Joe describes a primitive (but effective) phishing scheme being tracked by Bleeping Computer. Dave shares news from a Black Hat presentation on phishing stats from Google. The catch of the day is a friendly invitation from Hawaii. Our guest is Michael Gillespie from Emsisoft describing the ID Ransomware project.
Links from today's stories:
- Beware of Emails Asking You to "Confirm Your Unsubscribe" Request
- We keep falling for phishing emails, and Google just revealed why
- ID Ransomware
Michael Gillespie: [00:00:00] If everyone had proper backups, ransomware would never have been a thing - just as simple as that.
Dave Bittner: [00:00:06] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:24] Hi, Dave.
Dave Bittner: [00:00:24] We got some good stories this week. And later in the show, Michael Gillespie from Emsisoft joins us. He's going to describe the ID Ransomware project, and we're also going to get his insights on how users and organizations can protect themselves from these sorts of threats. But first, a word from our sponsors at KnowBe4.
Dave Bittner: [00:00:42] So how do you train people to recognize and resist social engineering? Here are some things people think - test them. And if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or maybe you pass out a gift card to the one who gets the A+ for skepticism in the face of phishing. So how about it? What do you think - carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.
Dave Bittner: [00:01:19] And we are back. Joe, why don't you kick things off for us this week?
Joe Carrigan: [00:01:23] Dave, this week, I have a story from Bleeping Computer.
Dave Bittner: [00:01:25] OK.
Joe Carrigan: [00:01:25] And it's just something they've noticed in their email over there. They have noticed that they've gotten an uptick in a very unsophisticated phishing campaign. And here's how it works. They started receiving these messages that read something like, hey, please click here to confirm your unsubscribe request.
Dave Bittner: [00:01:43] OK.
Joe Carrigan: [00:01:44] There's no mention of what they're on subscribing from. But it looks like one of these messages that you used to get when you would subscribe to a news list and you'd say, OK, I don't want to get this anymore. And you'd click the unsubscribe button, and they'd send you an email to confirm that you were unsubscribing. It was a very convoluted and terrible system.
Dave Bittner: [00:02:01] Right.
Joe Carrigan: [00:02:02] Right?
Dave Bittner: [00:02:03] Right, right (laughter).
Joe Carrigan: [00:02:03] And it looks like it's trying to imitate that from days gone by. And they have some images of these emails in the article, and we'll put a link in the show notes.
Dave Bittner: [00:02:12] Yeah.
Joe Carrigan: [00:02:12] And they look like they're from the same template, from the same toolkit to me. And I'm going to speculate on that later.
Dave Bittner: [00:02:19] OK.
Joe Carrigan: [00:02:20] But the link - the unsubscribe part of the email is actually a mailto link. Right? Now, this is an HTML feature that you used to see all over webpages where, you know, you see, contact the webmaster or email me.
Dave Bittner: [00:02:34] Right.
Joe Carrigan: [00:02:34] And you'd click on a link, and it opens up your native - whatever your default mail client is and populates everything for you with a subject line and a to address.
Dave Bittner: [00:02:44] Yeah.
Joe Carrigan: [00:02:45] And if you are silly enough to click on the link that comes in this email, then it will start a new email for you and try to send it to something like 15 to 20 email addresses.
Dave Bittner: [00:02:56] Email addresses it gets from where?
Joe Carrigan: [00:02:58] From - they're in the HTML in the email that you receive.
Dave Bittner: [00:03:02] Oh.
Joe Carrigan: [00:03:03] So that link is a mailto link with 15 email addresses in it - 15 to 20 email addresses in it. And the subject line is unsubscribe. And that's all that's in there. It's a blank email. In a mailto link, you can fill out other stuff like body and all this other information - cc, bcc...
Dave Bittner: [00:03:20] Right.
Joe Carrigan: [00:03:20] ...If you wanted to. But it's an older thing that you don't really see on the web very much anymore. You still see it from time to time, but it's - because HTML is now permeated into our email system, as well, it's a feature that's available here.
Joe Carrigan: [00:03:33] Now, Bleeping Computer speculates - and I would agree with this assessment, as well - that what this is is an attempt to validate good email addresses. We talked about this a couple months ago with the unsubscribe link, right? When you click on that unsubscribe link, that actually validates that your email address is being used and read and there's a person on the other end. This looks like they're taking some kind of spam list that they bought - maybe they bought a spam list at a steep discount. They're essentially going through, and they're distilling their list down to a more pure product for future campaigns.
