Today, thanks to cheap plug-and-play ransomware kits, anyone with a credit card can get into the cyber extortion action. No special training or skills required. So, what can we do? In the premiere episode of the Trust Issues\u2122 podcast, David Puner talks about this and more with Andy Thompson, advisor & evangelist at CyberArk Labs.<\/p>\n
[00:00:17.360] – David Puner
\nThe democratization of… Just fill in the blank. The phrase has become a tired, de facto conference track title. Just do a search. It’s everywhere. The democratization of finance, information, cout ure, creativity; they’ve all been democratized and delivered to the masses. Yet, the phrase may legitimately be the best way to describe the sweeping global ransomware phenomenon that’s plaguing organizations everywhere.<\/p>\n
[00:00:44.360] – David Puner
\nOnce a tactic reserved for highly skilled criminals, extortion involved heart-poundingly bank heists, airplane hijackings, and abducted French kings commanding three million gold crowns. But now, thanks to cheap plug-and-play ransomware kits, anyone with a credit card can get in on the cyber extortion action. No special training or skills required. How have we gotten here? Where’s it all headed? What can we do? It’s the focus of today’s episode of Trust Issues.<\/p>\n
[00:01:19.230] – David Puner
\nIn today’s episode, I talk to Andy Thompson, Advisor, Evangelist for CyberArk Labs, and a guy you really would want to have at your dinner table, or maybe go on a road trip with. He knows so much about cybersecurity and every aspect of it, and can go deep and just make anything interesting, which is why we start with a subject that is inherently interesting, and that is ransomware. I think you’re going to enjoy it, so why don’t we just get to it? I’ll stop the babbling, and let’s hear from Andy Thompson.<\/p>\n
[00:02:02.370] – David Puner
\nWe’re going to talk about arguably the biggest and most pervasive cyber threat out there: ransomware. First of all, I guess, do you agree with that statement?<\/p>\n
[00:02:12.670] – Andy Thompson
\nAbsolutely. Ransomware has just blossomed, not just from its inception, but really within the last two years. We’ve seen a triple digit increase in the proliferation of ransomware, and a lot of it has to do with the fact that the business model has changed. No longer do you have to be evil enough to create the content and the ransomware, but you just have to be malicious enough to propagate it. And that’s really where the ransomware as a service has really springboarded ransomware as far as a threat in personal and corporate environments.<\/p>\n
[00:02:49.070] – David Puner
\nHow have we gotten to the point where ransomware came into being, and now we’re at this point where we’re talking about triple extortion and ransomware as a service? Really, things have gotten crazy over the years, but they probably started out seeming crazy, and now they’re super crazy.<\/p>\n
[00:03:05.550] – Andy Thompson
\nI want to set the stage: 1989, Global AIDS Conference. Gentleman by the name of Dr. Joseph Popp was distributing I think 20,000 different floppy disks with a software, and actually had a note on there from PC Cyborg company stating that after several days\u201490 days, to be specific\u2014the computer would be basically inoperable, and they’d have to send a check for $189 to a PO box in Panama. Now, Scotland Yard didn’t take too kindly to that, and ultimately arrested him and charged him for extortion. That was the inception of ransomware.<\/p>\n
[00:03:40.790] – Andy Thompson
\nSince then, it has changed really due to the internet in the ability to proliferate ransomware. And along with that came the creation of cryptocurrency and pseudo-anonymous transactions. That really was what caused ransomware to basically explode. It’s money laundering at the nth degree. And so I think that’s really kind of what caused ransomware ever since the internet in 2009, 2011, when cryptocurrency came into play.<\/p>\n
[00:04:14.760] – David Puner
\nSo how did cryptocurrency allow it to blossom, or explode, as the case may be?<\/p>\n
[00:04:20.320] – Andy Thompson
\nWell, originally, we were talking about writing a check. And then came gift cards and money orders and Green Dot. And all of that had a paper trail essentially leading right back to the ransomware operators. With Bitcoin, in particular, that technology allowed for, again, that pseudo-anonymous financial transaction. What we’ve seen even recently, more so, is moving to a whole different cryptocurrency called Monero, where an obfuscated ledger basically allows for completely anonymous transactions of finances, and essentially money laundering.<\/p>\n
[00:05:01.150] – David Puner
\nDoes that make it just a losing game if you’re a defender?<\/p>\n
[00:05:06.430] – Andy Thompson
