How Ransomware Works: The Five Objectives of Every Attack

you found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we break down how ransomware works.

By examining the five key objectives that attackers follow in nearly every campaign.

My co-author, Dr. Mike Sailor, joins persona in me to walk through the

complete attack lifecycle from gaining that initial foothold to delivering the

dreaded ransomware note we talk about initial access brokers lateral movement.

Command and control or C two communications data exfiltration

and the encryption process itself.

Uh, this is the first in what's going to be a long series discussing

our new book, so buckle up.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr. Backup,

and I've been passionate about backup and recovery for over 30 years, ever since.

I had to tell my boss that there were no backups.

Of the production database we just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the backup wrap up.

I'm your host w Curtis Preston, and I have two people with me today.

We shall start with PSA manana.

Malaiyandi, how's going?

Prasanna I.

Am good.

Curtis, you have to.

Okay.

Really quickly, how was the show last night?

Oh, with, uh, Esh Patel.

Nme Nesh Nesh was good.

He's taping a special in, uh, in April.

Uh, so it was very cool.

I wasn't quite in the front row.

A lot of Indians in the crowd.

And a lot of, a lot of comments about that.

Um, uh, I stood out a bit in the crowd, but it was, it was very cool.

Um, so, so welcome to the show Prasanna.

Thank you, Curtis.

I, it's good to be on the show.

And of course, of course.

We have my book co-author.

And look, Mike, it's right up

here on the

I see it.

You, I, yeah.

I can't, that is, by the way, that is really big.

It's.

It is

it's like, I think it's like 24

by

I was, I was,

the

signs

I was concerned that was actual size, but I'm, I'm glad you, I'm glad you commented.

Yeah.

Yeah.

So those, those are, I think, um.

13 by 17, right?

The ones over.

Yeah.

So by the way, for those of you, uh, you know, if you're listening, you can

watch us on the on, on the tube, uh, by the same name, uh, the backup wrap up.

So this is Doctor Mike Sailor, my co-author.

Welcome to the

show,

Thank you guys.

you're, you're in your new office,

apparently?

am in a new office.

Yes.

Yeah.

Do you wanna, do you wanna talk about what you're

doing over there?

Yeah.

So, uh, I think when, when you and I started the, the book, I was, uh, I was

involved, uh, at a, to a lesser extent with, uh, some North Texas, uh, colleges

and universities helping them with their cybersecurity computer science programs.

Uh, and then over the last couple of months, um, um.

My engagement with Weatherford College in particular, uh, grew into,

uh, now I'm the department chair, uh, over business, computer science

and organizational leadership.

So, uh, I just can't, I can't get enough of, of more to do.

So I'm, I'm, I'm at least succeeding in that

Do you.

gonna say, Mike, that you just like, you just finished your PhD last year,

right?

24.

I was like, okay, 24.

And I was like, okay, it looks like you got addicted to being

in school or being around school.

So you're like, okay, gonna go back.

Except this time I will help set up or run departments and all the

rest, so.

Well, uh, uh, over the last couple years, I've, I've thought about, you know,

what, what does retirement look like?

And, uh, uh, I think I've, uh, I, I've got an idea of retiring as a,

uh, in, in academia somewhere, you know, share, share my war stories and

knowledge with the next generation.

Uh, so that's that.

You know what I'm working towards.

feel free to, you know, I can think of a recommended textbook

for your, for your, uh, for your

class.

a great idea.

anyway, yeah.

Um, I, I, I remember at least one of one of my books.

Uh, I remember finding out that it was a textbook somewhere, which

I thought that was pretty cool.

Right.

Being told that some, that some people are being forced to buy my book.

So, uh, speaking of the book, we are beginning, this is at the very

beginning of a very long series.

We are gonna be talking about this book, literally four years.

What's the title?

we're gonna do like.

A hundred episodes about, because there's so much to talk about in the book.

But basically, uh, we're gonna just talk about the things that we, you know, that

we, that we learned, uh, you know, some of which we, we already knew, but I think

we learned, uh, some things along the way.

And, um, this one, Mike, I thought we would start with that We already did.

Uh, an episode or two, we talked about.

We did the what is Ransomware episode and uh, I also did, um, 'cause we were

waiting to, trying to book you, uh, you know, you're a busy man and uh, we did it.

