Ransomware: Examples, prevention and mitigating the damage
The threat of ransomware keeps growing, as attackers develop -- or purchase -- new services to gain access to organizations of all types: public, private, large and small. In a recent edition of CISO Insights, hosts Dan Lohrmann of Presidio and Earl Duby of Auxiom sat down with three top cybersecurity experts to talk about the latest ransomware examples, the most likely targets and attack vectors and what organizations should do to avoid being victimized.
For this program -- "Ransomware 3.0: Can Anything Stop These Bad Actors?" -- Lohrmann and Duby spoke with Erika Gifford, of Verizon Threat Research Advisory Center, Darrin Kimes, a consultant for Verizon Threat Intelligence, and Allan Liska, a ransomware researcher at Recorded Future.
The panel reviewed the latest ransomware examples and highlighted which organizations are most vulnerable to attack now. They also outlined solutions and provided a detailed list of resources that even cash-strapped small municipalities can draw on to keep ransomware from shutting down their operations.
They covered the weaknesses of some ransomware-using criminals, as well as the fact that attacks could often be prevented with simple steps like implementing MFA throughout an organization.
Still, the experts did not downplay the difficulty of preventing ransomware attacks. Small organizations, both public and private, whose cybersecurity budgets and teams are limited, are especially vulnerable. For them, the panel offered advice on free or low-cost resources.
Listen in on this discussion and, in less than one hour, get up to speed on the latest ransomware developments and what can be done to keep ransomware out of your organization.
Editor's note: An editor used AI tools to aid in the generation of this article. Our expert editors always review and edit content before publishing.
Brenda Horrigan is executive managing editor for Informa TechTarget's Editorial Programs and Execution team.
Earl Duby: Hey, welcome back, everyone, to the March episode of CISO Insights, which just happens to be our five-year anniversary for anyone who's been there from the beginning. Thanks for hanging in there with us and for all the new people we picked up along the way. Glad to have you. So yeah, five years ago we started this, Dan and I, right before Covid hit.
Dan, how does it feel? Five years?
Dan Lohrmann: It feels great, Earl. It's great to be back and I'm actually coming to you all today from Washington, D.C., actually, I'm a little different background -- most people who see this show know this. I'm at the State and Local Cybersecurity Summit, for Billington Cybersecurity, and it feels great to be back.
And I just want to start today's topic of ransomware. And I know we're going to, Earl's going to host it, but I just want to say it's interesting. I've got state and local leaders on the stage tomorrow. It may seem like this topic of ransomware is not as sexy as it used to be. Maybe not front and center, but it's still a really hot topic here.
A lot of these are Chatham House rules, meaning some things that I've been hearing the last couple days, I can't share. Some of it. I can, I do want to kick it off with this one quote that's just grabbed me. I just did a blog for Government Technology magazine from really talking about Black Fog's report on ransomware, their annual report, and it ends this way. We kicked off 2025 with a record-breaking 92 disclosed ransomware attacks in January, a 21% increase over last year -- the highest we recorded since we began tracking ransomware in 2020, which is when we started the show, and we counted 32 different ransomware groups behind the attacks with Ransomware Hub leading the way.
So, this is a really important topic today. It's great to be back. It's great to come in the context of what's going on around the world right now.
Duby: Yeah, that's the amazing thing about ransomware, is usually things come and go pretty quickly in cyberspace, but ransomware is like this thing that just keeps hanging around like a bad cough or something.
It just, we just can't get rid of it. And every year it seems as though it'll be at the top of the most prevalent cyberattack. So, it's interesting. We've been talking about it for years, and here we are having another episode about it. And I'm sure we're going to get into some pretty interesting innovations that are going on in the space.
And I'm really excited about this episode because many years ago I picked up this book right here, and I read this book and I was like, 'Wow, this is pretty cool.' And I heard the author on another podcast, and now we actually get to get them on our show. So, I really am excited about that. Plus, we have two people from Verizon on the show.
The annual data breach report [Verizon Data Breach Investigations Report]. These are a couple of stellar people that contribute to that report. So, we have what I would call a star-studded episode here today. So, I'm really excited to dig into that. With that let's bring in our first guest, and then we'll have him introduce himself. And so, let's start with Allan and then we'll work through the rest of our guests.
Allan Liska: Hey, how y'all doing today? Congratulations on five years. That's pretty amazing. My name's Allan Liska. I'm a ransomware researcher at Recorded Future, and I've been studying ransomware since 2014, so 11+ years now.
Duby: Fantastic. Alright, can we bring in Erika?
Erika Gifford: Hi, congratulations. This is an incredible accomplishment. I'm Erika Gifford. I'm an associate director with VTRAC [Verizon Threat Research Advisory Center]. I run the Rapid Response Retainer team. My background is 12 years Naval Intelligence. When I got out of the Navy, my first soiree into the civilian life as a contractor was going through the Army's top-layer architecture and putting in cybersecurity.
