The ransomware game has evolved.
Allan Liska: The ransomware market has changed a lot since 2016, and so I really, really wanted to kind of give an update to kind of what's happening and get it in a condensed, understandable format.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Allan Liska from Recorded Future. We're going to be talking about the evolution of ransomware and his new book "Ransomware: Understand. Prevent. Recover."
Dave Bittner: All right, Joe, before we jump into our stories this week, we have a little bit of follow-up here. Someone wrote in to us. What do they have to say?
Joe Carrigan: They have a question. It's Joan (ph), and she has a question. And she says, hello. My dad received a call supposedly from MasterCard Fraud Department. The scammers asked him for the last four of his Social Security number, which is a common means of identifying people in the U.S., and also asked for a photo and video of him. Why are they asking for the photo and video - any thoughts?
Joe Carrigan: Dave, I have my thoughts. What's your thought?
Dave Bittner: Well, I think first of all, these folks want to gather as much as they can. I think the photo and video - I think there are some fraud departments who ask for this, ask for a photo or video to, you know, align with your license, your driver's license or something like that. I imagine this could be used to mock up a driver's license or something like that. What do you think?
Joe Carrigan: Right. I don't think this is actually from MasterCard Fraud Department. I don't think.
Dave Bittner: Yeah, yeah.
Joe Carrigan: You know, you don't give out information on an outbound call - or an inbound call, rather. So, Joan, one thing I'd say is make sure your father listens to this show or other shows like it.
Joe Carrigan: Another thing as far as the photo and the video is a lot of - like Dave was saying, a lot of companies are starting to ask for these kind of things as identification. It may be the case that these guys are targeting your dad because they've already built a significant dossier on him. They already have a lot of information about him, and they're looking to flesh that out with the last four of his Social Security number and of a photo and a video so that when it comes time for them to try to break into a bank account of his, they have those assets available.
Joe Carrigan: If your dad did provide those things, it's time to probably take some measures about that. If he didn't, you're probably OK. But I would still put some credit monitoring in place and possibly talk to any banks that he has accounts with and let them know that he's being targeted just so that they're on the lookout for it.
Dave Bittner: Yeah, yeah - better safe than sorry for sure. It is an odd request...
Joe Carrigan: It is.
Dave Bittner: ...As you point out. You know, anything inbound, be wary of.
Joe Carrigan: Absolutely.
Dave Bittner: Call them back.
Joe Carrigan: Yeah.
Dave Bittner: Call them back.
Joe Carrigan: It's always OK to hang up and call back - call them back on a number that you know is good by looking it up on the website.
Dave Bittner: Right, right. All right. Well, again, thanks to Joan for writing in to us. We would love to hear from you. You can email us at hackinghumans@thecyberwire.com.
Dave Bittner: Joe, let's jump into our stories this week. What do you have for us?
Joe Carrigan: Dave, it's that time of year again, my least favorite time of year - tax time, Dave.
Dave Bittner: (Laughter) OK, fair enough.
Joe Carrigan: (Singing) It's the most wonderful...
Joe Carrigan: No, it's not wonderful at all.
Dave Bittner: Yeah.
Joe Carrigan: We all have to start looking for those tax documents that come in the mail, and we all have to be on the lookout for these scams. And I have a story here from NerdWallet or an article from NerdWallet. That is a financial services company here in the U.S., and they are - they have a list of the latest IRS scams. And let's just go through this list so that everybody is aware of them.
Joe Carrigan: These are going to be calls that come to you with great frequency this year, I predict. We're going to see - we're going to - a lot of people are going to see these kind of calls coming in.
Joe Carrigan: Here's the first one. We've recalculated your tax refund, and you need to fill out this form. You're going to hear somebody say that. The IRS never recalculates your tax refund. That doesn't happen. That's entirely up to you...
Dave Bittner: OK.
Joe Carrigan: ...As a taxpayer.
Dave Bittner: Right.
Joe Carrigan: OK? They don't do that for you. Here's another one. You need to pay a small fee to get your stimulus check. You don't have to pay any fees to get your stimulus checks. They are either directly deposited, or they're mailed to you.
Dave Bittner: Right.
Joe Carrigan: Here's one that's great. This is not an IRS scam, but it says, we're calling from the FDIC, and we need your bank information. OK, so the FDIC is the Federal Depository Insurance Corporation...
Dave Bittner: Right.
Joe Carrigan: ...Which is a federal organization that insures your deposits at the bank.
Dave Bittner: Yeah.
Joe Carrigan: The only time you'll ever need to talk to them is if you have a bank account at a bank that has failed.
Dave Bittner: Right.
Joe Carrigan: That's the only time you ever need to interact with the FDIC, and that will probably never happen to most people in their lives.
Dave Bittner: Yeah.
Joe Carrigan: It did happen with the savings and loans back in the '80s. Remember that, Dave?
Dave Bittner: I do. I went to high school with some friends whose families suffered some significant financial loss because of that.
Joe Carrigan: Yeah. That was not the FDIC, though. That was the SFLIC.
Dave Bittner: Yeah.