\nThese ransomware outfits have like global help desks. They have training materials, they’ve got professional-level backends supporting these malicious outfits. So I think what we’re finding is it’s less Wild Wild West and craziness, but more a migration to professionalism and processes based out of these outfits. Does that make sense?<\/p>\n
[00:05:31.750] – David Puner
\nYeah, it’s kind of like when the Sundance Film Festival becomes legitimate or something like that.<\/p>\n
[00:05:37.470] – Andy Thompson
\nYeah, yeah.<\/p>\n
[00:05:38.870] – David Puner
\nI’m talking to you about this today, Andy. And you’re an expert in many things, but you’ve definitely been deep involved and interested in ransomware for a while now. Can you give us a little bit of a rundown of how you got involved and how it is involved in your day to day now?<\/p>\n
[00:05:56.190] – Andy Thompson
\nYeah, absolutely. I really started researching ransomware back in 2016. I’m an active member and one of the organizers for the Dallas Hackers Association back here in Dallas. Somebody reached out to the Dallas Hackers Association stating a problem. It was kind of a sad story, really. A widower recently lost his wife, and all their photos from years and years and years were stored on this machine that was compromised by ransomware.<\/p>\n
[00:06:27.070] – Andy Thompson
\nHe didn’t know what to do, so reached out to us, and we did our best to help this gentleman. We were able to actually recover the encryption cre and restore all his files. But that really got me thinking, how far is this being taken? And so I started researching history of ransomware, analysis of how it works, and really, most importantly, the mitigation controls around ransomware. Since then, I’ve become part of the Ransomware Task Force.<\/p>\n
[00:06:55.770] – David Puner
\nLet’s take two steps back. I want to ask you about the Ransomware Task Force in a second, but first, to go back to the Dallas hacking scene for a second. The gentleman who reached out to you regarding the images that he was trying to get back, how did he get connected with the Dallas hacking scene? What does a Dallas hacking scene look like? Is it kind of, you know, to those who don’t know anything about it… Or maybe it’s just me, when I think of something like that, it’s like, “You can’t find us, we’ll find you,” or something, or whatever the A-Team’s saying is.<\/p>\n
[00:07:25.490] – Andy Thompson
\nNo. It’s quite the opposite. We’re totally out there in the public. We have a Meetup, a website, it’s on meetup.com. This organization meets once a month at a Korean karaoke bar of all places. And we basically have a miniature conference once a month with lock picking, we have a capture the flag competition, we have 15-minute fire infosec talks. It’s really cool. It’s like a miniature Defcon.<\/p>\n
[00:07:53.450] – David Puner
\nAbout how many of those communities would you say are around the country?<\/p>\n
[00:07:56.950] – Andy Thompson
\nHonestly, all of them, really. If you look hard enough, you can find ISSA chapters, (ISC)\u00b2 chapters. The meetings are on their websites. But Defcon groups, there’s chapters all over the United States. Hacking is NOT a Crime, another organization with multiple chapters all over the world. There’s the BSides conferences that, again, are all over from Dallas to Tel Aviv to Sydney, Australia to Las Vegas. All of these are just near and dear to my heart.<\/p>\n
[00:08:27.940] – David Puner
\nSo back to the Ransomware Task Force for a second. That is something internal at CyberArk, or is that elsewhere?<\/p>\n
[00:08:35.100] – Andy Thompson
\nIt’s actually external. It’s a collective of about 60 different organizations that have partnered together, just experts in the industry, to provide guidance to governments and corporate organizations, providing recommendations regarding security control, cybersecurity insurance, mitigation methods, you name it. And so I’m just a small part of that organization.<\/p>\n
[00:09:00.740] – David Puner
\nWe talked about the beginning of ransomware, and then how it just was really able to explode with the internet. In 2017, we had the WannaCry outbreak; 2017, NotPetya; 2020, SolarWinds; 2021, Kaseya. And those are just a few of the notable names. How have the defenders evolved along with the the offenders, as it were?<\/p>\n
[00:09:23.300] – Andy Thompson
\nThat’s a great question. Let’s start with where we’re seeing more adoption in, and it is the fact that these criminal organizations are consolidating. There’s several major outfits like REvil, Conti. Lapsus$ is big in the news today. These organizations are consolidating and really focusing their attacks on big organizations. It’s no longer the kind of spray-and-pray spam emails that you see in the past. They’re spearfishing, they’re targeting individuals within organizations for what I call, or what we call, business email compromise. You’re more apt to accept an email and an attachment from a legitimate email within your organization.<\/p>\n
[00:10:13.110] – Andy Thompson
