April 26, 2022

EP 1 – Talking Ransomware w/ Andy Thompson

Today, thanks to cheap plug-and-play ransomware kits, anyone with a credit card can get into the cyber extortion action. No special training or skills required. So, what can we do? In the premiere episode of the Trust Issues™ podcast, David Puner talks about this and more with Andy Thompson, advisor & evangelist at CyberArk Labs.

[00:00:00.000] – David Puner
You’re listening to the Trust Issues Podcast. My name is David Puner.

[00:00:17.360] – David Puner
The democratization of… Just fill in the blank. The phrase has become a tired, de facto conference track title. Just do a search. It’s everywhere. The democratization of finance, information, couture, creativity; they’ve all been democratized and delivered to the masses. Yet, the phrase may legitimately be the best way to describe the sweeping global ransomware phenomenon that’s plaguing organizations everywhere.

[00:00:44.360] – David Puner
Once a tactic reserved for highly skilled criminals, extortion involved heart-pounding bank heists, airplane hijackings, and abducted French kings commanding three million gold crowns. But now, thanks to cheap plug-and-play ransomware kits, anyone with a credit card can get in on the cyber extortion action. No special training or skills required. How have we gotten here? Where’s it all headed? What can we do? It’s the focus of today’s episode of Trust Issues.

[00:01:19.230] – David Puner
In today’s episode, I talk to Andy Thompson, Advisor, Evangelist for CyberArk Labs, and a guy you really would want to have at your dinner table, or maybe go on a road trip with. He knows so much about cybersecurity and every aspect of it, and can go deep and just make anything interesting, which is why we start with a subject that is inherently interesting, and that is ransomware. I think you’re going to enjoy it, so why don’t we just get to it? I’ll stop the babbling, and let’s hear from Andy Thompson.

[00:02:02.370] – David Puner
We’re going to talk about arguably the biggest and most pervasive cyber threat out there: ransomware. First of all, I guess, do you agree with that statement?

[00:02:12.670] – Andy Thompson
Absolutely. Ransomware has just blossomed, not just from its inception, but really within the last two years. We’ve seen a triple digit increase in the proliferation of ransomware, and a lot of it has to do with the fact that the business model has changed. No longer do you have to be evil enough to create the content and the ransomware, but you just have to be malicious enough to propagate it. And that’s really where the ransomware as a service has really springboarded ransomware as far as a threat in personal and corporate environments.

[00:02:49.070] – David Puner
How have we gotten to the point where ransomware came into being, and now we’re at this point where we’re talking about triple extortion and ransomware as a service? Really, things have gotten crazy over the years, but they probably started out seeming crazy, and now they’re super crazy.

[00:03:05.550] – Andy Thompson
I want to set the stage: 1989, Global AIDS Conference. Gentleman by the name of Dr. Joseph Popp was distributing I think 20,000 different floppy disks with a software, and actually had a note on there from PC Cyborg company stating that after several days—90 days, to be specific—the computer would be basically inoperable, and they’d have to send a check for $189 to a PO box in Panama. Now, Scotland Yard didn’t take too kindly to that, and ultimately arrested him and charged him for extortion. That was the inception of ransomware.

[00:03:40.790] – Andy Thompson
Since then, it has changed really due to the internet in the ability to proliferate ransomware. And along with that came the creation of cryptocurrency and pseudo-anonymous transactions. That really was what caused ransomware to basically explode. It’s money laundering at the nth degree. And so I think that’s really kind of what caused ransomware ever since the internet in 2009, 2011, when cryptocurrency came into play.

[00:04:14.760] – David Puner
So how did cryptocurrency allow it to blossom, or explode, as the case may be?

[00:04:20.320] – Andy Thompson
Well, originally, we were talking about writing a check. And then came gift cards and money orders and Green Dot. And all of that had a paper trail essentially leading right back to the ransomware operators. With Bitcoin, in particular, that technology allowed for, again, that pseudo-anonymous financial transaction. What we’ve seen even recently, more so, is moving to a whole different cryptocurrency called Monero, where an obfuscated ledger basically allows for completely anonymous transactions of finances, and essentially money laundering.

[00:05:01.150] – David Puner
Does that make it just a losing game if you’re a defender?

[00:05:06.430] – Andy Thompson
These ransomware outfits have like global help desks. They have training materials, they’ve got professional-level backends supporting these malicious outfits. So I think what we’re finding is it’s less Wild Wild West and craziness, but more a migration to professionalism and processes based out of these outfits. Does that make sense?

[00:05:31.750] – David Puner
Yeah, it’s kind of like when the Sundance Film Festival becomes legitimate or something like that.