Joe Carrigan: It was the same thing for savings and loans, which were structurally different than banks. Do they still have savings and loans? I don't even know if they do, if they're still around. We're calling to tell you your identity was stolen. You need to buy some gift cards to fix it.
Dave Bittner: (Laughter).
Joe Carrigan: This sounds ridiculous to you and me, Dave...
Dave Bittner: Yes, it does.
Joe Carrigan: ...Because we are steeped in this world. But they're - the reason they make these calls is because they work on some people, right?
Dave Bittner: Yeah, yeah.
Joe Carrigan: Here's another one. This one is actually more feasible, or at least on its face. We'll cancel your Social Security number. That's - yeah. That's scary. You hear that and we're like, uh-oh, you know, they're going to - I need my Social Security number. You shouldn't cancel that.
Dave Bittner: (Laughter).
Joe Carrigan: How else am I going to get my Social Security, or how am I going to get my...
Dave Bittner: Disappear, yeah.
Joe Carrigan: Right.
Dave Bittner: Off the grid. Just poof, you're gone.
Joe Carrigan: Right. This is the Bureau of Tax Enforcement, and we're putting a lien or a levy on your assets. They will never call you to let you know that they're going to do that. If you're getting a lien placed on your assets, you already know. You have been talking to people at the IRS. You've gotten letters. You've gotten all kinds of correspondence from them. It's - you will know if you're going to have a lien. These don't show up out of the blue.
Dave Bittner: Yeah.
Joe Carrigan: OK. All right. If you don't call us back, you'll be arrested. This is a very common tactic used by these guys.
Joe Carrigan: Here's one that's really interesting, No. 8 on this list - use this form, W-8BEN, to give us your personal data. So a W-8BEN is a certificate of foreign status of beneficial ownership for the United States tax withholding. I don't know what that means. I'm not an accountant, but it's a legitimate form from the IRS. But these guys - these guys have altered it so that they ask for a lot more information, including your mother's maiden name, passport numbers and PINs.
Dave Bittner: Oh, wow.
Joe Carrigan: Right. I mean, this is just an identity theft score card here, right?
Dave Bittner: Yeah.
Joe Carrigan: That's all this is.
Dave Bittner: But they make it look like a legitimate form.
Joe Carrigan: But they make it look like a legitimate form. And they send you an email going, hey, you got to fill this form out and we're the IRS. Send it right back to me.
Dave Bittner: Right.
Joe Carrigan: OK. And people do that, and these guys then have access to a lot of things.
Dave Bittner: Yeah.
Joe Carrigan: Here is - I'm going to put a couple of these together here. Click here to see some details about your tax refund or to see your tax script or to take this survey. All of these are just malicious links, right? It's a great way to get, like, some kind of ransomware on your computer. Don't - never. Like we say, never click the link.
Joe Carrigan: And finally, this is a new one, and this one is targeted at - a relatively new one. It's only been around for a couple of years. This was targeted at the student body of the country. You owe the federal student tax, and you have to pay us for it. There is no federal student tax.
Dave Bittner: (Laughter).
Joe Carrigan: In fact, there are tax breaks for being a student. So if you're a student, you actually pay less taxes. There's no taxes for the - I think this preys on students, foreign students in the U.S...
Dave Bittner: Oh, I see.
Joe Carrigan: ...Who are not familiar with the U.S. tax code, you know, people who didn't grow up in it. You know, at Hopkins, we have a large body of foreign national students, right?
Dave Bittner: Sure.
Joe Carrigan: And a lot of universities have that. Some universities don't, but a lot of them do. And when you have a college or university that is - has a large foreign national student body, you already know that's a great place to start your phishing attack, right? And you can just - you know, you already - and you already know the end of everybody's email address, right? It's really easy to determine what their email addresses are.
Dave Bittner: (Laughter) Yeah. And I guess - I mean, a lot of these play off of that feeling that people have about the IRS, which is that it is a big government organization that has a lot of power. It has a lot of enforcement power.
Joe Carrigan: Right.
Dave Bittner: They can - you know, they can make your life miserable (laughter).
Joe Carrigan: They absolutely can.
Dave Bittner: If they want to.
Joe Carrigan: They have their own court system for it.
Dave Bittner: Right, right. And I think also because - you know, you sort of mentioned earlier on, you said I'm not an accountant. Well, few people are. And so...
Joe Carrigan: Right.
Dave Bittner: ...This is an area where it's sort of a double whammy, where you have that real specter of enforcement, but also it's something that people feel like they're out of their element when they're doing, you know, doing their taxes. And they're afraid that they're going to make a mistake. So there's a lot that goes into this.
Joe Carrigan: Yeah.
Dave Bittner: All right, well, we will have a link to that story in the show notes. My story this week comes from the folks over at Hitachi ID, which is a security organization, and they did a survey about ransomware operators trying to recruit people on the inside of companies.
Joe Carrigan: Really?
Dave Bittner: Yeah, so let's talk about this, Joe. What - if someone came to you and said, hey, Joe, we're going to give you some money to provide - and we need your credentials. We need your Hopkins credentials. You know, what - how much (laughter) - what would your price be, Joe (laughter)?
Joe Carrigan: OK, so you already know that I have a price.
Dave Bittner: Well, Joe, everybody...