Y Yeah, we, uh, we, um, um, we did an episode on how DISC

helped, but also hurt, right?

Because the fact that backups are on disc makes them, uh, an easier

target from a ransomware perspective.

Right.

Um, and now we're gonna talk about just, just sort of the, the, the attack.

process the attack methodology, right?

So the title here is, is five objectives of Every Ransomware Attack.

What are they gonna try to do?

Do they almost all follow the same pattern?

To an extent there, there are some that, that may deviate based on

how the ransomware was designed.

Uh, and so there are specific campaigns to do specific things.

Uh, but in general, yeah, they, they do tend to follow, uh, the same process.

Can I chime in on something?

Chime, chime.

the name of this book that you are referring to?

Well, it's of course learning ransomware response and recovery.

Uh, although I appreciate the ability to plug Prasanna, there's already an ad that

plays at the beginning of every episode.

Trust me, I make sure they know the title of this book if they're

listening to this episode.

but yeah, so, and if you're watching it on, on, uh, on YouTube, you get to see

the picture, uh, right up behind me there.

Uh, and, uh, Mike is of course my co-author, so let's talk about

that, that the first thing that they want to do, which, uh, and

let's talk about, let's define.

What an IAB is, right?

And what this has to do with, uh, that first step, which is gaining that

initial access to the environment.

And so that can take a lot of different forms too.

Uh, I think we, we, we often hear about ransomware coming through

an email that you clicked on something or you open something.

Um, but speaking of IABs or initial access brokers, sometimes bad guys simply buy

credentials from some other bad guy.

'cause that's all the, you know, that's the risk.

That's their specialty.

They just harvest credentials and they resell them.

So now I don't, I don't need to rely on a user to interact with

an email with malware in it.

I have the credentials to log in and deploy my malware.

Uh, so how it's initially, uh, deployed sometimes depends.

Uh, so it depends on the, the threat actor.

It depends on the campaign.

And sometimes they may try both.

You know, maybe I bought a bunch of credentials and none of them

work, so now I'm gonna start sending emails or vice versa, right?

I send a bunch of emails and nobody clicks on it.

Well, now I need to go buy, I need to go buy some credentials.

And is like if then I know you have a lot of expertise in this field,

in your sort of experience, how.

Successful.

Is it sort of with the email versus, or how prevalent is the email attack side

of things versus sort of uh, the, buy

credentials.

email is the cheapest and statistically most reliable.

Uh, and then there's the other, there is the third option where bad

guys do you know, they, they, they do an assessment of your environment

looking for vulnerabilities.

They find one they can exploit.

Now they've got access that way without having to do either of the other two.

But, um, statistics with email has, has run pretty consistent over the,

the last man almost couple of decades.

Uh, it's gotten a little bit better.

Well, actually there's a bit of an e ebb and flow because,

uh, traditional email phishing.

We were getting better at as users at detecting, you know, bad, you

know, bad grammar, bad punctuation, like that just doesn't seem right.

I'm not clicking on that.

But now with ai, those emails are written, written, pristine.

And if, and if I can give AI enough history of how you communicate,

I can truly make that email sound like something you would say.

Right, because that's the other, that's the other giveaway with AI is

that it's using language and things like Prasanna doesn't talk that way.

He wouldn't sign his email like that.

So now that's what I'm looking for.

Instead of punctuation, I'm looking for like, you know, a sentence structure

and, and the words you might use.

Well, but ai, if I give it AI enough information, it can, it

can, it can fool a lot of people.

So there's been this like.

Over, you know, prior to, uh, AI being used as a, as a tool, uh, the, the

statistical, the statistical success of email phishing went down a couple

of percentages, uh, percentage points.

But now with ai, it's going back up.

Uh, and so it's, it's usually around between 20 and 25%.

So if I send out a million emails, that's 200,000 people are gonna click on it and,

Really

yeah.

that, that's really

It is.

Well now, now granted, you know, you've gotta, you've gotta

consider all the other things too.

Like maybe I have a good email filter.

And so

Mm-hmm.

don't typically get emails from Prasanna, so that's going into quarantine, right?

So there's, there's other things that would impact that.

Uh, so it does depend on how an environment might, uh, uh, might be

set up to, to, uh, address phishing.

