Cyber Security
The cyber security podcast from SE Labs.
Understand cyber security and other security issues. Practical and insightful, our experts have experience in attacking and defending in the physical and digital worlds. Peek behind the curtain with Cyber Security DE:CODED.
Ransomware | S2E5
Ransomware is feared by businesses all over the world. What happens during and after an attack? We give a unique insight into the experiences of ransomware victims.
- How do organisations react to a ransomware attack?
- We examine the grey area between good and bad apps
Guests on this month's Cyber Security DE:CODED podcast include Jeremy Kirk (The Ransomware Files) and Dennis Batchelder (AppEsteem).
Plus a full bonus interview with Jeremy Kirk.
Security Life Hack from Brian Monkman (NetSecOPEN)!
(Full Show Notes available on our website.)
Simon Edwards 0:01
Welcome to DE:CODED, providing in-depth insight into cyber security. How do organizations react to a ransomware attack? In this special episode, we talk to someone who has unique insight into the effects that ransomware has on businesses. We also examine the gray area between good and bad applications. Our special guests are Jeremy Kirk, from The Ransomware Files podcast, and Dennis Batchelder, from AppEsteem.
Show notes, including any links mentioned in the show, are available at DecodedCyber.com.
Ransomware is on everyone's minds at the moment. It's the type of threat that really focuses the thoughts of people who run businesses. This is because it's such an obviously bad thing with a clear financial penalty attached to it. If you get hit by ransomware, the attackers will attempt to extort a specific amount of money from you. And you then have to clean up afterwards, close any loopholes that you find and plan for future attacks. Hacks that steal information are clearly bad. You can face huge fines for losing people's personal information. But it's hard to quantify how expensive it is when someone steals your intellectual property. A ransom, on the other hand, is a very clear threat that any executive can understand. You don't have to be a business genius to understand that a company paralyzed by locked-down computers is in trouble, and that paying criminals thousands of pounds or dollars is a bad thing. Jeremy Kirk is an IT journalist with a long history of covering security issues. He runs an excellent podcast called The Ransomware Files, in which he talks to victims of ransomware and discusses their experiences. There are some very cautionary tales on his show. And he joins us now to talk about what it's like to get hacked, and to share his observations when dealing with victims. Jeremy, people don't usually want to talk about ransomware. Is that because they have company policies that stop them discussing it?
Jeremy Kirk 2:12
It could be. I mean, some of the organizations I've approached have had active legal cases related to loss of data. I won't name the company, but I know that one had like a pending class action suit. I thought I'd try them anyway, just to see if they would talk about it. But I mean, generally, you know, companies and organizations, they really, especially private companies and publicly listed companies, they don't want to talk about this. And, you know, I said before, it's like, you know, asking a company, or a person, about what was your worst day, you know what it was? And usually it's the day that ransomware strikes. So, you know, some organizations have been more forward than others. However, like, if I take, like, the education sector, right? Like, when I kind of pitch them and say, hey, would you want to talk about this, you know, with a view to helping other school districts or universities, you know, defend against ransomware, recover from ransomware? And oftentimes, they're like, yeah, they see, like, the educational component of it. Right. Whereas other companies just see bad PR.
Simon Edwards 3:16
Yeah. So pitching it as a way to help others is quite a good idea, isn't it?
Jeremy Kirk 3:19
Yeah, totally. The whole theme of the podcast, really, it was designed to say, hey, look, let's try to tackle this problem and learn from each other. It's okay to talk about it. There should be, and I say this in every episode, after I do the intro, I say, you know, there should be no shame in getting infected. But it's important to share the lessons. And so when I kind of pitch people, I say, yeah, just listen to it. And I think you'll understand that this isn't about, you know, tell me how you got hacked, right. Like, this is a really niche podcast, I understand the technical details, you know, we can go into that, I want to go into that. And this is with a view to help other information security practitioners defend themselves. And also be fun too. I also like to try to have some humor in it and, you know, some lighter moments, because it is a very topic and, you know, IT teams take it hard when they get infected, you know.
Simon Edwards 4:13
Some of the people you've spoken to have had very visceral reactions, that personal stress when their organizations have been hacked.
Jeremy Kirk 4:23
It has totally taken me aback sometimes, the stories, you know, of just how much it affected them, you know, because I think there's, you know, for IT security teams, it's like, you know, a point of pride too. It's like somebody's just taken what you've built and destroyed it, right? And now you have to rebuild it and you're under a lot of stress, the company's not operational. You know, there's a lot of stress from above. And I think, you know, I didn't even really realize that because, you know, I'm a journalist, you know, I'm not like an incident response person, of just, yeah, just the gravity of it all. And like, you know, I just released the eighth episode. And that resulted, the person I spoke with was a security architect at Travelex when all that went down. And he ended up having a heart condition develop later in the year and had to have surgery. And he attributed, you know, part of that to the stress of just that year. You know, that was one of the most talked about ransomware incidents. They were infected on New Year's Eve 2019, but it was mostly talked about throughout 2020. But yeah, it was hard for him to talk to a guy from MERS who were working on their privileged access management team. And yeah, you know, he was really deeply affected by it, you know.
Simon Edwards 5:42
Ransomware can affect the health of a wider group of people too. The WannaCry attack damaged systems in the UK National Health Service, and people who needed surgery, they didn't get it.
Jeremy Kirk 5:53
Even more recently was the Conti attack against Ireland's health executive. You know, I mean, they had to call out the reserves to basically help, you know, reimage machines. And, you know, so it gets really hairy, you know, really quick. It's not usually quite that dramatic, but there's always that potential because IT systems are at the core of everything we do, including the health system.
Simon Edwards 6:16
Well, and that school district that you reported on where even the buses couldn't run.