\nSo we’re seeing the ability of these attackers focusing on application vulnerabilities from externally facing web apps. We’re seeing RDP brute-forcing of externally facing terminal services sessions. These sorts of attacks are really what we’re seeing as the majority of the vectors in for corporate ransomware. The other thing is that they’re no longer just satisfied with compromising a single machine. Once the foothold is established, there’s, goodness, upwards of 100 days of dwell time within these organizations before they pull the trigger and execute the end game, and that’s really the ransomware.<\/p>\n
[00:10:57.640] – Andy Thompson
\nAnd I think what’s really important to note is the change in the definition of what ransomware is. Previously it was just encrypting files and holding that for ransom. And we’ve seen organizations like Lapsus$ that completely bypass the file encryption and move straight to double extortion, where they’re holding the files for ransom. They’re exfiltrating the data, the proprietary sensitive information, and again, holding that for ransom. So let’s just call a spade a spade, folks. Ransomware is extortion. That’s the simple answer. We’ve really moved from file encryption. And again, that’s still present in the industry, but we’re just talking about straight-up extortion.<\/p>\n
[00:11:44.730] – Andy Thompson
\nI’ve also seen IoT devices being compromised. We saw recently at Defcon… Well, not recently, a couple of years back. But a IoT heating and air conditioning thermostat was compromised. They could literally sweat you out of house and home until you pay the ransom. I also recently saw some evidence of mobile software on televisions being compromised by ransomware.<\/p>\n
[00:12:10.810] – Andy Thompson
\nSo I think a lot of that has to do with the… Ransomware authors are starting to use cross-platform scripting languages in order to do this sort of malicious activity. So we’re seeing a lot of evolution in the advancement of ransomware\u2014from a software perspective, from a target perspective, you name it.<\/p>\n
[00:12:30.560] – David Puner
\nWe are in the business of defending and protecting here. This is a pretty big battle. Can it be won? And obviously, organizations are comprised of individuals. What can we do from an individual standpoint? And what can organizations do to fight back?<\/p>\n
[00:12:46.520] – Andy Thompson
\nI think the reason why ransomware works initially is because organizations fail to practice good security hygiene, and they’re using somewhat ineffective methods to mitigate ransomware. And so from a personal perspective, I think it’s about being vigilant, being aware of what ransomware is, how it propagates, what to be aware of. So in the event that your grandmother, for example, gets a ransomware spam message, that she’s aware of not clicking these sorts of things.<\/p>\n
[00:13:18.130] – Andy Thompson
\nAnother thing that I recently released on my GitHub is a really, really simple script that just reassigns the default application from PowerShell to Notepad. So again, there’s probably no reason why my grandmother should be executing batch scripts and things like that. So check out my GitHub. It’s github\/binarywasp. It’s a terrible, terrible name I picked back in high school, but I still keep it around.<\/p>\n
[00:13:45.090] – Andy Thompson
\nSimple security controls go a long way in preventing ransomware from a personal perspective. But from a larger enterprise organization perspective, there’s two acronyms that I really promote, and it’s least privilege and application control, so LP and AC. Those two things, as a combination, go a incredibly long way in preventing today’s version of ransomware.<\/p>\n
[00:14:09.890] – Andy Thompson
\nWhat I’ve seen, again, when I mentioned ineffective methods, is signature-based AV, for example. Ransomware, and today’s malware, is what we call polymorphic. It changes. Simply flipping a byte changes the hash and the fingerprint of these ransomware strains. And so signature-based stuff doesn’t really work. And then you see some EDR endpoint data, protection agents and things like that, can detect the behavior, but only after the fact.<\/p>\n
[00:14:38.820] – Andy Thompson
\nSo I personally believe that the concept of least privilege, removing local admin rights, can prevent the installation of really aggressive malware. So attackers can’t do reconnaissance and propagate and laterally move within a network. But more importantly is application control. This is a hard thing to do in a lot of organizations, when you explicitly allow or explicitly deny applications. So what I advocate for… Like server environments, for example, you know exactly what software is supposed to be running on that system. Really, allow listing is the recommendation there.<\/p>\n
[00:15:20.100] – Andy Thompson
