Ransomware Sanctions, OFAC, and the Lazarus Group: A Real Case Study

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

This episode we're gonna give you some bad news, I think.

Uh, and that is, uh, we're gonna talk about ransomware sanctions.

What happens when the group that just encrypted your data and wants a ransom is

actually sanctioned by your government?

Paying them might feel like the only way out, but it could also land

you in actually much worse trouble, like massive fines or even jail

time depending on where you are.

Dr. Mike Saylor joins Persona and me to walk through a real

case involving the Lazarus group.

What OFAC is and why you need to know about it.

If you, if you're in the us, why paying that ransom is

almost never the right call.

So let's keep you outta the hot water.

Okay.

By the way, a little note about me, uh, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been obsessing about backups.

For over 30 years and, uh, ever since, I had to tell my boss that there were no

backups of the database that we just lost.

Since then, I've written five books, a blog and a podcast,

and here we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have a guy with me whose

hair is looking gray every time I see him.

Prasanna Malaiyandi.

How's it going, Prasanna?.

Are you saying I'm old?

saying I'm old?

I'm just saying if fans of the podcast, look back at the original videos.

My hair's been gray since we started.

Yours was Jet Black when we started, and it is,

impact of Curtis on Prasanna.

It could be.

I I agree.

I'll just shave everything.

and then that voice that you may have heard or person you may have

said that would be Dr. Mike Saylor, my co-author on the lovely learning

ransomware Response and Recovery book.

that is out now.

You can order it at your favorite, wherever you get.

And by the way, they're actually doing an audio book.

I'm super excited to listen to someone else say my words.

Ah, can it be, is it the guy, the Sleepy podcast guy?

Oh, no.

I, I actually did the, I actually made a podcast, a recording where I

read a chapter, one of my books, and I read it like Sleepy Podcast guy.

And, I did it for my wife because that's my wife's, the only value she gets in,

in my books is putting her to sleep.

guy is a guy who talks about almost nothing in a very soothing and that's

sometimes what Curtis uses to fall asleep.

yeah.

who you want narrating this book.

but, by the way, thanks for joining us again.

Thanks for having me.

Yeah.

yeah.

Yeah.

we don't need, and then you need to get a cyber insurance company and

potentially investigate whether or not your coverages are sufficient.

that would not be good.

That would not be good.

Now.

Why don't what, Mike, why don't you start out with, this week's

story, what you got for us?

Sure.

so when you experience a cyber event, cyber incident, and there comes a

demand for payment, you know what, for whatever reason, ransom, extortion,

before you make that payment, you've gotta do this analysis of whether

or not you can make that payment.

'cause if you make the payment and the government says, shouldn't have made

that payment, then you're actually gonna be making more payments.

as you get by whatever, government entity that might be.

and so there's some steps you need to go through to, to determine whether or

not, making that payment's even feasible.

and a lot of organizations, I think, may not know, what's

involved with determining that?

so something, something that we were involved in, an incident

we were called to help with.

it was a construction company.

They maintained all of their core proprietary, construction, CAD

drawings and construction plans on a proprietary core system.

And they had this, self-proclaimed, check-in checkout, core system

and the satellite systems where nobody could get to the core.

bad guys couldn't get there, malware couldn't get there, and.

guess what?

Malware got there.

And their systems were down.

And, this was a, this was an organization that, builds hospitals and military

bases and, hundreds of millions of dollars, if not billions of dollars

in ongoing construction projects.

the event happened on a Thursday.

bad guys were nice enough to give us the weekend to figure all this out.

and then Sunday evening into

they're so nice, Mike.

Those bad guys.

And this was, this was, the Lazarus group.

So they've actually got a pretty good, it support, if you decide to work with them,

they'll, they've got a whole department of, help desk and troubleshooting and

technicians to help you get through it.

so all included in the price.

But wait, there's more.

so working with the bad guys, and these guys were in that

environment for a long time.