And this was in the late nineties. I'm dating myself. I also built out and ran the GE Capital CRC for three years, which is where I met Earl. And I've done things like overhaul SOCs, like the DHS D SOC and SOC inserts for global corporations. So, I have a little bit of experience doing all of this and I am one of the contributors to the DBIR, I do some of the crunching for them so the real geniuses can take over and create the publication that we all know and love.
Lohrmann: All right, and Darrin.
Darrin Kimes: Yeah. Hi. Hello everyone. Darrin Kimes here. Congratulations on five years. Honored to be here. I'm a consultant with the Verizon Threat Research Advisory Center, or VTRAC as we call it. I work in cyberthreat intelligence and do research on topics such as ransomware, data collection and analysis, threat actor discovery.
Some threat hunting from time to time, and on a rare occasion, I pitch in with some one-off forensics cases. I've only been at Verizon for about two years now. Prior to Verizon, I spent 25 years as a special agent with the United States Secret Service, with the majority of that time in the Chicago field office. There during the times not engaged in the service's protective operations, I worked in an electronic crimes task force, where I performed digital forensics in support of federal, state and local criminal investigations. I really appreciate the opportunity to be here with everyone today.
Duby: All right, so this is, as you can see, we have a lot of experts here and we're going to dig into what's new in ransomware, but just a shout-out to the audience: if you have any questions, throw them in the chat. And we're, as we usually do, we'll work through as many as we can, and we want it to be as insightful for you as we can possibly make it. So, with that, I want to start with Allan. I showed your book up front here, so you've literally written the book on ransomware. You've actually written a couple books on ransomware. I've been noticing that the encryption piece seems to be not used as often anymore in the new waves of ransomware. They're just doing the extortion piece of it.
Is that a trend we'll see continuing or what trends are you seeing in ransomware as we're moving on here?
Liska: Yeah. Right now, about 30% of attacks that we see don't involve any encryption. So that is just data theft. And the reason that we're seeing a lot of that is because data theft can happen from anywhere.
So, it doesn't need to be you or your cloud. It can be your partners or your partner's cloud or a third party and/or their cloud, or whatever. That makes it easier. So, a great example of that is the campaigns that we've seen from the Clop ransomware group, where they are specifically looking for zero-day vulnerabilities in file transfer protocols because they know there's a lot of data sitting on those servers. And they'll get the data, sort through it, and then whatever the biggest names are in that data collected, that's what goes up on the site. So, you may not have done anything wrong. You may have secured everything properly, but if one of your partners didn't, or one of your partners didn't, you can wind up listed on those websites and for a lot of the ransomware groups, they're finding that's just as effective as doing encryption without all of the hassle associated with encryption.
So, I do think that is a trend that unfortunately we're going to see continuing to grow because it's just simply easier to do. Not as easy as what we were talking about right before the event started, where you can just send an email and pretend like you have data and you're going to hold it hostage and hope that they send you money.
But, still, easier than managing the encryption process.
Duby: So, is a ransomware attack that doesn't involve encryption or some sort of malware, is it still ransomware? Doesn't the 'ware' imply some sort of software involved?
Liska: So, it's really interesting if you go back to the first use of the word ransomware.
Not 1989 with the AIDS Trojan, but earlier, like in 2009 when Symantec -- which was the company that first came up with the term ransomware -- they actually used the term to refer to data theft and holding it hostage. And in one of their yearly breach reports, when they still did those, there's actually a little asterisk that they were describing a new kind of ransomware where the bad guys encrypted data, and they were talking about how the definition had changed from just stealing your data to now actually encrypting it. So, we've actually seen over the course of however long ransomware has been around, we've actually seen that definition modify over time. Yeah, it's not as accurate to call this ransomware, but we have called it ransomware before, and we just have to accept that there's a changing definition as the con op of the bad guys changes.
Duby: All right. Yeah. I'll give you a quick second to put a plug in, because one of the audience is asking about your book -- so just take 10 seconds and put a plug in for your books and where they can find them.
Liska: So the most recent one is Ransomware: Understand. Prevent. Recover. Our editors let us sneak in a comic book guide reference for the title. And you can get that off Amazon. So, if you search 'Allan Liska ransomware,' you will find it there. And, if you search Allan Liska ransomware anywhere else, unfortunately, I'm permanently tied to the word ransomware.
Duby: All right, you're the expert.
All right, hey Dan, you're over there in government-land. I'm going out of order here a little bit, but let's just talk a little bit about it -- we see many ransomware attacks that are affecting small governments, small police departments, small schools. How are they responding to that?
Are they just hoping they're too small to be seen or are they actually accepting that challenge and trying to divert funds to fighting that? Or just what are they doing? Maybe they're, yeah…
Lohrmann: No.
It's a great question. I think, first of all, I've been hearing it around, I tend to work with a lot of the larger states and cities, counties, and a lot of them are trying to help their partners. So, a lot of states have what they call a whole-state approach. So, if you're a small county or a school district in Wisconsin, they have almost like a national guard, a volunteer cyberforce that can go out and help a lot of these organizations.
Quite frankly, a lot of them just don't have the resources. Some of them are one-man operations, one-man IT shop; CIO is also the guy who's literally installing servers. Others, it's a little bit more complicated than that, but I think the one thing I want to say out of the gate, Earl, is it's not slowing down.
