Omega Computer Services

View Original

The Real Cost of Ransomware

See this content in the original post
See this content in the original post

See this content in the original post

FEBRUARY 7, 2020

Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim to restore access to that data, but that's not the only price you pay if your business is attacked. In this episode of the GEEK FREAKS PODCAST, Ron and Thomas discuss real-life examples of ransomware victims, the repercussions of an attack, how incredibly accessible this malicious software is to hackers and the importance of having protection and a data recovery plan in place.



See this content in the original post

See this content in the original post

See this content in the original post

VIEW TRANSCRIPT >

Ep. 19 Transcript

Ron Welcome to The Geek Freaks Podcast. Your go to destination for answers to the most crucial business technology questions every business owner needs to hear

Music [Intro Music]

Ron With me as not always, but as most of the time. Thomas Darrington how are you Thomas?

Thomas I'm doing all right. How are you?

Ron I'm pretty good. Thanks. I'm getting over my own virus.

Thomas Yeah, yeah. I just got over mine. I have stopped coughing. It's great.

Ron I have not stopped coughing yet, so I really, you and I start talking about this last week and I know that we were supposed to record podcasts and we got sick, so, or I got sick.

Thomas It happens.

Ron So the, yeah, 2020 the year of sickness. Um, as, I think it really has to break down what we're trying to break down today is what the actual expense, our expenses are when you do get attacked with ransomware, right? So everybody says, Oh, I got cyber liability. Uh, it's not a big deal. Well, it's a big deal because there's a lot of other costs indirectly tied to this attack.

Thomas Right. Um, yeah, I was actually very surprised about, uh, all the numbers behind that.

Ron Like how much money you're spending.

Thomas Yeah. Yeah. Like, um, I didn't think that people actually ended up having to spend so much for ransomware attack.

Ron On average last quarter is $41,329.

Thomas Which is crazy to me.

Ron But that's just to pay the hackers.

Thomas Right.

Ron Just to pay the attackers.

Thomas And then you might not still even get your data back.

Ron Yeah. So just outside of that cost, right. So you get ransomware, you have it, you now have now, now you have to either pay for it or restore. So if you don't have a proper, either one is downtime, but if you don't have a proper restore process, it could take a long time.

Thomas Yeah. It could take a real long time.

Ron So the indirect dealer, indirect costs that you got to think in it think of is downtime.

Thomas Right.

Ron So now it's forced, right. We can't do anything about it. Nobody can work. Everything's CryptoLocker, ransomware locked.

Thomas We're just sitting there.

Ron So the direct, the direct cost would be the $43,000 that you got to pay to get it unlocked. And if you right now, there's no guarantee they're going to unlock it. Right? That's the whole big thing too...

Thomas Right. That's correct. And that's the part that's crazy to me, is that people will pay that and then rely on these people who already attacked them to be true to their word. And I was reading that that price has gone up for certain types of ransomware to $288,000.

Ron Uh, what?

Thomas Which is nuts. That's why the average is so much is because, yeah, there's a new group that's doing it. They'll just charge almost 300,000.

Ron What I think is crazy is how much money they're getting paid. Right. So you got Baltimore that's spent millions of dollars. Some local companies spend millions of dollars to try to get paid to get out of this. Right. But again, there's no guarantee they're not nice people to begin with.

Thomas No.

Ron So I guess a indirect costs would be downtime. So now you can't work, you're not servicing your customers. You have staff sitting around...

Thomas You still gotta pay your employees.

Ron So yeah, excuse me. So I guess the, the biggest, the second biggest thing out of that is going to be the reputation too, right? Cause now you have to tell your customers, our data's been breached, we've been breached and we're locked up.

Thomas We're not gonna be able to service you as quickly because we're still getting back on our feet, all this stuff.

Ron And I mean if you walk through it right, and let's say, uh, you're, you're lacl of better terms, you're an insurance agency and you get CryptoLocker and your stuff's on site. You can't serve as anybody.

Thomas Correct.

Ron Because the only thing that that's not affecting is your phone system.

Thomas Correct.

Ron Essentially. Hopefully.

Thomas It's possible though that it could.

Ron Yeah. No, you're right.

Thomas If you're using a VOIP.

Ron So the, now we are learning up to about the, um, the, the, the, the V, the variation of ransomware that goes into the backups and sits there and then it detonates at a certain set of time to ruin your backups. Have you seen the articles about that?

Thomas I have. And that was actually very surprising as well. Um, the shadow copy destruction is just, it's not like, it just prevents you from being able to do anything.