Joe Carrigan: Because my first question is...
Dave Bittner: Everybody has a price (laughter).
Joe Carrigan: My first question is, well, how much money are we talking about here?
Dave Bittner: (Laughter) No, no, Joe. I'm sure upstanding citizen and loyal employee that you are, you would tell them to go pound sand and you would report them to the security folks at Hopkins, right?
Joe Carrigan: I would absolutely do that, yeah. Yeah, there's no amount of money that can - well, I shouldn't say no amount of money, but actually, first off, this presents so many problems to me.
Joe Carrigan: Let's say that I am corruptible - right? - for a price. And that price is big - right? - because I'm going to sacrifice the earning potential I have for the next however many years I'm going to be working - right? - 20 years, let's say. And I'm going to essentially sacrifice that by providing it to somebody else. I'm putting that at risk. I mean, maybe I get away with it, but chances are I won't, right? And because I'm not that lucky, first off. And so the money is going to have to come to me - it's going to be significant. And then I'm going to have to launder that money, I mean, to make it look legit. Yeah.
Dave Bittner: Who needs that kind of work, right?
Joe Carrigan: Right. Who needs that kind of headache? I think it's just easier for me to just continue to - first off, you probably don't have the money to give to get me to give you the access. And second off, I don't want that headache. And third off, I'm going to - I'm actually - and this is the more important thing - I'm actually going to do what's right here. I'm going to absolutely make a phone call to our security department, and then we're going to make a joint contact to the law enforcement. That's what's going to happen.
Dave Bittner: Yeah.
Joe Carrigan: And maybe I will tell you, oh, sure, I'm interested in this. But, you know, there's going to be other people listening on that phone call.
Dave Bittner: Well, these folks in there, they surveyed a hundred IT and security executives. And they found that there's been a 17% increase in the number of employees and executives who've been approached by hackers to assist in ransomware attacks.
Joe Carrigan: That is interesting.
Dave Bittner: They said the majority of these requests came through emails - 59% came through emails. Some were made through phone calls, which seems pretty bold to me.
Joe Carrigan: Right.
Dave Bittner: Twenty-one percent arrived via social media messages. But here's the part that is interesting - most are - I guess, surprising. Most of the employees were offered more than half a million dollars for assisting the attackers. Some were offered up to a million dollars.
Joe Carrigan: Really?
Dave Bittner: We're talking real money here, Joe (laughter).
Joe Carrigan: Yeah.
Dave Bittner: But, you know, I've seen other reports where they've surveyed folks and for your - I guess not executive-level folks and organizations, it was surprisingly low amounts of money that people would be willing to be bribed for to give up their login credentials.
Joe Carrigan: Right.
Dave Bittner: Like a hundred bucks. You know, somebody walking down the street, give me your username and password. I'll give you a hundred bucks. A surprising number of people would be willing to do that.
Joe Carrigan: Right. That seems like a missed opportunity for those people, Dave, (laughter) because they're selling for a hundred bucks something that's valued at half a million, right?
Dave Bittner: Well, and I don't - yeah. I mean...
Joe Carrigan: Not just, of course. But I mean...
Dave Bittner: Right.
Joe Carrigan: You're right. You know, if you're a low-level employee, you're not that vested in the success of a company, right?
Dave Bittner: Yeah.
Joe Carrigan: Yeah. And you may have the feeling that the company's not that vested in your success. And that might be correct. You know, this speaks a lot to corporate culture, I think, and making sure that the people are - feel that they're vested in the company and the success of the company as employees. And, you know, I mean, I don't want to tell anybody how to run their business, but I think you're better off if you genuinely have concern for your employees than if you treat them like cattle.
Dave Bittner: Yeah. Yeah. Well, this survey also said that 49% of the organizations whose employees had been approached ultimately fell victim to a ransomware attack, although they're not sure how many were due to insider attacks. So, you know, these organizations were in somebody's crosshairs, and the attempts to go through insiders were part of the way that the bad guys tried to get in. And half the time, the bad guys were successful.
Joe Carrigan: Yeah. Yeah.
Dave Bittner: To me, this speaks to the need to have things in place. First of all, as you say, you know, treat your employees well so that they're on your side and not the bad guys' side. Educate them on these sorts of things. Have a way for them to report these sorts of things. I would say have a way to reward them for reporting these sorts of things, right? Make it a...
Joe Carrigan: That'd be a good - yeah.
Dave Bittner: Incentivize them to report these sort of things.
Joe Carrigan: Exactly. Change the incentives.
Dave Bittner: Yeah. Yeah. But then also, have things in place so that if someone does fall victim to this, you have whatever multifactor authentication or some sort of zero trust thing. You know, you're limiting their access.
Joe Carrigan: Right.
Dave Bittner: Individuals only have access to the things that they absolutely need to have access to. So that if something like this happens, you have multiple layers of defense there to protect yourself. But...
Joe Carrigan: Yeah, I mean, if you - if you're talking about somebody who's doing a ransomware operation in a foreign country - right? - and you have a hardware key multifactor authentication, something like a YubiKey or a Google Titan or something like that, this kind of attack becomes much more difficult, right? It becomes - now I don't need your credentials, but I also need your hardware key to get access to it. Well, if I send my hardware key to Russia...
