those two really together,

uh, I think poured ga poured.

Gas on this

fire?

Is That the analogy I was looking

That's a good one.

And it, and boy, it became a fire.

So, uh, Bitcoin and, and, and really any, any, any of any of that, that,

uh, anonymizing technology that, that happened in the, in the, probably 2010

is when it probably got really popular.

Um.

Well, you know, I mentioned, I've mentioned in previous, uh, conversations

that bad guys are kind of risk averse.

You know, these types of criminals are not the ones that are gonna

walk into a gas station and rob them at point blank, right?

With a gun.

They're, that's not the kind of criminal they are.

They're, they sit behind a keyboard thinking I'm protected

or, or at least disconnected from this crime to some degree.

So there's a mentality around that and wow, now, now you're telling

me I can, I can get paid kind of anonymously and nobody can track it.

And initially you couldn't, uh, there wasn't real good understanding of

even how this whole, you know, Bitcoin and, uh, cryptocurrency worked, uh,

especially from a law like getting law enforcement to understand that at the

time, good luck and so bad guys were like, I'm, I'm gonna start charging.

You know, uh, holding ransom with Bitcoin or, um, you know, leveraging extortion,

uh, you know, uh, attacks with Bitcoin and I can get paid and spend Bitcoin,

uh, with some level of anonymity.

And so, yeah, that, that was, uh, that was probably a, a one of the

bigger, uh, advents of, of hacker or bad guy, uh, um, evolution.

That, that, that probably sparked a good spike in the.

And, and what role, what role did, uh, crypto Locker pay in

So Crypto Locker was, uh, kind of the, the,

I.

the foundation for a lot of the attacks that bad guys are lazy.

So, I'm gonna take, I'm gonna take this, this framework,

and I'm just gonna tweak it.

In a lot of cases, what we saw was, you know, a attack, a used, you know, crypto

locker plus maybe some other stuff.

And, and it was hard coded with, you know, my, my, uh.

Uh, my, my crypto wallet, uh, you know, all the, all the financial,

like, you just need to click here and it pays and it's all hard coded.

Alright?

And, and then that, that developed a signature.

So antivirus, anti antivirus at the time, they didn't really have

anti malware back then, but, so now there's a signature for that.

But if I take that exact same payload and I just tweak it, and that

tweak could just be changing the.

The Bitcoin wallet, uh, and, and the email address, and I'm just gonna use

what you used and deploy it as my own.

But now it's got its own signature, so I'm gonna get past the

antivirus for at least a week.

Um, but yeah, that became the, the foundation, uh, upon which, uh, an

entire ransomware, um, empire was built.

It.

It's almost a little like script kitties.

Right, where you just take something, you copy it, you tweak it, you use it, but

you don't really fully understand what's going on, or it's not anything unique

from

You know, that that was some of it, but then, you know, that there were, there

were threat actors that built entire, like criminal enterprises around this.

Uh, so I mean, and, and what I, I truly mean, they've got HR and marketing and

sales and tech support and engineers.

And I mean, some of these, some of these groups are, you know,

50 plus employees, uh, and they think they're doing a normal job.

They just come to work and do accounting.

They don't know where the money's necessarily coming from.

Uh, and, or maybe in some cases they're working for a, a criminal organization.

And then I think the next phase, uh, is when we start seeing

nation states get involved, right?

Um, and we start seeing tools like WannaCry and not Petia.

Do you want to talk a little bit about that sort of era and then,

and then I think right after that is sort of our current era,

but what, what happened in that

Well, um, probably starting about the same time that, that Bitcoin became popular.

Um.

Uh, pretty much every cri uh, criminal enterprise, even, you know, drug cartels,

uh, white collar crime, espionage, all those, uh, started to see the value in

understanding and, and conducting cyber, uh, crime as a, either as, uh, uh, an

alternate source of income, another threat of income, or a way of facilitating

Side gig.

Right.

Um, and so what we see in, in the evolution of that, and because a lot of

organized crime is tied into, uh, state crime, uh, so, um, uh, nation state

governments, um, and, and there really aren't very many that are excluded from,

from this, but as, as organized crime gets more involved with cyber crime, the nation

states also become more interested and.

A lot of those, um, suspect nation states, they conduct their own

cyber crime illegitimate campaigns as well.

And well, what, what?

For, for reasons.