So they knew, and oddly enough, they knew more about this organization's

insurance company than the company did.

and so when they presented the ransom demand, it was very well aligned

with how much insurance coverage they had, which was also nice.

but the company didn't know they had that much insurance, so they were

demanding a lower, look, we don't have that much insurance, but the

bad guys were like, yeah, you do.

and alright, so now we're.

We're negotiating primarily based on the executive management's desire to

get this taken care of and recovered by Monday so that we can continue work.

And there we don't have to tell anybody that there was any of these impacts.

We don't want our reputation impacted.

We don't want these contracts to be canceled.

We just want this, we just want to get through this.

And they wanted to pay the ransom.

And so it, Sunday night into Monday, negotiating, I initially directly with the

threat actors, just going back and forth, turned out to be, pretty swell guys.

that they like small talk and, very amenable to, to ideas and op, options.

and we got down to the point where, all right, I think this

is a, this is the best we can do.

And taking that to management.

And they were like, all right, we can do this.

said, but should you do this?

they're like, what do you mean?

we know who these bad guys are and I'm pretty sure they're a sanctioned group.

So making this payment is going to possibly, in, result in some federal.

Penalties, so what do we do now?

And that brings us to the kind of the topic of our discussion today with

handle, dealing with threat actors that, that are, potentially sanctioned, from

Yeah,

quote

and go ahead.

but it's like the company just wants their data back and they just

wanna make this problem go away.

Like why should they be?

Like jumping through these hoops or potential hoops, I'm guessing, to

avoid these fines when all they wanna do is pay the guy and be done with it.

You were just a pebble in the stream, in the criminal ecosystem.

I actually wrote a paper in my, graduate school about, the sophisticated organ

organized cyber crime that facilitates all these other traditional crimes.

And so ransomware is one of those crimes where they're just collecting

money that's then gonna go towards arms deals or human trafficking or, buying

up more avocado farms in Mexico, to, to, to impact the price of produce.

and so at a kind of a global ecosystem level has to.

Understand the flow of criminal assets and they've identified

certain criminal elements like the Lazarus group as an example.

when they receive where does it go?

is it parties and Lamborghinis or is it some of that?

Plus they give money to the, to the other bad guys that do other bad things.

And if the

I,

or the regulatory body decides, we need to limit these guys getting those

kind of, that kind of funding because it's gonna end up other places, then

they put them on that sanction list.

I think that's a really good point that you're making there, Mike, because I

don't think people think about that a lot.

I think they think about these, ransomware groups as ransomware groups.

And what you're saying is the ransomware, entity is quite

possibly, and even probably.

Just one cog in a much bigger wheel that it, that has to

do with all sorts of crime.

That could have a lot to do with.

Yeah.

It's essentially a business unit.

And what it could be is it could be, it's essentially the, it could be the.

The, what's the word?

What's the word?

I'm looking?

It could be the most profitable, but yeah, it could be a cash cow.

Thank you.

Thank you.

Prasanna.

it could be the cash cow that's helping to fund, much more scary parts of

the organization, which may involve drugs, which may involve, murder

and physical harm to other people.

And, property, the, and also terrorism, right?

that they could be.

Doing this just as a way to fund terrorism, which.

by design is a money losing, business unit, right?

You spend a lot of money to blow stuff up.

you got a lot of turnover, for sad reasons.

and so it's that kind of the point that you're making, right?

Is that, that these ransomware organizations, you shouldn't

think about them just by that.

You have to think about them as part of a bigger organization.

Is that about right?

It is, and there's a show out now and I'm.

I am having trouble remembering the name of it.

But, the last couple episodes I've watched, it was a guy in treasury, who

was reviewing these, these red flag reports, transactions of a certain

type over a certain amount in a certain period of time, trigger these reports.

And he was reviewing those reports and found some commonalities.

turns out a lot of them were shell companies, but he followed the money and.

The money led to a terrorist attack on an airline.

And absolutely.

people that, that are in that field with that skillset are the ones who are

advising, these different government agencies on who to sanction and the

trends or the behavior of some of these groups and how they spend their money

or donate or transact their money.

Yep.

So it makes sense that we don't want to fund.

These organizations are right, who are now gonna take the money

and use it for other things.