Whether big, small, medium, the attacks just keep on coming. Both reported and unreported. There's a lot of, again, if you look at the Black Fog numbers -- and we can talk about those just in 2024 -- you start looking at the Change Healthcare [attack]. We know with the big ones, you hear about [in?] the paper, CDK, Starbucks.
But there's also a lot of attacks against water systems -- and that's a big one, critical infrastructure. And a lot of these are small municipalities that run their own water systems and they just really … despite the fact that there is a lot of really good information out there, and I know we're going to talk at the end about some solutions and ways that people can attack this and groups that are out there to help them -- MS ISAC, Multi-State Information Sharing and Analysis Center, and other groups like that -- the reality is a lot of them just don't have the resources to go after it. It's just so much to do, and maybe they don't have the funding or the budget to do it. There are steps they can take. We're going to get to that later in the show.
That can really dramatically reduce the likelihood of them getting hit. Unfortunately, a lot of them aren't, and the numbers are getting worse. They're not getting better. It was the top story in normal and cybersecurity in 2019, which led to my book that we wrote, Cyber Mayday. We've talked about it on this show before -- Cyber Mayday and the Day After -- which are true ransomware stories from all over the world.
It was the top story in 2019, and it's only gotten worse every year for the last five, six years. So, it continues to be the big story outside the Beltway in Washington; obviously, nation-state attacks against the Pentagon or the White House will get a lot more attention, but inside the Beltway, it's nation-state attacks against big organizations. Outside, it's all about ransomware.
Duby: So, do these … does, like, a small police force or a small municipality … are they actually paying the ransoms or how are they recovering from this?
Kimes: It really depends. In many cases, you know what happens in real life is they bring in the criminal justice. So, they'll bring in the FBI, they'll bring in the state oftentimes will come in and help them recover.
Some cases, they're having to totally rebuild. In some cases, you can go to nomoreransom.com. You can actually find the FBI's got the encryption key or the state, local government works with law enforcement, some aspect of law enforcement. They're able to rebuild.
And some states like North Carolina have laws that say you can't pay the ransom. There are certainly cases, and I won't go into specifics right now, where cities have paid ransoms. I think that it remains to be seen what'll happen in the future. Does passing the law necessarily stop the ransoms from coming in?
Some say yes, some say no. There's different studies on that, but I certainly think that the reality is that they get help from others to come back up. But just the one thing that you're begging a question, which I'll just say right out of the gate, if you're a small company -- and several companies we've talked about in the last couple weeks that literally went bankrupt because the ransomware -- they said, 'We're not paying the ransom out of principle,' and, literally tens of millions of dollars, companies that have been around for years, went bankrupt. Counties, cities, states, governments … can't go bankrupt. You can go bankrupt with your bonds, but what I'm saying is you still have to run the government tomorrow, right?
So, if you're a county that gets hit, they, in some cases, they've had to totally rebuild their systems. But they usually get help from law enforcement to help them.
Duby: All right. Speaking of that small business side of it -- Darrin, you had sent me some Verizon data last week that was just kind of showing these different statistics and things, and one of the statistics was pretty striking to me. It was a graph, and it had 'small businesses,' 'medium businesses,' and then 'enterprises,' with a bar chart. And when you added up the small businesses and the medium-sized businesses, it dwarfed the enterprise bar on that chart. And I think that's … for whatever reason, it still seems to be counterintuitive to people.
Like they still feel like ransomware only affects large companies, and I try as much as I can to get this message out, and [that] chart was a really good indicator. I wish I would've brought it here and showed it, but can you just talk a little bit about, what you're seeing in terms of what, like the … we talk about the ICP, the type of ideal customer profile when we're trying to sell things to people … so, what's the ideal customer profile for ransomware? It seems to be small, mid-size companies, not large organizations.
Kimes: What I'll say to that right away is ransomware groups look for targets of opportunity.
If it just so happens that I think small businesses are more open to these attacks -- and I'll go into that a little bit. If you just gimme a minute, I'll walk through that, that graphic that we were talking about. The graph is basically a dashboard that my threat intelligence group that I'm a part of puts together basically on a month-to-month basis.
The one you saw was a year-to-date graphic started January 1 and it kind of looks at the numbers. And then what we are able to do is pull the victims down from the shame sites from some aggregators. And then we can leverage Verizon's ability and do some background on the companies themselves.
And that's where that raw data comes from. You can think of this, I use the term victimology of ransomware. Since we're just looking at the victims as well as the total numbers, but what we look at as far as size of the victims, we look at it two ways. There is the gross sales, [that] was one thing we looked at, [that] was mentioned by someone in the group.
'We need to look at that.' We just carved up some categories: 'gross sales from zero to $1 million;' '$1 million to $5 million;' '$5 million to $20 million;' '$20 million to $50 million;' and then '$50 million-plus' to get into that enterprise that you're talking about. What we saw in just a simple pie chart is that there … of all the victims that we saw … there's about a 7% range difference between all of them.