Uh, is it for reasons other than state interests or is it just

like, is it you, you understand what I'm saying?

Right.

Are they doing this to further the.

The aims of the country, or is this just

Well sometimes it, and, and this goes into geopolitics.

So company A, country A may affect, uh, a cyber incident in country B for

the benefit of country D. So that.

Hmm.

It somehow manipulates a relationship with Country D over maybe a deal

or some other political thing.

So, I mean, it's just another, it's another strategy in their chess game.

Uh,

But was, is

this any different though, Mike, than previously?

Like, I'm sure even before this time period that we're talking about,

there were probably nation states that were attacking other nation

states at a technology level, and so is what really changed here is

it became more prevalent and more destructive, I would say, and more

So destructive is, is just a, uh, that's an outcome.

So, and that depends on, on the campaign, a lot of cyber from

a nation state perspective is, is all intelligence gathered?

Uh, and so, uh, with intelligence, the moment you take action

on it, you, you lose that.

It is no longer intelligence.

Right?

Um, and if, if you affect damage, uh, while you're collecting intelligence, then

you're cut off from future collection.

Now, there, there are always, uh, uh, opportunities to determine,

well, there, there's no, uh, there's no future value in this.

So now I, I can, um, you know, be destructive.

Uh, and, and we saw that with, uh.

With the Iranian, uh, centrifuges back in the day.

Um, but for sure, uh, nation states have always, uh, looked for ways of collecting

intelligence and cyber in cyber crime and cyber crime through, uh, organized crime.

Uh, it's been a, a, a significant evolution of that.

Um, an example, so in the US we got pretty, um.

I pretty good at identifying nation state attacks from China.

And so as an IT practitioner, I can go, well, that, that

looks like traffic from China.

We're not gonna, we're not gonna allow that.

Uh, so we, we develop firewall rules.

We block traffic.

We don't buy hardware from China.

We don't subscribe to software from China, right?

So we we're getting better at that.

Well, then what China did was hire a bunch of domestic.

Organized crime, uh, you know, gangs and, and, and bad guys.

And they taught those guys how to be hackers and they funded

them and gave them tools and now they're attacking us domestically.

And well, we can't block everything domestically, so our

effectiveness has gone down.

Um, and then if you look at.

You know, North Korea actually getting people hired within an organization.

Well you now you've given them access.

They don't have to, they don't have to hack or do, I mean,

they're, they're sitting at a desk with access you gave them.

Uh, and so now they're a true insider threat.

Um, so all of that is

Yeah.

and, now they can deploy ransomware from their desk and then just walk

out and hop on a plane and go home.

Right?

You, you touched on something there, Mike, that that comes up.

It's come up a lot on the pod, and that is this, this idea

of the, the insider threat.

Right?

Um, and I, I talk a lot about insider threats, both from a. From a rogue

admin who is, is just, he's just pissed off or he's, he's financially

incentivized to do something.

Or like in this case, you're talking about literally they are a plant.

And I've had at least a handful of people who suggest that I am

crying wolf, that I am exaggerating that this is just the boogeyman.

Uh, and it's just, uh, I, I use it as a way to scare

people into doing good backups.

What do you think about that?

Uh, it's, it's not the boogeyman and I think it happens more often

than, than we, we hear about.

Uh, I think one of the most recent significant ones I've heard about

is, uh, I can't remember if it was SpaceX or or Tesla, but it was one

of Elon, Elon Musk's, uh, companies, bad guys, actually propositioned an

employee to help them deploy malware in that environment in exchange for

a percentage of the ransom wells.

Well, that's huge and.

There are any number of ways to identify that target.

It's no different than than intelligence targeting.

If I'm gonna go to, you know, some foreign country and try to get an

important person to become an asset for me to, you know, be a double agent or

an agent of mine, I'm gonna do homework.

Uh, and, and we've done this to some degree in, in our services,

out to clients, uh, when, when we try to determine, uh.

The, the effectiveness of security training for employees.

Uh, if I'm gonna target a facility, you know, maybe I do, you know, some

open source intelligence, all the, of all the employees that work there.

And I find the one that's, you know, getting divorced, he's got bad credit,

um, maybe he had an accident recently and he's got some medical bills.

Well, I'm gonna offer that guy some money in exchange for helping me out.