But in general, between 20 and 25% delivery.

Alright, so that's just, it made it to your inbox.

Now of the 20, 25%, another 20, 25% interact with the email.

So out of, out of 200,000 now you've got, what, 40, 40,000 people

actually opening the email of those?

Some, another subset would actually, you know, if it asked for credentials,

they would give credentials.

Uh, so it, out of a million emails, you're probably looking

at, you know, maybe 20, 30,000.

Uh, actually, actually interacting with it and potentially, you know,

causing an infection or giving away their, their login credentials.

Well,

Of course.

given how.

Of course when you're saying the word phishing, for those that you

know, 'cause we're saying it out loud, this is phishing pH, right?

P-H-I-S-A-I-S-H-I-N-E.

Right.

Um, and, uh, you know, referring to this idea of sending something

out, you're fishing, right?

You're, you're sending a bunch of stuff out.

Hoping that you get a bite.

And, and the thing is, like everything else, and we're gonna say this a million

times over the, you know, over these episodes is they, they have to, they

only have to be right once, right?

They only have to get one person right to click on the, on that, on that

email and, uh, and, and enter the, the, uh, the credentials and then

boom, they're in

And, and on that note, it's funny that, you know, companies, companies

do these phishing exercises and they're like, you know, out of a hundred

people, only two people clicked.

And that's great.

I'm like, no, it's still two people.

That's all they need.

They just need one, right?

It used to be a hundred percent, but.

So we're, we're, we're trying to, we're trying to cover a lot in this half hour.

So obviously the first thing they could do is, is to get in, right?

To get some kind of, uh, either, you know, you talked a little

bit about vulnerabilities.

Uh, we've covered some of the vulnerabilities that happen, uh, and

then also, but I think would, would you agree that the most common way

is, is essentially stolen credentials?

Is that the most common way that people get into

environments?

Uh, that is the most common successful path.

Yes.

Yeah.

Yeah, that makes sense.

Okay.

And then obviously there, there are things like vulnerabilities

that they can, they can exploit.

Those are just, they're more work, I think.

Right.

Um, and, and many of those vulnerabilities require.

I, I think this is hand in hand, right?

So many of the vulnerabilities require that you're already

in the environment, right?

So the, if, if you have a vulnerability on your internal email server,

but that internal email server is accessible via the internet,

then you, you've gotta be inside.

Um, does that

sound

Well, I am just gonna go back to my favorite word it, uh, or phrase.

It depends.

And so, so the, the initial part of this, whether it's identifying

a vulnerability on your perimeter.

Uh, buying, uh, uh, credentials or phishing, almost all of that is automated

because bad guys are lazy and they've, they've figured out the, you know,

the secret way of, of doing a job.

So that first phase is almost all automated, and a lot of times the bad

guy doesn't know that they compromise somebody until it phones home.

And we'll get to that in a minute, but.

Things like, um, you know, there were, there was a recent, uh,

zero day with Fortinet firewalls.

There's a, there's uh, there was a zero day with, um, load balancers.

There was a zero day with some cloud services.

All of those things, I mean, bad guys are, are keeping an eye on, on, on that stuff.

Uh, and, and, and jumping on the opportunity to configure.

You know, scripted attacks to take advantage of those things.

And so it's, it's when those vulnerabilities get exploited and

they get alerted like, Hey, this, that your sub your, your script or your

attack was successful, that's when they start applying actual effort.

Um, so.

Right.

Yep.

sense.

Yeah.

Yeah.

So let's talk about, so once they're in, right, so then what are we,

what are they gonna do at that

point?

So the next part is understanding what they, what they caught, right?

So, you know, you, you got something on the, on your line and you're

like, this is gonna be a huge fish.

And, you know, it turns out to, to be, you know, a little, little

sunfish, uh uh, or a minnow.

But, and I, and I say minnow because in some cases what you

have is really just bait or a stepping stone for the next thing.

But yeah, reconnaissance and understanding what, uh, what you've, what you've

gained access to is the next step, because maybe it's something they

don't wanna spend any more time on.

Um, you know, it's, it's grandma's knitting shop.

Uh, you know what, what, what's a value there?

Uh, versus Oh yeah, I don't have time to mess with that.

I'd rather spend, you know, the 10 hours that, that I've, that I've got to.