We thought maybe it's not gross sales -- or at least I thought, maybe it's not gross sales -- that is a determining factor. So, we go on it to look at the number of employees of a business, and that's the bar chart you were referring to. We did some research and got with our sales folks that do sales on the SMBs, small [and] medium businesses, and we asked: What do they consider small? What do they consider medium?
And as it turns out, they use 50 and under employees as a small; 51 to 250 is medium; and 250 and over they consider large. And, using that criteria, we found in particularly the first two months of 2025, you could add the medium and large business victims together, and it equals about the number of small businesses that were affected.
Then that brings on the question: Why? Look, small businesses are ... a person doesn't go into a business making widgets thinking that they're going to have to do anything but make and sell widgets. As it turns out, they don't have the personnel likely to look at cybersecurity.
They may not be able to afford a company to come in and provide their cybersecurity, so that leaves them a bit more vulnerable, I believe, in that regard. And that's where we come up with. We also look at victim ownership types. So, what type of business is it? We found the majority are privately owned businesses -- over 80% at least for the first two months.
And this data holds true also for the entirety of 2024, within a few points. We're able to tell a lot about the victims of ransomware that we can find. Again, we scraped these victim names from the 'name and shame' sites as well as some of the aggregators. And keep in mind also, these are all victims of ransomware that did not pay the ransom.
Otherwise, normally those victims don't show up in being named and shamed if indeed they pay the ransom. So, keep that in mind. These are the folks that didn't pay. But that's how we look at ransomware on a day-to-day basis for Verizon.
Liska: Yeah, and I think what's interesting is, what Darrin's talking about here is one of the reasons why ransomware has stayed in the public eye so much.
If you look at the latest Chainalysis report at the end of the year, there were about $1.5 billion in ransoms paid. But if you look at the IC3 report, there were $55 billion that were lost to business email compromise. So, business email compromise actors make significantly more money, the only difference is ransomware actors have their own PR arm in these data leak sites.
So, ransomware constantly gets that attention, whereas the BEC actors just take their money and go buy another Ferrari with it rather than bragging about who they've hit, and that allows it to continue to stay in the public eye in the way that other types of cybercrime don't.
Kimes: Yeah, I'll say to your point, Allan, about BECs, I'll say in the Secret Service, and my experience with incident response, our incident response teams in VTRAC, we see more BECs than we do ransomware attacks.
Duby: That's interesting. So, let's bring Erika in for a second here. You worked on the Verizon data breach report. You add content to there. Where do you see that report going? And how are you seeing ransomware playing into the report? It seems like it's in there every year.
It's one of the top trending items, as we've all been talking about. Where do you see the report coming right now? I know we talked about a little bit earlier and just give us whatever clue you can give us.
Gifford: Okay, so the DBIR team is very tight-lipped, and rightfully so. I begged for snippets, and, of course, they're keeping to that. So, you have to really understand and enjoy that. But marketing is going to let us know on April 2 when the DBIR is going to be released. So, my part in that is going through incidents and putting in what we know about those incidents, right?
Threat actors, how they got in, what did they do, things of that nature. And then enter those into the database, and then the database Gods and Goddess go through everything and then create the report. But I can say what I saw when going through and investigating these incidents when it comes to ransomware. So, a few things that I noticed is that not only is there an uptick in it, but also what we call the name and shame, right?
So, some ransomware groups are continuing to encrypt, but the issue that they have is in the larger corporations they're getting better with backups, so it's easier for them to recover from a backup, catch up, and they're good and running. So other corporations we're finding, or I'm seeing the trend, is that the name and shame, right.
So, they put a little snippet out for the corporations to validate and say, 'Yes, that is our information.' And it's like, 'All right, we'll give you however many hours or days to give us the ransom. If not, we're going to put it out there, and we're going to allow people to bid on your information.' So you have more of that coming in.
Another thing that we're starting to see is that there is a replay of that information, so even though a ransomware actor is going out and saying, 'Hey, this is your information out there,' sometimes when we take a closer look at that, it is their information, but it is from something a couple years prior.
So, there is a lot of replay happening now, on that if they're not successful in getting a ransom or attention. And so, we've seen a couple of those when we've taken a hard look. When it comes to the overall industry that I saw when I took a look at the four biggest ransomware hacks of last year, three of those were actually in the healthcare industry, which I thought was really interesting. Costing millions of dollars for incident response. The United Healthcare … that hit up to, what, a $22 million ransom and like a $2.8 billion recovery for that. So, these are massive.
Third-party again is … we saw, the big trend of third-party infiltration. Phishing is still another one. One of the top four, actually, was because somebody honestly thought it was something coming in that they needed to address. They clicked on the phish and it came in. So, a few things to really look at now … that I saw … especially getting phishing emails into my personal email accounts.
I got one yesterday that I talked about. It was amazing. It was probably the best phishing email I've ever seen. It said it came from customer service. And the way it was put together was really good. So, what I'm also looking at is the increase in AI in some of these making it look a lot better.
