VIEW TRANSCRIPT >

EP 27 Transcript

Ron: (00:01) Hello, no special guests today. Just me, Ron Harris here to talk to you about once again, ransomware. So over the course of probably the last three weeks, we've seen an outbreak in ransomware being, well trying to be delivered to customers and potential customers. Well we actually picked up a prospect that we've been working with for a while because their, um, network was ransomwared. So it kind of brought it up. And I figured we should talk about it now because seeing everything that's going on in the world, uh, they're only going to keep trying to pivot on nasty things going on in this world to get clicks. So now it was COVID last month. Now it's probably social injustice now. So just keep in mind when you're clicking on things and getting emails from people you don't know, you probably don't want to click those, right.

Ron: (00:57) Um, because that's what they're hoping for. So the two I want to talk about is one was, um, a smaller organization. They were CryptoLockered and I keep saying CryptoLocker, cause it's generic term, they were hit with it's called Mr. Dec. It comes in through, um, Port 3389 which is the RDP port. So if you're remoting in and out, this is a brilliant attack too, because everybody's working from home and a lot of people use a remote desktop to remote in. So what's happening is this Mr. Dec is being delivered, uh, via email or even just through the open port on 3389 and again, you do not want to leave that port open. You want to obscure that port as much as possible, right? Or close it all down together and connect in through a VPN and then remote desktop in to your session, never, ever, ever do you want to leave that port open to the internet because that's how Mr. Dec gets delivered to your network. So they were able to push the payload, um, into the network and they had access to the network for anywhere between 12 hours and 24 hours. And in that 24 hours, they were able to, uh, use the administrator password that they have compromised and go into the backup server and delete the backups. So now you're at a point where you don't have, um, backups to restore from, and now you're going to then, well, what they did do is delete the logs and then they backed out of the system and encrypted it. Um, they didn't take anything in this case, they just wanted their money. So they ran their tools and they started to encrypt all the information on the network. Now it would be one thing to come in on a Monday morning and say, Hey, um, you know, we had, we got CryptoLocker.

Ron: (02:53) You want to call it CryptoLocker that I can't do that. Uh, we keep getting ransomware or we got ransomwared over the weekend. We're going to restore and we'll be on our way. Right? But in this case, there was no backups. So there was no cloud. There was no replication offsite. There was no buddy taking jump drives home. It was just an onsite backup that was deleted and left no ability to restore. So they had to go through the process of paying the ransom. Now here's where it gets tricky because your heart says don't pay the ransom and just kind of rebuild. But it's incredibly hard when everything is gone, everything is gone. You have to look at avenues, right? To get your business back up and running and serving your customers and making money. But that comes with a sum. Now they're going to give you the decryption key right now. This is a big, I guess, a moral question that you have for these nameless, faceless people, wherever they are in the world. Are they going to give you the decryption key after you pay the ransom?

Speaker 2: (03:51) Now my head says yes. And all the examples I've seen and been a part of had said, yes, the decryption codes work. And we were able to decrypt whatever we needed to decrypt. Um, but yeah, they're a business, so they have to, right. So if you get involved with Mr. Dec CryptoLocker, um, you know, whatever the different variants are and they crypto your or take, uh, yeah, they encrypt your data and they don't give you the key after you pay it. Then it's going to get, you know, it's going to spread like wildfire that, Hey, you're not going to pay the 22 or the $20,000, $50,000, whatever it is to get your data back. Right. And that's just, that's just going to become what the internet says, and you're not going to want to do it. And these security providers and remediation teams are gonna say, Hey, you're not going to get paid if we pay this ransomware. So we just need to start over. So it's in their best business interest because this is what, this is, this isn't a malicious hack. This isn't a hack the planet type situation. This is a business. And it's billions of dollars a year into these, I would call them companies some sophisticated, some not so sophisticated, but still a business entity. They make anywhere between, I would probably say $2,000 to $50,000 on a recovery.

Ron: (05:12) Right. And they don't do anything. The hard work's all done through that getting access. So once they get access, whether it's emails or RDP or anything like that, that the work is done, encrypt and wait and get paid. Now, the way you pay these things is through Bitcoins that are untrackable. That's the reason of them, right? It's a, it's a cryptocurrency that is used throughout the world and it's valued very high. And it's kind of, if you don't know what you're doing with it or how to use it or how to get it, it becomes a very tedious thing. So if anything does happen to you, partner with someone, partner with a remediation team and MSP a use, whoever you're working with to handle that, because it's not, um, I want to say for the faint of heart, you have to understand how it works, how wallets work, where do you buy a Bitcoin, you know, fractions of Bitcoins or full Bitcoins, whatever the case is, you just have to be ready to understand that.