Joe Carrigan: [00:04:06] I tend to agree with that assessment that Bleeping Computer has. But here's my theory on this. The messages look very similar. The two images in the article, they look very similar. They're just worded a little bit differently, and maybe there's some typing that didn't happen in one that happened in the other. I think this is a phishing kit that somebody's developed, and you're going to start seeing these coming around.
Dave Bittner: [00:04:26] Well - so here's what I wonder. If I hit the unsubscribe button and that sends out 15 to 20 emails...
Joe Carrigan: [00:04:34] Correct.
Dave Bittner: [00:04:35] ...Those are coming from me.
Joe Carrigan: [00:04:36] Correct.
Dave Bittner: [00:04:37] How are the bad guys getting notification as to whether those 15 or 20 emails are good or not?
Joe Carrigan: [00:04:43] The bad guys are the 15 to 20 email addresses. So when you click that link, you're sending 15 to 20 bad guys an email...
Dave Bittner: [00:04:50] From you.
Joe Carrigan: [00:04:51] ...From you.
Dave Bittner: [00:04:52] Oh.
Joe Carrigan: [00:04:52] Right.
Dave Bittner: [00:04:55] OK.
Joe Carrigan: [00:04:55] So that's how this works. Now, why are there 15 to 20 of them? I have a theory about this.
Dave Bittner: [00:04:59] Go on.
Joe Carrigan: [00:04:59] This is a wild theory. But I've never seen this before in something like this. So perhaps the phishing kit developers put their own email addresses into that mailto tag, and these operators who bought it didn't replace them. They just added theirs to it. So essentially, the kit developers are getting all these free hits on good email addresses. I have a prediction on how this is going to get worse.
Dave Bittner: [00:05:24] OK.
Joe Carrigan: [00:05:25] The next kit will have a feature where you can click a link and it will go to a website. The link in the website will then validate the email because it will have a unique code. That's how this is going to get better - I mean, in terms of a more proper phishing campaign. Right? I mean, this is...
Dave Bittner: [00:05:39] The usefulness to them...
Joe Carrigan: [00:05:40] This is a real hack phishing campaign.
Dave Bittner: [00:05:42] Yeah.
Joe Carrigan: [00:05:42] It's very basic and rudimentary. It relies on email. It relies on people sending an email to 20 email addresses. It probably works.
Dave Bittner: [00:05:50] Just to gather up good email addresses...
Joe Carrigan: [00:05:53] Hoover up good email addresses...
Dave Bittner: [00:05:54] ...Which I guess they can then turn around and sell for a fraction of a penny or use for who knows what.
Joe Carrigan: [00:05:59] Use for another campaign, probably.
Dave Bittner: [00:06:01] OK. So the lesson here is...
Joe Carrigan: [00:06:03] Don't click on the link.
Joe Carrigan: [00:06:05] You know, if you didn't ask for it, don't open it. Mark it as spam in your email client. Throw it in the trash. Be done with it.
Dave Bittner: [00:06:12] Especially if it gives you no indication of what it is you're unsubscribing from...
Joe Carrigan: [00:06:16] Yeah, that's the red flag. The picture in the article - one of them just looks like just total amateurs came up with this. Amateur hackers get results, actually.
Dave Bittner: [00:06:25] Well, I can imagine someone going through and just cleaning house one day. You could just - you know, today is the day I'm going to go through and get rid of all these newsletters that I don't want.
Joe Carrigan: [00:06:35] Right, yeah.
Dave Bittner: [00:06:36] And so they're just clicking unsubscribe, unsubscribe...
Joe Carrigan: [00:06:38] Yep.
Dave Bittner: [00:06:38] ...Unsubscribe.
Joe Carrigan: [00:06:39] Yep.
Dave Bittner: [00:06:39] And they hit this one. And it's one of 10 or 20, and...
Joe Carrigan: [00:06:42] Oh, this one wants me to send an email?
Dave Bittner: [00:06:43] ...Kaboom.
Joe Carrigan: [00:06:44] OK, click - off you go.
Dave Bittner: [00:06:46] Right, right. They do a search in their email client for the word unsubscribe.
Joe Carrigan: [00:06:50] Yep.
Dave Bittner: [00:06:50] And off they go.
Joe Carrigan: [00:06:51] Yep.
Dave Bittner: [00:06:52] All right. To me, this one is a combination of both interesting and a bit of a head-scratcher.