AI is also being used to take away accents of people, right? So, when you answer the phone or you see an email, now it looks like it's coming from a native-language speaker of wherever you're from. So, this is another thing to be cognizant of, so you can have somebody that's not really big into the tech be able to use AI, so it could be anybody out there using it and going through and getting that out there. So, these are the trends that I've seen. It's going to be really interesting when the DBIR does hit to see how accurate that is. But you have to realize it's coming from many different countries, foreign reporting agencies, and things of that nature, so what I saw was not a complete data set. It was only a partial data set of everything that I saw personally.
So good stuff coming up.
Lohrmann: Let me just jump in too. Some great data there, Erika. I'm quoting the Black Fog Report if you want to go out and you want to look at my most, one of my recent, blogs came out a couple weeks ago about trends from Black Fog -- their report comes out in March or end of February for last year. They said 745% growth. Excuse me, sorry about that, 745% growth in unreported ransomware. And there's a variety of ways that they get that data. How do they report on unreported ransomware? That's tradecraft. We can talk to our experts about that.
There's a variety of ways that Allan and Darrin can, Darrin and Erika can probably talk to us about the different mechanisms. But also 56% of the attacks use PowerShell; 28% of the exfiltration victims pay; 94% of the attacks exfiltrate data. So exfiltrating data is something that, you know, whether they encrypt or not, we talked about some of those numbers earlier, but from Black Fog's perspective, that's happening.
And a lot of different things. Double extortion, triple extortion -- there's different things that guys can talk about that, but those are just some of the data points from the Black Fog report.
Duby: I'm still just getting hung up on this: Why are they attacking the school districts and small municipalities?
I can understand that maybe the defenses are lower and they're not spending as much as they should and they're running old equipment, so I get the attack surfaces there. But what is the motivation? Because, like, how much money can you really get?
Lohrmann: I think the motivation … I love to hear the other panelists.
Let's get into discussion about this. I think it's money. I just think it's money. I don't see them hitting a school district for some political philosophy about how we're training our people.
Duby: How much money can you get out of --
Lohrmann: I think if you do the … if you do the … if you do the … basically the shotgun approach and you got people and if you, in some cases, you talked to Erika, talked about logging in, phishing, this and that.
People are saying: Yeah, there's phishing, there's a variety of ways they're getting in, breaking multifactor, those kinds of things. You hear about that. But I'm hearing more and more people say, 'Look, we're logging in, we're not hacking in. We're logging in with Dark Web credentials.' And if you can get in, if you can just, if you've got millions, if not billions of records in the Dark Web and you're like, 'Hey, I log in and it happens to be a school district, and oh my goodness,' then they hand it off to the next person and they can get a couple hundred thousand bucks. That's a couple hundred thousand bucks. And you could say from our perspective, 'Hey, if you went across the street and went to Target, maybe you can get a billion bucks,' but maybe a billion, a million, a couple million, whatever.
Now you're going to get a billion. But you could get more. You can get more, but the issue becomes, and I'd love to hear the other thoughts of the panelists. It's an opportunity, money that they're getting.
Gifford: And also, I believe it's bragging rights, right? You have the various phishing as a service and things of that nature.
So, it's marketing for them. So, if you are going to want to have that type of service, what are you going to do? You're going to take a look and say, 'Okay, this particular threat actor's out there a lot, so I'm going to spend however much and join their as a service.' It could be that some of these … the lower municipalities and things of that nature … are paying some sort of ransom.
But the big thing too is what we continue to preach is know what's on your network, understand where your liabilities are. Of the four big hits last year that I talked about, two got through because they didn't have MFA. And so, in taking a look at everything that was going on, it looks like MFA would've definitely stopped these two attacks.
Again, I think it is money, and it's also a marketing thing and bragging rights.
Liska: And don't discount stupidity either. So, we saw this when a ransomware group several years back hit a Palm Beach School District. What they saw is that the Palm Beach School District had a $5 billion budget.
So, to them that translated into a $5 million ransom, because what they're used to is they're used to going to ZoomInfo, seeing how much the company or organization is worth, and then calculating ransom as a percentage of that. So while these ransomware actors, many of them are technically adept, a lot of them at this point are script kiddies because they've dumbed down the tools … so the ransomware-as-a-service operators have dumbed down the tools and the initial access brokers have dumbed down the tools … to make it that all you have to do is follow the script. So, you have to get enough money to buy the access from the initial access broker, have enough money to get into one of these ransomware-as-a-service operations, but then after that it's all scripted for you, including translations of what words you need to look for when you're stealing files. So, you get into a school district, you look up the school district, and you see again that it has a billion-dollar budget not realizing that doesn't necessarily mean that they have any spare cash at all to pay a ransom.
I always try and maintain that balance between … yes, the tools are really effective, and they can do a lot of damage, and I don't discount that at all … but a lot of the threat actors behind it are idiots. And they just happened to have moved into a system that's made to run relatively smooth for them with little kind of outside knowledge of what's happening, and I know that seems counterintuitive because we're told by security companies, RSA's coming up in a couple of months and you're going to hear about how terrible and scary all of these threat actors are. And some of them really are, but not all of them. The ones at the bottom of the barrel, they're not that smart.