And I can tell you 100% of the time that we've done that, uh,

they've accepted the money.

Interesting.

Yeah, it, uh, again, that reminds me, uh, when I worked at the bank

back, back in, back in the eighties.

Um, and, uh, no, I guess technically that was the early nineties.

Not in the eighties.

In the eighties I was still in high school.

Um, but.

I, we, we, we would do, you know.

Employee orientation and, and regular cyber train, you know,

ear early cyber training.

It wasn't really cyber training, just information security training.

Right.

And one of the things that we consistently told people repeatedly,

no one from us will ever, ever, ever call you and ask you for your password.

Right.

And if it is, it's, it's a bad guy.

Right.

And then we would then next week call them and ask them for their password and, um.

The percentage of people that would give us their password was was was

way higher than we would've liked.

My, my favorite one was I walked around an environment and I, I went to, to FedEx

Kinko's, and I printed out some little postcards that said, uh, uh, update,

you know, it had some graphics on it.

Update our new help desk phone number.

Is, you know, whatever this phone number is, uh, call us with any, any tech

support needs, or if you need, you know, the printer needs paper or whatever.

Here's the new phone number.

And we, we walked, we piggybacked into an environment and we put those pa,

those postcards on everybody's desks.

The very next day we called them and said, Hey, this is, you know,

this is Mike from Tech Support.

We're having issues with your account.

I need you to reset your password, uh, and I can help you with that over the phone.

They're like, I'm not.

Giving you that.

I'm like, so that was one.

Well, then we did have some people calling us and when they called us,

we would ask for their credentials.

And they're like, I'm not giving, I was told not to give you that.

And we're like, Hey, you called us.

You called me.

Right.

So yeah, there's, there's a lot of different ways to game that.

Yeah.

So let's talk about sort of where we are now.

Um, and the, I I think there's sort of two big things, right?

Which we talk about ransomware as a service, which, you

know, Raz, RAAS, right?

Uh, you want to talk about that, and then also.

What double extortion is and how that's become kind of, uh, the SOP at this

Yeah, so ransomware as a service is, is just a business.

Um, so, you know, it's like a, a franchise.

Uh, and so you can buy into ransomware as a service.

Uh, as, as an entrepreneur, you don't really have to be technical at all.

Uh, you just have to be careful.

Uh, that, you know, you're not, you know, the first time you get

a, a good check, you're not buying flashy cars in, in a brand new house,

uh, while you're on unemployment.

Um, so there's ransomware as a service.

Uh, you know, bad guys set that up so that they just get a piece of it.

Uh, but really it's you, uh, taking all the risk, uh, and, and getting the money.

So, um, anybody can do that.

You let me, let me, let me ask you make sure, go ahead.

We'll go ahead.

Persona.

Why Mike, just that last sentence, you part, you said, right where it's

the bad guys take a cut, but you take

on all the risk.

How?

How is like, I'm assuming that the ransomware as a service

guys offer the service.

They have all the infrastructure.

They have all the connections, they are doing everything.

Why is it you as the entrepreneur who ends up taking that

So the way that works is, so let, let's give a real world example.

So let's, let's say you wanna start a lemonade stand, but you don't know

how to make lemonade or build a stand.

Uh, so,

Are you

so, so,

Or you

don't know what water is, but

a lemonade stand as a service.

So I paid Curtis $10,000.

And Curtis builds me a lemonade stand and makes me a lemonade and sets up

a bank account for me and puts it all out of the curb and says, good luck.

And then he's, he's done.

He washes his hands of it.

He's made his money, he made his 10 grand.

Whatever you make off of your l your, your lemonade stand is all

yours, but it's all connected to you.

You're standing there, it's your bank account, right?

Uh, and so everything after Curtis is setting all that

up for you, it's all on you.

But isn't ransomware as a certain, sorry, just walking through what

you had said, but they still have all the infrastructure, everything

else that

They set it all up for you.

They, they?

Okay.

And then they hand off and

I actually, I'm really glad you you, because I just assumed that when you

did ransomware as a service, you, so you're saying they're literally

setting up a ransomware system for

and control.

to use.

Configuring the, the ransomware talking to you about how you want this to work.

Do you want it just to infect and encrypt and, you know,

pray that they pay the ransom?

Do you want double extortion with a, a website set up?

You know, there's, there's all these different packages,

uh, that you could buy.