Joe Carrigan: [00:06:56] Yeah.
Dave Bittner: [00:06:57] The delayed gratification, I suppose, is not something we're accustomed to seeing from these sorts of folks. Right?
Joe Carrigan: [00:07:02] No, it's not. But I mean, there are people that do very complex and long-minded campaigns. They take the long view on these things. And like you said, a list of validated email addresses is valuable. If I could sell that list to other spammers, I can probably make good money off that.
Dave Bittner: [00:07:19] Right. And if you can do it in an automated way...
Joe Carrigan: [00:07:21] Right.
Dave Bittner: [00:07:21] ...There's very little effort on your part.
Joe Carrigan: [00:07:23] Even better.
Dave Bittner: [00:07:23] Yeah. OK. Well, my story this week comes to us from Fast Company. This is a story titled "We Keep Falling For Phishing Emails, And Google Just Revealed Why." This is from Rob Pegoraro. He's writing over at Fast Company. This is from the Black Hat security conference, which just wrapped up recently in Las Vegas. And a couple of security researchers from Google - it was Elie Bursztein and, from the University of Florida, a professor Daniela Oliveira. They shared some information that they had gathered up from Google, and this article outlines how Google blocks roughly a hundred million phishing emails every day.
Joe Carrigan: [00:08:05] Right.
Dave Bittner: [00:08:05] And they fall...
Joe Carrigan: [00:08:07] That seems low, doesn't it?
Dave Bittner: [00:08:08] Well, it says they fall into three main categories - highly targeted but low-volume spear phishing...
Joe Carrigan: [00:08:14] OK.
Dave Bittner: [00:08:15] ...Which are aimed at distinct individuals. The next category they call boutique phishing, which targets only a few dozen people. And then there's the automated bulk phishing, which is the stuff that's just the shotgun approach...
Joe Carrigan: [00:08:27] Right.
Dave Bittner: [00:08:27] ...That goes out to everybody. How long do you think a phishing campaign runs for? What is the duration that you think one of these is in operation?
Joe Carrigan: [00:08:37] You're talking about sending out an email to a given email list?
Dave Bittner: [00:08:41] Yeah. I set up a phishing campaign, and I hit the go button on it.
Joe Carrigan: [00:08:45] Thirty minutes.
Dave Bittner: [00:08:46] Thirty minutes - all right.
Joe Carrigan: [00:08:47] That's my guess.
Dave Bittner: [00:08:47] OK. Google says that the boutique campaigns typically run for about seven minutes.
Joe Carrigan: [00:08:52] Seven minutes...
Dave Bittner: [00:08:53] And the bulk operations run for about 13 hours...
Joe Carrigan: [00:08:57] OK.
Dave Bittner: [00:08:57] ...Which is interesting because you can see how that makes the cat-and-mouse game more difficult.
Joe Carrigan: [00:09:02] Right.
Dave Bittner: [00:09:03] If something is only running for seven minutes, it comes and goes.
Joe Carrigan: [00:09:06] Yeah. You can't build a fingerprint off of it - right? - I mean, because by the time you've got the data, the attack is over.
Dave Bittner: [00:09:11] Right. They also said that most of the phishing campaigns target commercial mail services. Your corporate email account is almost five times more likely to receive a phishing email than a plain old Gmail account.
Joe Carrigan: [00:09:23] Right. That's probably because Google has a much better mechanism for catching that phishing email than your corporate email does.
Dave Bittner: [00:09:29] Interesting point. They said that the most common impersonated login pages were for email services - 42%. Twenty-five percent were cloud services, followed by financial institutions, retail and delivery services. It's interesting, too, that they said Google can't identify many phishing emails. They vary enough. They're evolving so quickly and the way that they're composed, the AI isn't quite there yet to be able to...
Joe Carrigan: [00:09:59] Right.
Dave Bittner: [00:09:59] ...Reliably stop them every time.
Joe Carrigan: [00:10:01] Yeah.
Dave Bittner: [00:10:01] When you think about - we've talked about how run-of-the-mill spam is pretty much a solved problem, you know?
Joe Carrigan: [00:10:05] Right.
Dave Bittner: [00:10:06] The old Viagra pills and, you know, those kinds of - those hardly ever make it through anymore.
Joe Carrigan: [00:10:11] Right.
Dave Bittner: [00:10:12] But the phishing stuff still does.