But I know Mike, you mentioned fines, right?

Federal penalties and other things like that in comparison to

the ransom that they're paying.

What does that look like?

Is it like 10 times the amount of whatever they paid?

Or is it not just monetary penalties, but is there other types of penalties

associated with that, like auditing or other compliance efforts?

There could be, financial penalties, are typically the iceberg.

and sometimes it's enough to put you outta business, right?

So it, they'll consume the rest of your insurance.

we've talked about cyber insurance, but then there's usually this

corporate insurance umbrella.

and if you can't.

Make a payment plan or address the rest of it, then you may have to

declare bankruptcy or grab a business.

some examples, that I looked up a minute ago from a proportionate perspective,

one company paid just over half a million dollars, to the US Treasury,

because they made, 2100 transactions to San Sanction government, entities

or, organizations in sanctioned, parts of the world, another one $98,000

penalty for $9,000 in transactions.

Wow.

that's more than 10 x. That's interesting.

$3 million ransom to a sanctioned organization that could be 30 to 300

million in, penalties from the government.

Now, the government.

it also un unfortunately, depends on who you are as a company.

so like Colonial Pipeline as an example, they didn't, they paid a ransom, but

they went through the OFAC process, to determine if the bad guys were

sanctioned, even if they were sanctioned.

There is an, an exception process.

It takes longer, to go through that process.

But if you're one of these too big to fail or critical infrastructure.

organizations, the government's probably gonna be more lenient or give

you a pass on making that payment.

'cause you could impact the, the critical infrastructure of the economy in the US

if you couldn't go back into business.

you, you just dropped a name, which I don't think we've actually even

mentioned yet in this episode.

And that would be ofac, who is ofac?

OFAC is the Office of Foreign Asset Control.

It's a part of the treasury, treasury Department in the us.

and treasury in the US would be the one that primarily tracks, transactions,

especially with foreign assets and making sure that bad guys aren't getting, money,

to fund their illegitimate activities.

but Mike, here's a question.

Most of these ransomware payments come in Bitcoin, right?

yep.

And usually with Bitcoin you don't know who.

The destination account wallet really belongs to technically, right?

That's the entire purpose.

That bad guys use it.

How can they prove that it was a certain organization that's on the sanction

list and not some other organization that you're paying money for?

And how does that like weave together?

Yep.

Bitcoin allows you to be a little more anonymous.

But the idea of your wallet is not, so I don't know who owns that wallet,

but I can track that wallet, So that money came into that wallet.

Money went out of that wallet, and I can track where it

came from and where it goes.

And so transaction out goes to wallet B. That transaction got

split into multiple things.

I can see all those transactions, those wallet IDs also.

And so they're simply, following the money, they may not be

able to put a name on it.

Eventually they will.

'cause someone's going to, show up in person, to pay for something

with Bitcoin or go to a bank to, to convert that to cash to go.

And so there, there are always the, the exit from the Bitcoin transaction

into the, physical world is where.

we're able to put faces and names to things and then track it backwards.

who did, who do you know?

Who'd you get paid from?

that kind of thing.

It's less about sort of the Lazarus group as like an entity and more from like

the wallet perspective, if you will.

They just use Lazarus group as like on the sanction as referring to say,

Hey, here are all these other wallets.

and once you be, become consistent with the wallet you use, that's

another, behavioral baseline.

So now we know that the Lazarus group always uses this Bitcoin

or the set of Bitcoin wallets.

and so they've become known and.

From that perspective, then, obviously they're bad guys and they're causing

damage economically to companies in the us so they're gonna get attention.

And so as the US government investigates that group in their Bitcoin wallets,

and those transac, those IDs, they can then see, where does that money go next?

Is that to their employees, their mules, their affiliates?

is it somewhere specific, parts of the world as an example?

and then at some point, do those transactions then interact with other

known bad guy, wallets and transactions?

And so building that, that map of transactions, that ecosystem is

the exercise they go through and they maintain it pretty often.

because bad guys do fall out of favor.

and so they could say, they're not sanctioned now because they're not

giving money to those bad guys now.

so go ahead and pay 'em now.