Kimes: Going back to what you said, Dan, we're talking about attacks on … why would they attack educational systems, a school district for that matter, healthcare? Why would they want to shut down a hospital? Look, in my research we also look at the industries of the victim and educational victims -- could be a university, could be all the way down to a school district -- they're all put together. We use the NAICS supersectors to carve things over the two-digit sectors. Education is only 3% of the victims, yet I would say they are a much greater factor as far as newsworthiness. Same thing with hospitals. The top industries are manufacturing and professional services, which is accounting and engineering.
But what you hear about are those that cause the pain points: education, healthcare. In Chicago, last year, Lurie Children's Hospital was hit in a pretty bad attack, they had to actually move some surgeries and that made a lot of news locally here in the Chicago area. You also have to look at that factor.
Those are just newsworthy victims. And not that they're any less important than the others, but they are newsworthy.
Gifford: Especially in the healthcare industry, when you have a news story -- there were a couple globally that happened where people couldn't get into the emergency room, couldn't access records to help treat a patient, there were even the cesarean sections that had to be rescheduled, heart transplants. Or not heart transplants, heart issues, heart surgeries that had to be redone. This really strikes fear in the heart of people. If I have a heart attack, am I going to be able to go into the emergency room and be taken care of if I have to have stents?
Is that going to be there? Children having chronic issues and ailments, can my child get treated? This does strike fear in the heart of everybody. So, it makes a pretty good impact globally when these things happen.
Kimes: I just was going to say real quickly, or another big piece to this, I think big piece, maybe it's less piece than it was three, four years ago, is the cyber insurance piece, which is a whole other session, and there are different opinions on this. I can argue it. North, south, east, west. You know there certainly were reports out that criminal gangs were targeting companies that had cyber insurance. And then you get into this whole circular thing about cyber insurance, I don't want to go there today, but that's another thing. If you're a school district, if you're a city, county, state, university, and you've got cyber insurance, that's another whole factor of, okay, how big is the policy? How much can we get? And more and more policies now are saying we're not going to pay for the ransom as part of the policy.
So, there's a lot of different discussion there, but that's another piece of this.
Duby: Alright, I want to keep it with you for just a second here because there's a question that came in around this. The Department of Homeland Security has put some funds out there to help people with cybersecurity.
So, it looks like it was about $280 million according to this question, which, spread across the country doesn't seem like a whole lot. So, what do you think that the federal government can do to help mitigate some of this at the state and local level?
Kimes: Yeah, some of that's already been happening.
So that, that was one year, over the course of a four-year plan. The state and local government grant program for cybersecurity, which it was, across the country, literally a discussion, we had a breakfast here in the room that I'm looking at on the other side, which I could show you all this big room.
I'm in a rotunda. But absolutely, there have been grants for state and local governments. Some of it's gotten down to the counties and cities and local levels. And, unfortunately, it's one-time money. So, a lot of them have used that. We just discussed … a lot of them have used that to do education, awareness, put certain things in place. The operational side of that, the challenge is that a lot of that is not ongoing, and there's even talk about cuts happening right now in Washington, and will the next round of money even be coming, or will that be cut with some of the federal cuts that are happening now? I know I literally talked to somebody in the elevator yesterday here, hotel about a mile away, where there's cuts to the MS-ISAC instead of internet security coming. That's in the news.
But yes, there have been grants, federal grants from the Cybersecurity and Infrastructure Security Agency, CISA, which is part of the Department of Homeland Security, to help state and local governments. One of the solutions is the MS-ISAC, Multi-State Information Sharing and Analysis Center. Go to msisac.org.
Go out there and they have … there are a number of different great websites that have solutions. I see some other questions in there about … what can you do? Backups? Immutable backups. There's a lot of things, steps you can take, and there's a lot of best practices we can talk about, but yes, those grant programs from the feds have helped. But you're right, it is, it does tend to be, a drop in the bucket when you look at the whole country.
Duby: All right. I want to lob one out there to Allan and Darrin. You guys can tag team this question. One of the audience asked it, but it also ties into a question that I just had as part of our overall question set here … With ransomware, when it included encryption, there was something very visible, like you knew that you had been hit and you knew that you had to respond to something. But with the fact that, I forget what you said, Darrin, whether it was 30% or 35% or whatever, that don't involve encryption now, so you have this ransomware attack without any visible sign that you've been attacked, yet there's a ransom that comes in. So how does it change the negotiation tactics, and how does it even change the attack itself if you don't even know if there's actually been an attack? You just get a notification that, 'Hey, we have a bunch of your data. Give us $2 million, or we're going to release it.' How does that change the whole dynamic versus your systems are all encrypted, and your operations are shut down?
Kimes: So, for the example I'll go back to the 2023 CL0P campaign with the MOVEit software. CL0P is a ransom group that is known to attack file transfer systems and protocols.
You're asking: How would you know you've been attacked? In that case of CL0P, you wouldn't know until you receive your ransom note, or unless you're looking at your outbound firewall logs and see a massive amount of data bleeding through your system there.