Joe Carrigan: [00:10:13] Yeah.
Dave Bittner: [00:10:15] Another interesting thing from this presentation they gave, they talked about how the human factors, like whether or not you're in a good mood, really affects your susceptibility to phishing emails.
Joe Carrigan: [00:10:27] And what were the findings about mood versus susceptibility?
Dave Bittner: [00:10:31] If you're in a good mood, you are much more likely to be in a mental mode where you're going to be willing to take risks.
Joe Carrigan: [00:10:38] Right.
Dave Bittner: [00:10:39] So you're more likely to click that link (laughter).
Joe Carrigan: [00:10:41] Right.
Dave Bittner: [00:10:42] Right? Because what's the worst that could happen? I'm in a great mood. I'm having a great day.
Joe Carrigan: [00:10:46] I'm immediately picturing myself in a bad mood going, I'm not doing that (unintelligible).
Dave Bittner: [00:10:50] Right.
Joe Carrigan: [00:10:50] Delete.
Dave Bittner: [00:10:51] You're in a bad mood just from being presented with the link at all...
Joe Carrigan: [00:10:54] Right.
Dave Bittner: [00:10:55] ...In an email. That just puts you in a bad mood.
Joe Carrigan: [00:10:57] That's me (laughter).
Dave Bittner: [00:10:58] Yeah, yeah. And the recommendations they made - ground we've covered before. Most important is just some sort of two-step verification. And as we've talked about here many times, SMS is good. But some other - a physical device or a - using something like Google's Authenticator or Yubico - those sorts of things are even better.
Joe Carrigan: [00:11:16] Those are all much better.
Dave Bittner: [00:11:17] Much, much better, yup. So some interesting stats there from Google courtesy of the folks over at Fast Company. So that is my story this week. Joe, it is time to move on to our Catch of the Day.
Joe Carrigan: [00:11:30] My favorite part of the show.
0:11:31:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:35] So our Catch of the Day this week comes from a listener named Jogious (ph), and I hope I got that right. It's a tricky one. There are many possible pronunciations I can imagine.
Joe Carrigan: [00:11:44] Yes.
Dave Bittner: [00:11:45] So I apologize in advance if I did not get it correct. We do appreciate you sending it in. And this is a message that he received. And it goes like this. (Reading) Aloha. As your affairs, I would like better to find out each other. I search reliable for relations and networks. My name is Katyusha (ph). I positive and sociable the woman. I have no bad habits. I do not smoke, and I do not use spirits. I love to be engaged fitness. If not against throughout hours acquaintances, let to me know. If you want, I can tell to you more about myself. I never was married and do not have the kinder. Please write to me more about you. I wish to fast an acquaintance with you and to find out you better. If you can, please, you have come to me photos. And after, I will send to you mine photos. With impatience, I wait your answer with huge impatience. With the best regards, Katyusha. You think this went through Google Translate or something, Joe (laughter)?
Joe Carrigan: [00:12:37] Could be.
Dave Bittner: [00:12:39] My favorite phrase - I wish to fast an acquaintance with you.
Joe Carrigan: [00:12:42] Right. Where does it talk about spirits? I do not use spirits - right? - i.e. I don't drink.
Dave Bittner: [00:12:47] Right. Right. This is why I'm thinking this was sent through a translator.
Joe Carrigan: [00:12:51] Right.
Dave Bittner: [00:12:52] Yeah. I do not have the kinder. I imagine that means I don't have children...
Joe Carrigan: [00:12:55] Right.
Dave Bittner: [00:12:56] ...As in kindergarten - that sort of thing.
Joe Carrigan: [00:12:58] But why? Why kinder?
Dave Bittner: [00:13:00] I don't know.
Joe Carrigan: [00:13:01] That's weird.
Dave Bittner: [00:13:01] Yeah.
Joe Carrigan: [00:13:02] Anyway, it's a great one.
Dave Bittner: [00:13:03] Yeah.
Joe Carrigan: [00:13:04] (Laughter) I love this one.
Dave Bittner: [00:13:05] Yeah. Yeah, short and sweet, simple. Thank you to Jogious for sending it into us. Again, apologies if I got the name wrong. All right, well, that is our Catch of the Day. Coming up next, we've got Michael Gillespie from Emsisoft joining us. He's going to describe the ID Ransomware project, and we're going to get his insights on how users and organizations can best protect themselves from the threats we talk about here.