It's okay to pay 'em now, that may change.

so yeah, it's, they track the ID based on known, known owners.

known, wallet custodians, if you will.

and then who they do business with, who they transact with.

So I, I took a look around and I saw that, the UK and

Australia have two very similar.

Organizations, the UK has the Office of Financial Sanctions Implementation or.

Oi, I think OFAC easier to say.

and the Minister for Foreign Affairs in Australia said, we're responsible for

designating sanctioned entities making payments that these groups can lead up to

10 years in prison, which is different.

they're saying, They're saying in the US that you can actually

get jail time for violations.

We don't have a lot of example of that, and I think this is one of

those, this may happen to you, I think.

I think the biggest lesson here is just.

we're not drawing a line in the sand per se.

We're not saying, hey, paying a ransom, is illegal.

We're saying it may be illegal depending on what organization that we're talking

about, where that is, what you know and what, like the point you were making.

Depending on the day of the week, it sounds like whether or not this entity

is, sanctioned, and if you do make payments to a sanctioned organization.

That could get you into a lot of hot water, which may include

fines, it may include jail time, depends on where you're at.

but it's just something that I don't think a lot of people think about when

they're considering paying a ransom.

And I think this is what Mike had earlier talked about in this

construction example, right?

The construction company.

You need an expert like Mike, who understands these nuances rather than if

you try to do this on your own or oh yeah, I'll just go ahead and pay the ransom.

You don't understand all the rep repercussions because.

You never deal with this, right?

It's not your standard day-to-day things versus someone who's trained

in this space and understands it, knows what all to look out for.

Speaking of that real quick, one of the other things that we, I

think we may have talked on it, we bring it up in the book for sure.

If you a ransom, if you pay once, you're gonna pay again.

that, that guy's, they, they know this, in this case, a lot of bad guys, will

just sell whatever it is that allowed them access to compromise your environment.

They're gonna sell that to somebody else.

in this case, they paid the ransom and they got clearance to pay the

ransom, because of their size and the impact it would have on the economy.

so they got an exception to pay the ransom the very next day.

I kid you not the very next day.

They contacted the comp, bad guys contacted the company and

said, for another $800,000, we promise to leave you alone.

And they made that, that, that offer because what the company didn't realize

is the bad guys had three dormant back doors into their environment

they could trigger at any time.

We found those fortunately, and we had them all sealed off and

we told the company, you don't need to pay the extra 800,000.

so we, but bad guys will do that.

And the percentage of attacks within six months of paying ransom is close to 70%.

It's

Yeah, because it.

Wow.

something like that.

Because all you're doing by paying the ran and let's just put this on the thing.

We are not a fan of paying the ransom.

In case that's not obvious, right.

the whole point of the book, right?

The whole point of your job is to help people not pay the ransom.

and just put that on the record.

We are not a fan of paying the ransomware, having this whole

episode where we're talking about.

Potentially paying their ransom, but potential ramifications.

But we think it's a bad idea.

And this is one of those reasons, because the only thing you do, but,

not the only thing, but one of the things that you do by paying a ransom

is you say, Hey, I pay ransoms.

And

And it's

no recourse of recovery, but to pay ransom and have bad guys help me

yeah, exactly.

and you, anybody who's ever watched any show, any movie.

Whereas somebody's kidnapped, what do they tell you?

Don't negotiate with the terrorists.

Don't pay the ransom.

don't do that.

It's the same position.

We're saying

movie, they do pay the

they do end up paying the ransom and then they put the, they take the bag and then

they, we told you not to go out and put the stuff in and then, and then you got

the dead girl at the end of the movie.

That's what happens in the movie.

so yeah, I, I lost a, I lost, I had a trail.

I hit him.

I had a trail of thought.

I don't know where it went.

Paying the ransom ahead of getting proof of life.

Don't pay the ran because of secondary tax.

Yeah.

So by you, you've, you've used this phrase a few times in this episode.

what do you mean by that?

getting proof of life.

