Is ransomware getting too fast?
Ryan Kovar: We tried to find the questions that people hadn't answered yet. And one of the things we just couldn't find a lot of evidence on was actually how fast ransomware encrypts. How long do you actually have once ransomware starts?
Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, Ryan Kovar joins us. He's a distinguished security strategist at Splunk and the leader of SURGe. He's talking about the speed of ransomware.
Dave Bittner: All right, Joe, before we jump into our stories this week, we've got some follow-up. A listener named Josh wrote in.
Joe Carrigan: Oh, yes. Josh is our email guest of the day.
Dave Bittner: Is that right?
Joe Carrigan: Yes, because he also provided us with our Catch of the Day.
Dave Bittner: OK. Our cup runneth over...
Joe Carrigan: Yes.
Dave Bittner: ...Courtesy of our fine listener, Josh.
Joe Carrigan: Yes.
Dave Bittner: So Josh writes in and says, hi, Joe and Dave. Binge-listening from Pod 1 and almost caught up. Here are a bunch of random, relatable experiences I would like to share. I always thought 2FA was just a big scam by tech giants to get even more info on us. First it started with KBA - that's knowledge-based...
Joe Carrigan: Knowledge-based authentication.
Dave Bittner: Yeah. And I didn't want to give them my elementary school, but I knew I would never remember a lie. So I did.
Joe Carrigan: Right.
Dave Bittner: Then it moved to wanting a phone number. This one threw me sideways, and I resisted giving it to many accounts that still prompt me every login to this day, not that they don't already have it. I did have to give it to BOA because they do SMS authentication frequently.
Joe Carrigan: OK. That's a lot of alphabet.
Dave Bittner: Bank of America, I guess.
Joe Carrigan: Bank of America, yeah, and...
Dave Bittner: Yeah. OK.
Joe Carrigan: ...Text message authentication.
Dave Bittner: Yeah. SMSA is an extra thorn in my side because I work long hours in a facility that has no RF - no cell reception or Wi-Fi.
Joe Carrigan: Right.
Dave Bittner: So I literally have been on a stalemate call with BOA, unable to proceed with getting support on an issue because I cannot confirm the SMS code while sitting at my PC looking at an issue online.
Joe Carrigan: (Laughter) Josh works in a giant Faraday cage, Dave.
Dave Bittner: (Laughter) That's right. As you do.
Joe Carrigan: (Laughter) That's right.
Dave Bittner: Or maybe down in a copper mine (laughter).
Joe Carrigan: Yes. So I want to point out...
Dave Bittner: Yeah.
Joe Carrigan: ...That Josh's fears about them - about tech companies using your phone number are not unfounded. I think Twitter got dinged for this a couple years ago, right?
Dave Bittner: Just - no, just recently.
Joe Carrigan: Just recently.
Dave Bittner: They just settled with - I think it was - they settled with the Federal Trade Commission...
Joe Carrigan: Oh, good.
Dave Bittner: ...For a big pile of money because they were claiming to their users that they needed their phone numbers for security, and the reality was they were using it for ad tracking.
Joe Carrigan: Right. And so Josh's fears are absolutely not unfounded here.
Dave Bittner: Right (laughter).
Joe Carrigan: That is a - not only a perfectly reasonable fear, but a legitimate fear that has actually happened.
Dave Bittner: Yeah. So Josh goes on. He says, like Joe, I do not do any phone banking. It's not that I fear change, it's just that I minimize the attack vectors. If I don't have Cash App, Venmo, Google Pay or give Cumberland Farms access to my bank account to save 10 cents a gallon, I can't lose money when they get breached. Google doesn't have any bank info, so I can't get billed for any Android fleeceware. At work, we have an Excel macro that converts bill of material spreadsheets to a format the accounting database can use, so I constantly have to enable macros.
Joe Carrigan: All right, there's another use case for macros.
Dave Bittner: Yeah. To make things worse, all Office documents are defaulting to need enable editing. So as employees, we're being conditioned to need to enable constantly, which defeats the purpose. LinkedIn pestered me so much about not having a profile pic, I took a screenshot of the empty profile pic and made it my profile pic just to shut them up.
Joe Carrigan: That's awesome (laughter).
Dave Bittner: This I love, yes. That's very clever. Good on you, Josh. You will be proud, though. I recently got a YubiKey and have been enabling that as my 2FA, although I'm pretty upset at some of the roadblocks. Amazon does not have it integrated into their login. You have to use an authenticator app. Also, Yahoo will not let me activate it as my 2FA unless I give them my phone number.
Joe Carrigan: Right.
Dave Bittner: Can I use Joe's press contact to pressure these? LOL.
Joe Carrigan: (Laughter) Yes. I'll see what I can do about that.
Dave Bittner: (Laughter) And then he says, years ago I got an unsolicited tech support phone call for my Windows XP machine. I chuckled and played along. He verbally steered me to some deep-buried system window that had a bunch of warning icons lit. There may have even been red flags. I wish I could remember better. He was explaining how bad this was and how he could fix it for a fee. I felt like I had enough, so I hung up. But apparently, I played dumb pretty well. He immediately called back. I was in shock when I picked it up and he was going full bore on how I needed to fix this.
Joe Carrigan: Yeah.
Dave Bittner: I hung up again, and he proceeded to call three more times. I didn't bother to pick up.
Joe Carrigan: Right. When these tech support scams call, they are persistent.
Dave Bittner: Oh, yeah. If they've got - they think they have a live one on the line...
Joe Carrigan: Yeah.
Dave Bittner: ...They're not giving up.
Joe Carrigan: I mean, I told this story years ago. I may have even had Chris on the show, and - with our system engineer Chris Venghaus - had a guy on there and just messed with the guy for like a day. And then when it came time to enter his credit card information, he turned the internet off on the VM, and the guy was so downtrodden. But the next day the guy calls back, and Chris tells him, look, you called in to the Information Security Institute at Johns Hopkins University. You've been working on a VM all day. That was a brand-new machine. And the guy was insistent that, no, there was a virus in the machine.
Dave Bittner: Oh, wow.