But for CL0P, what they would do is take advantage of a vulnerability or a zero-day, and they would buy that from a bug bounty or a researcher in that realm. But really all you could do in that, when you're dealing with a zero-day, is watch the CVEs that come out. The latest CL0P campaign, those CVEs or vulnerabilities were published back in October, and their campaign really kicked up in December. I don't know if all that data was stolen during that time between October and December and they're named, but you may not know unless you are, again, looking at that telemetry that shows large bouts of data being stolen from your system.
Liska: Yeah. And again, we talked about this earlier, it may not even come from your system, so you may not know it. Because yeah, if your partner was using the file transfer or Cleo and the latest one and you weren't, you wouldn't know anything about that.
So, when you negotiate with an attacker like that, the first thing you basically ask for is proof of life. Show me that you've gotten my data, so I can see a sample of what you have. And then you have that information to work on to see what they got, et cetera.
And that's where you bring in, generally, you bring in your cyber insurance company, and they often have negotiators either on staff or available on retainer to use. And I always recommend using a professional negotiator to talk to these people, especially for groups that are established, because they know how those groups work, they've talked to them before, they know when they're bluffing, et cetera, and they're really good at doing the negotiation. Unfortunately, I've seen too many organizations try and handle the negotiations internally, and it generally doesn't go as well. So that's the way you have to do it.
And it's weird. We've all been doing this for a while, right? And data governance used to be something peripheral to the security team. But now with these kinds of attacks, it's almost become a core part of what we have to do as part of our security operations, because the CEO isn't going to go to the compliance team and say, 'Hey, why is our data being leaked on CL0P's website?'
They're going to come to you. So now data governance is your responsibility, and that's what you need to be thinking about before an attack like this happens, is you need to understand where all of our data is, right? Because we all live in the cloud now, and so you need to know what teams are doing what and putting what data where and what security protocols are in place, et cetera.
And that's just an additional thing that an already overworked security team has to be concerned about.
Duby: Maybe I'll open this up to Erika too. So, like, the three of you, have any of you seen an example where one of these well-established, well-known, a lot of street cred type ransomware actors has just threatened to attack a company and said, 'Hey, unless you pay me $500,000, I'm going to hit you with ransomware.' So, they're getting paid before they've even gone through the problem or the hassle of attacking a company?
Gifford: I've seen that a couple times, but that's usually when they take information that, or data that they've gotten a year or two prior.
And they'll put it back out there, change a little bit of things to make it look like it's new, but then when we go in there and really pull stuff in and take a look, we can have a pretty high confidence that this is not new data. This is something that was taken before. Sometimes it's from a third party.
There's a lot of companies out there that, the third-party storage, they don't do good data hygiene and they've been hit. And so, they take that data into the company. And then again, when we take a hard look at it, this data is really old and the client's like, no, it has no relevance now. It's way too old, and so nothing's done. There's no contact given back out to the threat actors. So, we do see these things happening.
Kimes: Interesting. Yeah, I guess you could say there's no honor amongst thieves. They'll recycle data in a heartbeat and, I think we saw that with United Healthcare last year.
Duby: Yeah, we just think like the evolution of, we've talked over and again about how these adversaries are basically lazy. They don't like to work hard; they use a lot of automation. They use a lot of scripts. They use an ecosystem. Seems like the next evolution would just be like, 'Hey, I'm going to ask for a ransom before I even attack you to see if you'll pay it and just see if some money will come in.'
Liska: We do see that, but I've not seen it from reputable -- and I hate to use the term reputable -- but from the established threat actors, we haven't seen that yet. We've seen it from scammers pretending to be those. So, they'll drop the name LockBit or ALPHV or whatever into an email and say, 'Hey, we stole your data, and look up LockBit and see how dangerous we are, or give us money.'
Those almost always tend to be scams, but the methods that they're using are always evolving, and so it wouldn't surprise me if at some point we do see that. I mean, it's like the mob going and saying, 'Hey, why don't you go ahead and give us the money now, or something bad's going to happen to you.'
Gifford: And they do that with zero days as well. If the zero-day came out and they're like, 'Okay, hey, you have this, we're going to hit you in 24 hours.' So, they know people are really vulnerable during that time.
Kimes: And an additional tactic that may lead to what you're talking about, Earl, is violence as a service. We have seen advertisements from a few different ransomware groups that not only are they ransoming your data, encrypting your data, on top of that they're threatening violence to, usually it's the C-suite, and normally you'd laugh that off and say, 'Okay, these, the folks are likely in Russia or maybe Eastern Europe, Brazil.'
What they're doing is offering to pay someone local to that business to perform brickings, which literally is what it means: throw bricks through windows. In one case, we actually saw a ransomware group offer, I believe it was 500 U.S. dollars' worth of whatever digital currency they were offering, for pictures of the CEO's house.
So, there is a small sector of these groups that aren't afraid to go kinetic against people that they are trying to extort. So that is kind of a sinister and dark turn that we're monitoring over at VTRAC that we've seen over the past years. And again, we call it VaaS, or violence as a service.
Duby: That's new to me, so thanks for sharing that.