\nWhen it comes to endpoints, it’s a little harder. I just had to upgrade my Chrome or browser just to get into this webcast today. New software is coming out. It’s a challenge for an IT organization to allow list everything. So I call this kind of a gray listing approach to application control\u2014 hamstringing and limiting the capacity of binaries in your environment. So for example, if we restrict a piece of malware, a unknown binary in our organization from internet access, for example, it can’t facilitate that encryption key exchange that many ransomware variants use.<\/p>\n
[00:16:02.680] – Andy Thompson
\nAnother thing is preventing the ability for unknown binaries and applications from reaching out to shared network volumes and map drives. That, again, prevents the ability for ransomware to propagate beyond the initial infection. So again, the combination of least privilege and application control go an incredibly long way.<\/p>\n
[00:16:25.400] – Andy Thompson
\nI also think end user awareness training\u2014I mentioned that earlier from my grandmother’s perspective\u2014I think it goes a long way in corporate environments as well. Another thing that I think a lot of corporate environments need to be aware of, or start doing, if they’re not already, is operate under that assumed breach mindset. This is really scary, folks. Lapsus$, the organization that’s in the news currently, they are soliciting malicious insiders to establish that foothold, so you don’t have to worry about vulnerabilities. They’re opening the door wide open for these folks.<\/p>\n
[00:17:04.240] – Andy Thompson
\nIf you have and operate under a assume breach mindset, you’re watching internally just as aggressively as you are externally for these sorts of malicious threats. So I think a combination of user awareness, technical controls like least privilege, application control, and operating under that assume breach mindset will go a long way in protecting corporate organizations.<\/p>\n
[00:17:26.820] – David Puner
\nSo you mentioned a couple things there that I think are pretty interesting. The idea of malicious insiders, what can we possibly do about that?<\/p>\n
[00:17:34.660] – Andy Thompson
\nWatch the watchers. Oftentimes, we’re seeing this from the perspective of an IT organization, a rogue systems administrator, but we need to be aware that that’s no longer the case. I mean, somebody in Accounting or Finance, Procurement, HR, Legal, these people have sensitive information that can be leaked. So again, be aware that it’s no longer just an IT problem. Watch your privileged users for malicious activities.<\/p>\n
[00:18:08.290] – Andy Thompson
\nMake sure that you’re locking down the end user workstation so that in the event that a machine is compromised, that it can’t facilitate reconnaissance, it can’t facilitate lateral movement or privileged escalation. We ultimately want to stop the initial foothold. But in the event that the foothold is already established, we want to make it as difficult as possible to establish that foothold and really propagate that ransomware.<\/p>\n
[00:18:34.360] – David Puner
\nSo the last couple of years, we’ve been talking a lot about work from anywhere and how it’s ramped up the opportunities for these malicious actors. How have we come to adapt better to that?<\/p>\n
[00:18:45.200] – Andy Thompson
\nWell, COVID really kind of kickstarted and ramped digital transformation into the next level. What we’ve seen is a mass migration to working remotely, working from home. What I see there is a real risk. We see people working their day jobs from the same machine that their kids are playing Minecraft on. That’s particularly scary, because oftentimes, we see that corporate security controls don’t propagate down to the machines and mobile devices that people are using to do their job, which is really scary.<\/p>\n
[00:19:26.680] – Andy Thompson
\nBut we’ve also seen migration to remote access, to secure environments. There are secure ways to tunnel traffic and tunnel your day-to-day job in a remote and secure way. I feel that, in my personal opinion, of course, that the digital transformation that has happened so recently due to COVID is more so exposing us to risk than it is helping us, from a ransomware perspective.<\/p>\n
[00:19:58.540] – David Puner
\nWhat can happen if an organization does receive that initial infection? Is that just game over, or is there something positive that they can do to get out of that situation?<\/p>\n
[00:20:09.620] – Andy Thompson
\nNot necessarily game over. I mean, yeah, it’s bad. You need to assess the damage, find out what potentially has been encrypted, what ultimately sensitive information or systems have been exposed to this level of an attack. If it’s not in the logs, it didn’t happen. Or you don’t know what you don’t know. So go back to the logs and really find some level of attribution.<\/p>\n
[00:20:37.130] – Andy Thompson
\nBut again, it’s not necessarily game over, because if you’re doing things right, you’ve got some level of air-gapped backups to restore from. Ideally, that’s what I would advocate for is never to pay a ransom, but to do your best to facilitate a backup and recovery program. That’s easier said than done. So what I really advocate for is a lot of organizations to do a regular mock ransomware event.<\/p>\n