Jeremy Kirk 6:21
Yeah, yeah. I mean, yeah, drivers, I didn't even know this, you know, because it's been so long since I was in primary school. But yeah, the bus drivers now use, like, I don't know what they are, but it's like an electronic system now to basically map their route every day, I guess.
So, yeah, I mean, that was down too, and, like, you know, lunch systems. And it's like, just like everything that works, you know, on a Windows server. Like, I think in the first episode, yeah, that, you know, the school didn't have any sort of tally anymore of, like, how much credit was on kids' lunch cards and things like that. So it's, like, totally disruptive. And, you know, I think that's one of the key things, too, is that organizations never really realize how bad it's going to be when everything doesn't work, because nobody really thinks in those terms of this sort of total disaster. You know, most people are sort of tangentially aware of ransomware and might, you know, might have kind of heard about it, you know, small businesses too, and things like that, but they don't really understand the gravity of, like, what they'd have to do if everything doesn't work.
Simon Edwards 7:35
And the impact on a small business can be totally disruptive.
Jeremy Kirk 7:40
Yeah, absolutely. And, you know, small businesses are a big chunk of these kinds of attacks, too. And, yeah, you don't hear about them as much as sort of the bigger ones, I guess, because there's probably a few reasons for that, too. You know, big companies, it's probably more obvious, like universities and hospitals, right? When things don't work, people are, like, why doesn't this work, and so, you know, it comes into the public consciousness really quickly. Whereas smaller businesses, not so much. Like, I did an episode on an Australian business that makes software to track, like, supply chain. So say, for instance, Simon, you make yogurt. This company makes the systems that would put the expiry dates on the yogurt tubs. And so if you have to do, like, a recall, or whatever, you need to know that that pallet, you know, is in West London, and that's the one we have to recall. So they do all that kind of thing, called intelligent tracking software. And, you know, they had been hit by ransomware even before they had their big incident, but they didn't quite take the remedial steps they needed to take. And then the next time it happened, it was really bad. Like, it was everything, like all their databases, and, you know, their ERP systems and, like, HR and, like, you know, the whole nine yards. And, you know, they're just like a successful Australian family-owned business, you know. And it's one that I think might have gotten a couple of press reports, but, you know, just a lot of these businesses that are behind things that we use or consume every day, you know, they're not necessarily, like, you know, who would know by name an intelligent tracking company? It's just something that's so specific that you probably would never have heard about it. But in their particular case, they were Australia's first double extortion victims.
So not only did they encrypt their files, but they also started to release them. This was a group called PYSA, which is short for Protect Your System Amigo. Yeah, nice guys.
Simon Edwards 9:52
With these slightly obscure companies, do you think that they are targeted? Or do you think that the attackers are sort of spamming stuff out and then seeing what bites and then taking it from that?
Jeremy Kirk 10:02
I think some are intentionally targeted, but I think a lot of them, this is just random, you know. And you have to think of, like, the whole cybercriminal chain too, right? Because it's like, you've got affiliates using ransomware developed by a main group, and those affiliates are often getting, they're just buying access credentials from the, you know, the IABs, the initial access brokers. And so those are the people that are just specializing in doing a lot of the phishing and, you know, running botnets, you know, doing large-scale data collection of infected machines, right? And then sorting it out and going, all right, we've got credentials for, you know, I don't know, mer, Sc, or we've got a bunch of credentials for Nabisco, or we've got a bunch of credentials for, you know, Chelsea Football team, you know, their back office or whatever, you know. And then, you know, the affiliates are looking through that and going, yeah, okay, I'll buy those, you know, see what works.
Simon Edwards 10:55
That's something we haven't touched on at all on this podcast, the criminal industry that exists behind the headlines, the fact that there are some hackers that do the initial hacking, and then they sell the information to other hackers who continue to do things like maybe what you might call the actual crime of data theft or data destruction.
Jeremy Kirk 11:17
Yeah, yeah, absolutely. All this stuff is just parceled out now, which has allowed for, like, a real specialty. So you no longer have to, like, be the one who, you know, brute forces some company's RDP that they find, and then, you know, work at that for a couple of days until they can get in. I can just buy that stuff from somebody. And so it makes it nice and tidy of, like, okay, you can already get in, right. So you can work on the next kind of phase of, you know, with ransomware gangs often, like, reconnaissance, you know, trying to look for Active Directory, trying to kind of create a network map, running all these sorts of commands that allow you to get a grasp of, like, okay, when I launch this ransomware, right, what can I hit, where do I need to move into, to perhaps cause, you know, sort of more damage. And then, you know, there's even the whole customer service angle to ransomware, of, like, once you're infected, you know, you can go to a portal and start having a negotiating chat. And, you know, even on the defensive side, there's a lot of harsh saline too, because your IR team comes in, your lawyers set up your IR team. Your lawyers may also have a negotiator on tap to be able to handle that, like an experienced negotiator, you know, who can get the, if you are in a position where you must pay to resume your operations. So it's like almost on both sides there's this real parceling and specialization of these kinds of, like, skills, you know, that are related to an attack.
Simon Edwards 12:52
Yeah, and I'm thinking that, you know, with the oil pipeline that was hacked, apparently they did pay the ransom. But the decryption software that was provided was too slow. So they ended up restoring from backups anyway. And it made me think that maybe the bad guys can actually compete with each other on the effectiveness of their own tools and their customer service.
Jeremy Kirk 13:16
Yeah, you're exactly right, Colonial Pipeline. So, you know, with Colonial Pipeline, you know, they shut down the pipeline because the ransomware wasn't in their operational technology part, but it was in everything else. And I think they kind of panicked and paid. And you're exactly right, when the group gave the decryption key back, they discovered quickly that actually their backups were decent, and restoring from those backups was going to be faster than using the key. So, like, when you get the key from them, you know, it's just like a private key that unlocks either all the computers, all the files, or sometimes there's, you know, there's sort of different keys involved, too. But when you get that back, it's just not, and I think a lot of companies don't realize this either, is that it's not just like me handing it over. Like, you don't have your house keys, and I have your house keys and I say, Simon, okay, give me 20 pounds, and I'll give you your house keys back, and you just walk in and everything's fine. Right? It's more like, I come into your house, you know, remove everything. Right? And then you say, okay, and I say, I'll give you your stuff back. And, you know, I give you the key and you open the house, and you're like, well, where's my stuff? And I'm like, oh, no, it's more complicated than that. I gotta bring a truck by and put everything back.