Look at the next thing that that just told me got compromised.

So I'm gonna go see what that is.

Um, and so it's a little bit about, uh, you know, you just

have to be less valuable or, um, more protected than your neighbor.

Um,

Yeah.

so

It is that thing about not

outrunning the

yep, you just have to faster than the other guy.

Just have to run the other guy.

And Mike are the people who do this sort of second level analysis, is that

the same person who did the initial access broker and got in initially?

Or is this sort of, they got in and now they just hand things over?

Because I've heard that there are like multiple Prasannas sometimes involved in a

ransomware

sure.

Yeah, there's, there's different threat actors, uh, initial access brokers.

That's just their job.

Uh, so they're either collecting or, or buying and reselling credentials.

'cause sometimes, you know, maybe they'll go buy, you know, a million

credentials and then they'll validate them and then sell them as validated

credentials, which can bring more money.

Versus just saying, I've got a lot of, you know, credentials and selling them.

'cause I don't know if they're valid or not.

So, initial access brokers, that's a job that's, that's, that's a bad guy's career.

That's all they do.

And so.

Uh, sometimes there is continued interaction, so maybe I sold you

some credentials for this target and one or two of them work, uh,

but maybe some of them don't.

So I may come back to you and say, Hey, you know, what else do

you have related to this company?

What else can you find?

Go back out to your, your network and, and see if you can buy or

get updated credentials, however you got them the first time.

And, and then this, the, but the, the, the lateral movement and the recon

that still can be automated, right?

Like, uh, once they're, once something gets installed, it can sort of

poke

It often is,

out

it

there.

certainly often is, uh, the malware is designed to go

and look for specific things.

Like it'll say, you know, look for all the Microsoft Office related, you know,

document, spreadsheet, PowerPoint, uh, and then give me a count and a

file size for all of those things.

'cause if they're all like.

You know, 10 or 15 k, probably not interested in those, but if you've

got a, a two or three meg spreadsheet, probably interested in that.

Uh, and, and maybe even the file name, you know, financial forecast

for 2026, I probably want that.

Or, uh, uh, uh, cyber

Password

Absolutely.

Or cybersecurity, uh, insurance program details.

Right.

Uh, so I want that.

Well then maybe.

Insurance,

Maybe there's photos or backup files, you know, your, your Veeam backup file types,

um, um, your accounting system file types.

So it's gonna be pre-programmed to go look for this stuff, inventory it, uh, and then

give that back to me so I can determine the value of what I've access to.

But it's also gonna look for what other things does this device have access to?

Do I have, am I mapped to a network drive?

Uh, do I have credentials to a, a cloud environment?

You know, is, is there.

Um, um, I'm trying to, uh, I'm trying to remember the, the Microsoft service

that runs that, that maintains your, your credentials across, uh, different apps

you mean, uh, like inter ID

active

intra, but then there's a, there's actually a service, uh, that runs on a, a

Windows machine that, that manages that.

So it's gonna look for that too, like what services are running.

Right.

Um, so yeah, that, that, that kind of stuff is automated.

That's what happened to Target.

And there's other, there's other malware too.

Like, uh, back in the day when, when the target was mostly credit card

numbers, the malware would be scripted to identify, uh, point of sale systems.

And so it, it could get in through the, the HVAC system and it will

automatically crawl through the network until it finds and, and it interrogates

each device it gets access to.

Are you a POS?

No.

Then it'll move on and sometimes even clean up after itself.

Um.

Uh, until it finds the target scada uh, you know, what, what happened

to, uh, the Iran, uh, centrifuge?

It's very similar that malware looked for cent.

What, what is a centrifuge?

Uh, and it would only, uh, you know, uh, detonate, uh, when it, when it

found what it was scripted to look for.

And Mike, as it's doing the searches, is it hopping from device

to device and doing searches kind of like spreading like a worm?

Or is it just using that initial access point

No, it wants to,

to sort

it wants to spread because the other objective of malware's persistence.

So, uh, and, and I, and I, I've seen this in, in practice because

we often get asked to, uh.

To compromise or test the, the security of an environment.

One of the ways we do that is custom malware.

Uh, and so when, when we infect one machine, we want that machine to help

us infect other machines and antivirus, especially with custom malware, it usually

takes antivirus a week to determine that.