Joe Carrigan: He was insistent. After Chris had told him everything, he still insisted.
Dave Bittner: Wow. OK. Well, that's committed to the bit, right?
Joe Carrigan: Yes. Yes.
Dave Bittner: All right. So Josh wraps up and says, thanks for all your hard work. Well, Josh, thank you for writing in. We appreciate it. I think Josh's experience here probably mirrors a lot of our listeners.
Joe Carrigan: Yes.
Dave Bittner: We would love to hear from you. You can send us email. It's hackinghumans@thecyberwire.com. All right, Joe. Let's get to our stories here. Why don't you start things off for us?
Joe Carrigan: Dave, my story comes from Leslie DelasBour at KSHB in Kansas City, Mo. You ever been to Kansas City, Mo.?
Dave Bittner: I believe so.
Joe Carrigan: I like Kansas City, Mo.
Dave Bittner: OK.
Joe Carrigan: It's one of my favorite places. There used to be a great place there called the Tapcade, but they closed, thanks to the COVID.
Dave Bittner: Is it a bar and arcade?
Joe Carrigan: Yeah, it was great. And they - and if you went on the right night, they had open mic comedy.
Dave Bittner: (Laughter) OK.
Joe Carrigan: It was fantastic. But they didn't survive the pandemic. I just found that out today.
Dave Bittner: That's too bad.
Joe Carrigan: And I'm really sad about it 'cause I have reason to get out to Kansas City from time to time. So I have friends out there.
Dave Bittner: OK.
Joe Carrigan: Anyway, what's in the news lately, Dave?
Dave Bittner: What isn't in the news lately, Joe?
Joe Carrigan: Yeah, OK, let's not talk about that.
Dave Bittner: Can you be more specific?
Joe Carrigan: Yeah. Shortages, right?
Dave Bittner: Yeah.
Joe Carrigan: If I say shortage, what shortage do you think of?
Dave Bittner: Well, we got all kinds of supply chain issues, but I suppose the one that's making headlines right now is the problems with baby formula.
Joe Carrigan: Right. And this article from Leslie DelasBour is about the baby food shortage and scams that are popping up around it. There is a technology consultant named Burton Kelso out in Kansas City who is quoted heavily in this article. And he says, any time there's a crisis, cybercriminals are always looking for a way they can make money.
Dave Bittner: Yeah.
Joe Carrigan: Right? These guys are going to use the news to make a buck.
Dave Bittner: Yeah.
Joe Carrigan: Hey, that's actually - rolls off the tongue pretty well. I might - they use the news to make a buck.
Dave Bittner: Make it a T-shirt.
Joe Carrigan: Yep. Make a T-shirt.
Dave Bittner: OK.
Joe Carrigan: But, you know, he points out, it doesn't take much to take pictures of baby formula or even just copy them off the web - right? - and set up a website and say, hey, we have tons of baby formula. We're ready to sell it to you. And people will pay for it, and no shipment ever arrives. Or maybe there's a scam onboard where...
Dave Bittner: Just taking advantage of people's desperation...
Joe Carrigan: Yeah.
Dave Bittner: ...Which is literally where we are in some places, where, you know, there's just not enough supply.
Joe Carrigan: Yeah, exactly. There's not enough supply. And, you know, this could be a scam where they send you something in the mail that looks like - so they have a tracking number.
Dave Bittner: Right, right.
Joe Carrigan: Right? And it could be nothing. And then they can - you know, when you dispute the charge, they've already shut down and taken the money and gone. These criminals are taking ads out on Google Search, right? They're buying Google ads 'cause they know that those ads show up above the search results.
Dave Bittner: Right.
Joe Carrigan: Do you remember the good old days of Google, Dave, when the ads were on the right-hand side of the screen?
Dave Bittner: Right. Back when it was steam-powered?
Joe Carrigan: Yes.
Dave Bittner: Yes, I do remember those days. Yes.
Joe Carrigan: Every time you loaded up Google, you heard (imitating steam).
Dave Bittner: Right. Or it was like the computer in the original Star Trek. It was like, working. Yeah. There - you heard solenoids and gears turning.
Joe Carrigan: Right.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: So there are some things you can do to not be scammed here. You know, make sure the online retailer has been around. It's somebody you know. You know, Amazon is a good example of that. Amazon actually does a really good job with customer service. If you call them up and you say...
Dave Bittner: I'm sorry, wait, wait. Call them up? Call up Amazon?
Joe Carrigan: I'm sorry, not call them up.
Dave Bittner: What is this call (laughter)?
Joe Carrigan: You go to their contact page. If you can actually get them to call you, which is actually - they will call you, and you get a customer service rep.
Dave Bittner: Really? OK.
Joe Carrigan: Yeah. Actually, my wife had a problem. We bought an umbrella - right? - for a table - you know, one of those outdoor umbrellas.
Dave Bittner: Yeah.
Joe Carrigan: And she bought the 7-1/2-foot one, and she tried it out, and she said, nope, I need to get the 9-1/2-foot one.
Dave Bittner: OK.
Joe Carrigan: So she tried to return it.
Dave Bittner: Yeah.
Joe Carrigan: But she wanted to return it by - 'cause we weren't at home. So she wanted to take it home and return it over at the Whole Foods, which is something you can do...
Dave Bittner: Right.
Joe Carrigan: ...'Cause Amazon owns Whole Foods now.
Dave Bittner: Right.
Joe Carrigan: But she couldn't find a way in the phone, and - 'cause she was just using her phone to do this - in the app to return it. So she hit the contact button in the app. They called her up, and they said, we can't figure out how to do this. Just keep the other umbrella. Keep the 7-1/2-foot umbrella, and we'll put a credit on your account. And that was it.
Dave Bittner: OK. Happy ending.
Joe Carrigan: Yeah. And, you know, I actually think Amazon does a good job of customer service this way. I mean, when you start talking, like, security issues like Josh was saying, you can scream into the void on that one all day long, and they won't listen to you.
Dave Bittner: Right.
Joe Carrigan: But they do that well, I think. And they actually do their internal security pretty well as well.
Dave Bittner: Yeah.