Uh, some of 'em come with postcards.

Uh.

that, that's actually now I'm actually really, I I had always

assumed it was like it was different.

I thought

that that's, I thought the same

yeah.

So, so this really is very similar to, I'm gonna say Microsoft 365, so

that they, they set this thing up for you than what you do with it is

up to you.

Right.

They, they know how to set it up.

They know how to configure it and, and put it together, but then you

are going to use it to do bad things.

a degree.

I mean, you don't, you don't typically interact with it after,

so they're gonna set it up.

You know, they're, they're gonna populate the tool with a million

email addresses or a target list.

Uh, they're gonna design the payload, they're gonna help

you set up your Bitcoin wallet.

Uh, they're gonna rent the server and they're gonna tell you when,

when, and how to push the button.

And that's it.

You don't, you don't get in there and change anything.

You're not logging into anything.

You're just sitting back waiting, you know, looking at your Bitcoin

wallet to see when money hits.

That's it.

And what, what are you, what are you providing?

Are you literally just giving them money or are you saying,

Hey, here's a list of people

that I,

fundamentally, it's just money.

But you can, you can work with them to customize your attack.

Yep.

Could be a former employer, but that hasn't disabled your access yet.

'cause that happens a lot.

Um, it could be some political group that you don't like.

It could be a whole country, it could be a whole industry.

Uh, or you could just say, I'm leaving it up to you guys as

the expert to target whoever you think is gonna make me some money.

But then like all the infrastructure that spun up.

All the setup, that's sort of You

own it

You own it, but you really don't touch it.

Yeah, yeah, exactly.

Okay.

It's all tied to your Bitcoin wallet and,

And that's why you say, because it's tied to your Bitcoin wallet, that's why you say

you're taking the risk.

So if, if somebody figures out, uh,

you

how to cover their tracks.

You know, they're gonna, they're gonna rent a server that accesses another

rental server, that accesses another rent server to help set up your command and

control server, which is also rented.

And, and all those things only have a life of, you know, 72 hours to, to a week.

Um, and that's how long you're, you're paying for, you know, you,

however much money you pay in is, you know, gives you a period of time

to collect as much money as you can.

So

they're more like infra,

Go ahead.

they're more like infrastructure expertise.

Yep.

So they know how to, and it's all, you know, it's all virtual infrastructure.

Yep.

Yeah.

And what percentage of do you think modern attacks are using

that type of idea versus set?

Just running your

own

gonna, I'm gonna create some buckets again.

So one bucket is the entrepreneur that's doing ransomware as a service as business.

And the other bucket is other criminal actors that are using ransomware

as a service, as a component of their criminal enterprise.

So you've got real criminals that are doing other stuff, and nation state actors

are good at this because they'll use ransomware infections as a distraction.

Right?

So I'm gonna infect.

A Department of Defense contractor with ransomware if I can.

And while they're focusing on recovering from this ransomware,

we're gonna do this other attack.

So they don't really care about the ransomware or if you pay a ransomware

or not, they're just using it so that you're not focused on something else.

That, uh, denial of service attacks were, we're used that way in the past.

Now you were there, there were two

The buck, the bucket one was the entrepreneur.

And bucket

Oh, right, okay.

Yep, yep.

Got it.

you know, uh, sophisticated threat, threat actor that's using it as a,

In term in terms of number of attacks or percentages of attacks, how do you

see that splitting between those two

uh, the, the entrepreneur is much smaller.

Uh, very few and far between of people that just wanna push

a button to make some money.

'cause if you understood the risk.

For the record, I wanna push a button and make some money, but I

just don't want to, I don't want to break crimes or I don't want to do

Break the law.

Yeah.

doing that.

Um, anyway, um, so let's talk about what double extortion is and what, you know,

why, why did it happen in the first place?

Uh, and then, you know, and, and.

You know, what does it mean to, to a, a, a victim,

So the, the double extortion, um, tactics started to evolve as more and

more victims stopped paying the ransom.

Or stopped communicating with the threat actor to begin with.

So, uh, there are some threat actors that your ransomware note says You

have, you know, two days to reach out to us before we post your information

on our wall of shame or whatever.

So you've got a couple of days to go, Hey, I, I realize you got me, uh, what's next?

And then you can draw that out and, and, uh, a negotiator will help you draw that

out till you figure out what to do and, and have some, some time to respond.