Dave Bittner: [00:13:27] But first, a word from our sponsors at KnowBe4. Let's return to our sponsor KnowBe4's question, carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks - don't do that. Approach your people like the grown-ups they are and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives at KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:14:20] Joe, I recently had the pleasure of speaking with Michael Gillespie. He's from Emsisoft, and he also runs the ID Ransomware website, doing some really good stuff here. Here's my interview with Mike Gillespie.
Michael Gillespie: [00:14:32] ID Ransomware is a website that I built - goodness - over 3 years ago now. It's flown. Its primary purpose is identifying a ransomware. And this came out of a need from being a volunteer on the Bleeping Computer forums mostly. The forums would get completely swamped with people, you know, opening new topics. And it kind of became chaos with, like, hey, my files have this extension, and this is the ransom note. What hit me? Can I get my files back? Everything between me and the moderators was, like, canned responses. Oh, well, you have this extension, so it's most likely this ransomware; here's a link to an article about it - and very canned responses over and over. And, well, my profession is I'm a programmer, so what do I do? I automate.
Dave Bittner: [00:15:18] Well, walk us through what exactly goes on. How does it function?
Michael Gillespie: [00:15:22] When you get to the website, basically, it just asks you to upload the ransom note and one of the files that the ransomware encrypted. And you just upload both of those pieces of information. I, of course, recommend you upload something nonprivate if you can. I don't keep the files around, but, you know, just for general purposes, you shouldn't be uploading personal information somewhere anyway.
Dave Bittner: [00:15:44] Right.
Michael Gillespie: [00:15:45] And then my website does a lot of cross-referencing, you know, checking the file extension, checking the name of the ransom note, all the email addresses or Bitcoin addresses or maybe onion addresses in the note. Also, some ransomware leave, like, a file marker. Like, for example, TeslaCrypt left a file marker saying DEADBEEF at the beginning of the file. Some other ransomware have, like, more in-depth detection. I have, like, a special code just to detect that one ransomware. So there's also other sources I pull from. There's, like, a ransomware tracker. That's a external project by someone that they track, like, all the command center URLs. I cross-reference with that. And it's a big beast. It's got a lot of stuff under the hood for detection.
Dave Bittner: [00:16:30] And what's the likelihood that you'll be able to ID something that someone sends to you?
Michael Gillespie: [00:16:35] It's probably up in the, like, 90% to 95% with identification. The challenge is that there are - well, in the last few years especially, there's been additional challenges with ransomware, like, mimicking each other. So that does add an extra layer of complexity. But I do have, like, a whole false-positive engine that I built for that purpose. I mean, you can just upload just the ransom note or just an encrypted file, but the best accuracy is definitely uploading both so that it can do its false positives and try to figure that out better.
Dave Bittner: [00:17:10] And then once you've IDed something, do you offer advice for folks on how they might either be able to decrypt or proceed?
Michael Gillespie: [00:17:18] Yep. So there are basically a couple of different - I call them statuses. The best case, of course, is - congratulations, this is a decryptable ransomware. You know, it's known to be decryptable. Here's a link to an article showing how to use a decrypter. Then there's the - sorry, this has been analyzed by experts as not decryptable. It's recommended you back up your files in case something changes in the future. Then there's, like, the unknown. There are a lot of ransomware that - you know, it might be something that's really new. So I don't know if it's decryptable or not, or no one in the industry has either had the time or published an analysis on it, whether it's secure or not. And then there's also kind of a gray area. There's a - I have a possible status that's kind of like, this is decryptable under certain circumstances. So there's, like, certain ransomware that's like - sometimes it forgets to delete the key file, but you've got to get lucky. Or sometimes it's like, law enforcement seized the server, and they got some of the keys but not every key. So it's kind of like - you might get lucky. It might be decryptable.
Dave Bittner: [00:18:24] Now, in the years that you've been tracking ransomware, what sort of changes have you seen? How has it evolved?
Michael Gillespie: [00:18:31] I definitely say they keep getting more creative. Like, in general, like I mentioned, they keep mimicking each other, which gets very, very annoying. There's probably, like, a hundred different ransomware that just use the extension .locked. So those are, like, not unique, so I can't identify them very well. And then also, they keep adding more - I want to say - features. So like, for example, a recent one that's been really prolific is STOP djvu. That one, they started packaging passwords stealers - so like, adding other malware with it. They add it to a botnet or, like, a banking Trojan. So they're kind of getting more creative. And even just a ransomware I analyzed last week that I'm breaking currently, they kind of took liberty and invented their own crypto block mode, which was very odd to reverse.