Liska: None of us are any fun at a party. I know.
Duby: I hear that from my wife all the time. It's, 'Man, why do you have to talk about work?'
Kimes: They ask, what do you do for a living? Yeah. You never leave your house. What do you do?
Duby: All right, so we got about five minutes here because we want to wrap this up before the top of the hour so everyone can get to their next meeting.
So, I just want to do a round robin here. Each take a minute to talk about either the thing everyone should be doing or a key takeaway that you want them to walk away from this session with. So, I'll just start at the top of my screen here and work around here. Allan, what's your key takeaway?
Liska: So, I saw that there are a few questions in the chat about 'What's the one thing you can do to protect yourself?' and because this is now an ecosystem and the initial access brokers, with the exception of CL0P, the initial access brokers are the ones that get access. Without the initial access brokers, they can't get out.
So, two things that I recommend to everybody: Keep an eye on the CISA KEV list, the Known Exploited Vulnerabilities list, because there are going to be 50,000 vulnerabilities released this year, but not all of them are actively exploited. The CISA KEV list is a shortened vulnerability list of things that you should prioritize patching now.
Patching things keeps people out, one way, and then monitor for leaked credentials. Erika said this, Darrin said this, bad guys are logging in. If you can get ahead of those leaked credentials and get those passwords changed before the bad guys have a chance to use them, you can keep them out.
So, something as simple as Troy Hunt's Have I Been Pwned service is available, sometimes even at a free level for small businesses. So, every business can do that. You get an email saying, 'Hey, these credentials were leaked,' you change those passwords for those employees. It's not going to stop all the initial access brokers, but those are two ways that you can improve your security relatively cost effectively and keep out the initial access brokers, which will keep out the ransomware actors.
Duby: All right, Erika, what's your one key takeaway?
Gifford: A little tried-and-true stuff. Know what is on your network. And what third parties that you're working with have access to your data. And phishing, right? Once you understand what you have on your network … understand what kind of vulnerabilities you have … mitigation of those vulnerabilities. For two of the big four last year for ransomware, MFA would've helped them a lot. Phishing. People, I think, are getting maybe a little tired of the repetitive education that they have to do. So, take a hard look at your security training, especially your phishing training, things of that nature. How do you make them more engaging? And a lot of … we were talking about this earlier … is to actually add real-life stories. I received that great phishing email yesterday. AI is playing a part in that now, making them look better, taking away any type of accents for any type of vishing calls and things of that nature.
So just put more of these real-life things into the training programs because, let's face it, we get beat with it all the time, and people just click through. So, I think that is going to be an easier way for them to be able to see what actually is going on.
Duby: Okay. Darrin.
Kimes: Yeah.
It looks like Allan and Erika took all the good ones here. But I would say just a couple things. Know your attack surface. You need to know what your company looks like to the threat actor. Maybe you gain that knowledge by hiring red teams for exercises and blue teams to look from the other side.
I would look into -- and I hate to use Verizon terminology; I'm not trying to sell -- but Dark Web hunting. Go out and look for those credentials. Not only there; there are other places out there in the Dark Web where people that know how to operate in those spaces can look and potentially purchase those creds and things of that nature.
But those are two things that I would be looking at if I had the budget for it.
Duby: Okay. Great. All right, Dan, bring us home.
Lohrmann: Yeah, I'd say go to cisa.gov -- cisa.gov/stopransomware. That's just one website. There's a lot of great websites out there with checklists. I'm not going to go through them.
Great suggestions by Allan, Erika and Darrin. But cisa dot gov slash stop ransomware, great website. Also linking in, when do you bring in law enforcement? Lots of questions that a lot of different ransomware sessions have covered over the years. That's the one tip I would give. And then, Darrin alluded to it there at the end, this real quick second one is, make sure that, you say we have good backups, we have immutable backups, but I've seen companies and governments that didn't realize that the actual restore was going to take them weeks or months. And that ended up leading to them actually having to pay a ransom. So, the reality of really knowing truly what it's going to take. In that situation, a tabletop exercise, as Darrin mentioned, or those kinds of things can really help.
But those checklists are really helpful. Go to cisa.gov and also nomoreransom.com is another one. But that's a really good resource. So, thanks everyone for being on today.
Duby: Alright, so April 8, so a month from now we will be talking about … this will be a really interesting one for us, Dan.
I don't think we've ever talked about this topic. So, we're going to be talking about securing space and how do we protect satellites from cyberattack. So that's going to be, that'll be pretty cool. I don't know what kind of guests we're going to have. So, we got our work cut out for us in the next month to come up with some guests there, but
Lohrmann: I got one idea.
I got one idea.
Duby: All right. Good. I know it's going to be a good one. So, April 8, same time, same place. And again, share this episode with all your friends. We're trying to get to 50,000 subscribers; we're at about 43,598 subscribers right now. Hopefully, we can get a big push. Thanks, Allan, Erika, Darrin, for your time.
It's been a great conversation, just like I thought it would be. So, appreciate you guys showing up, and thanks everyone for tuning in and listening. We'll see you next time. Have a great day.