Chris: Hello and welcome to today’s installment of CyberSpeak with Infosec Institute. Our guess today is Bill Siegel, founder of Coveware, a ransomware recovery company based out of Westport, Connecticut. We’ll be talking today about the current state of ransomware, the latest attack vectors, and the best defense methods, and the best things to do if you end up being hit.
Before founding Coveware, Bill was CFO of SecurityScorecard, a New York-based cyber security ratings company. Prior to SecurityScorecard, Bill was CEO of SecondMarket, and served as the head of Nasdaq Private Market, following Nasdaq’s acquisition of SecondMarket in 2015. Before becoming an operator, Bill worked as a distressed debt trader and analyst in the hedge fund industry.
Bill, thank you for being with us today.
Bill: Thank you for having me.
Chris: Okay, I’d like to start with the basics for people who are just learning about ransomware, what exactly is ransomware, and how far back does it go?
Bill: So ransomware is a type of malicious toolkit that typically encrypts data in servers. And the only way to get your data and access to your servers back is to pay a ransom.
It goes back to about 1989, was the first technical ransomware case, very rudimentary. I think it was called the AIDS Trojan. And then the ransomware as we know it today came on the scene kind of in the early aughts, and there was kind of two things that have really led to an explosion of it, which were both cryptocurrency, a way for criminals to get paid anonymously, and then the proliferation of new malicious toolkits which were hacked from our own government, that are available and cheap and easy to purchase, that have really lowered the technical barriers to becoming a cyber-criminal.
Chris: Yeah, I was gonna say I was really surprised to hear that it goes that far back because it feels like it’s a sort of a story that’s really sort of popped up in the last couple of years, but you’re saying it’s going back at least to the early aughts, but that it sort of really ramped up in the meantime.
Bill: Yep, absolutely.
Chris: Yeah, so I know one of the big ransomware cases from the news a couple years agowas Hollywood Presbyterian Medical Center, which basically took down their entire records department. And I believe they paid the ransom, is that correct, to get their files back?
Bill: Yeah, we weren’t involved in that specific case, but that is what was reported. So back in the day when BitCoin was a lot cheaper, but apparently, they did pay the ransom. I believe they did just for continuity purposes. I think the reporting at the time said that they had no backups. And so in order to keep a hospital functioning, doctors having access to medical images, the data they need to perform surgeries, calendars for patients to come in. They really had no choice. A very similar version of plays out every single day with small and medium-sized businesses, where they have to make these basically life and death decisions when they’re not properly backed up, and they really have no other options outside of really letting their business get disorderly, because they don’t have access to their critical system, or make a small ransom payment.
Chris: Yeah, do you think that was a bad decision on their part to pay it, or is it-
Bill: I don’t think they had a choice. Without backups, they probably would’ve had to rebuilt the hospital from scratch, which would’ve taken years, which basically would mean closing the hospital. So it may sound stark, but that is the decisions; close down, and if you’ve got the capital to come back after a period of time, then that’s great, or pay the ransom.
And this is why you see, I think, on the municipality side, because they’re municipalities, they’re not commercial organizations, they’re not just gonna close down forever, right? These places can’t go away. The taxpayers will foot the bill to rebuild the entire city government’s, not only their stack, but all of the lost data, all of the lost systems, all of the lost processes. But for a commercial company like a hospital, or a small business, that’s just not an option.
Chris: Now moving to the very recent past within this past week, you probably saw that there was a ransomware attack that blacked out screens in Bristol Airport in England, which caused the airport to resort to pen and paper schedules and sort of whiteboard lists. They did the opposite thing, they decided not to give in, and they decided to service the computers internally themselves. Do you think that due to sort of changes in policy and stuff that allowed them make this bolder decision?
Chris: I think every single case is different, and it really depends on what are the critical systems, what can the organization operate on on a day-to-day basis, and what can’t they live without.
Bill: So we weren’t inside that situation, never fully say, but clearly they had enough access to enough systems that they felt that they could safely still service inbound and outbound flights, and customers and baggage without access to those systems. And they felt comfortable rebuilding, or they had sufficient backups that they said, “Maybe they’re a month old or a couple months old that’s okay to recover from there, we’ll experience a little bit of data loss, but it’s not worth it for us to give in and make a payment because we have enough that we can carry on operations.”
Chris: What are some of the more popular ransomware attack vectors at the moment? I mean obviously we talked about the sort of ramifications that happen at the end, but what are the things, especially social engineering elements, that are getting ransomware infections through the door?