That's malware.

Well, then it updates the software, the, the signatures on this computer,

and then our malware gets scraped.

What's gonna do that sequentially?

And that gives us time then to tweak our malware and redeploy it on

those threads that are still open.

Uh, so a no, absolutely it wants to spread, um, and maintain

some level of persistence.

All right, so we, so we got in, we're spreading around, and then what's

So when it has that inventory or a good understanding of, of, uh, or it, it's

achieved whatever it was designed to do, it's saying it's gonna phone home,

it's gonna go, you know, Hey bad guys.

Here's what you've got.

Uh, lemme know what's next.

Uh, and that, that then leaves it up to the bad guy to determine, all right,

well, and I, I say that some, some malware is just scripted to, to detonate on

everything whenever it gets access to it.

So it'll just, it doesn't care.

It doesn't care if you're, if your grandma's yarn shop or a, uh, an oil

and gas company, the moment you get infected, it just starts encrypting stuff.

Uh, so there's that.

And so that goes back to the, it depends, but, uh.

In, in most sophisticated attacks, it's gonna phone home and give them an idea of

what they've got access to so that the bad guys could then determine, 'cause maybe

I don't wanna detonate the ransomware, maybe I wanna maintain some access and

start doing more recon and EA drop.

Yeah, maybe.

Yeah, maybe you, you don't, you don't quite have the golden

goose that

Okay.

for, but maybe you've got, you can do a more manual lateral movement

and

Yep.

right.

Uh, something that's controlled by a human rather than, uh,

than a

And so we would consider that more of an advanced persistence.

So it's not an automated persistence, it's a, it's a, it's a human driven

persistence where they're gonna pivot and listen and, and maybe modify.

But yeah,

the deter advanced persistent threat,

right, is

I didn't wanna call it an A PT 'cause a lot of times those are

nation state driven, but I like the advanced persistence part of that.

Uh.

But yeah, so it's gonna call, it's gonna phone home, and then it's gonna wait

to determine if, uh, bad guys wanna do anything else or, or modify the attack.

So when you say phone home, could you provide a little bit more details?

'cause it's not like it's gonna like pick up the phone or just be like, Hey, I'm

just gonna ping this IP or send a message.

Right.

Or an SMS.

Right.

What do you mean by

phone

So ahead of the com, uh, ahead of the campaign, bad guys will typically

rent, uh, servers out on the dark net, so the compromised machines, uh, uh.

Um, a virtual machine, they don't care if it gets blown away or compromised

in the future, and they'll, they'll hold that lease for a period of time,

usually a couple of days a week, sometimes only a few hours, and then

they will pre-configure the malware with the IP address or the host and

the host name of that, what we would consider a command and control server.

It's what the bad guys are commanding and controlling their attack from.

So they deploy the, the, the malware.

When it calls home, it knows to call back to that command and control.

Server, and that's where that information's gonna come from.

That's also where the, if, if it, if ransomware is part of the

attack, that's how they're gonna, uh, negotiate the, the keys, the

encryption keys, the public private keys

Hmm.

back in the day.

That's also why your Ransom note said you have 72 hours to reply to this.

Well, it's because they we're only gonna lease that server for 72 hours and at

the end of 72 hours when it gets blown away, we'll, so do your encryption keys.

So, yeah.

So, uh, that, that's evolved a bit today.

Uh, some, um, some ransomware don't do the negotiation.

It's just hard coded with how it's gonna encrypt.

Uh, and, and that's one of the ways that, um, law enforcement's helping

victims combat ransomware is because if, you know, if the FBI helped company

A and it was ransomware strain, a. Uh, and then you get infected with the

same ransomware strain, they may be able to use a decryption key from some

other victim to help you with yours.

Hmm.

so again, it, it depends, uh, it depends on how the ransomware was, was built

and that encryption was designed, but that's, that phone home goes

back to that command control server.

So in this episode we're, we're covering what I'm gonna call a traditional

ransomware attack, but gonna add what has become more traditional.

'cause it's not, it wasn't covered in the initial five

steps that we're talking about.

And I'm gonna talk a little bit about exfiltration, or I want you to talk a

little bit about exfiltration, right?

Because.