Um, but.

Uh, in the evolution of ransomware in this, in this, uh, in this

particular crime, uh, a lot of people were like, so what?

You, you encrypted my, my computer?

I've got a backup, or, it wasn't anything important, so I don't care.

Um, well, now you're, you, you, you might get a subsequent email that says,

but I got all your photos, uh, photos of you and your girlfriend, or photos of.

You know, you and on that vacation with somebody else, or you know

what, whatever else I can do to try and, you know, turn the screws to

try and get you to pay something.

So maybe it was, maybe it was a thousand dollars ransom and you

weren't gonna pay that, but will you pay, you know, $300, $300?

So I don't release this data.

Um, and that's actually gotten worse too because now I can use AI to

manipulate photos I took from your computer to make it look like anything.

And so that's, you know, unfortunately that's kind of what's been going on

with, with kids thinking their, their, their life is over 'cause someone's

got some manipulated picture of them.

But, uh, that's where, that's where it started.

I'm not gonna pay the ransom.

Oh, well, will you pay me something so that I don't release

this information to the public?

Do you know if bad actors have some sort of automation or tools?

Because I'm sure there are these huge troves of data that they've

exfiltrated from all these

various victims, and to go through it piece by piece may

be complicated and time cons.

And so are you aware of any tools or other things to sort of sort filter

Well, ai, AI for sure will do that today, but in the past, uh, they

were just scripts like, you know, using, using Python or PowerShell

or even before PowerShell, um, you know, like some c plus.

Uh, scripts.

Uh, so, and, and you make a good point, and sometimes that

double extortion is, is flipped.

So they will, they will, in some cases, uh, exfil data to determine whether

or not you're even a valuable target.

Uh, right.

And then, and then

Hmm.

encrypt you and then determine if, if, if data they've got of any value, but.

through that phase at a time.

And this, you know, we, we talked about the five phases in, in another episode,

but when, when they exfil data, when they, when it calls home and says, here

was what I found, to your point, uh, if they found a lot, it could take some time.

And we did, we did an incident response once where.

Uh, it was a company that does, uh, surveys, right?

So you sign up and say, I wanna do surveys and free surveys.

You do, you earn points, and then with the points you earn, you can

buy gift cards and things like that.

So that's your participation in the survey thing.

Well, so bad guys, uh, were able to compromise the laptop of a marketing

person that worked for the survey company.

That marketing person's job is to go out to big companies like Pepsi and

Coke and Frito-Lay and go, Hey, uh.

We can do surveys to, to help you develop your new product or change your

marketing or your, your advertising, uh, or, or the way that product looks.

And so when I do that, uh, and the company says, great, I wanna, I wanna participate.

Well, here's a, here's a an FTP site where you upload your, your marketing material.

And then we take that and embed it in surveys.

And then those surveys go out to a million people, bad guy,

compromised marketing guy's laptop.

And he maintained access to that for almost seven months, like six,

a little over six months until he understood what he had access to.

Well then, given what he understood, he crafted his attack by using laptops

access to the FTP site, waiting for, let's just say, Pepsi, to upload

graphics and files, and then infecting those files so that they went and

got embedded in a million surveys.

And then, so, yeah.

Uh, so it, it, it's all, it, it all depends on, uh, the threat actor,

um, the, the target, the victim, and the data that, and, and even, um, we

call it business process compromise.

So the bad guys are in your environment enough or in your

system enough to understand.

How things work and the value of access that you've given them.

So they've, they've compromised your process in order to inject

themselves, uh, into that process for the success of their, their attack.

Like if they, if these people weren't evil, I'd be like, they sound amazing.

Because half the time people in companies don't understand

their own business processes

and the fact that you have these criminals tearing it apart

Now.

Now granted, I mean, if you were able to, to work from home in your underwear and

eat pizza, kick back on your, in your lazy chair, and you know your laptop's in your

lap and you're just like, you know what?

I'm gonna take a nap.

I may work a little later.

I'll work tonight.

I'll work tomorrow.

And the incentive is, I made a million dollars.

Right?

So that's, that's why there's their, their incentives, their, uh, their,

their mentality is a lot different than your traditional, uh, employee.

So let me, and about this final phase here where there is a

significant amount of exfiltration happening and then double extortion.