[00:05:37.470] – Andy Thompson
Yeah, yeah.

[00:05:38.870] – David Puner
I’m talking to you about this today, Andy. And you’re an expert in many things, but you’ve definitely been deep involved and interested in ransomware for a while now. Can you give us a little bit of a rundown of how you got involved and how it is involved in your day to day now?

[00:05:56.190] – Andy Thompson
Yeah, absolutely. I really started researching ransomware back in 2016. I’m an active member and one of the organizers for the Dallas Hackers Association back here in Dallas. Somebody reached out to the Dallas Hackers Association stating a problem. It was kind of a sad story, really. A widower recently lost his wife, and all their photos from years and years and years were stored on this machine that was compromised by ransomware.

[00:06:27.070] – Andy Thompson
He didn’t know what to do, so reached out to us, and we did our best to help this gentleman. We were able to actually recover the encryption cre and restore all his files. But that really got me thinking, how far is this being taken? And so I started researching history of ransomware, analysis of how it works, and really, most importantly, the mitigation controls around ransomware. Since then, I’ve become part of the Ransomware Task Force.

[00:06:55.770] – David Puner
Let’s take two steps back. I want to ask you about the Ransomware Task Force in a second, but first, to go back to the Dallas hacking scene for a second. The gentleman who reached out to you regarding the images that he was trying to get back, how did he get connected with the Dallas hacking scene? What does a Dallas hacking scene look like? Is it kind of, you know, to those who don’t know anything about it… Or maybe it’s just me, when I think of something like that, it’s like, “You can’t find us, we’ll find you,” or something, or whatever the A-Team’s saying is.

[00:07:25.490] – Andy Thompson
No. It’s quite the opposite. We’re totally out there in the public. We have a Meetup, a website, it’s on meetup.com. This organization meets once a month at a Korean karaoke bar of all places. And we basically have a miniature conference once a month with lock picking, we have a capture the flag competition, we have 15-minute fire infosec talks. It’s really cool. It’s like a miniature Defcon.

[00:07:53.450] – David Puner
About how many of those communities would you say are around the country?

[00:07:56.950] – Andy Thompson
Honestly, all of them, really. If you look hard enough, you can find ISSA chapters, (ISC)² chapters. The meetings are on their websites. But Defcon groups, there’s chapters all over the United States. Hacking is NOT a Crime, another organization with multiple chapters all over the world. There’s the BSides conferences that, again, are all over from Dallas to Tel Aviv to Sydney, Australia to Las Vegas. All of these are just near and dear to my heart.

[00:08:27.940] – David Puner
So back to the Ransomware Task Force for a second. That is something internal at CyberArk, or is that elsewhere?

[00:08:35.100] – Andy Thompson
It’s actually external. It’s a collective of about 60 different organizations that have partnered together, just experts in the industry, to provide guidance to governments and corporate organizations, providing recommendations regarding security control, cybersecurity insurance, mitigation methods, you name it. And so I’m just a small part of that organization.

[00:09:00.740] – David Puner
We talked about the beginning of ransomware, and then how it just was really able to explode with the internet. In 2017, we had the WannaCry outbreak; 2017, NotPetya; 2020, SolarWinds; 2021, Kaseya. And those are just a few of the notable names. How have the defenders evolved along with the offenders, as it were?

[00:09:23.300] – Andy Thompson
That’s a great question. Let’s start with where we’re seeing more adoption in, and it is the fact that these criminal organizations are consolidating. There’s several major outfits like REvil, Conti. Lapsus$ is big in the news today. These organizations are consolidating and really focusing their attacks on big organizations. It’s no longer the kind of spray-and-pray spam emails that you see in the past. They’re spear phishing, they’re targeting individuals within organizations for what I call, or what we call, business email compromise. You’re more apt to accept an email and an attachment from a legitimate email within your organization.

[00:10:13.110] – Andy Thompson
So we’re seeing the ability of these attackers focusing on application vulnerabilities from externally facing web apps. We’re seeing RDP brute-forcing of externally facing terminal services sessions. These sorts of attacks are really what we’re seeing as the majority of the vectors in for corporate ransomware. The other thing is that they’re no longer just satisfied with compromising a single machine. Once the foothold is established, there’s, goodness, upwards of 100 days of dwell time within these organizations before they pull the trigger and execute the end game, and that’s really the ransomware.

[00:10:57.640] – Andy Thompson
And I think what’s really important to note is the change in the definition of what ransomware is. Previously it was just encrypting files and holding that for ransom. And we’ve seen organizations like Lapsus$ that completely bypass the file encryption and move straight to double extortion, where they’re holding the files for ransom. They’re exfiltrating the data, the proprietary sensitive information, and again, holding that for ransom. So let’s just call a spade a spade, folks. Ransomware is extortion. That’s the simple answer. We’ve really moved from file encryption. And again, that’s still present in the industry, but we’re just talking about straight-up extortion.