Simon Edwards 14:38
And I've stored all the bits across the UK in different parts of the country. So it's gonna take quite a long time to get it all there.
Jeremy Kirk 14:44
Exactly. So when you get the key material, right, this is just, like, really raw kind of stuff. And it's not optimized for quick restoration, like your backups would be, right. Your backups, you know, most backup providers can do that pretty quickly, depending on what your sort of architecture is. So I think, you know, if I were to tell a company something, it's like, don't think you just pay and everything goes back to normal. That's not it at all, you know. It may be still weeks and weeks of work to get things up and running if you pay, and then you've got all those costs, in addition to the ransom, all those normal recovery costs that you would, you know, have after an attack of that sort of magnitude.
Simon Edwards 15:29
So talking about payment, should companies pay? Have you spoken to any who regretted it or think that they did the right thing?
Jeremy Kirk 15:36
Well, that is a fantastic question. And, you know what, I've not been able to get an organization that has paid the ransom, or at least one that submitted to it. Right, right. Well, actually, all the ones were very open. And all the people in the episodes were very open about it, so that, you know, they didn't pay. But Travelex did pay, in episode eight, but I didn't directly speak with people at Travelex now. Like, we know they paid because that was the reporting and also what the REvil gang said. You know, I think there's a lot of shame around it. And I think, like, look, you know, there should be no shame in it. But the important thing to think about, like, would you pay or not pay, is that you need to sort of think about under what conditions that would be something that you would have to do, prior to this happening. And so I'll give you kind of like an example. Right? Like, say, for instance, so you have backups, or you think you have good backups, and you get infected, and then suddenly your team goes through and figures out, oh, wait, these backups are, you know, they're just corrupted, or maybe the ransomware gang got to them and was able to delete them. And you have to kind of think about, like, okay, well, say only 10% of your backups are corrupted, right? Or kind of trashed. Like, would you pay in that instance? It's like, well, that kind of depends on what data was on it. So you need to kind of have tiers of, like, what's your crown jewels? As they say, you know, what's the value of your data? And how much, you know, would you need? Would you potentially pay to get it back? So it'd be, if you have, like, you're gonna lose 10% in corruption, actually, it's usually about 30% due to corruptions and other problems, easily say, like, no, no, we don't have to pay, you know, we can take the hit of the lost data, or whatever.
But all these things need to be thought about before, you know, because gangs are running counters, saying, like, you know, we're gonna double your ransom, you know, if you don't pay within this number of days. And so it's good to be able to, like, get a lay of, like, well, what's the sort of damage? And, you know, how bad is it going to be? I mean, generally, you know, you shouldn't pay any, but I went to a Gartner session, actually, a couple of days ago, here in Sydney, and one of their experts on ransomware was saying, you know, at the end of the day, it's a business decision, you know, and it's made by the board of a company, you know, and they have to take into account, like, how long they're going to be disrupted, how long they're going to be down. And he kind of advised security practitioners, he's like, look, you know, it's not going to be up to you whether to pay or not, like, that's not your decision. Like, your role is to basically be impartial, and, you know, give a tally of the damage and your recommendation on how quickly you'll be up and running. You know, it's certainly a moral question, though, to these gangs, who now have, you know, some of them, hundreds of millions of dollars, right, and they've been able to, you know, buy bugs, you know, buy zero-day bugs. There's strong evidence that, you know, they might have been buying zero-day exploits and zero-day bugs. And that's pretty scary. You know, it's not just like taking advantage of the low-hanging fruit. It's like, because I think of Kaseya in this instance, so because Kaseya was aware of all the bugs that the REvil gang used, most of them, they were warned three months prior, and they were racing to patch, but then somehow REvil figured out some of the same ones and even some different ones. And then did that attack, you know?
So everybody's like, how did they figure this out, right? Like, how did they figure out these bugs? And, you know, we still don't really know.
Simon Edwards 19:30
That's interesting, because when I was thinking about reasons why you shouldn't pay, I was thinking less about the business decisions and more about the moral question. And I hadn't considered that they will use some of the funds that they appropriate to actually improve their skills and their reach. So it just becomes worse. And of course, you also don't know if they're going to come back at you again, if they found that you are a payer. Maybe they still have a backdoor into your systems and they can hit you twice. So maybe there's a more practical reason not to pay as well.
Jeremy Kirk 20:04
Yeah, yeah, you're absolutely right. In fact, at the Gartner session, I think they said that if you're hit once, there's an 80% chance you're gonna get hit again, either by the same gang or a different one. Like, really quickly. In fact, some of these have been turned into kind of like pitched battles, right, like, literally, there's IR people trying to kick them out of the system, and they're getting back in, or they've gotten some other foothold that they're able to use. And so it's an actual kind of, like, you know, sort of cyber battle to get the ransomware people out. But yeah, you know, the adversaries are just very good now, you know, and they're professionalized. And, yeah, like I said, they can fund, you know, they can buy bugs. And, you know, that just puts it on a whole other level, especially when you talk about, like, defense for SMBs. It's just something like, you know, if you're not doing the basics right, you don't have a chance, you know.
Simon Edwards 21:04
Given the sophistication of the sort of cyber criminal underworld, we've got to wonder if they work totally in isolation from other criminal elements, or whether, if you are some big mafia boss, you might decide that the future isn't heroin anymore, it's going to be cyber. And some of these guys are under the control of some people who will do more real-world nasty things, like people smuggling, for example. So then if you are paying a ransom, what you're doing is paying into some pretty disgusting criminal organizations.