Ron So as they, I guess as you go through this process even further, so now we've been a CryptoLocker, w whatever, whatever the case is, whatever this variance is. So now we're paying them to, um, to get the encryption key, the D encryption key, let's say, and then now we have to deal with a lack of downtime with our employees.

Thomas Right.

Ron I mean, if we had to do it here, it'd be 15, 16 people sitting around twiddling their thumbs.

Thomas Just waiting for it to get taken care of it.

Ron Yeah. So then from there you have the, um, the reputation. So now you have to notify your customers. I guess my other, the other big thing would be the liability of it. What did they get if they got anything before they encrypted? Did they take anything? Now you have to explain that and hope that nothing gets out there.

Thomas Right. All the potential data breach issues.

Ron Yeah. That's the other thing I think that goes untalked about right. We always talk about preparing or you know, the stopping it. But once it happens, it's, who knows, right. Especially with the way that the things are coming in now. I mean we see a lot of them come in via email, but now they're coming in from Facebook. They're coming in from other websites that you may go to everyday through, through code injection.

Thomas Yeah. Yeah. And it's a, I dunno, it's interesting because you'll see like the notes that they send that says, Hey, your data's been encrypted. And then one of the, uh, the notes that I was reading said, don't send us any like personal information or any like important documents or anything. Just send us these random documents that are encrypted and we'll show you how to that we can unencrypt them. So they like do it on like a good faith kind of thing. Like we'll show you, but then you still have no guarantee.

Ron Well, I guess it'd be bad for business, right? So you got that one variant that you're not decrypting that's bad for business. Right. If you got to do it so you can get the money. So then you can get the reputation of, yeah, these, these guys are the ones that are serious. I mean, I guess they're taking Bitcoin though, so you can't track it down. You can't do anything with it.

Thomas Yeah, yeah. I dunno. It's just nuts.

Ron So I guess the other thing that we all have to realize as people that work in tech and the people that use tech is it's not going to change. It's not going to get better. It's not going to like, they're not going to stop. So we have to then cover every avenue we can of, you know, protection. So the way we do things is we protect at the edge with the firewall. Then we have SentinelOne on the machines. And then we have all the fanciness on the firewall that does all the packets. But besides that, you know, somebody could actually just bring it in from the device.

Thomas Customer education as well. Yeah. You have to make sure that the employees are not clicking the links are not, uh, responding to things that seem fishy.

Ron That goes, I mean, it's a perfect example of what happened a couple of weeks ago. We had somebody that gave up their Office 365 stuff and didn't say anything for 10 days. Right. Like I get and that's the, the users get shamed, you know, they feel bad. There's, there's emotion tied to that when you make a mistake like that. And I think people need to understand if something happens like that, they need to immediately address it.

Thomas Yeah, yeah, absolutely. Cause the faster we can get to it, the faster it just stops. There's no concern.

Ron So, so now, so now we've been Cryptolockered we know of the loss of reputation, reputation because we're telling them all our customers. Then we have the downtime of our staff. What's the restore process look like on, on any of this?

Thomas So if you're relying on them, they have to provide the decryption key and go through their process to decrypt your files.

Ron And I'm imagining that's not fast.

Thomas Uh, it's not, it also often has like a 50% success rate, which is not great. I guess all your really important files.

Ron I guess it's better than starting from scratch though.

Thomas If you get a, you know, if you have a really good team on your side though, that has a good defense in place, they've got your backups offsite, are separate from being able to get crypto. And then instead of having to go through that process at all, you can just restore, you might lose a day of work.

Ron And I think that's something to think about too. So if you are backing up your system and it is on the network, it's legitimately on the network and you, that machine can be seen by the network. And it can also be CryptoLockered.

Thomas Right.

Ron Or ransomwared, whatever. I keep saying CryptoLocker cause it was the first one.

Thomas Right.

Ron But it can be infected. And I think people tend to overlook that as an issue. Well, if your backups get encrypted, you can't restore.

Thomas Yeah.

Ron End of story.

Thomas Or if they get destroyed, like we were talking about.

Ron Yeah, yeah. That's, it's only gonna get more complicated and it's only gonna get more of a moneymaker and these people have to be making hundreds of millions of dollars.

Thomas Right.

Ron It's just there was a hospital where I got anything. It was an egg before I say the state, it's going to be wrong, so I'm not gonna say it. Um, there's a hospital that got CryptoLockered and patients. There was real world ramification for patients because they could not access chart information because everything's electronical, electronical, [laughs] electronic in a hospital.

Thomas So I know the city of New Orleans also got attacked and their whole infrastructure was shutdown.

Ron Like I want to say they spent millions of dollars.