Dave Bittner: [00:19:25] Do you have any sense for the spectrum of sophistication of the actors that you're dealing with here?
Michael Gillespie: [00:19:30] I mean, I have seen definitely a lot of cases of pretty sophisticated actors, especially the ones that are targeting certain organizations - you know, the ones that actually go - are in a network, not just the spray-and-pray sending out email spam. But once they actually get remoted into the server, those are usually the more dangerous bad guys.
Dave Bittner: [00:19:52] Now, in terms of folks best protecting themselves from ransomware, what's your advice?
Michael Gillespie: [00:19:57] Backups. Backups, backups, backups, backups, backups - freakin' backups.
Dave Bittner: [00:20:03] I get the feeling that you're recommending backups here, Michael (laughter).
Michael Gillespie: [00:20:07] Yes. That is the No. 1 thing. There's basically two factors in terms of why ransomware still even is a thing. If everyone had proper backups, ransomware would never have been a thing - just simple as that. There'd be no profit for it because everyone would just be like, hit the restore button. That's how it should be. The second factor, of course, is the whole controversy of paying the bad guys. That's what keeps them going. But there'd be no reason to pay them if you had backups.
Dave Bittner: [00:20:40] Do you have any sympathy for some of these larger, you know, underfunded organizations? I'm thinking of, you know, city governments and so forth who find themselves either with insufficient backups or unreliable backups? And they're doing the best they can. But sometimes I guess they decide that the cheapest way out is to pay the ransom.
Michael Gillespie: [00:21:01] That is a very complicated subject, of course.
Dave Bittner: [00:21:04] Yeah.
Michael Gillespie: [00:21:04] Being in - I've been in IT for - goodness - since, like, 2006. And I also work for a company that services small-to-medium business and residential. And I get everywhere from the spectrum of - grandma doesn't know how to back up her stuff - to, you know, a small business who - you know, the IT manager is trying to push for certain infrastructure, and it's just not getting budgeted. To my core, I'm like, sorry. There's no excuse for not having backups in 2019. I mean, cloud storage is - I don't want to say it's dirt cheap. Depending on your needs - I mean, for grandma, you can get her a free Dropbox with 10 gigs of backup space for nothing. Or you can get, you know, Carbonite or OneDrive or something that's, like, two to five bucks a month.
Dave Bittner: [00:21:49] Right.
Michael Gillespie: [00:21:50] It's very affordable for residential for sure. But in terms of business, it kind of irks me, especially certain industries where the data is your business. Like, for example, I kind of went on a rant a few months ago on, like, the photography industry. I run into that all the time where photographers get hit by ransomware and they have absolutely no backups. And it just - it blows my mind. Your entire business model is taking and storing digital pictures for your clients, and you can't have the tenacity to buy a hundred-dollar backup terabyte drive and just back up that wedding's photos as soon as you finish the shoot? That just irks me.
Dave Bittner: [00:22:33] What about the sophistication of some of the ransomware strains that try to hunt down your backups and encrypt those, as well?
Michael Gillespie: [00:22:41] That is definitely a reason that you should have an offsite backup, such as a cloud backup. Most good cloud backups - I know for certain Carbonite, Dropbox and Google Drive have a revision system to where if - you know, for example, if you get hit by ransomware and it uploads your encrypted files and overwrites your backup, Carbonite actually has a way that you can roll back to a week ago. So they have, like, set-in revisions. That would definitely be - if you're looking into a cloud provider, I'd definitely look in to make sure they have that feature.
Dave Bittner: [00:23:18] You bring up a good point. It's something we talk about on this show quite a bit, which is - you know, those of us who have some abilities, you know, in the technical realm, looking out for our friends and family - you know, I think about my parents, for example, and just, you know, going in there behind the scenes and setting them up for success.
Michael Gillespie: [00:23:37] Yep. I've had to do that for some of my family, as well. And I know it's - as the IT guy in the family, sometimes, it's a little annoying. You know, you go to Thanksgiving dinner, and Grandma's asking you weird computer questions. You're like...
Dave Bittner: [00:23:49] Right.
Michael Gillespie: [00:23:52] But yeah, at the end of the day - I mean, at a minimum, at least just set them up on, you know, like, Dropbox or, like - Windows 10 really forces the OneDrive down your throat, so just embrace it for her.