Joe Carrigan: I'll say that. But remember, one of my - I'm digressing as I normally do, but I want everybody to remember security and privacy are not the same thing.
Dave Bittner: Right. Right.
Joe Carrigan: Make sure you can find a little bit of history about this company. Right? We all know walmart.com, amazon.com, but joesbabyformula.com, right? Maybe you want to look at when that name was registered. Right? If it was registered a week ago, that kind of sounds like a scam. Right? There are other things as well. People might be selling baby formula on social media. So look at the profile of the person, right? Be wary of this. First off, I don't know that I would buy baby formula from somebody on social media. There's a lot of, like, yard sale sites and things like that on, like, Facebook and things. One of the rules they have is no food products - not even pet food - because there's no guarantee that what you're getting is safe...
Dave Bittner: Yeah.
Joe Carrigan: ...Right? You know, there's not some wacko on there doing something. And they just want to eliminate that liability. And I wouldn't buy baby formula from somebody online in a marketplace like Facebook Marketplace. I just wouldn't do that.
Dave Bittner: Yeah. But I think we also need to put ourselves in the mindset of someone who's in a desperate situation. If the shelves are bare at their local store...
Joe Carrigan: That is an excellent point, Dave.
Dave Bittner: ...And they have to feed their baby...
Joe Carrigan: Yeah.
Dave Bittner: ...You can imagine someone being in this position of desperation and seeing something pop up and saying, well, this is the option I have.
Joe Carrigan: Right. Yep. That's a good point.
Dave Bittner: You know, you and I are both in a situation where we could get in our car and...
Joe Carrigan: Right.
Dave Bittner: ...Drive wherever we needed to go...
Joe Carrigan: Correct.
Dave Bittner: ...To get the baby formula...
Joe Carrigan: That's correct.
Dave Bittner: ...Right? And...
Joe Carrigan: If you live in inner city Baltimore, which is essentially a food desert to...
Dave Bittner: Yeah.
Joe Carrigan: ...Begin with, now you have to go find baby formula.
Dave Bittner: Right.
Joe Carrigan: That's tough.
Dave Bittner: Lots of people don't have those resources...
Joe Carrigan: Yeah.
Dave Bittner: ...Available, so just need to keep that in mind.
Joe Carrigan: Yeah.
Dave Bittner: Yeah. Anything else?
Joe Carrigan: Yeah. Watch out for getting strange demands, like, for payment - like gift cards or cryptocurrency.
Dave Bittner: (Laughter) Right.
Joe Carrigan: That's somebody that's not in your neighborhood (laughter).
Dave Bittner: Right.
Joe Carrigan: Right.
Dave Bittner: Right.
Joe Carrigan: They're overseas just scamming you out of your gift cards and cryptocurrency. That's what's going to happen.
Dave Bittner: Yeah.
Joe Carrigan: Stay vigilant. The important thing here is to recognize that this is a vulnerability that you have. I think just putting yourself in that mindset - like, I need to get baby formula. I mean, because I cannot think of something more fundamentally urgent than the need to feed your child...
Dave Bittner: Right.
Joe Carrigan: ...Right? And the fact that there's a shortage going on right now, this presents a real opportunity for these scammers. People just need to be mindful that not everybody out there is a nice person. There are scammers out there who are going to take advantage of this opportunity, and they really don't care who they hurt while they're doing it.
Dave Bittner: Yeah. No, it's a good reminder.
Joe Carrigan: Yeah.
Dave Bittner: And, you know, I would say also reach out. If you have folks who have infants - or friends who have infants, rather, just reach out to them and remind them of this sort of thing. Check in with them...
Joe Carrigan: Right.
Dave Bittner: ...Right? How you doing? Do - is there anything I can do to help? Can I be the one who goes on that car trip to get the formula for you...
Joe Carrigan: Right.
Dave Bittner: ...Because I have the bandwidth and the means to do so?
Joe Carrigan: Agreed. Yeah, it's always good to help somebody near you.
Dave Bittner: Yeah.
Joe Carrigan: I think that's the best thing you can do in terms of charity...
Dave Bittner: Yeah.
Joe Carrigan: ...Is you - if you see a need that you can fulfill, fulfill that need.
Dave Bittner: Absolutely. All right. Well, we will have a link to that story in the show notes.
Dave Bittner: My story this week comes from Information Age. This is an interesting one. It's titled "The Three Most Dangerous Types of Internal Users to be Aware of." And it's written by a gentleman named Nic Sarginson, who is a principal solutions engineer at Yubico.
Joe Carrigan: OK.
Dave Bittner: Those are the ones who make the two-factor authentication hardware keys that you and I are fans of (laughter).
Joe Carrigan: The YubiKeys.
Dave Bittner: That's right, the YubiKeys. And this is really - it's sort of a mindset issue. And I think it's a - there's some good information here. It talks about how IT teams need to be aware of the different kinds of people who are in their organization. And there are three types of users here that Nic Sarginson wants people to be mindful of.
Joe Carrigan: Is one of them a know-it-all?
Dave Bittner: No. No, Joe, you're not on this list.
Joe Carrigan: OK.
(LAUGHTER)
Joe Carrigan: That's why I was asking, Dave.
Dave Bittner: I know. I know. There are the cautious users, the traditionalist users and the overachieving users.
Joe Carrigan: Ah.
Dave Bittner: So we're going to go through each of these, one at a time.
Joe Carrigan: OK.
Dave Bittner: The cautious users are willing to comply with new protocol changes, but they need some time to adjust. They may need more gentle encouragement than the typical user. They take more of a wait-and-see approach to new cybersecurity changes. And this article points out this may be because they're afraid the changes could disrupt their workflow. And the problem with these people is if you have a security issue - let's say a patch or something like that - that needs immediate attention, these are the ones who are going to let everyone else do it first...
Joe Carrigan: Right.
Dave Bittner: ...To make sure it doesn't blow up in their face.
Joe Carrigan: Yes.
Dave Bittner: You know, this reminds me - back in my previous life in the broadcast world, doing video editing and all that kind of stuff, there was a rule with software updates for, you know, like, the video editing packages that we used professionally. It was never upgrade in the middle of a project...