Jeremy Kirk 21:39
Yeah, yeah. I mean, you're absolutely right. Yeah. You never know what other bad actors are even expanding into. Yeah, you're funding an industry that's very destructive to your peers. I mean, you know, I think I listened to a podcast, it was by MIT, it was called The Extortion Economy. But it was about ransomware. And it was a terrific kind of miniseries. And it starts off with, like, a tale of what happened when kidnappings were really prevalent in Italy in the 70s. And finally, Italy said, okay, nobody can pay ransoms. And so two things happened. There were some absolute tragedies because of that. And then, secondly, kidnapping went away. Like, it just faded. So, you know, the question has been, you know, for policymakers, is like, well, should countries ban ransom payments? And initially I was kind of like, well, it seems like a logical way to nip it in the bud. And it would. But at the same time, it's like, well, if a company pays a ransom, right, to prevent itself from going out of business, and having 30 people made redundant, and then having to face prosecutors, right? Because they paid a ransom to try to save their business. And we're all expending, you know, court time, and prosecutors prosecuting a company that was just trying to save itself. It just doesn't make sense. It just breaks down really quickly. So I really think the only path really is just to encourage organizations to do the best that they can on the budgets that they have, to at least get rid of the low-hanging fruit and make it harder, right? Because right now, we're really at a situation where if you make it a little bit hard, they'll probably go away and just find somebody else who's a little bit easier. So once that all kind of improves, you know, hopefully it will start, but I think we're really years and years away from this problem going away in a meaningful way.
Simon Edwards 23:44
How do the attacks generally start, just from the people that you've talked to? Is it always phishing or are there other ways?
Jeremy Kirk 23:54
Yeah, it's a lot of phishing and malicious emails. So yeah, capturing credentials through phishing attacks. You know, sending malicious links that lead people to phishing sites. I mean, just sending people, you know, invoices that are actually, you know, malware macros. Like, turn off macros. If you don't have to use macros, just don't use macros. Welcome back to the 90s. Yeah, it's just one of those things. You know, it's often, like, targeting people in HR and, you know, in departments like that, that deal with a high volume of emails, and just trying to get somebody to, you know, open something up. And I mean, that's been, I think, in at least three or four of the episodes, that's just been it. It's just been a phishing email with a malicious attachment that is a Trojan downloader that calls out to another server to download something else. They move around for a while. It's usually that, like an initial access broker, you know, the download, like an Emotet, or, you know, what was Emotet, or TrickBot, you know, those were two notorious botnets that were often the initial piece of malware on a machine, and that later led to, because then the TrickBot and the Emotet people sold off those, you know, hacked boxes to the ransomware folks, and then they would come in and ransom people. So, you know, it's very much a lot of the same sort of stuff. And, you know, of course, like, zero-day vulnerabilities. I mean, you know, I mentioned, like, Travelex, right. It looks like Travelex never actually confirmed how they were infected. But there was very strong evidence they did have unpatched Pulse Secure VPNs. And so, you know, this was in early 2020. So it actually was just kind of prior to the pandemic. But, you know, when the pandemic happened, a lot of companies just had to, like, expand their VPNs. And so that just created a very, you know, wide attack surface.
And a lot of those, like, I think it was, like, Fortinet, Pulse Secure, Palo Alto, a lot of those VPN products had vulnerabilities that were discovered, and the patching just wasn't as fast as it needed to be. So that's, you know, another thing everybody knows, you know, patch quickly, but it's easy to say it, it's much harder to do it, because every organization is different and complex, and has their own, you know, their own things going on.
Simon Edwards 26:17
It's the classic advice, isn't it? Run antivirus, patch systems... You know, it's that five easy things that you can do to secure yourself. But actually, they're not always that easy to do?
Jeremy Kirk 26:27
Yeah, not at all.
Simon Edwards 26:29
But, you know, people can get all wound up about ransomware being a type of threat, but it's not really, it's a payload. And so when we're talking about your router, or any other element of your infrastructure, as long as you know there's a risk, you can make decisions to mitigate those risks, because you can have defense in depth. So, for example, because you work in computer security reporting, you may feel that you might be a target, and you've got this router, and you don't have control of it. And you know, Jeremy, that this router probably has some vulnerabilities in it. So how can you protect yourself? Well, one way would be to put a second router on the inside. And this is another thing you've got to plug in. But if you think that you're at risk, it's a very inexpensive way to create a demilitarized zone, something that people used to do in the old days with firewalls, before next-generation firewalls. And this means that if there's a vulnerability in your router, someone who's automating the attacks, they can take over your first router. But the chances that they will then automatically scan from that router, find your other one, find and exploit a vulnerability in that as well, automatically, is super, super low. So for about $20, you can mitigate that threat. And then when we talk about ransomware, people aren't just out there pushing ransomware, they are doing full-on hacking attacks. It's a full attack chain to take you all the way down to that point where you can run some code on an endpoint, and that would be ransomware in this case, or maybe a data wiper, or maybe just exfiltrate data silently. If people followed best practices in general for cyber hygiene, not only would they kind of fix their ransomware problem, they would fix all sorts of other cyber security issues as well.
Jeremy Kirk 28:24
Yeah, yeah, entirely, entirely. Yeah, I'd agree with that.
Simon Edwards 28:29
I was like, I'd written the script there. But that was.
Jeremy Kirk 28:33
Yeah, yeah. Look, I mean, I think, like, at least we're kind of lucky that the ransomware actors moved on from consumers, like, probably eight or nine years ago. My father-in-law got hit by ransomware, and I think they wanted, like, I don't know, $300 or something, and he didn't pay. He was a university professor; I think he lost part of something. But generally, he was kind of unscathed. But I mean, I guess, like, you know, I mean, that was kind of terrible, to kind of hit consumers. At least with companies, I mean, you know, they can better defend themselves, you know.