So similar to, kinetic real world.

That's my kinetic use again, if look at the current, The current kidnapping

in California, bad guys keep asking for money, but they have yet to indicate

at all that lady is still alive.

very similarly, why would I pay a ransom to bad guys that encrypted

my stuff if they can't prove.

They can unencrypt my stuff.

in that construction example I gave earlier, they paid the ransom.

but only after sending the bad guys, a variety of different encrypted files to

prove that they could unencrypt them.

what they didn't choose is were files, on this core engineering, CAD system.

They felt if I sent those to them to decrypt, then they

would have my proprietary, blueprints for this military base.

So they didn't send them those to prove that they could decrypt.

Bad guys showed and were able to evidence that they could decrypt the files.

They did send normal Word documents, They paid the ransom, they got the

decryption key, and it did not work.

On the important stuff,

work on their core engineering documents.

hey.

But remember, bad guys were like, Hey, we're here to help.

Call us if you have any problems.

And they worked on that for almost a week with the bad guys to try and

manipulate or give them different versions of this decryption key,

decryption tool, to decrypt these files, and it just wouldn't happen.

So they, they completely lost their entire repository of engineering diagrams.

And they never had a backup.

And they never had a backup.

oh.

Hey, I just, That's just sad, by the way, or, we've been talking about

OFAC a lot, how do you do that?

OFAC has a sanction search tool, right?

Just Google OFAC sanction search or whatever entity you're dealing

with in your country, right?

Just Google that and they've got, here it is, sanction search dot ofac dores.gov.

By the way, treasury is also who runs, the Secret Service, as I recall, right?

So they do that.

They do, counterfeit.

Secret Service.

Yep.

Yeah.

Yeah.

real quick, from an incident response perspective, normal companies, people

that, that have never had to deal with bad guys and aren't trained,

should never interact with bad guys.

if you get a ransom.

on your screen, it says, contact us at this address and don't do it.

If you get a phone call, an email demanding whatever, don't

interact with them at all.

Don't say, stop contacting me.

Don't say, take a hike.

We've got good backups.

don't interact with them at all.

And there's a lot of reasons for that.

That's maybe another whole podcast.

But, I'll add to that then.

So first, don't ever interact with 'em.

Second, call your insurance company and your legal counsel next, because

in most cases, the legal, the legal company, your legal advisor's gonna

tell you, one, don't these people.

But second, everything you do after you contact your legal counsel is now

potentially covered under privilege.

Right.

then call your insurance company with your legal counsel.

Insurance company knows how to.

Deal with this.

they've dealt with ransomware probably 10 times a day at this point.

you've got, they've got negotiators.

they can help you with the OFAC process.

And, one of the things that a lot of organizations don't realize because

they haven't had to go through it, is Bitcoin's not easy to get.

so if you don't have insurance and you're not involving them and you

think, I'm just gonna pay $3 million in Bitcoin, good 'cause normal people

can only get, I think, one and a half or two Bitcoin every couple of weeks.

It's not Now, it's not a fun process.

rely on your insurance company.

they've got experts that do this all the time, and they can help you

through the process and advise you.

So at the end of the day, if you paid the ransom and the treasury knocks on your

door and says, you, you paid bad guys.

You're like, Hey, I went.

I involved my legal counsel and my they both, said it was okay to do it.

So let's add some more people to this conversation.

So we will, I'll add to the list of action items.

Is the only way that you're going to, not pay the ransom, what would that be?

Prasanna.

To have backups,

Yeah.

further.

chicken

it's specifically what kind of backups?

recoverable backups,

yeah, but just another word I'm looking for here.

Immutable.

There we go.

There we go.

Immutable backups.

Mike has taken over my, badge as backup person.

Yeah.

So

my

that's the,

but I don't do that.

I gotta buy, I gotta buy four of 'em apparently.

the, I really gotta get some more merch, but the we talk a lot about

this and I'm not gonna spend a ton of time here, but the whole purpose

of this podcast, the backup wrap up, is to help you have better backups.

And one of the things that you have to have is truly immutable backups.