Joe Carrigan: Right.
Dave Bittner: ...Right?
Joe Carrigan: Yeah.
Dave Bittner: The problem was, you were always in the middle of a project (laughter).
Joe Carrigan: Yes, of course.
Dave Bittner: So - but I - so I understand this mindset, right? And I kind of take this approach with operating system updates. You know, let's say Apple comes out with an OS update for my iPhone or my Mac or something like that. I will usually wait a couple days to see whose devices get bricked first...
Joe Carrigan: Right.
Dave Bittner: ...Right (laughter)?
Joe Carrigan: I think waiting a couple days is OK.
Dave Bittner: Yeah.
Joe Carrigan: Waiting a month - not OK.
Dave Bittner: Yeah.
Joe Carrigan: And I'll throw another reason why these users are cautious. You said cybersecurity policy. Very often - and I've seen this happen in my career a bunch of times.
Dave Bittner: Yeah.
Joe Carrigan: Somebody says, here's the new way we're doing things, right? And there is a certain percentage of the population - and sometimes I've been in that percentage - that says, this is not going to last.
Dave Bittner: (Laughter) Right, right.
Joe Carrigan: This will be gone inside of a month.
Dave Bittner: Right.
Joe Carrigan: And lo and behold, they're right. So they don't even waste their time and effort doing it...
Dave Bittner: Oh.
Joe Carrigan: ...Until they're certain that this process is going to be the new way of doing things. You know what? I understand that mindset.
Dave Bittner: Yeah.
Joe Carrigan: I think that's valid. But when it comes to cybersecurity things, we're going to start using two-factor authentication or multi-factor authentication. Everybody's going to have a YubiKey. OK.
Dave Bittner: Right.
Joe Carrigan: Now it's time to get on board. We're doing this, right?
Dave Bittner: (Laughter) Right, right. Yeah. So the second group of users are traditionalists. And this article says these users may ignore cyber training sessions, emails from IT or avoid learning new authentication processes, seeing these as unnecessary. Traditionalist users are generally hostile to change and often do not trust IT help desks, thinking that the processes for asking for help are too time-consuming. Because they do not engage with understanding how these new changes will directly impact their everyday workloads, some may either wait until the last minute before integrating the new security changes or resist altogether.
Joe Carrigan: Maybe this sounds more like what I was just describing.
Dave Bittner: Yeah, I think it's kind of...
Joe Carrigan: It's somewhere in between.
Dave Bittner: ...Yeah, kind of close to that. Yeah. But I see - I certainly - I think we all know these people...
Joe Carrigan: Yes.
Dave Bittner: Right?
Joe Carrigan: I call them the belligerents.
Dave Bittner: (Laughter) And then the last group is the overachieving users. It says these users may unintentionally cause issues by taking IT security into their own hands. And...
Joe Carrigan: (Laughter) This is the know-it-all, Dave.
Dave Bittner: ...May feel they are too advanced to need help.
Joe Carrigan: I am in this article (laughter).
Dave Bittner: Like traditionalists, overachievers may ignore cyber training sessions, emails from IT or avoid learning new authentication processes, seeing these as below their skill level. You're awfully quiet over there, Joe.
Joe Carrigan: No, I'm laughing.
Dave Bittner: (Laughter) However, this group of users is often overlooked when an assessment is performed as, through their own experiences, they may feel that the resources within the organization are not adequate. Being overachievers, they feel frustrated when IT help desks ask lower-level questions when trying to follow up or are not prompt enough to respond to their requests for help.
Joe Carrigan: Yeah, have you tried turning it off and back on again?
Dave Bittner: Yeah. This can lead these users to take it upon themselves to fix the problem - for example, mistakenly downloading viruses or malicious software posing as a credible IT resource.
Joe Carrigan: Oh, now that is not me.
Dave Bittner: Although unintentional - that's what they all say, Joe.
Joe Carrigan: Right.
Dave Bittner: Although unintentional, such mistakes may weaken the overall cybersecurity boundaries and undo or go against the new security policies their IT teams were wanting to implement. See, yeah, these folks are the ones who are - the ones who say, well, surely these rules don't mean me.
Joe Carrigan: (Laughter) See, that does sound like me, Dave.
Dave Bittner: (Laughter) I mean...
Joe Carrigan: That's the most Joe thing I think you've ever...
Dave Bittner: Yeah, yeah. I mean, I'm sure, I mean, everybody else has these issues. But...
Joe Carrigan: I do have some tools that I like to download and install on my computer, but these are tools that I trust and they're tools that - and every time I do this, whenever - I've just gotten into this habit. Even though I have a virus scanner on my machine...
Dave Bittner: Yeah.
Joe Carrigan: ...When I download any tool that I'm about to install, the first thing I do is put it up on VirusTotal and see what VirusTotal tells me...
Dave Bittner: Right.
Joe Carrigan: ...Which is a great website, by the way. You can upload anything. In fact, most of the time, you actually don't have to go through the process of uploading it. Your web browser creates a hash of it, and it sees that that hash is already in the database and then just gives you a report on it.
Dave Bittner: Yeah.
Joe Carrigan: So it's really fast if you've - if you're scanning software that is already in their database.
Dave Bittner: Yeah. Well, this article points out that the key here is communicating with your users.
Joe Carrigan: Correct.
Dave Bittner: And I agree with this.
Joe Carrigan: Yes.
Dave Bittner: In fact, I'll - a story I'll share from my own life is - you know, we do security awareness training with our team here at the CyberWire. And I was pushing back on a little bit of it, particularly the social engineering stuff for me, personally, because I thought to myself, you know, I'm kind of up on social engineering stuff. I host a show about social engineering (laughter)...
Joe Carrigan: Right.
Dave Bittner: ...You know? So how is this worth my time? And it was explained to me, well, yes, you may know, you know - you are probably ahead of the average person or user or employee when it comes to this stuff. However, there is value in us, as a company, being able to say that every single one of our employees has been through this training.
Joe Carrigan: Correct.