Dave Bittner: Right (laughter).
Joe Carrigan: ...Or to India or something, I'm not going to be able to work. And I'm going to have to go to IT and say I've lost my device, at which point they deactivate it. They should deactivate it. So, I mean, multifactor authentication, particularly the hardware multifactor authentication, goes a long way here. I think that protects you.
Joe Carrigan: Another thing I want to say about this is it's interesting that they're offering $500,000 to a million dollars for this. That speaks to the profits that these guys are making from this, that they're willing to make this kind of an investment in initial access. Remarkable. Because they know they're going to walk away with a lot of money.
Dave Bittner: Yeah, absolutely. Well, do the right thing - resist.
Joe Carrigan: Yep. Resist.
Dave Bittner: You don't want this kind of trouble.
Joe Carrigan: Report.
Dave Bittner: Yeah. Like you said, it's - this is - I mean, you can see how it'd be tempting for someone, but it seems to me like you're headed down a really bad path, and it's probably not going to end well for you. So...
Joe Carrigan: Right.
Dave Bittner: ...Do the right thing. All right, we'll have a link to that story in the show notes as well.
Dave Bittner: Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener named Michael (ph), who writes, I feel like I have failed in my mission in life.
Joe Carrigan: Don't feel that way, Michael.
Joe Carrigan: On the bright side, I just told the CEO of a large organization that she needs to force all of her employees to listen to "Hacking Humans" from now on.
Joe Carrigan: Well, see, there you go. You're a raging success in my book.
Dave Bittner: There's an upside, yeah.
Joe Carrigan: Right?
Dave Bittner: You're a winner, Michael. You're a winner in our book. Yeah.
Joe Carrigan: Right.
Dave Bittner: All right.
Joe Carrigan: So Michael sends us this text that he got from somebody he knows. And it's from - this is not a scam text. Well, this is a scam - a text about a scam.
Dave Bittner: OK.
Joe Carrigan: So, Dave, I'm going to have you read this.
Dave Bittner: It says, someone used my name in an email to scam counselors at my office using the gift card scam. Someone bought $2,000 worth and another person fell for it. I assume someone hacked something of mine. Any recommendations on how to tighten up my security or identify a scammer?
Joe Carrigan: So this is somebody asking for help from somebody who's in the industry, which is great, right?
Dave Bittner: Yeah.
Joe Carrigan: You know, we all in this industry have to do everything we can to help people understand the nature of the scams that people are going to use to target you. This is remarkable that somebody bought $2,000 worth of gift cards in a gift card scam.
Joe Carrigan: I would say to this person, chances are you didn't get hacked. You got impersonated. I would do an audit of all of the - you know, just look around your office or look around all your accounts and see if any of them have been compromised. Look at the emails that were sent to the victims of the scam.
Joe Carrigan: And remember that - these people are victims of a crime. They're not - you know, they're not stupid. They didn't fall for it because they're dumb. They fell for it because they're people and they were trying to help what they thought was you out. And these people took advantage of - these criminals took advantage of that.
Dave Bittner: Right.
Joe Carrigan: It's an unfortunate case, but I think, you know, there are much larger losses that could happen here.
Dave Bittner: Yeah.
Joe Carrigan: So I would recommend - definitely recommend social engineering training for everybody at your organization because this really doesn't target your organization. It targets the employees of the organization, right? These two employees that got scammed out of gift card money spent their own money on that, right? It's - you know, this is tough.
Dave Bittner: Yeah, it's interesting. It says, someone used my name in an email to scam folks at the office.
Joe Carrigan: Right.
Dave Bittner: I wonder if they just used this person's name. Did they use this person's actual email address? The reason I ask that is because that could be the difference between impersonation and someone, say, credential stuffing to get into someone's email account and actually send emails from their account. So another...
Joe Carrigan: Yeah. You need to do an analysis on this to see if these emails were actually sent from your account or if they were just spoofed being sent from your account. Or frequently, we see people just open up a Gmail account, change the name on the Gmail account to your name and then send emails from it.
Joe Carrigan: I mean, I actually fell for one that was sent in person - by somebody impersonating my boss from some random Gmail account. And I replied to the email, said, yeah, I'm in the office. I'll be right down.
Dave Bittner: Yeah. So again, if - just use multifactor on all your email accounts and a reminder to...
Joe Carrigan: Right. That will stop anybody from getting into them. But it won't stop people from impersonating your email address, though, and it won't stop people from sending in emails from Gmail accounts that they just open up. So that's - the only solution there is social engineering training.
Dave Bittner: So if they're using credential stuffing, just, again, a reminder to not reuse the same credentials in multiple places. And if you use a password manager, password managers will have your back on this kind of thing. They'll tell you when you're reusing things. They'll tell you when you're logging in to a website that isn't the website you think you're logging in to. So...
Joe Carrigan: Yeah.
Dave Bittner: You know, we sound like a broken record sometimes, but there's a reason. And all of those things that we mentioned would help prevent something like this.
Joe Carrigan: Absolutely.