Unfortunately, immutable is.

Has become one of those words that is just thrown around like a marketing term,

and it's very much not a marketing term.

The backups are either it should be a binary condition, right?

Like pregnant or dead, right?

You're either pregnant or you're not pregnant.

You're either dead or you're not dead, right?

it, you're either immutable or you're not immutable.

Unfortunately, it is a bit of a, of a pendulum.

No, not, no, not the word.

What's the word I was looking for there?

Spectrum.

Yeah, thank you.

It's a spectrum, right?

And, but the.

The standard by which I judge whether or not it's immutable.

If it's truly immutable, then even you cannot delete it.

even if you wanted to, if that's how immutable your

backups are, then I'm happy.

If it's anything less than that, then I have questions.

I'm not saying it's wrong, I'm just saying I have questions.

And I know companies where it's it's immutable.

Unless you call in and super authenticate yourself again, I have

questions, the, there are, I can think of some types of immutable,

it's immutable unless you have root.

If you have root, then we can turn off the immutable flag and

then we can delete the files.

That's not, that's really not that immutable.

That's barely security by obscurity.

Because

real, real quick, that construction example I gave

yeah.

did that the Wednesday before the attack.

Wednesday before the attack, back backup.

Bad men took his first vacation ever.

By the way.

He was like number one suspicious person on the list when this happened.

But he took

I bet.

vacation ever.

and the first thing that bad guys did at just after midnight, Thursday,

Wednesday night, in the Thursday morning is they forensically scrubbed

all of their backups because they had his root, root credentials.

And then starting at, four or five o'clock in the morning is when they started,

they used the domain controller to script the, the release of ransomware across

the entire environment at the same time.

It just hurts.

you gave me another flashback, Mike, and that is going all the way back.

31 years.

when, my daughter was born and I took a day off, I had one of those jobs that,

I was the backup guy at this MBNA at this, big giant credit card company.

And I took my first day off 'cause I never took days off.

And I took a day off because my daughter was born and I was in, the hospital.

my wife's hospital room.

My daughter was born, and she was actually in the nicu.

she was actually healthy.

But it's a long story.

I'm standing in the hospital room with my wife.

With our baby and the phone.

And now again, for the children in the room.

We didn't have cell phones back then.

Okay.

And the phone, the table phone, it's a phone.

It's like a cell phone, but it's tied to the wall.

And it was on the table next to my wife's hospital bed.

And that phone rang.

And it's yeah, it's for you.

And they hand me the phone and they're like, yeah, we have this, this big

restore that we need your help with.

And I'm just like.

And I remember saying it is.

Is it this process documented?

Because even back then, I believed in documentation.

Is this pro, is this process documented?

They said, yes.

did you follow the documentation?

Did you, are there any questions about the documentation?

They go, oh, we haven't actually tried to follow the

documentation we just called you.

'cause it was a bigger store.

And I just hung up.

I was like, yeah, I'm here because like you.

Mike, I believe earlier, I don't know if that was, the other episode

or this episode where you talked about when your daughter calls,

you're gonna answer the phone.

Yeah.

My, the daughter at that point, my wife obviously her health, we have

this new tiny little baby and then they're gonna call me and ask me

about restored some empty squat file.

so what's the lesson we.

Curtis, newborn daughter or a restore in doing your

Yeah, it's a question.

It's a good question, but I think that, the whole point here we've been talking

about, we talked about ofac, similar organizations in your country, in your,

whatever your country happens to be.

is that paying a ransom?

First off is never a good idea for a long list of reasons.

And second, it potentially may be, e either a crime or sanctionable.

It might not be a crime, but it might be something that could subject your

company fines and you could potentially be, liable for jail time depending on your

country and how they enforce such things.

and what we would much rather.

Have you do is just have, when I say just have immutable backups,

an incident response plan, disaster recovery plan so that you're able

to respond, and not pay the ransom.

What's that Prasanna Sure.

Can I add one thing?

Add

insurance too.

and have cyber insurance.

Absolutely.

you have any final thoughts, Mike?