Dave Bittner: So, if you need to, come at it from that point of view. And once it was explained to me that way, I was like, oh, OK. You know, I see. This is how I can contribute to the success of my organization by doing this.
Joe Carrigan: Right.
Dave Bittner: It's not so much about me learning this stuff. It's about being a team player...
Joe Carrigan: Right.
Dave Bittner: ...You know, all that kind of stuff.
Joe Carrigan: Yeah.
Dave Bittner: And then, you know, I got my hackles down, and I wasn't so belligerent about it (laughter).
Joe Carrigan: It is - people in our position, particularly about the social engineering training you're talking about or about cybersecurity training - if I was on the receiving end of cybersecurity training, I'd be like, do you know who I am, right?
Dave Bittner: Yeah.
Joe Carrigan: But that - that's the wrong attitude to have. Even - you know, especially - even though, yeah, we may know things, but for all the reasons you say, don't feel insulted about this...
Dave Bittner: Right.
Joe Carrigan: ...OK? There's things that have to happen.
Dave Bittner: Yeah. Yes.
Joe Carrigan: By the way, I want to say Nic Sarginson is indistinguishable from James Spader.
Dave Bittner: (Laughter) OK.
Joe Carrigan: I was looking at the bottom of the article. They have a picture of Nic.
Dave Bittner: Yeah.
Joe Carrigan: And I'm like, why is James Spader in this article?
Dave Bittner: (Laughter) OK, the very handsome and lovable James Spader, right?
Joe Carrigan: Yes.
Dave Bittner: (Laughter) Right. We will have a link to this story in the show notes. I think this is a good one, one of those ones that's probably worth sharing around with some of your IT folks - a good article here from Information Age.
Dave Bittner: All right, Joe, those are our stories. It is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from Josh - this is the same Josh - and he writes, this is a girl I know. Her account must have been hacked. It was either hacked or cloned. This is a Facebook messenger exchange. They even photoshopped the check with her fairly recent address. The grammar is a little bit off. The date format of the check is not in the normal one we use here in the U.S. I look for this a lot in a fake social media account, and I had a little fun with it. But I think they got bored. So, Dave, why don't you read this exchange?
Dave Bittner: All right. So this starts out - it's a message from someone claiming to be a woman named Erica (ph). And it says, hello, have you heard about the DHHS financial support program going on now?
Joe Carrigan: No. Are there any good bennies?
Dave Bittner: Department of Health and Women's Services for Home Care and Family Support - I got approved for 13,900 form the program. If you want, I can share you the link to apply.
Joe Carrigan: Yes, please.
Dave Bittner: And then they share the link, and it says, click the link. Say, I would like to apply for the program. Message them now because I don't when it going to end.
Joe Carrigan: (Laughter) Show me a receipt of the money you got.
Dave Bittner: And then there's a check.
Joe Carrigan: There's a check. Now, we'll get to the check.
Dave Bittner: A picture of a check. All right.
Joe Carrigan: And then back, he says, nice. Now you can pay me back the $500 I loaned you for that cosmetic procedure.
Dave Bittner: I already used mine to pay my old bills and get a new apartment.
Joe Carrigan: All in two days? Plus, remember, no one will rent to you since you burned down your last apartment.
Dave Bittner: (Laughter).
Joe Carrigan: But, Dave, I want you to take a look at this check.
Dave Bittner: Yeah, OK.
Joe Carrigan: It's in the next picture down in the script.
Dave Bittner: Oh, all right. All right. Oh, yeah, there it is.
Joe Carrigan: It...
Dave Bittner: Now, that is some high-quality Photoshop work, Joe (laughter).
Joe Carrigan: That's right. This looks like someone who downloaded GIMP or maybe just used Windows Paint...
Dave Bittner: Yeah.
Joe Carrigan: ...And typed some name. Like, that - I think that's Times New Roman font.
Dave Bittner: Yeah, yeah.
Joe Carrigan: And it looks like a Chase check, like, that somebody just had a picture of and put this in there.
Dave Bittner: Yeah. Wow (laughter).
Joe Carrigan: It's ridiculous. It's really bad. It's really awesome though. I love it. And thank you for sending that in, Josh, I really appreciate it. This is a good one.
Dave Bittner: Yeah. Yeah, absolutely. All right. Well, we would love to hear from you. If you have something you'd like for us to consider for our Catch of the Day, you can email us. It's hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Ryan Kovar. He is a distinguished security strategist at Splunk. And we were talking about ransomware. Here's my conversation with Ryan Kovar.
Ryan Kovar: The reason we decided to investigate this question around ransomware encryption speeds is, frankly, it was a question we didn't have an answer on, which sounds like a pretty easy place to start. But when we kind of looked at the world of ransomware and what our team focuses on - which is non-traditional, strategic cybersecurity research - we tried to find the questions that people hadn't answered yet. And one of the things we just couldn't find a lot of evidence on was actually how fast ransomware encrypts. We hear a lot about the dwell time. We hear a lot about the number of dollars behind each encryption and decryption and negotiations. But one of the things we just had a question on was, well, how long do you actually have once ransomware starts? And oddly enough, when we started investigating, the only place that we could find actual sort of pseudoscientific evidence was from ransomware families themselves. So we decided that was a pretty good place to start. And that's where the research began.
Dave Bittner: Yeah, that's interesting. I mean, when the folks who are out there, you know, selling some of these ransomware packages as a service - is that part of their value proposition, that they tell you, hey, we're faster than the competition?
Ryan Kovar: Actually, a hundred percent. LockBit ransomware - when you go on to their onion site, they actually have this beautiful chart where they cite the system specs that they use. They actually provide the binaries of each ransomware family that they tested against and then the encryption speed and the worming capabilities of all the other 30 families they tested against. Not surprisingly, LockBit comes out on top for their testing, but that's actually a bit of future research we're doing, which will be a one-on-one comparison.
Dave Bittner: And so let's walk down this path together here. I mean, how did you go about testing this?