Dave Bittner: Again, thank you for - our listener, Michael, for sending that in to us. We would love to hear from you. It's hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Allan Liska, someone I've known for a while now and have interviewed multiple times. He is a threat analyst over at Recorded Future, also a book author. And his most recent book is titled "Ransomware: Understand. Prevent. Recover." Allan literally wrote the book when it comes to ransomware. So here's my conversation with Allan Liska.
Allan Liska: I really wanted to get in on the young adult trilogy thing and hopefully for a large movie deal, you know, with a famous young actor portraying the lead DFIR analyst. So we have the original book, this book, and then I'm sure in five years, I'll do another book because they don't work. No, in all seriousness (laughter)...
Dave Bittner: It seems like a solid plan, Allan.
Allan Liska: Thank you. Thank you. I got to have a retirement plan somehow. And if it's - a movie studio aim for the rights to my book, great.
Allan Liska: In all seriousness, I co-authored the book with Tim Gallo back in 2016, and the ransomware kind of market has changed a lot since 2016. And ransomware attacks have changed dramatically. Some of the defenses that are needed have changed. And so I really, really wanted to kind of give an update to kind of what's happening and get it in a condensed, understandable format.
Allan Liska: I really - if any publishers are listening, I really wanted to write a book on the history of ransomware and not have any technical stuff, but nobody really wants to hear the story of ransomware from me. They just want to know how they can protect themselves from me. So this was an option, and I was really excited and happy to do it.
Allan Liska: And ActualTech Media and Recorded Future have been really great, making the book freely available to anybody who wants it. You can also, of course, buy it on Amazon. But if you want the PDF version, it's free to anybody. And I think that's amazing.
Dave Bittner: So what are some of the key things that have changed in between your first ransomware book and this one?
Allan Liska: Two really big things are big game hunting - so instead of - you know, when I wrote in 2016 - or when we wrote in 2016, ransomware was single machine, encrypt that machine, and then you're done. It was still a big problem for organizations because they were getting hit a lot. You know, so those single machines kind of added up, whereas today, it's encrypting thousands of machines at the same time. And, of course, with that comes a much more hefty ransom involved. And then there's also the idea of that extra extortion, the double and triple extortion, of leaking files, which wasn't the case.
Allan Liska: And, you know, and I'll also throw in ransomware as a service has made it a lot easier for anybody to kind of get into the ransomware game, whereas in 2016, you had to have some level of technical skills - not much, but you had to have some. Now, really, there's handbooks. There's guides that are available. You know, ransomware actors brag about how easy their ransomware is to install once you get in the network. And so that really does make a big difference.
Dave Bittner: Yeah. It strikes me how much this vertical, I guess we could call it, has really professionalized itself - that, you know, it's not just, you know, the kids in the, you know, in the AV club who are doing this. I mean, these are serious organizations.
Allan Liska: Right. Absolutely. I mean, you know, when we talk about the growth of ransomware, it's not just that ransomware itself has gotten bigger, but the ransomware inc., if you will, has gotten bigger and that, you know, now you have ransomware groups that hire professional negotiators. Well, not professional - they hire at least English-speaking negotiators. Let's say that. You know, they hire developers to build out their ransomware. They hire initial access brokers to gain that first footing, you know, and then buy the access from them. So there's this whole sort of set of cottage industries that have sprung up in support of ransomware, and part of that is just because ransomware makes so much money. Right now, outside of, possibly, business email compromise, ransomware is the most profitable, by far, cybercriminal activity.
Dave Bittner: So what has changed, then, in this updated book in terms of your recommended approaches for people to prevent this and deal with it if they do find themselves falling victim to it?
Allan Liska: You know, it's funny because some of the things just haven't changed. People just haven't started doing them yet. So, you know, some of the things like - you need better asset management, you need better vulnerability management, right? That's kind of - we've - you know, you've been doing this for a long time. I've been doing this for a long time. We've been saying that for 20-plus years. That still is - kind of needs to be done. Network segmentation - that was in the first book, and that's still highly recommended now, even more so with, you know, mass deployment of ransomware.
Allan Liska: Some of the things that are different, though - really focusing on improving your incident response and disaster recovery plans. So, you know, before, your incident response was on a single machine, right? So you could have kind of a loose-based incident response or a loose-based disaster recovery 'cause you were only recovering for one thing. So if it wasn't fully up to date or whatever, it wasn't the end of the world.
Allan Liska: Now you need an updated incident response plan and disaster recovery plan because you need to take into account the fact that you're not down one machine, but you're down a thousand machines. And how are you going to respond? How are you going to get services back online? How are you going to prioritize that, especially when, once it happens, every other part of your organization is going to tell you that they need to be a top priority? So, you know, you need to have that in advance.
Allan Liska: Ransomware negotiators weren't a thing when we wrote the last book - so discussing when you need to hire a ransomware negotiator and, you know, if you're going to have to pay the ransom, why it's so important to have a good ransomware negotiator in there instead of trying to do it yourself.
Allan Liska: Double, triple, quadruple extortion wasn't a thing - how to prepare for that, how to handle the fact that you're going to have a whole lot of bad news coming your way, possibly for weeks or months at a time depending on, you know, whether you pay the ransom and how long the ransomware actor kind of strings out the release of files.