Simon Edwards 29:12
But they've got more value as well, haven't they? Because when I speak to consumers, which I have to admit isn't that often, they will often say, well, why do I need to care about VPNs? Or antivirus? I haven't got anything worthwhile. Now, they're wrong, because there's plenty that they do have. But if your average person loses their laptop, usually the concern is about the physical value of that system, not their data.
Jeremy Kirk 29:36
Yes, yes. Yeah. Yeah. So consumers probably
Simon Edwards 29:39
aren't the best target for ransomware attackers, because they don't have the funds, and they don't have the motivation to pay.
Jeremy Kirk 29:46
Yeah, exactly. And they figured that out around, like, what, 2015? 2014, 15? They're like, wait, we can attack companies and get a whole lot more dosh.
Simon Edwards 29:59
But they're just efficient businesses. As you mentioned earlier, they've split their roles. They split their risk. So the people who are doing the initial attacks, that's the high-risk part, because you can be detected. Well, they're not then doing the extortion. So they're less exposed, and they're just being more efficient in the background.
Jeremy Kirk 30:18
Yeah, yeah, totally, totally
Simon Edwards 30:22
Ransomware groups. So we've got these groups of people who are doing the extortions. How can we attribute those? Or should we not bother? Should we just focus on protection and not worry that it's this group or that group?
Jeremy Kirk 30:36
Yeah, that's a really good question, right? Because it's a real soup of gang names, right. And I would say, like, you know, you can do both, and other people do this too, right. So attribution is important, because you do want to try to keep track of the groups and what they're doing, and try to get as much as you can from possible associations. Like, a lot of this stuff is really, really murky, though. But I think one thing that's been quite encouraging is that, you know, ransomware actors have pretty bad OpSec. Right. And so it's worth, like, really kind of digging into it. Because I know with, you know, Kaseya, for instance, there was someone indicted for the Kaseya attack, and also for the one in Texas too, and I forget which is which now, but one guy's in Russia, and another guy was actually arrested in Poland and extradited to, I believe, Texas. I believe it's Texas the guy was caught for. So there's always a chance of attaching, like, real names to these people. And, you know, we've seen, particularly, the United States has filed indictments against, you know, state-sponsored, you know, intel, like, just intel, actually not even state-sponsored, but intelligence agents for, you know, Russia and China, alleged intelligence agents, for doing various cyber attacks. So, I think, you know, especially with resources, and, like, kind of like the Five Eyes, like the fact that, you know, we saw even with the recovery of the Colonial Pipeline ransom, they recovered part of the ransom, right. They make all kinds of mistakes, and it might be possible that those mistakes may lead to identities, they may lead to recovery of ransoms paid, which is wonderful. You know, but they do kind of change, and they kind of morph, but it's important to, you know, like, Mandiant does a lot of research. And I mean, there's lots of, I shouldn't just call out Mandiant.
But I mean, there's a lot of threat intelligence companies that study the methods that they use, like, on a technical level. And that's pretty important for, you know, defence too, because when they're starting to do something new, and that can be caught somewhere in that, you know, chain of things that ransomware actors do, it can give a little bit of an edge to defenders and hopefully be able to shut it down, you know, sort of automatically. You know, there's a lot of stuff going on with, I don't know if your company, you know, does this kind of testing with the EDR software. And, you know, now it's like XDR. Yeah,
Simon Edwards 33:17
we specialize in that, actually.
Jeremy Kirk 33:19
Oh, terrific. So you know a whole lot about this, but you know, it's really amazing compared to, say, a decade ago, what can be done now, you know, as far as, like, okay, we've detected something, and the MITRE ATT&CK framework says that this group is known for this, so we can go, all right, shut off that endpoint. You know, and that's gonna save, you know, a lot of organizations too. It only gets better as well, too. It can get more refined. And there's a lot of just customization available, I think, in security devices. But I'll let you, actually I'll ask you that, you know, what do you think? I shouldn't be asking you rather than blathering on here. Tell me about it. How's it different from, say, 2010?
Simon Edwards 34:02
Well, the full attack chain is really important. And as you say, with the MITRE ATT&CK framework, what they did was to look at the different attack groups, and to kind of classify the tactics and the kind of tools that they use to achieve their goals. So if you talk about APT3, for example, they may start off with a phishing email and then do this, do that, escalate privileges, do keylogging, whatever. You've got this kind of playbook, where they've got all these different playbooks for different groups. And they can be quite similar, because even in 2020, the way of hacking a system in principle is pretty much the same as it is today. It's just the details change. The types of zero-days, that kind of thing. But when you're doing a test, the way that we do the test is we look at those different groups and we say, well, we're going to pretend to be the Sandworm group, or Dragonfly versions one and two, or something else. You have these theories, and we can say, well, this firewall or this EDR product handled maybe the initial part of the attack quite well. But if we were able to get through to the point of escalating privileges, then it stopped noticing what we're doing. Or this product spotted everything in the attack chain. So if you use it in the real world, and attackers continue to work in a kind of similar way to how they have for the last 20 years, which they probably will do, then there's a pretty good chance that this product will detect some stages of that attack, and then you'll know that you've been compromised.