Ryan Kovar: Sure. Well, the first thing we did is we started off with a hypothesis, which is, why are we even bothering to do this? And part of what we wanted to determine was, do organizations have enough time to respond once a ransomware encryption starts, meaning can you get in and, you know, turn off the computer or reboot it or run some sort of AV test or something to remove the ransomware? And that was kind of where we started. So the first thing we found was, on average, according to the Mandiant M-Trends Report of 2021, ransomware families have about three - or, sorry, ransomware adversaries spend about three days of dwell time on a system. So - or on the network. So they have a pretty long time in a network before they actually execute the ransomware binary.
Ryan Kovar: So we started there and tried to figure out, OK, well, once they've done that, how long do you have once they execute the ransomware binary? And to do that, we wanted to make sure we had some good blind testing or, rather, scientific testing. So we set up two different operating systems - Windows 10 and, I believe, the newest version of the Windows operating system for Server. And once we actually ran those, we put them in two different specs for each operating system. So we had four different spec systems - a high-spec system and a low-spec system - by operating system, which is a lot of systems, now that I say that out loud.
Dave Bittner: (Laughter).
Ryan Kovar: Finally, we took a variety of ransomware families, and then we took - from those ransomware families, we took 10 ransomware binaries associated with each family, as identified by Windows Defender AV and VirusTotal. So we ended up having a hundred ransomware binaries from 10 separate families that we ran across four different systems of different varieties, and then we used median and mean to kind of average that all out and find out what was the average ransomware encryption per family and then just overall ransomware speed.
Dave Bittner: Wow, that's a lot (laughter).
Ryan Kovar: Yeah, it was months of work.
Dave Bittner: So - well, let's dig into some of the results, then. I mean, what are some of the things that stood out to you?
Ryan Kovar: The most fascinating thing to me was - let me bring up my notes here, so I don't miss anything - that the average time to encrypt for - across a corpus of all files was 42 minutes and 52 seconds. So that's - one other thing, this is against about a hundred thousand files or about 53 gigs of data. These files were taken from an open source repository of DOCX and, you know, Windows documents, PowerPoint documents, text files - very much representative of a normal person's desktop. And so the median time for all these ransomware variants was 42 minutes and 52 seconds, but that could be anywhere from 4 minutes and 3 - about - basically, 4 minutes or 3 1/2 hours in between individual samples. So that was one of the fun findings that we had.
Ryan Kovar: Another one was that we were really expecting that hardware speeds and capabilities would show a linear increase. So, you know, if a ransomware sample takes 10 minutes to encrypt on a slow processor and slow memory, that it would take maybe 5 minutes if we doubled the capacity. And that wasn't always true. Some of the ransomware binaries weren't able to actually take full advantage of multithreaded processors or increased memory or other hardware specs. So that was one of the other interesting findings we had.
Dave Bittner: Yeah, that's interesting. I mean, is this a case where they're - they tend to stay, you know, CPU-bound? Are they not checking out to see if you have, you know, GPU horsepower at your disposal?
Ryan Kovar: That appears to be our hypothesis going forward. One thing I will say is we intentionally tried to not use the skills of a reverse engineer on this. Part of the team that I run, SURGe, we have a fun tagline - a blue collar for the blue team. And there's so many great reports written by incredible reverse engineers with IDA Pro screenshots and all these wonderful things. But a lot of times, for the average blue teamer, that doesn't really resonate for them or they don't know how to read those. So what we wanted to do is make sure we didn't introduce that sort of knowledge bias into the research and just did this based on what we could observe. So one thing we did miss a greater view on is, you know, was it trying to access GPUs? But what we did see is, if we made GPU processor cycles available, they didn't take them, or if they had more CPUs, they didn't always utilize them.
Dave Bittner: So, I mean, is this a case where having, you know, the latest, greatest, most powerful system might not be to your advantage if someone hits you with ransomware?
Ryan Kovar: It really depends on the ransomware variant, from what we can tell.
Dave Bittner: Yeah.
Ryan Kovar: Some were able to use the faster processors. Some weren't. For the most part, I would say the faster your systems, the faster you would encrypt it. But, you know, as one person pointed out, if you have a hundred thousand files and the last one gets encrypted at 3 hours and the first one gets encrypted in 3 seconds, you're still encrypted. So it doesn't really matter.
Dave Bittner: Yeah. So what does this indicate to you in terms of detection? Is it the sort of thing where you're going to have great benefit by having something in place that is looking for encryption taking place on your system, for example?
Ryan Kovar: My personal belief is no. What - I think what this helps defenders find is that - you know, I'm a big fan of history. And if you look at World War II and the Pacific theater for America, one of the big things we did as a military was the island-hopping campaign. And you don't try to tackle tough nuts you can't crack. And I think what we see here is this research gives that fundamental data and knowledge to an organization to say, hey, if we have, you know, a hundred cyber bucks and we can spend them anywhere, once encryption starts, it's kind of like gangrene on a limb. You're probably going to lose that system. So where can you actually start defending more effectively?
Ryan Kovar: And for me, what this research reveals is that you can move left of that boom, as we would say, right? So instead of focusing detections just on finding ransomware - which still has a lot of value; I'm not knocking that - but I would argue that there's a lot more benefits to an organization by moving left and trying to find ransomware operators before they come in and actually place the ransomware binary, which is one of the new things that we kind of - I wouldn't say new, but one of the things we really identified as we broke our own biases on this research is modern ransomware adversaries pretty much emulate the nation-state APT adversaries that I've spent my career defending against. And so they do reconnaissance. They do lateral movement. They establish persistence using a wide variety of tools, like Cobalt Strike. And by the time they actually get to the point of running a ransomware binary, they bring that ransomware binary over as the very last step.
Ryan Kovar: So there's a great piece of work by CERT New Zealand. They released a white paper earlier this year where they have something like 13 different stages of the ransomware life cycle. And you can actually identify, detect and mitigate and defend against that ransomware adversary of any of those 13 places before they get to running ransomware. So that's really what I come out of this with, is it's - hopefully this research and this data gives network defenders the confidence to move left and try to find these adversaries before they actually execute the ransomware binary.
Dave Bittner: You know, my recollection is that we've seen reports along the way that a lot of the decryptors for these ransomware packages are kind of substandard, that, you know, it seems like maybe that's not where they put their energy and their effort. I know that wasn't the focus of your research here. But I'm curious if you have any insights on that.