Dave Bittner: [00:24:05] Joe, what do you think?
Joe Carrigan: [00:24:07] I like what Michael's doing.
Dave Bittner: [00:24:08] Yeah.
Joe Carrigan: [00:24:08] I'm a big fan. I like the fact that you can go there. You can upload some samples. He's got a false-positive engine. That's great. And then he points you in direction of free decrypters. There's also a site nomoreransom.org, which does a similar thing - that offers decrypters. I think you can download them directly from there. I like that Michael's site will go through the process of IDing the ransomware for you and telling you what the strain is and running a lot of analytics on the data that you give it.
Dave Bittner: [00:24:35] He's one of those folks out there who's helping make the internet a better place...
Joe Carrigan: [00:24:40] Right.
Dave Bittner: [00:24:40] ...For the rest of us...
Joe Carrigan: [00:24:41] Yeah.
Dave Bittner: [00:24:42] ...Using his skills, his technical skills.
Joe Carrigan: [00:24:44] Absolutely. He's doing good work.
Dave Bittner: [00:24:46] Yeah. And...
Joe Carrigan: [00:24:46] We appreciate it.
Dave Bittner: [00:24:47] ...Also helping people when they're at a moment when they're probably not feeling very good about things.
Joe Carrigan: [00:24:52] No. Interesting about - what was it? - the Tesla ransomware he was talking about had a file tag in the beginning, DEADBEEF. That is a very old thing. It's the words you can spell with hexadecimal characters. So it's - I don't know if that has any bearing on anything. I just think it's interesting.
Dave Bittner: [00:25:10] It's just an old hacker...
Joe Carrigan: [00:25:11] Yeah, it's an old hacker thing.
Dave Bittner: [00:25:12] ...Thing from back in the day. Yeah, that is interesting.
Joe Carrigan: [00:25:14] I totally see how mimicking can be frustrating - the mimicking that goes on in that marketplace can be frustrating because, particularly when you're trying to identify these strains of ransomware and they start mimicking each other or maybe even just copying code from each other, that's going to make that job a little more difficult. And I think I have to agree with what Michael said that the first four rules of computing are back up, back up, back up and back up.
Dave Bittner: [00:25:38] (Laughter) Right.
Joe Carrigan: [00:25:39] I actually am a user of OneDrive, Google Drive. And I used to be user of Dropbox, as well; I don't have an account with them anymore that I pay for. But I was working today with Audacity, which creates a whole bunch of files for every change you make to any audio file you're working with. And then if you undo it, it deletes those files that it just created. And every time I undid a change, I got a warning from OneDrive that said, hey, you just deleted a bunch of files. Did you mean to do that? Right? You'd get that if you got a bunch of files deleted or encrypted, as well.
Dave Bittner: [00:26:13] Right.
Joe Carrigan: [00:26:13] You can roll back 30 days with OneDrive, as well, and all the other products that Michael had mentioned.
Dave Bittner: [00:26:18] I guess the point is that these days, with the availability of online data, it's really cost-effective to back up online. You combine that with higher-speed connectivity.
Joe Carrigan: [00:26:31] Right.
Dave Bittner: [00:26:32] People's connection to the net are faster.
Joe Carrigan: [00:26:33] Yeah.
Dave Bittner: [00:26:33] So it makes it practical to store your stuff online.
Joe Carrigan: [00:26:36] It does. And you can get it anywhere, as well. Whatever these cloud storage solutions, they have multiple-platform solutions. So you can get your data on your Android device or your Apple device or your laptop - doesn't matter. You can have access to your data - that and you get protection from ransomware if you put all your data in the cloud. Why wouldn't you do that?
Dave Bittner: [00:26:54] Yeah. And you can use more than one.
Joe Carrigan: [00:26:56] That's right.
Dave Bittner: [00:26:57] Right. All right. Well, again, thanks to Michael Gillespie from Emsisoft for joining us and all the work he's doing there at...
Joe Carrigan: [00:27:04] Yeah, thanks for the work, Michael. That's amazing.
Dave Bittner: [00:27:05] ...The ID Ransomware site. Good stuff - nice to have folks like that out there.
Joe Carrigan: [00:27:09] Yep.
Dave Bittner: [00:27:10] That is our podcast. We want to thank our sponsors at KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training.
Dave Bittner: [00:27:29] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:27:54] And I'm Joe Carrigan.
Dave Bittner: [00:27:55] Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.