[00:21:07.590] – Andy Thompson
\nThere’s also cyber security insurance, which I’m still on the fence about, but it goes a long way in recovery financially, as well as instantiating some of the basic controls within the organization as well. In order to even receive cyber insurance, the minimum security controls have to be in place. And so that goes a long way in preventing ransomware. But ideally, the controls that we’re recommending here proactively prevent and also help constrain the damage as well. I hope that kind of answers your question.<\/p>\n
[00:21:44.930] – David Puner
\nYeah, it answers my question in a big way, I think. Thank you for that. We’ve talked about how it started, how it’s evolved, where we’ve been with it in the last few years. Where is this all going? I mean, not that you’ve got a magic ball, but where is it going, and as defenders, how do we best keep on top of that so we can do our jobs successfully?<\/p>\n
[00:22:10.690] – Andy Thompson
\nOh, wow. Great question. Where is ransomware moving to? I got my answer right now. It’s industrial control systems. I think that’s going to be the next wave of ransomware. Ransomware no longer has to just encrypt files. We’re seeing, again, that double extortion, holding the information for ransom, but also we’re seeing triple extortion.<\/p>\n
[00:22:32.330] – David Puner
\nYes, I was hoping you would mention that.<\/p>\n
[00:22:34.850] – Andy Thompson
\n[crosstalk 00:22:34] DDoS you. So I think those are some of the advancements that we’re going to see in the ransomware landscape.<\/p>\n
[00:22:41.250] – David Puner
\nTriple extortion doesn’t sound good at all. Maybe I heard this wrong, I’m not sure, but that more and more, ransomware is going to be industry-specific?<\/p>\n
[00:22:49.050] – Andy Thompson
\nYeah, you’re absolutely right. I mean, it depends on who’s actually the malicious actor behind the the keyboard. But we’re seeing industries like healthcare being particularly targeted by certain ransomware operators because of the fact that this is extremely sensitive information that we’re dealing with, and it’s very time-sensitive. There are documented cases that systems being offline have cost people their lives. It really has real ramifications.<\/p>\n
[00:23:21.420] – Andy Thompson
\nThere was a famous bank robber, and they were asked, “Why are you robbing banks?” And the answer is, “Because that’s where the money is.” And I think that’s what we’re going to see a lot of in the future. And currently, really, bad actors, these ransomware operators are no longer targeting the piddly onesies and twosies and $100 ransoms. They’re going after $5 million, $11 million ransoms. And so I think what we’re going to see is bigger ransoms and and bigger consequences.<\/p>\n
[00:23:53.240] – David Puner
\nAndy, I look forward to doing part two of this podcast sometime in the near future, because you’re just a fantastic wealth of information. If you want to leave the listeners here with one thing, what’s another thing that they that they should know going out of this conversation about ransomware?<\/p>\n
[00:24:10.520] – Andy Thompson
\nRansomware is real. It’s evolved over time. It’ll continue to evolve. But at the same time, I think the recommendation is solid, it’s foundational, and it’s not going to change, whether it’s file encryption, whether it’s data exfiltration, whether the instantiation of malware and propagating through the network.<\/p>\n
[00:24:36.880] – Andy Thompson
\nAgain, I’ve been dogging on my grandmother real hard on this call today, but she told me something a while back that I thought was really poignant, and it’s something that I want to leave you with. “An ounce of prevention is worth a pound of cure.” And by proactively putting in controls in place, specifically least privilege and application control, end user awareness, these sorts of things really go a long way in protecting your organization.<\/p>\n
[00:25:04.070] – David Puner
\nAnd if there’s another thing that I’ve taken from this conversation, it is do not mess with Andy’s grandma.<\/p>\n
[00:25:10.910] – Andy Thompson
\nExactly.<\/p>\n
[00:25:12.110] – David Puner
\nAndy, this has been awesome. Thanks so much.<\/p>\n
[00:25:14.950] – Andy Thompson
\nThank you for having me.<\/p>\n
[00:25:16.150] – David Puner
\nTalk to you soon.<\/p>\n
[00:25:27.210] – David Puner
\nThanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment\u2014constructive comment, preferably, but it’s up to you\u2014or an episode suggestion, please drop us an email at trustissues@cyberark.com. And make sure you’re following us wherever you listen to podcasts.<\/p><\/div>\n","protected":false},"featured_media":214233,"template":"","class_list":["post-143283","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"\n