Ryan Kovar: I'd love to have more insights on that. That's actually one of the places we're looking at for putting more research in over the next year. There are some difficulties of just having to have an active ransomware encryption and bitcoin to pay for ransomware decryptions. But it's somewhere that we're looking forward to experimenting in the next year.
Dave Bittner: I see. So what are the take-homes here? - I mean, recommendations in terms of people preparing themselves, their organizations against the threat of ransomware. Based on what you've learned here, what are you recommending?
Ryan Kovar: It really comes down to a couple of key points, if I can be so brief. The first is that at the end of the day, you're probably not going to stop ransomware once it starts. So you need to have a good recovery plan, or you need to have a good prevention and detection plan. And this data that we're providing in the report gives you that evidence to have that tough conversation. A lot of folks want to say, let's stop this in the middle. I would argue you can't. So move left, or move right.
Ryan Kovar: We talked to some organizations, and they said, hey, this really helped us make that decision of, we're going to invest a lot of time and money in insurance and recovery and disaster recovery and backups. And we're also going to put a lot more work on hunting and detections for our threat intel team and hunting team before. And they're just kind of abandoning this idea that once ransomware starts, they can stop it. And if that's the only thing people get out of this research, I think that's a huge advantage.
Dave Bittner: Help me understand - when a ransomware team, you know, gets access to an organization's network and they decide that it's time to, you know, throw the switch and start encrypting things, do they try to hit multiple systems simultaneously, or are they, as you said, sort of island hopping? Are they doing one at a time? Is it a parallel thing, or is it serial?
Ryan Kovar: So this is a fantastic question because it kind of struck to some of the biases that I started the research with, along with the actual primary author of the research, Shannon Davis. And one of the things we both kind of went into this with is, oh, ransomware worms. And what we're going to find here is all this ransomware that kind of moves laterally across SMB or is actively going to be finding vulnerabilities.
Ryan Kovar: And in the samples we tested, we actually didn't see a lot of worming. And so as we started to figure out how does this ransomware spread in a network, we started reading a lot of incident response reports, looking online, following Twitter threads, talking to friends who have fought and defended against ransomware attacks. And the reality is, in a modern-day ransomware incident, adversaries come in using spear phishing or a typical vulnerability or something similar to that. They use valid credentials to enter a network. They do internal reconnaissance. They move laterally using PsExec, all sorts of tools like that that you would expect. And then they find the data that is most valuable to an organization.
Ryan Kovar: And the way I've described this before is it's kind of like someone rigging a building to blow. You don't put one giant bomb in the middle of the building. You find all the key supports of the building, and you put on smaller bombs. And in this case, the ransomware binaries are actually being deployed on key systems to have that key data that they're trying to encrypt. They're no longer just trying to encrypt everything on every hard drive. That still happens. But more specifically, the larger ransomware events that we're hearing about in the news - it's that they're encrypting the file server or the payment server or the development server, and then they're doing this double bounty, right?
Ryan Kovar: They're encrypting, and then they're exfilling that data and they're saying, you either pay us to decrypt your system, and if you don't do that, then we'll decrypt it ourselves, and we'll blackmail you with your data being released publicly. And that's only valuable if they're getting the data that has the most value to an organization. So to make that a little bit more concise, you know, they're no longer just doing every system on every hard drive in the whole company. They're being very tactical and specific and taking the data that's most strategically valuable to an organization.
Dave Bittner: You know, I have to say, it seems to me like - or it sounds to me like you and your colleagues here really got a lot out of this particular effort. Like, you know, not only did you get a lot of information, but it sounds like you guys had a little bit of fun as well.
Ryan Kovar: It was an absolute blast. And one of the things we love doing - we have a motto on our team - fail less. And it's not meant to be negative. But what it's meant to say is, you know, every day you fail a little bit as a blue teamer. And your entire goal is tomorrow you wake up, and you do a little bit better at what you missed. And this research kind of did that for us. We had these biases going in that ransomware was unsophisticated or that it wormed, and that's the only way it spread, and that ransomware was either incredible or horrible. And most of those got blown away in the work that we did, which is the fun part about doing, you know, actual scientific research.
Ryan Kovar: The outside of it was we also came with all these areas that we're really intrigued in working on. As I said, Shannon Davis leads this research, but he's also working with one of our new employees, Kelcie Bourne. And they're looking at - one of the things we found was ransomware wasn't always packed. And, in fact, as we looked more and more at ransomware and talked to other people, we found a lot of folks have also been finding that ransomware is no longer packed. My bias, once again, coming from a nation-state world, ransomware - or sorry, malware was always packed or had a packer used to confuse the compiling of the software.
Ryan Kovar: Well, this means that a lot of the detections that we've been avoiding for malware for years are actually now back in play, possibly with ransomware. And so we have this huge corpus of data. And Kelcie and Shannon are working through - can we use new fuzzy hashing algorithms to actually detect unpacked malware? Can we find out how much ransomware is actually packed or not packed? - all sorts of areas like that that we're kind of excited to go into.
Dave Bittner: All right, Joe, what do you think?
Joe Carrigan: Dave, I've always wondered how long it takes ransomware to actually do its physical damage.
Dave Bittner: You mean like the compression process, the encryption process?
Joe Carrigan: Yeah, the encryption process.
Dave Bittner: Yeah.
Joe Carrigan: This study answers something that is important that I had - I have been wondering about this for a very long time.
Dave Bittner: OK.
Joe Carrigan: And again, I'm fascinated by this kind of stuff. I've got to get this report and read it. LockBit has marketing data about their product and their competitors' product on their onion site.
Dave Bittner: Right.
Joe Carrigan: That's amazing to me.
Dave Bittner: Yeah.
Joe Carrigan: I mean, I was - I shouldn't be amazed by it. We've been saying these guys are essentially corporations - large corporations. They're criminal enterprises...
Dave Bittner: Yeah.
Joe Carrigan: ...Right? They run like businesses, except their products are illegal.
Dave Bittner: Right.