I, think, uh, what, what do you think do, do you have any stats that talk

about the percentage of ransomware attacks that have become double

extortion

It is in,

Where, where

they're stealing

it's definitely increasing, especially with those that are not just automated

attacks and what I mean, and, and so there's, there's, there's this

development of kind of two, two generic.

I am gonna, I'm gonna classify those two generic, uh, ransomware types of attacks.

There's the, the low end attacks.

And within those low end attacks, you, you have a variety of threat actors.

Some of them are just entrepreneurs, and what I mean by that is bad guys

are developing ransomware as a service.

So there's ransomware, they're, they have the email list, maybe

they have access or credentials.

But you as the entrepreneur don't have to be technical at all.

You just go to the dark net, you pay 'em $30,000, and they will

launch a ransomware campaign on your behalf and deposit money for you.

They'll take some off the top.

There's good tech support and customer service, all those things.

Well, so that's low.

That's, that's on the generic low end attack because the ransomware

as a service provider and you as an entrepreneur, you don't care.

To go and access the environment and poke around and see what else they have.

You just wanna, you just wanna return on your investment and you

wanna play the statistics, right?

So there's that.

The other kind of generic low end attack is true bad guys, but they've just

simply automated the ransomware and they don't, they have zero empathy for you.

I mean, they could, they could, uh, ransomware in a completely encrypt

a kids' hospital for all they care.

They just want to automate.

They have,

have now in, in some, in most of those cases, they, they did feel

bad and they, they unencrypted it.

Uh, and I think mostly because other bad guys threatened them.

It's kind of like, you know, the, the child predators going to prison

and the other prisoners, uh, taking out anyway, so those threat actors

don't really care what they have.

They're just, again, playing the numbers that.

Out of a hundred people, they encrypt.

Some subset of that is gonna pay some amount of money in ransom, and

that's how they make their money.

Uh, and so they're kind of the bottom feeders as far as ransomware goes.

Well, then you get into the other group, and that's the more

sophisticated ransomware, uh, gangs.

Uh, and those are the ones that really care about, uh,

what they're getting access to.

And they realize that most of, uh, victims today are using backups or.

They don't have the money to pay any amount of ransom, and they're

just gonna go with, you know, accept what they've lost and, you

know, go buy another computer.

So these guys realize that, uh, fewer people are paying ransom,

and if a ransom is paid, that actually increases the risk to them.

'cause now they're on the FBI list.

Uh, you know, Interpols looking for them or, or whatever the case may be.

And, and bad guys are lazy, but they're also risk averse.

That's why they're doing all this stuff over the internet.

So what they are doing is, is increasing, um, their tactics at exfiltrating

your data so that if you don't pay the ransom, they can use those pictures or

those files or that data as a second attempt at getting you to pay something.

Um, in the event that you weren't gonna pay the ransom.

Right, and so Prasanna.

And sort of Mike, that last category that you talked about, um, there a

certain type of victim that they target, like large organizations or select

types of people, like celebrities, or is it kind of more the spray and pray

and then figure it out by looking at

each?

So, um.

The, the double extortion really only starts, well backing

up to answer your question.

It's still a variety of attack, uh, strategies.

So, so there's the spray and pray, and then there's the

recon and then the call home.

And then they go, Hey, this company is worth double

extorting, and they will do it.

So any company that's of value to a threat actor in that second

category, that more advanced category.

Any victim that's worth continuing their attack, they will, they

will exfiltrate data from.

So that could be a, a credit union, it could be a school.

Um, in general terms, back to your question about what type of targets,

if they are gonna target somebody specific, they will likely target

somebody that's regulated like a health, healthcare, or financial institution

or a, uh, a school district or, um,

Where they've got real

penalties If data like

personal data

Yep.

And so maybe the school or the hospital doesn't want to pay the ransom.

Alright, so now they're getting double extorted and they still don't wanna pay.

Well, now threat actors are getting pretty good at figuring out who they report to.

So they'll, they'll reach out to their board or the regulator like the health

and human ser, uh, services auditor or.

The state, uh, or their insurance carrier and say, Hey, your, your

client's not wanting to pay.

Um, but this could be bad for them.

Uh, and they do have insurance and so why don't we, why don't we negotiate?

Uh, and so on, on the good guy side, there's actually a full-time

job of ransomware and negotiating.