Thomas Yeah. A lot of money, a lot of money and a lot of government time just to get files backed up and get everything restored.

Ron Well and I think that it goes a little bit further to think that, you know, this isn't the as it should be. It should be in the front of people's minds that this is a real world issue and it's impacting everything everyday. If you don't have a good spam filter or a good education wrapped around these emails that are coming in or education wrapped around like, Hey, you should probably run something by somebody before you click it or enter in your Office 365 information. Like there's, there's things that you can do as a business owner or even as a worker to stop this threat because it's not foolproof. It can come in. Like I was saying, it can come in from an attachment from another email account that maybe you trust and they just, you know, whatever the case is they're in.

Thomas A miscellaneous USB that you found lying on the ground.

Ron Oh, that's brutal. I bet people do that too.

Thomas Yeah.

Ron So let's talk about why they're doing it and how they're doing it. Right. So you and I ran across an interesting article based on basically ransomware as a service.

Thomas This was insane to me. I had, I know everything's being provided as a service now, but to think that like the negative sides of the internet are being provided as a service. I dunno. I was just very surprised.

Ron I don't think I'm as surprised as I am. Like, like, um, I guess not like it's not, it would, I would assume it is.

Thomas Well for me the, the surprise wasn't that it existed. Yeah, it was how organized it, how professional.

Ron It's like Amazon.

Thomas Yeah.

Ron Yeah. It's crazy.

Thomas Like they had, they have packages, they have like costs associated with the packages.

Ron They have undetectableness. Um, yeah. What was the other one that you and I were talking about? Claims to be fully undetectable are misleading. Only indicate two possible anti detection capabilities. However, none of these avoidance techniques give the ransomware true FUD capabilities. So like it's scary to me. I mean I, I've had people ask me like, why do you think they're doing it? They're doing it for money. There's no other reason to do it.

Thomas No. They sell it as a service. And then those people who take that and make their own little package of delivery then get their, you know, X amount of money back.

Ron So then you go to this website and you say, I want this ransomware. I want this variant of it. Maybe it's a new one that's not hit everything yet. So then you, Tom has purchased this, you put it in your PayPal, you buy it, now you have a fully accessible ransomware toolkit.

Thomas Correct. So then now you really customized to how I want it delivered to what I want attached to what I want it to do.

Ron So then you have to figure out a way to deliver it.

Thomas Yup.

Ron So then that's either via email or script on a website.

Thomas Yeah.

Ron And so once you've delivered it, now you own the decryption tool. So now the money is going into an account that I'm assuming that you've set up.

Thomas That's correct. Yup.

Ron So not only, it's not like Russia or China or whatever, it's anybody. It can be me to you down the street, you know? And I think that's crazy to think that it's so accessible and easy to get to. Right. I think that's the most shocking part. It's not shocking that there's an as a service for sure. Shocking like me and you could just dial it up and be like, here we go.

Thomas Yeah. And how like I, I don't want to say it's reasonable cause it seems weird to talk about. But how reasonably priced it was.

Ron Does it show the pricing?

Thomas It does, um, for one of the services and it wasn't like the most full proof. Like this is the best service, but it was still, they offered a lot and their high end package...

Ron $349.

Thomas Yeah.

Ron Hey, what's up for $349 for a gold account to get a virus. You can get a diamond account for 895 a month.

Thomas Yeah.

Ron But really that's not that much money. When you're charging $42,000 to restore, you hit gold once baby it's paying.

Thomas Now some of these have like caps because the, the people providing the service still have like an in with them. So there's a cap on how much they can actually like make off of it.

Ron So okay. So I'm, I buy you buy a virus, you deploy it. I get it. I have a bank, whatever the case is and now it's going to cost me 50 grand.

Thomas Yeah.

Ron So then this company now is going to be like, okay, I'm going to take a percentage of your 50 grand.

Thomas Yeah.

Ron Holy sh*t. It's very complicated. It's not just like Tommy in the basement writing a script and here we go.

Thomas But it's also simple in the fact that I can just go to this site and just do it.

Ron But now you're just doing it to be a bad actor. You're not doing it for, I mean I guess you're going to make some money, but you're not going to be getting rich.

Thomas Yeah. So you pay for the service and then they get a little bit of a cut. But then in the end, uh, they were saying that the total net profit for one person was like 10 to $12,000 per attack.

Ron Per attack. Per successful attack.

Thomas Correct. There's a cap on how many people can affect. So it's, it's offered just like any other type of software. So it's like 50 people, you know, you're, you're the bare bottom or up to 250 people if you want to buy the diamond subscription.

Ron So that's, that's based on your attack, your threat plane there.