Joe Carrigan: That's all.
Dave Bittner: Right.
Joe Carrigan: Lots of testing here. I mean, they tested a hundred variants of ransomware on four different kinds of computers. That's got to be at least four different - or 400 ransomware tests. That's a lot of data for this kind of study, I would think.
Dave Bittner: Yeah.
Joe Carrigan: Good work on this study. And those range in time from taking anywhere from 4 minutes to 3 hours - 4 minutes for a ransomware attack to be finished on a computer.
Dave Bittner: That's a bathroom break, Joe (laughter).
Joe Carrigan: Yeah, that's - that is remarkably fast.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Now, granted, that's probably an outlier.
Dave Bittner: Yeah.
Joe Carrigan: But, I mean, that could be...
Dave Bittner: Still, 3 hours...
Joe Carrigan: Right.
Dave Bittner: I mean, if you have a kick in at 1 in the morning...
Joe Carrigan: Yeah.
Dave Bittner: ...While someone's asleep or...
Joe Carrigan: Right.
Dave Bittner: ...Out of the office.
Joe Carrigan: And that's when these guys do this.
Dave Bittner: Yeah.
Joe Carrigan: Because Ryan is talking about how these guys operate. You know, they're in your network. They're doing the reconnaissance.
Dave Bittner: Right.
Joe Carrigan: They know what your schedule is.
Dave Bittner: Yeah.
Joe Carrigan: They know all this stuff. You're going to show up in the morning, and that's when your files are going to be encrypted...
Dave Bittner: Right.
Joe Carrigan: ...Right? Some of these ransomware developers are not taking advantage of, like, multithreading CPUs or GPUs. These guys are producing barely-sufficient software...
Dave Bittner: (Laughter).
Joe Carrigan: ...All right? That's an agile design principle.
Dave Bittner: Are you shaming the ransomware developers, Joe?
Joe Carrigan: No, no, no.
Dave Bittner: (Laughter).
Joe Carrigan: No, actually, it's - barely-sufficient software sounds like it might be a bad thing...
Dave Bittner: Oh.
Joe Carrigan: ...But it's actually a good thing...
Dave Bittner: Oh, OK (laughter).
Joe Carrigan: ...Right? You want the software that you have to spend the minimal amount of money developing that does the work...
Dave Bittner: Oh, I see. OK.
Joe Carrigan: ...Right?
Dave Bittner: Yeah.
Joe Carrigan: It's an agile development principle.
Dave Bittner: I see.
Joe Carrigan: That's what these guys are doing.
Dave Bittner: Got you.
Joe Carrigan: Again, we're seeing them following the best practices of the industry...
Dave Bittner: Right.
Joe Carrigan: ...And producing software that does the job for the least amount of effort.
Dave Bittner: Ah.
Joe Carrigan: It's great. I mean, well, it's not great. These guys are horrible, horrible people.
Dave Bittner: (Laughter).
Joe Carrigan: About stopping the encryption in process - one file encrypted is going to be bad on some level. You know, and it's not going to take any time at all to encrypt one file. The exfiltration part of it - I don't know if it happens before or after - Ryan says it in his interview. He seems to - in this interview, he seems to indicate that they'll exfiltrate the encrypted data and then decrypt it. If they're in there for a short period of time, probably. But if they're in there for a month, they've already got the data.
Dave Bittner: Right.
Joe Carrigan: They never encrypted it. I think he's absolutely right when he says you need to move to the left of this event. And I hate that term, move to the left.
Dave Bittner: Yeah?
Joe Carrigan: It's very jargony.
Dave Bittner: Yeah.
Joe Carrigan: But, I mean, the first couple times I heard it, I didn't know what it meant...
Dave Bittner: Yeah.
Joe Carrigan: ...Right? It just means get out in front of it, right? And on the timeline - you're looking at the timeline flowing from left to right...
Dave Bittner: Yeah.
Joe Carrigan: ...You need to be out in front of this before it happens.
Dave Bittner: They say left of boom.
Joe Carrigan: Left of boom, exactly.
Dave Bittner: Yeah.
Joe Carrigan: These guys are doing everything the APTs do, and encryption is just the last stage in the breach. And this is a breach, just about every time. If somebody has breached your network, you have no guarantee they haven't exfiltrated tons of data, even if they just - they're just doing a ransomware attack.
Dave Bittner: Yeah.
Joe Carrigan: You have no - unless you can forensically demonstrate that didn't happen and unless you have the logs that show that - and even if you do have the logs, they may have gone through and changed the logs.
Joe Carrigan: This is interesting. Ransomware doesn't really worm. You know, worming is a malicious behavior from software that allows it to move around the network on its own. You know, generally, viruses require somebody to move a file and then activate that file or use that file for them to run...
Dave Bittner: Yeah.
Joe Carrigan: ...And then spread. But once they've been activated, they spread on their own. But worms - worms don't require the human interaction. And ransomware doesn't work like that, according to this study - installed individually by each person on - or by the people on the computers they want to encrypt.
Dave Bittner: Right.
Joe Carrigan: I think that's very interesting. And I think the key point is - of this study is you are not going to stop ransomware once it starts. It's - by that time, it's too late. You've - you're now in the recovery phase.
Dave Bittner: Yeah. So part of your planning needs to be, what do we do if we get hit by ransomware?
Joe Carrigan: Right.
Dave Bittner: What's plan B?
Joe Carrigan: Right. And Ryan makes an excellent point here. He says you have two choices. You can move to the left and try to prevent it, or you can move to the right and just recover - right? - which - those are your options. Apparently, stopping it right in the middle of it happening is not really a good option.
Dave Bittner: Yeah. And I'd also add, those two are not mutually exclusive.
Joe Carrigan: They are not mutually exclusive, I would agree. You can do both. As we say in the old security marketing industry, belt and suspenders...
Dave Bittner: Right.
Joe Carrigan: ...Fashion faux pas but a security must.
Dave Bittner: (Laughter) There you go.
Dave Bittner: All right. Well, our thanks to Ryan Kovar from Splunk for joining us. We do appreciate him taking the time.
Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.