Uh, and I got to sit with one of those guys once and that was pretty out.

So, um, so, you know, the, the title of this episode was like five, you know,

the, the five objectives, and I'm gonna say five objectives of every ransomware.

I, I'm, I'm not sure every ransomware does exfiltration, but we'll, we'll

add that as sort of a 5.5, right?

Like you said, it's like an advanced, uh, way to.

To, to do that, but let's say that, and they are gonna do, if they're gonna

do exfiltration, they're gonna do that before they do the next step, which

is the big payload, which is what?

Oh, the encryption.

Yep.

Yeah.

I mean, this is, this is, you know what I'm gonna call

old school ransomware, right?

Um, and this is obviously, that is the whole point of a ransomware

attack, or at least the initial whole point of a ransomware

attack is this is how they hold.

'cause they're not literally stealing your data, They're gonna encrypt the data,

uh, so that you, it's like it was stolen.

It's like they took it away from you and they're holding a gun to its

head.

Yep.

And along those lines too, uh, not to get too far ahead when, when your, your

date is encrypted and you're talking to bad guys, which I don't recommend, you

should have good backups, so you don't have ever have to talk to bad guys.

Yeah,

no

Uh, but, but when you do and the bad guys are like, pay us money,

and you'll, you know, we will, we'll help you decco your data.

Uh, the first thing you need to do is, is similar to a, a real life,

uh, ransom is you want proof of life.

So you will send them examples of all these different types of files you have

from all the different devices you have so that they can prove that they can

decrypt those, um, before you pay them.

Yeah.

I was just gonna ask that question.

I was like, why wouldn't they just encrypt your data and.

Without ever knowing a key and have people pay the ransomware, like

there's no

Mm-hmm.

that they're gonna be

honest.

Yep.

And you know that they're bad guys, so they don't have to be, but they are also

in a business, so they, they want to be, uh, so that, especially when you're

working with an insurance company, if they, if they know that you're a,

a threat actor, that doesn't care.

Um, then they're not gonna negotiate with you, but if you do

Yeah, because.

People that do this on a regular basis, like yourself, like you

get to know certain groups, right?

You get to know certain threat actors in how they behave.

And are, are there, are there groups where they've established this as

a, as a, practice where they're, where they just don't care and, and

so, you

Yep,

you might

behave differently

are.

Uh, so a lot of the, um.

Eastern European, uh, middle Eastern and Northern African, uh, uh, threat

actors, they just, they don't care.

They're just playing the numbers and they don't.

That's region of

the

It is, it is.

And, and, and going back to those two buckets, the, the low end

bucket with the entrepreneurs, almost all of those are in the us.

Hmm.

Interesting.

They caught one, uh, they caught

America.

years ago in Florida and.

And this goes back to, you know, there's, there's a, you know, you need

to watch enough bad guy video movies to know how to behave as a bad guy.

And this guy didn't.

So as soon as he started making money, he bought a big house and flashy cars.

And that's,

Um.

that's, what tipped him off.

So, yeah.

Mike, so those three regions that you previously mentioned, you have

any stats around what percentage of ransomware attacks come from

those areas?

I don't, but it's, uh, it wouldn't be hard to find.

In fact, the UN does an annual report on cyber.

Um, and that's probably a good place to loop.

Okay,

Interesting.

link it in the podcast

Yeah.

and and of course the final step of the five steps, uh, not including

the fifth and a half step, uh, is delivering the ransomware note.

And how, how does this, is this still the, the old school of like,

it just shows up on a screen?

Uh, not, not usually.

Um, back in the day, it would, it would come up as a banner or they would

change the background of your desktop so that that's, you know, it's on every

screen that you've got, uh, today.

Um, 'cause that, that seemed, that, that, that is viewed as kind of, um, elementary,

uh, by, by more sophisticated hackers.

That's kind of a newbie thing.

Like, look what I did.

Uh, so most ransomware today will put a text file in every folder

that it encrypted something in.

So there'll be a text file on your desktop, there'll be a text file

in my documents, there'll be a text file everywhere, uh, and that it's

the same text file, but that is, and it'll say, you know, ransomware

note dot, you know, whatever.

Um, and in that,

Read me.

Read me on

a

Yep.