Ron: (06:05) And it's, it can be a daunting task. So, um, so yeah, so they, they were able to get their data back and decrypted and, uh, standing up a new domain and all that other fun stuff. So that's good, right? At the end of the day, that's good, but paying the 30 or $40,000 is not good for business. Now, this is where your cyber liability policy comes into play. You're gonna want, no matter what, you're going to want small business, medium business, enterprise business, five people, 10 people. You're going to want some sort of cyber liability coverage for this event. It's not going to get any easier to spot these or any easier to stop these, it's going to happen. Now we, as an I.T. team or Managed Service Provider can do everything we can to slow them down, but they always, always, always, always use other humans to infiltrate the network.

Ron: (06:56) Whether it's a, you know, a physical thing where they're saying, Hey, Ron, here's a jump drive, go and take this jump drive. It's free. You're gonna love it. It's going to be the best jump drive ever. And you take it and you plug it in your computer whammo, right? Or, Hey, a COVID-19 information click here for the PPP. Cool. You click there. Boom. You got it. Oh, Facebook whats up? We're scrolling through Facebook. Oh, code injection. You got it. Right. Or you type in the wrong domain, you know, girl Scouts instead of girl scout or whatever the case is, they park a domain, their code injection. You have it. Now you have to be able to manage that, right? So whether you do it through another partner or a remediation team or whatever, you want to have cyber liability to go back, you want to have cyber liability insurance to pay that fee.

Ron: (07:45) Now your, your, um, deductible is probably going to be much less than what you're going to get hit with. And on top of that, you're looking at at least at least two to three days of downtime. If not more, if not more, depending on how big the network is, how spread out it is, is it local to the region? Is it across the country? Because again, if, if I have a VPN connection to a computer in California, and a computer in Florida and a computer in Colorado and a computer in Montana, and I get it here in little old Kalamazoo, Michigan, and we're all seeing each other, they also are going to get it right. So it's going to hit them. It's going to encrypt their machine. So what's that look like for remediation? Are you backing up the end points? Are you backing up the server or do you have to pay the ransom?

Ron: (08:31) Do you have to get eyes on it? There's a lot of things that come in play. When you start talking about remediation, that's why you want to get that cyber liability. So they can then partner with remediation team to help you go through these. I want to call them hoops or these challenges that may arise through this process because it's not, it's not going to end. I wish I could sit here and say, it's over, we've beat the cybercriminals, but it's not going to happen. They are a smarter and they don't sleep. And they're always changing what they're doing. Um, so if you're listening to this podcast right now, and maybe you're a five person company thinking, nah this is not going to happen to me or this could never, why would they want this? It's not about why it's not about the information in this case.

Ron: (09:16) They want the money. A five person company let's say is doing a couple million dollars a year in business, very profitable, running like a well oiled, well oiled machine can get the parking brake pulled on this adventure because you get, you get encrypted, right? And it's two, three, four, five days of downtime. It's a reputation thing. Now, what, what is the business? So let's say it's a, it's a doctor's office. And they've been in your system for 24 hours, and now they're pulling company or client information. That's a big deal. That is going to pull the parking brake on the highway. You're now profitable business is now looking at some turbulent waters, get the cyber liability, get a proper I.T. partner and take a stance on security. You have to, you cannot wait. Just today it was announced that our, one of our local colleges, Michigan State University was hit and they pulled some information off a server, uh, pertaining to students, uh, stuff going on inside of the university.

Ron: (10:19) And they are not going to give them the decryption key until they pay a very large ransom. And if they don't pay the ransom, essentially, uh, essentially extortion, they're going to start leaking documents. Now who knows what's in these documents, you've seen it in the past with, uh, all kinds of people. Um, uh, man, I'm trying to think Fox, I think had some stuff go on blast. No Sony did when they were releasing a movie from North Korea, um, stuff like that happens now, probably not a big deal for MSU. They'll figure it out. They'll pay the ransom. They probably have cyber liability insurance. So they're going to move down the road, but it just shows that it doesn't matter what it is. This is a, this is to them it's no different than knocking on your door and trying to sell you a candy bar.