Jeremy Kirk 35:34
That's really interesting. And so I assume that no product does everything perfectly. Right. And so I guess the question is, without naming names, I mean, what goes into the decision of, like, what EDR product to use? Or what should you think about, I guess,
Simon Edwards 35:55
well, there's a whole bunch of things. But if you are a large organization, the first thing you might consider is price. You would consider whether or not it's a competent product, and a lot of companies just look at that top right quarter of the Gartner Magic Quadrant, so that helps them get their shopping list shortened down a bit. And then you might look at what your staff already know. So for example, just to use a company name randomly, let's just say that your firewall is a Fortinet firewall, and you use a Fortinet email gateway. When it comes to choosing an endpoint product or something else, you might be biased towards choosing Fortinet because your staff are already familiar with the products. And maybe by having things combined in that way, things will connect better, and you'll have an XDR kind of solution, all in one hit. Yeah, so it's not always about price. It's not always about effectiveness, and nothing is ever 100%. But what we do find is some of the top-tier products do very well. So when you see the reports on our website, generally people are in the high 90s. And partially, that's because some of the companies that we test with aren't very good. And we don't then publish those reports, because they don't want us to. And in some cases, they're quite new companies who are trying to establish their product. And they use us as a kind of quality assurance service. So we come in and say, actually, guys, you missed all of this. But here's what you can do to help fix it. So
Jeremy Kirk 37:33
so they kind of use you as, like, an auditor, like, almost before. Yeah, that's interesting.
Simon Edwards 37:39
Yeah, because we're testing like hackers. We're basically behaving in exactly the same way as the bad guys. But we're not bad. So that's the main difference. Hopefully, we're not going to jail at some stage. How do companies try to prevent ransomware? Is it all security product related? Or what about, say, staff awareness?
Jeremy Kirk 38:02
So we did just have a chat about, like, phishing training and things, like how different companies deal with, like, repeat offenders. Right, like employees that just continually get fooled by phishing emails, which was a really interesting discussion, actually. The TLDR is, like, yeah, some companies just fire people who repeatedly fail that kind of training, which I found really kind of, wow, I was kind of taken aback by that.
Simon Edwards 38:27
That's terrible, because they're just trying to do their jobs.
Jeremy Kirk 38:30
Yeah, that's what I think, too. And I also think, you know, a second point, it's like, well, look, if somebody gets phished, there's a whole lot of other points in that sort of kill chain, right. Like, if you're just blaming how it started, right, and not catching any of the 25 things that happened afterwards? That's on you, security team. Right?
Simon Edwards 38:51
Yeah, that's exactly right. That's the full attack chain thing that we were just talking about.
Jeremy Kirk 38:55
Yeah, yeah. So if you're not catching it, if you're not using anything to catch any of those other signs, that's probably on you then, because the technology is out there. And look, it's not cheap, either. I mean, realize, like, these types of products are really expensive, and definitely out of the reach of a lot of businesses. You know, SMBs, you know, they probably aren't going to make such an investment, you know, in it. I mean, sometimes in, like, hindsight, I think if, like, you know, a company went out of business, and you say, well, would you spend it now? They probably would have been like, yeah, definitely, you know. But I guess it's hard, there's still kind of a barrier of, like, do you realize that this could be an existential event for your company? And then of course, we've got the scenario where, you know, the attack has come from somebody else in your organization, like, their email account has been hacked. So actually, it's not even like, you know, I've done a bit of domain, you know, kind of spoof type of typosquatting, domain spoofing, and you know, you didn't catch the extra zero or whatever, or, oh, you know, in the domain name. And now it's like, no, the hackers are using somebody else in your organization's legitimate email address and delivering you something that perhaps you even expected. Like, look at BEC. Like, those people sit around for weeks and observe communication patterns between people in companies before they actually do something.
Simon Edwards 40:23
We do BEC testing. So when we test email services, we do exactly that: we set up an organization that's the target. And then we have real customers and suppliers. And we also have typosquatting equivalents and other things. And we do consultancy, too. So I've been in a situation where I've been into an organization, and I've seen their compromised email accounts. And to be quite honest, Jeremy, it's not that hard to do. And some of the basic stuff that the attackers do includes email forwarding rules. So you know, every time you receive a statement of work, or whatever, I get to have a copy of that appear in my Gmail account in another country. And then I know when the invoices are due, and I know what the invoices look like, and I can then send you an invoice for 100,000 euros or whatever. And you will pay it, and then I'm happy.
Jeremy Kirk 41:16
Yeah, yeah, I know that's one of the tips that they say, is like, well, be sure. Can you turn off email forwarding in some of the Microsoft products?
Simon Edwards 41:26
Well, yeah, you have to go looking for it. So you go into your settings in Google or Microsoft, and you'll see the forwarding rules. And you would go, well, why is that there? You disable it. But it's another auditing job, you know. Do you, as the user, are you responsible for that? Or is it the admin? And in Office 365, you can actually disable email forwarding as a feature. Yeah. Which probably these days is quite a good idea.
Jeremy Kirk 41:53
Yeah, yeah, entirely. Because a lot of it is, yeah, it's just process based, right? It's like, you've already got the technology to stop some of this stuff. And also, just like the usual, like, okay, well, if you get an invoice over a certain amount, you've got to make a phone call to that, you know, supplier and, you know, verify the account numbers. And, you know, just taking more time. It's like, you don't even need any technology to go, I'm just gonna run this bank account number by, because we noticed that it changed from the ones that we typically use. And doing that, I mean, so much of it is just literally, like, a different account number that nobody noticed.
Simon Edwards 42:32
I think it's fair to say that most of us believe that ransomware is a bad thing. But concepts like good and bad are subjective. Ransomware represents a threat to us and our businesses, our bank accounts. But as with many areas of life, the idea that something is definitely bad or definitely completely good is overly simple. We see this with the software we run on our personal and business computers. You might consider Microsoft Word or Outlook to be good, meaning that you want to use them. Although I know a few people who believe Excel to be evil incarnate, we're talking about: do you definitely intend to have those applications on your computer? And many people do want Microsoft Office programs like Outlook, PowerPoint, and so on. So we can generalize and say that they are, in inverted commas, "good". Ransomware is almost certainly something you don't want to find on your system, unless you're a researcher playing with it in a protected environment. So in those circumstances, we can label ransomware as, in inverted commas, "bad". But there is a less certain area between these two very clear standards, a gray zone where you might want an app, but end up with something more or less than you bargained for. These are the potentially unwanted applications, or PUAs. And they can play psychological tricks to persuade you to install them. Dennis Batchelder is president of AppEsteem, which focuses on certifying the sorts of apps that you might want to have installed on your computer. And he's also the CEO of the Anti-Malware Testing Standards Organization. So he's very focused on helping you and businesses work safely with your computers. And Dennis, in the security industry we hear terms like potentially unwanted applications. Anything could be potentially unwanted, couldn't it?