Allan Liska: And then, you know, really, there's a whole chapter dedicated to protecting your domain controller because that wasn't as big a deal. When they're landing on a single machine, not as big of a deal to have to worry about them getting credentials and getting to the domain controller. But now that's kind of critical to any ransomware operation, so it has to be critical to any ransomware defense.
Dave Bittner: You know, in the past five years, I think it's fair to say that more and more of the things we do with our computers have shifted to the cloud. How does that reality affect the ransomware situation? Is it a mixed blessing there?
Allan Liska: You know, yes and no. It depends on your cloud provider 'cause cloud providers are being targeted by ransomware groups. We know that ransomware groups are - you know, have written special versions of their software that target ESXi and Linux. So, you know, even if you have your own internal cloud, you could potentially be vulnerable.
Allan Liska: And ransomware groups love going after ESXi because they know that they can take down that one server, but they can take down a hundred servers, you know, with one ransom. And like with a lot of different ransomware groups, the decryptors for ESXi, the ESXi variants, often suck. And so we've seen some organizations pay the ransom and then find out they can't actually decrypt some of their ESXi servers 'cause the images are too big and the ransomware decryptor can't deal with it. And, you know, so, you know, the incident response company has to spend hours and hours trying to see if they can rewrite the decryptor in order to get these - deal with these large images. So that is a real - you know, so that is a real concern. And that's just internally.
Allan Liska: What happens when they go after your cloud provider, your cloud provider gets encrypted - and we've seen this happen over and over again - and they've got all of your data, like, you know, your backups with the cloud provider. What do you do in a case like that? How do you respond to that? And you need to be able to take that into account as part of your planning, knowing, hey, here's - I have data here, here, here, here, here, and here's what's going to happen if that data gets encrypted. What is my backup plan in those cases? What can I do?
Dave Bittner: Yeah, you know, it's - I remember when ransomware was the new kid on the block - that, you know, the solid advice was make sure that you have robust backups, make sure you have multiple backups, test your backups. To what degree does that advice still hold up in today's environment?
Allan Liska: So absolutely, you know, that sort of 3-2-1 rule - have three copies, two copies stored on different media, one of which is offline - is still really important for recovery, but that doesn't take into account the fact that a whole bunch of your data probably has been stolen during the attack. And so you kind of have to - you still need the backups, but that can only be one part of the plan. That can't be the full, this is how I recover from a ransomware attack attitude.
Dave Bittner: What about, you know, encrypting your data, you know, keeping stuff that's data at rest - having that encrypted so that if they are able to grab it, it takes away that extortion component? Is that viable?
Allan Liska: Yes and no. It absolutely is viable, but one thing you have to keep in mind is that one of the things that ransomware groups do is when they get in, they elevate their privileges. They're looking for admin access, they're looking for - you know, whether it's local admin or domain admin. And so if they're grabbing your files to exfil as a domain administrator, they've probably decrypted the files. And so, yes, it helps, and - but just bear in mind that that, again, just like anything else, that one thing is not a panacea. Those encrypted files may be taken off in an unencrypted format.
Dave Bittner: You know, the other thing that I think about when it comes to ransomware is that the headlines have been dominated by these big events, you know, where a health care center gets shut down and large dollar amounts - those sorts of things. But I think it's easy to lose sight of to what degree are those smaller attacks still happening for those small - small and medium-sized businesses - have they continued to be the targets to the degree that they were before? Is it still - to what degree are they still under threat, even though they're not getting the attention they might have gotten in the beginning?
Allan Liska: We're seeing a growth in small and medium-sized businesses being hit with ransomware. So that is not going down. That's going up. And they tend to be smaller ransom demands - you know, 100,000, which is a lot to a small business - don't get me wrong - but compared to some of the bigger numbers that we've seen, you know, they're smaller.
Allan Liska: The problem is they don't make the news, right? You know, I mean, even sometimes they don't make local news. And so nobody knows exactly how big that problem is. We're pretty confident that it is a growing problem, you know, and there's anecdotal evidence to suggest that it is. But without public reporting, without, you know, any kind of real analysis, it's very hard for us to say for sure how big or small the problem is.
Allan Liska: But part of that is the, you know, the growth in that third and fourth tier of ransomware group that maybe aren't going after the bigger targets. They're going after these smaller targets and getting smaller ransoms and hoping to fly under the radar, get out of the way of all of the law enforcement agencies that are looking for ransomware groups right now.
Dave Bittner: Where do you think we're headed here? I mean, do you think that - you know, we've seen certainly the beginnings of efforts for diplomatic pressure on some of, you know, the nations that are allowing this to happen within their borders. Do you suppose we're going to see more movement there, or are you expecting for the foreseeable future more of the same?
Allan Liska: So I don't think we've seen an impact yet, but I do think the fact that we've seen 16 law enforcement actions this year - or in 2021 - compared to, you know, not even half that in the previous four years, I think that sends a strong signal to the ransomware groups that we're taking this seriously. We're looking at ways to disrupt it.