Bill: Sure. So on the commoditized side, like the stuff that’s hitting most small and medium-sized businesses, it’s really low-hanging fruit, right? Cyber criminals are gonna look for the easiest way in. A lot of them are operating … Their criminal working is just like a business, they wanna minimize their own costs, for the most amount of money, and so they’ll go after the lowest-hanging fruit. And right now, I would say the vast majority of cases that we’re handling on a daily basis are accessed via RDP. So either totally unsecured or weakly secured and able to be brute-forced.
And then once inside with that level of access, the attackers are able to do one of two things; they either sell those credentials again to another criminal group that then actually goes in and lays the malware, or they’re going in, and they’re hopscotching across the networks, laying the files in strategic areas to ensure that the most amount of servers, the most amount of machines get infected. And then waiting for the business to come back online and realize that they’re locked up.
But I would say right now it is alarming the number of companies that continue to leave RDP access either totally unsecured or really weakly secured.
I think small businesses really think that we’re small, we’re off the radar, we’re not gonna be targeted. They don’t really understand how easy it is to … you know, mass-scanning techniques that these groups use. Just search for these IP addresses that are weakly secured and just how easy it is to brute-force access.
Chris: You noticed at all if the sort of the big ticket, big news item, ransomware stories have changed behaviors at all? It sounds like you’re saying that people are sort of repeating the same mistakes over and over.
Bill: You’d like to think that they are, but sadly they’re not. Small and medium-sized businesses don’t have access to the big budgets, and they do still assume that they’re not gonna be targeted. They read it in the news and they’d figure, “Well, I’m so small and my footprint is so small, how can I ever be a victim? So it’s not gonna happen to me.” So I don’t think it’s changed their behavior unfortunately.
Chris: So okay, I’d sort of talk practical things. Assuming you get the notification on your screen, the red page of death that says, “Ransomware infected your system.” What would be the first steps you would take to make sure that doesn’t spread, if that’s even possible or not to make worse?
Bill: Sure. So the first piece of practical advice is take a deep breath, all right? A lot of people panic, they don’t know what to do. A lot of employees don’t report it to IT ’cause they’re embarrassed. So the first step is pause, take a deep breath. Hopefully you work for the type of organization where you get in trouble for not saying something, but if you’re raising your hand and saying there’s a problem, no one gets in trouble for that.
From a technical perspective, it’s important to isolate the machine quickly, so unplugging the ethernet cable and disconnecting it from WiFi. That’s really the first thing that should be done to the machine. From there, the machine should not be turned off, no attempts to fiddle with the files, trying to go online to find a decryptor tool and run it on the files. None of that should be done, it should really just be isolate the machine, and then raise your hand and call an IT professional, or if you’re a small business, call an outside firm to come in and help.
Most cases that come to us, come to us after several days of trying to figure out a solution on your own, seeing if you can even decrypt the files on your own through some method. And a lot of time is spent, a lot of downtime costs are wasted before the company kind of capitulates and comes to the point of raising their hand and asking for help.
So if there’s one piece of advice is to immediately ask for help, ’cause downtime is what kills companies, not the cost of the ransom. The average ransom these days 1000 bucks, 1500 bucks. That’s half an hour of downtime for the average small business, right? Let alone three or four days. So raising your hand early and getting help early is really the first thing that every company that finds themselves in this situation should do.
Chris: If a company is coming to you, to Coveware and saying, “My company got hit by ransomware,” what is the sort of flow chart? What is the process that you’re going to do to sort of like help them through this entire sort of unpleasant process?
Bill: So the first step is an assessment. We’re going to pick up some information from the company, basic information on what they’re seeing on their screen, text of the ransom notice, the file extension that’s been appended to the encrypted files, how they think it got in, if there’s internal IT, if they notice like a rogue RDP session, or remote access installed on some employee’s machine, an employee got phished.
So we’re gonna do an assessment. We’re gonna attempt to do two things. We’re gonna identify the strain of ransomware to determine if it had been decrypted before. If it has, that’s kinda rare, but if it has we can point them directly to the manufacturer that’s published the open-source decryptor tool, and that’s great. Just send them on their way.
If they haven’t, we’re gonna identify it, we’re gonna plug it into our own database of cases to determine the severity, like what’s the spread rate risk on company, the prevalence on the wild, development cost. And then we’ll start walking down the decision tree of if we need to make a payment, what does that look like? Have prior cases with the same string have been negotiated successfully and to what levels, and what the success rate is on payment, how likely are they to actually to get the decryptor tool?
And then that’s about half the battle. The decryptor tools themselves are their own kind of beast, they’re flukey, they have their nuances to them, so we have care sheets on those as well. So provided we do get the decryptor tool and key, we can help the internal IT or their outsourced IT help actually run the decryptor tool to the maximum success rates possible to continue the highest amount of data recovery.
So we’re essentially able to lay out a decision tree and probabilities of success at each of these steps, before they even have to make a decision of engaging with us.