Mike, I had a question.

So you said that it'll go encrypt data, but of course it can't encrypt operating

system files, otherwise the system

would

And they don't want the system to crash.

They want you to be able to open it up and see the ransom note

yeah,

and see your encrypted data.

so.

then does it ignore certain extension types and certain directories?

So potentially, could I put all my personal documents in the window sub

folder be safe, or are they smarter

than that?

Some of them are pretty smart and they don't even care what the file's called

because they will look at the, uh.

The file header to determine what, so you could call your, you could

call your spreadsheet, um, a DLL file, you know, you could rename it.

I'm gonna trick them, right?

Uh, so it could be, you know, passwords, dll, and put it in your Windows directory.

The ransomware is gonna scan those files, not based on their file name

and extension, but file header flags.

So the file header flag is what the operating windows, particularly

whenever you click on a file.

It doesn't always care what the extension is, as long as the file header, uh, flag

tells the operating system what, what application to use to open that file.

And if it still says, I need to open this in a spreadsheet, then

mal the malware will find it.

But to your back to your point, yeah.

It, it, it, it, uh, it excludes, uh, system operatings operating system files.

because it, like you said, it wants it the system to be alive so you

can find those files and realize

your system's

of the, one of the, one of the quick, uh, ways to respond to ransomware

several years ago was that, uh, there was a particular ransomware.

So one of the things that, that I asked if when someone calls and says, I think

I've ransomware, I like, can you tell me anything about what it might be?

So tell me what the ransomware note says.

Tell me what the extension is.

And there is a ransomware type that does not look in your trash can.

So I'm like, delete everything you care about, highlight it, hit delete,

and as long as it's in your trash can, it's safe for for ransomware.

Interesting.

Interesting.

so, uh, one question I forgot to ask.

During the encryption phase, when I think about encryption, uh, like I

think that that seems like it would be a very resource intensive process.

That

Yep.

a while, but what I'm hearing repeatedly is that they, they're actually able

to encrypt data pretty quickly.

Is that.

Is that

It, it is, um, but not without notice.

So if, if you're paying any attention at all to your computer while you're

using it, you know the mouse hesitates, you're typing, but nothing is, you

know, you've typed the word but it hasn't shown up on the screen yet.

Um, your email.

It isn't coming in.

Your network is slow.

Um, things like that are good, are good indications that

something else is going on.

Um, so even though they've gotten better as far as the encryption

a algorithms, it's still math.

And math takes a lot of processing and, and memory.

Uh, and so if you're paying attention at all, uh, you should be able to determine

that something weird's happening.

Um, and that's, uh, any, any relatively recent, uh.

And a virus and a malware, uh, solution that you can put on your computer will,

will help you figure that out too.

So you

Interesting.

wanna have all your files on deathly slow, spinning media as far away from possible

with a network throttle put on it.

I, I don't think that's a, I don't think that's a valid recommendation there.

Prasanna.

Um, all right, well, we wanted this to be a, a quick, you know,

overview of the five steps, right?

Let's just review them.

We want, the ransomware wants to get installed, undetected wants to move

laterally around, do some recon, figure out what, what it's dealing with.

It's gonna phone home, let the bad guys know what's going on.

Encrypt everything.

Somewhere between those last two steps, they will probably be looking, possibly

be looking at some exfiltration.

And then once it's done, the encryption, it's gonna deliver the

ransomware note and then everything happens from that point on.

Um, so, uh, we got a lot to cover and uh, I just want to thank you for, um,

on the

Hey, anytime.

And I think some, just some add-on, uh, thoughts for, uh, future discussion is,

you know, when, when a bad guy ex fills your data and you, you decide not to

pay for them not to release your data.

They, they've got things like wallet, they've got a wall of shame, uh, so that

everybody knows you were compromised.

They're then willing to sell.

They become an access broker, right?

So now they're selling access to your environment, to somebody else.

And so there's some, there's some pretty solid statistics that if

you get hit once you're gonna hit, you're gonna get hit again.

Yeah.

Yeah.

These are the depressing things.

Ah, thanks Mike.

Thanks Mike.

Prasanna.

No, this is good.

I'm excited for the a hundred episodes.

Yeah.

It's only gonna take us two years.

All right.

Uh, that is a wrap.

I.