Dennis Batchelder 44:28
So let's break up software into three categories. You have stuff that criminals build that you don't want on your machine; we'll call that malware, or even unwanted stuff that we know is bad. And then there's stuff that we know is good, things that are wanted on your machine that you want because you're trying to get something done. And then there's this in-between category, which is, I'm not sure, I want to check it out, I want to test it. And that could be potentially unwanted if it's trying to take advantage of a consumer, you as a consumer, right?
Simon Edwards 44:57
So if I'm the user and I want to download WinZip, or some other kind of useful utility, and my antivirus tells me that it's potentially unwanted, why is it doing that? What's actually going on?
Dennis Batchelder 45:09
Imagine you go to a download site and you want to get WinZip. There are plenty of enterprising companies out there who try and say, I want to make a buck while you download WinZip. So I'm going to bundle my software with WinZip, so that when you install WinZip, you'll be asked, hey, would you also like this free piece of software? Or would you like to try this out? And then you'll get a screen. The user gets a screen that says, do you want to also install this other software? You're gonna love it! It's free. That could be potentially unwanted.
Simon Edwards 45:39
But wouldn't I just say no to all those extras? You could, in fact,
Dennis Batchelder 45:43
if it's done correctly, and it's wanted software, you can easily say no, and you won't get tricked. And that's the ideal case: you got offered something else, you say no, and everybody says fine, and the installation moves on, and you get what you were looking for. You could say yes, as well. And you might be surprised: hey, I got this extra bonus app that I didn't even know I was gonna get. That would be the good case. The bad case would be, install this or, you know, puppies will die. Right, or install this because your computer is going to have problems.
Simon Edwards 46:15
So you could have a situation where users are being coerced into installing software that they don't want.
Dennis Batchelder 46:21
So I would say that users could be tricked, coerced, threatened, fooled, scared in some way into installing the software.
Simon Edwards 46:34
Do you remember the fake antivirus software? Is that an extreme example of unwanted or potentially unwanted applications?
Dennis Batchelder 46:42
Yeah, I would call the fake antivirus, where they were, they, and we should talk about the difference between unwanted and potentially unwanted: something that's unwanted, and something you know is bad. So fake antivirus is a great case. Someone's offering you that they are an antivirus product. But yet it doesn't detect malware. That is an example of fake AV, that they're trying to take your money to get something that they don't deliver,
Simon Edwards 47:06
where they're going to say you have 1000 viruses on your computer, and it's going to cost you $35 to clear them off. But there aren't actually any viruses on your computer. So
Dennis Batchelder 47:15
either there's no viruses on your computer, or they don't clear anything off. Right, and either case is bad. And they cheated you, and that makes it unwanted. A potentially unwanted app would be an antivirus product that says, oh, you got all these bad things, and alarms you, like, unfairly alarms you to pay for a product. Scares you, first shows you all these bad things with the computer, and then charges you to fix them without offering to fix it for
Simon Edwards 47:41
free. And people should care about this. Because in the obvious case, they can lose money. But what about the WinZip situation does it really matter if they install some software that they don't really need?
Dennis Batchelder 47:52
It's possible that that software that they installed is going to scare them later. And so those bits that try and get on your machine, there's this whole ecosystem that takes place behind that WinZip application where someone's trying to make money off a consumer.
Simon Edwards 48:08
So really, the principle is, just don't trick the user. If you're being dishonest at that early stage, you might do more dishonest things later,
Dennis Batchelder 48:18
Right. If you trick the user to get on the machine, or the consumer got fooled to get that software installed, you can generally expect it's not going to be a well-behaved application if they had to fool you to get there.
Simon Edwards 48:30
So you've downloaded your WinZip or whatever software, and you've started installing it. And you may see some options to continue to install these other applications that you don't necessarily want. Where do you draw the line between what's Okay, and what's not? Okay.
Dennis Batchelder 48:45
Yeah, that's a great question. So if, when you're installing an application, it has an advertisement that says, hey, would you like to try this, and it's not in your flow of installing, like it's off on the side, then that's pretty much okay behavior. It's just advertising that's taking place. Where it gets tricky is where you insert that offer into the flow of installing the program. So you think you're accepting the licensing agreement or the privacy policy, but really, you're accepting to install this other software.
Simon Edwards 49:20
Is that just a case of lazy users clicking Next, Next Next? Or is it more devious than that?
Dennis Batchelder 49:26
Yeah, I think humans have this vulnerability. We all have this vulnerability where, when we install software, we rely on muscle memory just to get through the process. I mean, we wanted something, we want to get it on the box. We've done it 100 times before, we just hit next, next, next, because we know it doesn't matter. We're just going to finish it at the end of the day. And so a lot of companies that build potentially unwanted apps take advantage of this vulnerability in people who just want to get through the process, and they get their extra software installed on their machine. Do you ever see
Simon Edwards 50:02
cultural differences being exploited or at least misunderstood here? Say the color green might mean go for some and red might mean stop or watch out. But in others red might be encouraging.
Dennis Batchelder 50:13
Yeah, I think colors make a difference in different cultures. But pretty much what we see in the unwanted space and the potentially unwanted space is when someone is flashing a lot of red color in front of you, that app is showing lots of red, they're generally trying to drive you into buying something, or coercing you or tricking you into buying something.
Simon Edwards 50:36
All right, so red is making someone feel anxious. It's a warning.