Chris: Is there a fair amount of negotiation involved with ransomware agents? I mean is it really just kind of pay the fee, or they’re sort of like actual kind of like text negotiations, word-for-word negotiations and so forth?
Bill: It depends. There are certain ransomware types, and certain attacker groups that we’ve identified that there’s no point to try and negotiate, and there is others that we’ve had success negotiating with. We’re able to make that identification early on in the process and guide the company, because that affects time and cost of recovery ultimately, right? If there is hard constraints at the company level, we’re down, we have to get up immediately, or we don’t have this amount of money to spend, so we have to get it down to a certain level. We establish those parameters upfront. But we’ll guide them through that process. And if it’s a ransomware type, an attacker group that we’ve successfully negotiated before, we’ll advise them to what those levels are and how long that takes. And then it’s their option whether or not they want to pursue that.
Chris: So assuming that they don’t have the money to pay the fine, and you have no choice but to just take the hit, what does the sort of post-ransomware recovery look like, given that you have some amount of time to get your system back online?
Bill: So after the decryptor tool is received, it really depends on the amount of data that’s been encrypted. It typically will take … Just the actual decryption process will typically take a couple of days, depending on the amount of data. The tool is just running and running and running. If it’s a small machine, it could take a couple of hours, but the given company, it’ll take at least a day or two.
And then from there, the full wiping, reformatting machines, and then obviously putting new tech, new procedures in place as well in the back end.
Chris: So obviously there’s a lot of different options once you get hit, but sort of upfront, what do you think sorta educational programs should be in place? You mentioned sort of closing the security backdoors and stuff, but do you have any sort of like educational, or security, or any strategies for general staffers to avoid ransomware?
Bill: For sure. So part of our services, we’re a 100% general company, so we distribute through demand service provider of our channel. Part of our service in addition to having our own products on standby is all the data that we collect, it forms what we like to call our preventative strategies.
And part of that, in addition to like alerts and analytics, is security awareness training. And this goes beyond that “Don’t click on suspicious files”, what we’ll do is we’ll observe things like RDP, but I would say like the brute-forcing of RDP is about half of it, the other half is employees getting fished. And so we’ll look at the specific ways that it’s happening. And when we’ll see a pattern, we’ll write it up and put it into a deck, and send it out to our partners, and say, “This is what’s going on, right now?” We’ve seen 10 cases over the past seven business days, please advise your clients that they need to be careful of this, ’cause it’s going on currently.
So it’s a big part of prevention, right? The employees at the company are always the weakest link in the chain. No amount of training is really enough.
What we also do is we try and contextualize it, because training can be boring. So for instance with phishing, we’ll have our partners demonstrate how easy it is to phish people. Right? ‘Cause people think, “Well, I’ve gotta be some technical person.” Well, no, you just go to these websites and you punch an email address you wanna show up, and punch in the person you want to go to, and you send it to someone that’s sitting in the audience and you watch it pop up on their phone, and they say, “Oh my god, Donald Trump sent me an email.” So we’re trying to be a little bit more impact just to raise … you know we wanna raise people’s blood pressure a little bit, so they recognize just how big of a threat this is, and how easy it is for attackers to get there.
Chris: In the last couple of years ransomware has really risen in terms of costs of damages and fees and recoveries. They’re saying now that it’s estimated to cost between 11.5 billion in 2019, up from 5 billion in 2017, and 25 million in 2015. Do you think these huge jumps in cost and damage as the report in the news have changed at all while people are viewing ransomware? Do you think people are realizing it’s more of a threat? Or like you say are they still saying “Well, I’m a small company, they’re just not gonna-“
Bill: Well, I think it’s tipped to the point now where the proportion of companies that are getting hit … I think word of mouth does a better job raising awareness than security … You know when we put out a report that’s got scary numbers on it, or security firms put out reports, I think when the business across the street or your neighbor, when they experience it, that’s when it’s starts to hit home, right? Within a high proportion of businesses that get attacked every year, I think it’s starting to tip to that point. But there is still a big reluctance to spend and make improvements.
And what a lot of companies don’t realize also is you can’t spend on this every five years. Like a consistent investment in IT is your best answer to these things. You have to be patching, right? You need to upgrade, you need to buy new products that do different things, because if there’s one thing that’s true it’s that the attackers, they’re not just one step, they’re three and four steps ahead of where most companies are. And you gotta bring yourself up to speed, otherwise it’s just a numbers game.
Chris: Now, we’ve mentioned obviously ransomware has gotten more and more complex, and you mentioned that there are a lot more sort of services available, and we’re really seeing with platform like Cerber and Satan that the sort of ransomware as a service sort of elements are allowing people to hire a large scale organizations that can provide them with professional grade ransomware in exchange for a percentage of the final take.