Thomas Correct.

Ron That's crazy to me.

Thomas But you have to have a like a really good additional plan for the, that bulk because they're going to spend a lot more money and trying to get back at you. Then that smaller, smaller group, they're just going to try to pay it and get it taken care of.

Ron So you can buy the ghostly locker for $3.99 a month. Um, you get a dashboard, you get unlimited bills, builds, you know, uh, offline encryption, customer custom disc encryption, custom file encryption, and you get 24 by seven support. Holy, it's a business baby business.

Thomas It's a business. Exactly. It sounds like we're advertising it, but it's just...

Ron I think people were, were, we are kind of advertising it, but we're doing it so people understand that it's not, it's not like a, a Russian guy behind a keyboard doing all this nefarious stuff that everybody wants us to believe it's anybody.

Thomas Which is, that's, that's the part that just blows my mind.

Ron Oh yeah. That's crazy.

Thomas To me it's so organized. It's so easily I will easily accessible is you still have to know a little bit.

Ron Oh, you got to get in that dark web.

Thomas Yeah, exactly.

Ron So I guess if we're going to take anything away from this, it's that you have to have the proper protection.

Thomas Correct.

Ron You have to have the proper things in place. So if you get, if you get CryptoLocker it are locked or encrypted, whatever the whatever the Varian is going to ghost ghostly or whatever it is, um, you should have a backup disaster recovery plan in place.

Thomas Correct.

Ron With yourself or your provider or whoever's handling your it stuff. What's the, what's the, the first thing that we have to restore? What gets us back to serving our customers quicker? How big are these files? How long is this going to take? You have to test all this stuff so you know what's going on. But the other key indicator that doesn't get a lot of play and a lot of love is just traditional antivirus now, right? Absolutely. It's not going to stop everything. We use SentinelOne, which is an EDR, so it's considered a next gen antivirus that learns. So we don't have the waiting time of traditional antivirus, but I think everybody should invest a little bit of money and time into learning what their security practices are and what their restoration practices are. I mean, it's, it's not going to stop.

Thomas No, not at all. It's getting more complicated while also being more easily accessible.

Ron So it's only going to get worse.

Thomas Correct.

Ron It's going to be no different than spam at some point where it's just kind of happening. So, well that's a, yeah, that's, I mean, that's how they're getting in. Right? So they have to, they have to use some type of way to facilitate what's going on.

Thomas Yup.

Ron Um, there was another thing I wanted to touch on on this list, man, there's this, to me, this is mind numbing, how easy this is.

Thomas Yeah. Yeah. And one of the things you mentioned, we use SentinelOne, and I guess it's, I'm going to rep us a little bit, but the SentinelOne that we use actually has pretty advanced detection for that stuff. I was reading a little bit about it from those articles and it was just talking about how it detects like the, for example, the shadow copy deletion.

Ron Yeah.

Thomas Like it prevents that immediately. So it will detect any changes that are happening to shadow copy and then lock that door.

Ron Yeah, I mean it's, it's different in the way that it's not going to let it run and be like, Oh, you're doing bad stuff after you ran for a bit. You've been doing bad stuff, so I'm going to stop. No, it's going to stop it dead in its tracks. That's why we switched to it. Right. I mean, it's expensive, but it's worth its weight.

Thomas Yeah, yeah, absolutely.

Ron So the other thing that we, you and I were sending articles back and forth with cyber liability insurance. You know, some people just like, I don't care. I get cyber liability insurance, it's gonna pay off. But I think the thing that we need to understand is it's not going to, in every instance.

Thomas That's the thing that I find a little depressing about. The whole situation is, uh, you pay all this money and with all this expectation that it's going to be covered and all your time loss is going to be covered, any data loss is going to be covered and then you find out that one little thing was out of the place and it just wipes your whole thing.

Ron So I guess, and I'm not the person to speak on this, so I could be completely wrong, but this is what I've been reading, is that if you, if your ducks aren't in a row for certain things, then that cyber liability insurance policy is not going to pay out in full or pay out at all.

Thomas Correct.

Ron So people are under the guise of yeah I got cyber liability policy. Nothing can happen to me. And I think it's just a falsehood. It's just more of a, I got something else and hopefully it pays off, but...

Thomas It's like extra security, but it's like air quotes right now. But yeah, it's a, you know, it's any insurance policy. They're going to do their best to protect themselves while also, you know, they're, they're going to try to help you with your interest, but if you're not doing the things properly that they outlined for you, they're not going to cover it.