I have a joke.

Okay.

son goes to mom and says, mom, I'm sick.

I just, I'm sick.

And mom says, it's really not that bad.

You got two options.

You're either gonna get better or you're gonna get worse.

And if you get worse, you got two options.

You're gonna get better or you're gonna die.

And if you die, you got two options.

You're gonna go to heaven, you're gonna get hell.

if you go to hell, you got two options.

Original or extra crispy.

That's quite the joke.

That's quite the joke, Mike.

so ba Basically she was saying other things are gonna get

better, they're gonna get worse.

If they get better, great.

If they get

Yeah.

options.

so those are your final thoughts regarding paying the ransom.

Yeah,

Okay.

don't

All right.

Yeah.

advisor.

Find a friend that knows something, or multiple friends that knows

something about something.

Yeah.

spread the grief.

and don't do it by yourself and don't think you need to.

I know a lot of, people that build their.

Their IT environment are very proud of it.

and they wanna, they feel like they've, they're responsible and they have

to put this fire out by themselves.

I don't know any firefighter that's gonna go at it by themselves unless

they're a pyro, but, don't be a pyro.

and man, there, that just reminded me of, I think it was an insurance

company at some point in the past where it said, Bob did this.

Bob did that.

Bob ended up in the ditch.

Don't beat Bob.

Don't be Bob in the ditch.

yeah.

yeah.

go ahead.

Go ahead.

Yeah.

I know it's late in the day for us here, but

I.

tomorrow when you have a minute, Google, local people you can talk to

and a lot of those organizations will.

like a law firm.

They'll, they'll do a free consultation.

In fact, there

Right.

law firms, there's one here in, it's, I think they're a national firm,

but they're headquartered in Dallas, I think it's called Spencer Fa.

they have a cybersecurity, group.

That's all they do is incident response breach stuff.

And they do $0 retainers.

So they get all the deconfliction and paperwork outta the way, and you've got

your attorney when something bad happens.

You've got a piece of paper that says they're gonna answer the

phone when you call 'em because you got something going on.

I think when came on the podcast, many.

You mentioned also like sometimes the FBI does in their area, don't they do

some trainings or get togethers and other things like that around some of this?

there are, the FBI and the Secret Service both have this, networking.

Club.

I know I'm minimizing it and I don't mean to be disrespectful in doing so,

but like the FBI has a program called the InfraGard, and there are, there

is an InfraGard chapter everywhere.

There is a FBI field office.

so go to the FBI's, go to the it's infragard.org.

You can sign up to be a member.

and in doing so, you get to rub elbows with FBI agents and make friends.

You don't have to do that.

Just call your local FBI office and say, Hey, I work for a small business,

I'd like to get to know you guys.

And very often they'll buy you coffee and, exchange phone numbers and.

Now you've got a Contact Secret Service.

Very similarly they've got, electronic crimes Task force, kind of group that

you can join in tech in north Texas.

It's called the North Texas Cyber Fraud Task Force.

and so those are events where you get to, in infra regard too, they have trainings

and so a vendor or some, some member will speak on some topic and then the agency

will give an update on cyber crime or.

Terrorism or whatever it is.

so for those two agencies, those types of groups to belong to.

and there's others too, depending on what your needs are.

DEA has one, department of Justice has one.

A lot of local district attorneys have, like Citizen Academy type,

things you can participate in.

But the point, and you don't have to do all those.

The point is reach out to all those different groups and make friends,

get a phone number, so that when you have a bad day or you're having

a bad day, you know who to call.

Do they start all those meetings with?

We're the government and we're here to help.

No.

very often they start the meeting with, we are the government, but

I am here to talk with you and,

Okay.

I say is my own opinion and not, whatever.

Oh, okay.

Yeah.

All right.

good questions today.

Prasanna.

I try Curtis.

See, I'm stepping up my game.

Hey, we, oh.

This is just a game to you.

Anyway, thank.

All right, thanks.

Thanks for being on today, Mike.

Thanks, Prasanna.

This was

Thanks everybody.

All right, and that is a wrap.