Allan Liska: To the best of my knowledge, it's not having an impact yet, but it's really, really hard to determine that because a lot of what we have are trailing indicators. So, you know, we know what the ransomware situation looked like last month or, you know, two months ago but not necessarily right now, today. And so what I would say is that we're heading in the right direction. We're definitely seeing - with these law enforcement actions, we're definitely seeing a lot of the smaller, those third- and fourth-tier groups, starting to drop out and realize now it's not worth the effort.
Allan Liska: And I think we've seen some big wins this year. Like, you know, I know a lot of people are convinced that REvil and BlackMatter will come back after the FBI released most wanted posters for them. I'm not so sure that that's true. You know, it's one of those things where ransomware operators have been able to operate with impunity for so long that I think, you know, kind of like the - what's the old joke? They were, you know, ingesting the smell of their farts or whatever a little bit too much...
Dave Bittner: (Laughter) Right.
Allan Liska: ...Where they started to believe they were invincible. I've worked for intelligence agencies before. When you have now 30 intelligence agencies with a framework for how to find you and how to take you down, even if you're in Russia or one of the other noncooperating countries - you know, it's easy for somebody who's conducting ransomware attacks to avoid scrutiny by a jackass like me. It's much, much harder to avoid scrutiny from 30 intelligence agencies that decided that suddenly you're very important.
Dave Bittner: Yeah. Well, and I mean, you've made the point on social media, I think only half-jokingly, that, you know, folks should go look at the purchases of exotic automobiles in these countries, that there's - you - those are pretty strong dots to connect.
Allan Liska: Right, exactly. I mean, they're not subtle with how they spend their money. So...
Dave Bittner: Yeah.
Allan Liska: ...Whether it's fancy cars, nice houses, whatever else that we've seen, all of the things that we see when we do these raids, you know, outside of Russia, when they're in Russia, they're doing the same thing. And so there's a lot that governments who want to track them can track them.
Allan Liska: And again, I'm not saying that you send in an assassination team or anything like that. I'm absolutely not saying that. But I'm saying if you start producing information saying, hey, here you are. This is you. We know who you are, and we're watching you, maybe that doesn't slow some of them down. But I think for a lot of them, then that starts to change the balance of, OK, maybe this is no longer worth it. Maybe I should take the fact that Russia's not going to arrest me and just keep the millions I've made and retire. And if that's - you know, that's not a great outcome, but if it stops the ransomware attacks, then it's a - you know, then it's a good enough outcome for us.
Dave Bittner: You know, this being the "Recorded Future" podcast, I'd be remiss if I didn't ask you, what part does threat intelligence play in an organization's defenses for ransomware?
Allan Liska: So one of the benefits of the sort of the big-game-hunting ransomware attacks is that you now have multiple opportunities to stop the ransomware attacker. So you have that initial access, you have - while they're moving around the network. You have the data exfiltration. And you even have, like, hey, here are the things they're going to do right before they deploy the ransomware. So you have all of these different ways to detect them, but you need to know what to look for.
Allan Liska: And that's one of the ways that Recorded Future and other intelligence, you know, providers offer you is, you know, here's the Cobalt Strike things you should be looking for. You know, here are the indicators - whether it's IPs, domains, whatever - that we're seeing with ransomware groups. Here are the movements. Here's how they move around the network. Here are the tools they use even when they're living off the land. Like, look for these commands being run. So really, for that threat-hunting mission, threat intelligence can be really important.
Allan Liska: And then right now, because so much data is dumped on these ransomware extortion sites - you know, I like to say that, you know, basically every ransomware attack has now become a third-party attack because when they're dumping data from a victim organization, they're also dumping all of the information from the organizations that that org does business with. And so knowing, hey, have I been caught up in one of these ransomware attacks, and knowing sometimes before the victim will tell you about it can be really important. So kind of understanding that and allowing you to prepare for that kind of - which is an unfortunate eventuality.
Dave Bittner: What do you hope people take away from the book, someone who's finished reading it? What are the take-homes there that you're looking for?
Allan Liska: So I think the big thing is, you know, a few things. One, you're going to be more successful in recovering from a ransomware attack if you prepare for it. If you have an honest assessment of kind of what your weaknesses are and are prepared for those weaknesses, even if you can't do anything to remediate them at that time - I'm reading a great book right now called "The Scout Mindset" that talks about, you know, the Scout versus the soldier mindset, and it's really fascinating. And I keep relating that back to preparing for a ransomware attack, where too many organizations are like, no, no, we're good. We have everything covered and don't want to have that honest assessment. You need to have that honest assessment ahead of time so that you can properly prepare. And then when you start the recovery process, should that come along, you'll know what you need to do.
Dave Bittner: Joe, what do you think?
Joe Carrigan: Dave, the ransomware game really has changed and evolved over the past half-decade or so. This is one of the things I was talking about at a conference last year or the year before - I can't remember. It may have been two years ago. COVID has absolutely shortened my time memory. It's...
Dave Bittner: (Laughter) Right.
Joe Carrigan: I have absolutely no idea when things happen. But, you know, these things have gone from low-level attacks against individuals up to large organizations being targeted - this big game hunting, as Allan calls it. It has become a huge criminal industry - huge - so much so that they're hiring all over the place.