Dennis Batchelder 50:40
Yeah, it's a warning for them. Just like a traffic light means stop, or an alarm, or on the side of the road you'll see a sign in either orange or red that says danger ahead or detour coming.
Simon Edwards 50:52
Let's take the average internet user. Well, they're like a lamb to the slaughter. There are all these apps out there trying to trick them. And what can they do not to be tricked to keep their money and to avoid bits of almost malware running on their systems?
Dennis Batchelder 51:05
Yeah, I think the first thing that a user needs to do is make sure his antivirus is up to date. And secondly, I would check and make sure that antivirus is actually pretty good at fighting PUA. Several AVs out there do not really spend any effort in fighting potentially unwanted software.
Simon Edwards 51:28
But why not? Surely they can just block everything that isn't definitely good. What's the problem?
Dennis Batchelder 51:32
It's difficult to decide what's good or what's bad. It's really easy with malware, because they're criminals and they're trying to hide who they are. But with software developed by reputable companies, or companies who have signing certificates, and they don't hide who they are, they say, I built this software, it gets more tricky, because now the AV has to worry about, might they be sued if they detect this app,
Simon Edwards 51:57
right. So there are potentially legal issues involved. There
Dennis Batchelder 52:01
might be legal issues involved. In fact, if you go back 10 years in this industry, there were an awful lot of lawsuits from companies suing antivirus companies for detecting their software or restricting their business in some way. And that was, I think, probably because in those earlier days, there were not really good rules put in place about what's considered potentially unwanted versus what's unwanted, versus what's malware versus what's clean. And so every company was kind of doing it themselves. The antivirus companies were doing their best to protect their customers. And these other applications didn't like that. All right, especially when they felt like it was unjustified.
Simon Edwards 52:42
We've talked a bit about false positives in the first series of this podcast. This is when security products make mistakes and falsely accuse legitimate objects of being malicious. When an antivirus detects a potentially unwanted piece of software, and the person who wrote that software is not happy about it, they would claim that's a false positive, right?
Dennis Batchelder 53:04
Yeah, the third party would generally say you're detecting me by mistake. And they may be right, it really depends what they're doing. And so what we believe is that an antivirus company has a responsibility if they're going to detect a third party app that has a valid signature. It's not written by a malicious author who's trying to hide who he is, they should have a reason and they should be able to share that reason with the vendor for why they're detecting them.
Simon Edwards 53:28
Do the antivirus vendors usually have some kind of process whereby they can get the kind of feedback.
Dennis Batchelder 53:33
So the antivirus vendors generally have a way to respond. They might take months to respond, they might give a form answer, or they might be really good and diligent and say, hey, Mr. Vendor, change these three or four things, and your app will be good to go. And not every AV is at the same level. How are you involved in all this? What AppEsteem does is AppEsteem tries to develop a generally accepted set of rules about what's considered unwanted software and what's considered potentially unwanted software. And what we hope to do is to work with the vendors to make sure that they build apps that are wanted. And if they build apps that are unwanted, then the antivirus companies won't detect them. So we teach those companies how to build their apps in ways that are not tricking users, taking advantage of the consumers or trying to scare them. And so we work hard with them and certify their apps. And then we bring those apps to the antivirus companies and say, these come from vendors who are willing to work with you and change their apps, and we've checked them, and we think they're doing everything necessary that you shouldn't detect them
Simon Edwards 54:47
so they get a badge for good behavior. And that gives them an advantage with the antivirus companies.
Dennis Batchelder 54:52
I don't know if the antivirus companies would think it gives them an advantage. I think that any vendor could do all this stuff without us just fine. It's just there's a whole bunch of antivirus companies out there. And we understand all their different rules.
Simon Edwards 55:07
You're doing the work for some of the antivirus companies in a way. Yeah. So
Dennis Batchelder 55:11
Right, what we do for the vendor is we help them understand all the different rules from all the antivirus companies so they can make the right decisions about what to do. And we're helping the antivirus companies because we've cleaned them up. And now that vendor doesn't have to contact that antivirus company, they just talk to us instead. And they can save time as well. So we've added an efficiency into the system with this badge, with a certification.
Simon Edwards 55:38
So you've taken the heat out of the conversations between the ones that aren't doing it on purpose. They're not suing straightaway, because they have better communication going on with everybody. And the ones who are totally bad. Well, they know that they're bad. And you're saying that they're bad, and they're getting blocked? And that's not really, there's not really much more to say about that.
Dennis Batchelder 55:56
So now those vendors, even if they didn't get an answer back from the antivirus, and they think they need to sue, they can come to us and get an answer from us about why their app is being detected. And we can help them get it right. And we also have a Deceptor list where we can put the apps that won't change or aren't changing on that list. And all antivirus companies detect those apps.
Simon Edwards 56:20
And now, just before we finish, it's security life hack time. At the end of each episode, we give a special security tip that works for real people in the real world, for work and in their personal lives. This episode's life hacker is longtime security expert and firewall whisperer, Brian Monkman.
Brian Monkman 56:39
One of the things that really jumped out at me was practicing losing your phone and laptop. I can tell you from personal experience that, you know, not that I physically lost them, but I lost things from the point of view of, I suddenly couldn't get access, or I needed to make some changes to things, I wasn't sure, you know, that sort of thing. And most of the vendors of laptops, phones, and so on have really good tools built into their platforms to facilitate recovery. But it's really stressful to be learning that stuff when you actually need it. So I would strongly recommend that you practice it and get familiar with the tools before you actually need it. You'll find that recovery will go a lot smoother. Take it from someone who's learned the hard way.
Simon Edwards 57:42
Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. We also have a free email newsletter. Sign up on our website, where you'll also find this episode's show notes and bonus episodes featuring full-length interviews with our guests. Just visit DecodedCyber.com, and that's it. Thank you for listening, and we hope to see you again soon.