Ron: (11:00) If that door opens, you're buying a candy bar, right? So that's all they're looking for. Knocking on the doors, anybody there knocking on doors, anybody there now with this Mr. Dec attack, it is very convenient because a number, you know, millions and millions and not even a number, a millions and millions of people are working from home. And if you don't have a secure way for them to access the network or to get back into the network or to even, um, work securely, there's going to be issues. Um, this, Mr. Dec attack goes in through the RDP port and hits your network. Bingo, Bango they're in, you know, it could also be from the end point. So let's say you're doing, I'm a bring your own device. So I'm working from home on my Windows machine that maybe doesn't have proper antivirus. And I am connected through the VPN because I have to work well uh, Tommy, my eight year old son hopped up on Facebook, got a little something, something on there, and now it's spreading through the work network, right? So even as you're working from home and maybe it is all, be it secure depending on the device you're using, you still have to be careful, careful. This is what is going to be, you know, I would say now's the time to invest in a partnership to look at the partnerships you have, make sure you have offsite backups, make sure your backups are good. Make sure your password policies, even for your, uh, part providers and partners is strong. Have that conversation. Don't be afraid as a company to ask the hard questions. And maybe it's, it's nothing you understand, but you'll know bullshit when you hear bullshit, right? That's how it comes down to it. If you can ask a provider and say, Hey, what's our cloud backup strategy?

Ron: (12:39) And they say, well [noises], you don't have one. It's just how it goes. Here at Omega, what we do is everybody gets a replication offsite, right? It doesn't matter how big the customer is or how small the customer is. You're getting a cloud replication. It's, it's part of our package just for that, because I don't want to have that conversation with you. There's only two things in the world I can't give a business back. And that's their time that I either they're down or not working and their data, something that you've been growing and harvesting for years and years and years could just be gone like that. Just think about that. You could be in a 20, 30, 40 year old business that has 20, 30, 40 year old, 30 to 40 years worth of information just sitting there on a server. Maybe it's not backed up.

Ron: (13:33) Maybe it is. Maybe you're sometimes taking jump drives home. Maybe you're sometimes swapping out hard drives. You gotta remove this sometimes you guys have to do it, or you have to find a partner that does it automatically and handles it for you. It's not a, with everything that's going on in the world. Um, with everything that we're seeing, these attacks are happening at a rapid pace, and they're not going to slow down. They're going to keep praying on everything. That's horrible. That's going on in this world because we're curious. We want to learn more. And that's what those emails are going to be. Now's also the time to look at your antivirus and to get some type of end user training, like a KnowBe4 or any phishing simulation you could get. Microsoft has one that you can pay for. If you have an Office 365 account.

(14:17) KnowBe4 is platform agnostic. So you don't need to have Gmail or Office 365 to use it. Anybody can use it. We resell it. We use it. I use it on my staff. Um, I think once a month, um, and we get some people, right? I even get some technicians because they look that good and nothing happens. You get thrown into some training and you move on down the road, but you'll learn from it. We don't want you to be scared to click on things. We want you to be educated before you click on things, because these emails look right and they look good. Yes. I want to click on this. Of course I ordered this FedEx package or this UPS package where I want to view my receipt. Of course I do. Or I do want to understand what's going on with the pandemic or, Oh, I do want to see what's going on with, um, the current political climate.

Ron: (15:04) I want to know everything because that's just human nature and you're going to see it coming. It's going to come very quickly at us and we have to be prepared. So now's the time to start asking those questions to your provider. Do I have a cloud backup strategy? Are you testing my backups? When was the last time you tested my backup? Do I have antivirus? Um, have we been scanned? Is it always scanning? What type of antivirus is it? What's our password policy. Do we have a password policy? Hey Bob, have we ever changed our passwords? These are questions you start, you have to start to ask, not just for yourself, but for your business, for everything you've worked for for years. And it pains me to see people that go through this process and just partner with somebody and they say, yep, I got you.

Ron: (15:45) And then it turns out they don't have you. And then I'm sitting in a boardroom with them, just thinking, jeepers, I don't want to be here. I don't want these people to be going through this. It's just a terrible situation. So protect yourself, protect your business, protect your data, do everything you can. And if you guys anybody listen to this, has questions want to talk about it, don't hesitate to reach out we're here. Uh, we have a lot of great tools that we use that we'd love to share with you guys. Um, again, be safe, everybody wear your masks, do the right thing, stand up, love each other. We'll see you around. Thanks.