Dave Bittner: Yeah.
Joe Carrigan: Your story was a great example about the magnitude of this industry. It's - in terms of losses, it goes BEC and then ransomware. You know, BEC is a highly targeted, focused attack that really relies on really good social engineering. Ransomware has a lot more of a technical angle to it. But, you know, these guys have people to handle it, you know?
Dave Bittner: Yeah.
Joe Carrigan: So what do people do? Prevention is a big deal. I mean, Roger Grimes was talking about that on our show last week, right? And here Allan is talking about the same kind of things. And prevention is still the same issues, Allan is saying, about - it's still the basics. We're not doing things like asset management, vulnerability management, network segmentation. You know, those kind of things, when you don't do them, have huge impacts.
Dave Bittner: Yeah.
Joe Carrigan: You know, a ransomware attack used to be just an incident. Now it's a disaster, right? It's something that merits a disaster recovery plan, and that has to be good. Also, that has to not be just sitting on your computers because if it is, chances are it's going to be encrypted. You better print that thing out, have it sitting on your shelf.
Dave Bittner: Right.
Joe Carrigan: Allan mentioned ESXi, and a lot of our listeners are - may not be technical listeners, so let me explain what ESXi is. It's an operating system by VMware that is their server-based operating system. So when you want to build a massive machine that's going to host a lot of these virtual machines, you're going to use an operating system like ESXi. There are other things out there. They're called hypervisors, but it's the server OS. And if you can encrypt one ESXi machine - right? - one of these machines running this operating system, you can literally encrypt hundreds of virtual machines at once. I mean, that can destroy somebody.
Dave Bittner: Yeah.
Joe Carrigan: There was a company. I can't remember the name of the company. It was a source code management provider that I had a small business with. And we had our code with this company, and these guys got hacked in - somebody got their Amazon cloud credentials. It wasn't a ransomware attack. It was a wiper attack. And they threatened these guys with ransom and saying, we're going to delete your products there. And they didn't pay the ransom, and these guys just deleted everything, including the source code for my company from the repository. Now, we all had backups of it, so it was OK.
Dave Bittner: Wow.
Joe Carrigan: But that company was gone. That company was shut down and destroyed in one day by a malicious actor who just had access to their cloud resources.
Dave Bittner: Yeah.
Joe Carrigan: Imagine having your - all your virtual machines in a cloud encrypted and not being able to get it back. And the great part about this, according to Allan, is that the decryptors, in his words, suck for ESXi. They're not good decryptors, you know...
Dave Bittner: (Laughter) Right.
Joe Carrigan: ...Because ESXi is not Windows. It's not - I mean, it's - I think it's a Linux variant, right? I'm not exactly sure about it. But it's its own operating system that requires its own development skills. And a lot - and, you know, that may be lacking in this economy of ransomware. It might not be there.
Joe Carrigan: Big targets make big news. Small targets don't. You know, when I talk about - when I give talks to people about cybersecurity and why they should be concerned even though they're a small company, I don't - I talk about - you know, I ask people, tell me some of the data breaches. And they all name all the big data breaches. But, you know, nobody ever mentions the Broadway Deli (ph), which was a small business out in California, I think, that was absolutely shut down because of lawsuits that followed from a credit card breach that they had. They were a small business and couldn't stand that onslaught of lawsuits. They filed for bankruptcy.
Dave Bittner: Yeah.
Joe Carrigan: So, I mean, that's what happens to small businesses when they get hit by these things. They don't recover. They just shut down.
Dave Bittner: Yeah. I saw a similar one I remember a couple years ago. It was a small doctor's office, small group of doctors, half a dozen doctors or so. They got hit by ransomware, and the best pathway for them was to simply shut down the practice.
Joe Carrigan: Right. Yeah.
Dave Bittner: And that's what they did.
Joe Carrigan: A lot of those doctors retired, right?
Dave Bittner: Yep. Yep.
Joe Carrigan: Yep. They just said, you know what? This is the impetus we need to finally just go on and retire, which - it's a shame, you know? It's absolutely a shame that this happens. One of the things that does give me a ray of hope in this is - I like what Allan says here - 30 intelligence agencies make a good task force for finding these guys.
(LAUGHTER)
Dave Bittner: Right.
Joe Carrigan: You know, and that's an excellent point. You know, I have a lot of pessimism when it comes to bringing these guys to justice, particularly when they live in countries that will not extradite people to us or maybe do not have the infrastructure to do so. But when you think about the full weight and observation power of not just American, but also, like, British and Five Eyes intelligence agencies, if they - and they're starting to take this threat a lot more seriously because it is becoming such a large international problem. And I like that Allan is optimistic that people like REvil are not coming back, that they're just going to take their money and sit there and enjoy it.
Dave Bittner: Yeah.
Joe Carrigan: Maybe do something else. OK, I agree that's not an ideal situation, but no more ransomware is a good thing.
Dave Bittner: (Laughter) All right. Well, our thanks once again to Allan Liska for joining us. Always a pleasure to chat with him. He is from Recorded Future. We do appreciate him taking the time for us. Again, the title of the book is "Ransomware: Understand. Prevent. Recover."
Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.