With the bad guys shifting from the independent actors to multi-tiered organizations to now companies that can fuel even the most inexperienced hackers, how is the strategy going to be shifted do you think to keep ahead of all this?
Bill: Well, it’s just gonna make attacks more prevalent and frankly the downside of ransomware as a service is you end up with non-technical attackers. And non-technical attackers are harder to deal with. We’re dealing with several right now that we’re confident are ransomware as a service, like there’s a technical author behind it, but the people that you have to communicate with are non-technical. And they are much more difficult to deal with. They don’t communicate well. Their hours are very strange, they’re prone to disappearing for periods of time.
And that can impact data recovery rates at the end of the day, and that’s all that really matters. So unfortunately, it’s not good for small businesses, because your odds of achieving a good outcome are less, especially if you do it on your own.
We see a lot of folks, they get discouraged because oh, we sent them an email and they didn’t reply, so I just kind of gave up, and it’s like, “Well, these aren’t upstanding citizens, manning the Microsoft support phones, all right? God knows where they are doing what.” Like you have to be very persistent. You have to follow-up with them constantly, like you have to communicate with them in a very simple way. You have to anticipate their dialect and whatnot.
So it makes it just a lot harder to achieve a good outcome at the end of the day. But this is the way it’s going unfortunately.
Chris: That’s really interesting. It seems that people who are bad at ransomware are actually more dangerous than people who are good at ransomware-
Bill: Oh, for sure, for sure.
Chris: So what do you think the state of ransomware is going to be in the years to come other than lots more of it?
Bill: Well, there’s gonna be a lot more of it. This is game of catch the mouse. And unfortunately, with RDP … Like if I could broadcast to the world that every small business go and configure their RDP settings properly or put 2FA in front of it, or just close it down entirely and use a different service, the amount of ransomware that’s going on right now would drop probably 90%, literally within a week.
Now, that being said, it would come back, they would find a new attack vector, they would come in a different way, but that’s what we have to do. Right? We have to, as a global community that is trying to improve the security of every company, we have to move everybody at the lower end of security hygiene, everybody has to move up together. And if you can collectively raise that bar, then the attackers have to get more sophisticated. So, there’s one real truth in this world that while the amount of attacks has skyrocketed exponentially, to your earlier point, the technical sophistication of the attackers has plummeted.
And we as a security community would do ourselves a great favor by forcing the attackers to raise their own technical bar, cause it will limit the amount of people that can actually do it. Right? And so one of the things that we kind of strive to in our mission, and our mission as a company is to end ransomware period, is to force the attackers to raise their own game, so it’s harder to get into the lowest hanging fruit on the corporate spectrum.
But it’s a hard challenge. But that’s the world we live in right now.
Chris: So that particular tactic, what would you need from companies to sort of get ransomware people to raise their game as you say, what would … If you could sort of enact one law or one policy, like what would it take to sort of make that a full-scale phenomenon?
Bill: Sure. Well, I would say that … Honestly, a good question. Security awareness training, number one. Here’s an interesting stat, I did this research once, I calculated the amount of money that companies spend on like HR training, right? Sexual harassment training, workplace behavior training, relative to the costs of lawsuits that the average company pays for HR-related lawsuits. And then when you compare that to losses from downtime from ransomware or cyber-attacks relative to the amount that they spend on security awareness training, it’s totally lopsided.
Companies need to spend at least a commiserate amount, right? To make it apples to apples on security awareness training, relative to the costs and risks of HR-related losses. And they’re not.
So there’s one thing I would say like just take a practical look at the amount that you spend to train your employees to behave properly in the workplace, so that you don’t expose your company to risk. And the amount that you spend to ensure that you’re employees don’t click on malicious files and bring the whole company down.
And I think most companies if they did that exercise would realize that they are vastly underinvesting in these areas and that they need to balance it up. That doesn’t mean don’t spend on the HR side, that’s very important, but it’s spend a commiserate amount at least on the IT side.
Chris: I think it’s a pretty good prescription with which to wrap up today’s discussion. So Bill Siegel, thank you very much for your insights today on ransomware.
Bill: Thank you very much for having me.
Chris: Okay, and thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to YouTube and type in InfoSec Institute to check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Please visit InfoSecInstitute.com/cyberspeak for the full list of episodes.
If you’d like to qualify for a free pair of headphones, podcast listeners can also go to infosec.institute.com/podcast and sign up. And if you’d like to try our free security IQ package which includes fishing simulators, which you can use to trick and then educate your colleague and friends in the ways of security awareness, please visit infosecinstitute.com/securityIQ.
Thanks again to Bill Siegel, and thank you all for watching and listening, we will speak to you next week.