What do you think about comments that.

I think we got some of them when we were, uh, tech editing the book.

And I, I get them occasionally online, and that is, well since, you know, since

uh, most of the ransomware attacks now have exfiltration as part of it, you know,

what's even the point of, of having a good backup and DR system if they're, if you're

ultimately gonna end up paying the ransom anyway, uh, because of double extortion.

What do you think about that idea?

Uh, I think it's, that's probably the wrong, uh, the

wrong mindset, uh, to start with.

Uh.

If you don't have good backups and you get ransomware regardless of

the bad guy, steal your data or not, you're not able to continue your

business and without good backups.

There are, there are solid statistics over the last several years of how

many businesses fail because they can't recover from a ransomware because they

don't have good backups and it, it's not just recovering to operations, it's

recovering from all the legal stuff too.

So depending on your organization and the data that they got, you

could get sued out of existence.

Uh, you, you could get regulated out of existence.

You could lose that contract, you could lose your ability to do business in

a state or with a particular vendor.

Um, so I mean, that, that's huge.

You've gotta do your own risk analysis and know yourself, uh, in

order to, to make that determination.

But, uh, I will say that.

There's a lot of different approaches to protecting your

data, so segmentation, encryption.

'cause if bad guys steal your data, it's an encrypt and it's encrypted.

They're not gonna spend a whole lot of time trying.

They're, they're lazy, remember?

So they, they're, they're like, I'll, I'll run some tools that I've got to

see if I can get through it, but they're not gonna spend a whole, they're not

gonna buy new tools or invest in a whole lot to, to try and break it.

Unless

they know it's valuable, like your last.

Uh, let's move on to the next victim.

Yeah.

for sure, um, an organization truly needs to, to understand the value of their

data, where their data is, uh, the impact it's gonna have if it is compromised.

And you've gotta take that approach these days because it's gonna happen.

So you need to plan for how are we gonna respond when it does happen?

And that's a lot of what our book talks about.

Uh, it's not about some hypothetical situation.

It's going to happen.

Right.

And, and, and you know, ransomware, you know, ransomware attacks are

literally one of the reasons why you need a backup and DR system.

Uh, all the other reasons are still there, right.

We just need to, we just need to add, you know, there was an entire

chapter in the book about how to defend the backup system from.

Cyber attacks.

Right.

Um, and it, and it's actually relatively easy.

It's easier than, than defending the primary thing.

'cause really all we have to do is just make sure they can't delete it.

Right.

Um, I mean, there are other things we, we wanna do, but the thing we have

to do is we have to make sure that the, that the backups are immutable.

That, that, that they can't attack them.

Right.

So, um, there's really not too much that you need to do to do a backup system that

you shouldn't have been doing already.

I just think that.

Cyber attacks in general are, they're making a lot of us just do the

things that we were supposed to do.

Uh, you know, it's sort of like when, you know, when there was COVID and

people were washing their hands, right?

Well, you're supposed to do that anyway.

well, I'll tell you, I didn't wear a helmet riding my

bike until I bumped my head.

Pretty good.

Yeah, I, I, you know, I used to, you know, when I was a kid, I rode my bike a lot

and, uh, I, I remember one time, right, and I, nobody, nobody wore helmets, but we

didn't know what a helmet was back then.

And I remember being on the sidewalk, there was this big box, like a, like

I'm talking like a three by three.

Foot box that was blocking the sidewalk.

And I, in my infinite wisdom, said, I'm gonna blast through this thing

'cause it's a cardboard box.

That did not work out as I had planned.

Did you not think there's a reason that someone has a cardboard box

in the middle of the sidewalk?

The, the 13-year-old Curtis clearly did not.

And, uh, the, you know, that, that thing of, uh, when, when a. What is it?

It would, a unstoppable force meets an immovable object.

Yeah.

Yeah.

What was in the

I I went a whole bunch of stuff.

All I know is the box did not move.

I went flying over the, flying over the box and I did not have a helmet.

So anyway, don't be cur, you know, the little stick figures,

you know, Curtis is the thing.

Don't

beat, don't be a Curtis

Yeah.

That's the lesson from today's.

All right, well, thanks Mike for another great episode.

Look forward to the next one.

All right, and thanks persona again, always with the good questions.

For what I did, nothing.

You good, aura?

All right.

Uh, that is a wrap