Ron No. And I think that people need to look at the, the, you know, look at your policy and make sure the stuff is covered. That's great. But also look at what you're doing, right. Are you getting training? Do you have the proper things to put in place antivirus, a nice firewall, um, backup, a nice backup schedule, something off site, and they're very inexpensive, very, very inexpensive. I think you can do a backup plan now through some of the smaller providers for, you know, a couple hundred bucks a month.

Thomas Really?

Ron Yeah. But that's, it's more personal side. When you get a business, it gets a little bit expensive. I mean, who's not to say you're not going to get CryptoLocker at home right at the other or whatever ransomware.

Thomas All those family photos and everything. Just getting wrapped up.

Ron: I couldn't imagine what would happen if I got something at home. Yeah. I mean, everything's connected. I got that NAZ, I wedding photos, kid photos, anything on there. It would be gone and I don't have backups of it...

Thomas Which would suck.

Ron See you later alligator and have to pay the money. I don't know. I just think that there's a lot of misinformation out there and we're probably not helping it because we probably not experts in this arena. Um, you know, I think it's, it's, it's a high time and it's a change. You know, 2020 is a new year. I think everybody needs to look from a security side of it to say, what am I doing? What makes sense, what doesn't make sense and go from there.

Thomas Right. You can at least start a discussion on it and have people think about it, read some articles for themselves.

Ron And I think it's got, you know, now that it's having real world implementation and implementations, I can't talk implications, jeez. Implications that, uh, it's starting to be like a bigger deal.

Thomas Yeah.

Ron Boston had a big ransomware, New Orleans had a big ransomware, local cities around us had ransomware. One of the local companies went out of business.

Thomas Yeah.

Ron Cause they're like, Oh, the insurance company will take care of it. But then the insurance company couldn't, and now they're facing federal charges cause a bunch of PHI could've been exposed. There's, there's so many things to think about and it's not just, uh, like a, like a S a S like, as I say, a silver spoon. But that's not the case. Um, like one size fits all solution.

Thomas Sure.

Ron It's not, it's just you have to do so many things to make sure you're covered.

Thomas You really have to be invested in your cybersecurity.

Ron Yeah. I think to yourself, to a point, you have to be, no matter how big your company is, or no matter how big or your, I mean, your house is or whatever the case is, they gotta be ready for it. You know, it's, it's a very interesting thing and it costs a ton of money. 42 grand to get decrypted right now.

Thomas And that's just the average. Like I said, there's some people that are 288,000.

Ron That's nuts. Yeah. And that's out of your pocket.

Thomas Yeah. There's no way that they wouldn't go after the other. They're not like looking to get into my house.

Ron But you don't know man. Yeah. You can click on that link and get it now. Now me that made that virus that I bought offline now I've encrypted you. I'm about to make some cheese.

Thomas I gotta watch all my links from you now.

Ron Yeah, dude, it's crazy. Yeah, and I think that the more people talk about it in, the more they're aware that it is, you know, a multipronged situation. It's not just, it's coming to an email, it's coming in jump drives, it's coming in websites, it's coming in scripts. It's coming in anywhere. Physical things now, like you said, back to the jump drives, you can go to an event, grab a jump drive.

Thomas They just hand them out all over the place.

Ron I mean, I'd take them.

Thomas I work for X company. Here you go.

Ron Yeah, no, it's not good out there. So in conclusion, everybody CYA, get a backup offsite back up. Get an antivirus that's gonna do its job. Um, make sure your spam filters tuned in. Don't click on links you don't know, don't put your credentials in websites that don't seem to be a up to snuff because it's going to happen.

Thomas Yeah. And if you have an IT guy and you just don't know, ask him.

Ron Yeah. Don't hesitate to have that conversation. And if you don't have one and you want to ask questions, don't hesitate to reach out to us. Um, because we, we are lucky enough to have a lot of great tools in our, in our tool set here and that, uh, can help somebody out. So, um, any parting shots on ransomware before I go and purchase it in ransomware your house?

Thomas Uh, please don't.

Ron Okay, since you said please I guess I won't. Nah I've, it's scary, man. Yeah. All right. Nothing we can do about it. All right,

Thomas Watch those links.

Ron Yeah. Do you know, so the Microsoft released a new rule for Office 365 because people were white listing malicious senders.

Thomas Really?

Ron So now they just basically released the statements saying you can white list it, but we're still not going to let it through.

Thomas Nice.

Ron Yeah, that's what I said. I was like, Oh, well everybody have a good day. Thanks for listening. This is the Geek Freaks Podcast. Thanks, Thomas.

Thomas Thank you.

Music [Outro Music].


See this search field in the original post

See this form in the original post

See this form in the original post

See this form in the original post

See this content in the original post