[00:11:44.730] – Andy Thompson
I’ve also seen IoT devices being compromised. We saw recently at Defcon… Well, not recently, a couple of years back. But an IoT heating and air conditioning thermostat was compromised. They could literally sweat you out of house and home until you pay the ransom. I also recently saw some evidence of mobile software on televisions being compromised by ransomware.

[00:12:10.810] – Andy Thompson
So I think a lot of that has to do with the… Ransomware authors are starting to use cross-platform scripting languages in order to do this sort of malicious activity. So we’re seeing a lot of evolution in the advancement of ransomware—from a software perspective, from a target perspective, you name it.

[00:12:30.560] – David Puner
We are in the business of defending and protecting here. This is a pretty big battle. Can it be won? And obviously, organizations are comprised of individuals. What can we do from an individual standpoint? And what can organizations do to fight back?

[00:12:46.520] – Andy Thompson
I think the reason why ransomware works initially is because organizations fail to practice good security hygiene, and they’re using somewhat ineffective methods to mitigate ransomware. And so from a personal perspective, I think it’s about being vigilant, being aware of what ransomware is, how it propagates, what to be aware of. So in the event that your grandmother, for example, gets a ransomware spam message, that she’s aware of not clicking these sorts of things.

[00:13:18.130] – Andy Thompson
Another thing that I recently released on my GitHub is a really, really simple script that just reassigns the default application from PowerShell to Notepad. So again, there’s probably no reason why my grandmother should be executing batch scripts and things like that. So check out my GitHub. It’s github/binarywasp. It’s a terrible, terrible name I picked back in high school, but I still keep it around.

[00:13:45.090] – Andy Thompson
Simple security controls go a long way in preventing ransomware from a personal perspective. But from a larger enterprise organization perspective, there’s two acronyms that I really promote, and it’s least privilege and application control, so LP and AC. Those two things, as a combination, go an incredibly long way in preventing today’s version of ransomware.

[00:14:09.890] – Andy Thompson
What I’ve seen, again, when I mentioned ineffective methods, is signature-based AV, for example. Ransomware, and today’s malware, is what we call polymorphic. It changes. Simply flipping a byte changes the hash and the fingerprint of these ransomware strains. And so signature-based stuff doesn’t really work. And then you see some EDR endpoint data, protection agents and things like that, can detect the behavior, but only after the fact.

[00:14:38.820] – Andy Thompson
So I personally believe that the concept of least privilege, removing local admin rights, can prevent the installation of really aggressive malware. So attackers can’t do reconnaissance and propagate and laterally move within a network. But more importantly is application control. This is a hard thing to do in a lot of organizations, when you explicitly allow or explicitly deny applications. So what I advocate for… Like server environments, for example, you know exactly what software is supposed to be running on that system. Really, allow listing is the recommendation there.

[00:15:20.100] – Andy Thompson
When it comes to endpoints, it’s a little harder. I just had to upgrade my Chrome or browser just to get into this webcast today. New software is coming out. It’s a challenge for an IT organization to allow list everything. So I call this kind of a gray listing approach to application control—hamstringing and limiting the capacity of binaries in your environment. So for example, if we restrict a piece of malware, an unknown binary in our organization from internet access, for example, it can’t facilitate that encryption key exchange that many ransomware variants use.

[00:16:02.680] – Andy Thompson
Another thing is preventing the ability for unknown binaries and applications from reaching out to shared network volumes and map drives. That, again, prevents the ability for ransomware to propagate beyond the initial infection. So again, the combination of least privilege and application control go an incredibly long way.

[00:16:25.400] – Andy Thompson
I also think end user awareness training—I mentioned that earlier from my grandmother’s perspective—I think it goes a long way in corporate environments as well. Another thing that I think a lot of corporate environments need to be aware of, or start doing, if they’re not already, is operate under that assumed breach mindset. This is really scary, folks. Lapsus$, the organization that’s in the news currently, they are soliciting malicious insiders to establish that foothold, so you don’t have to worry about vulnerabilities. They’re opening the door wide open for these folks.

[00:17:04.240] – Andy Thompson
If you have and operate under an assume breach mindset, you’re watching internally just as aggressively as you are externally for these sorts of malicious threats. So I think a combination of user awareness, technical controls like least privilege, application control, and operating under that assume breach mindset will go a long way in protecting corporate organizations.

[00:17:26.820] – David Puner
So you mentioned a couple things there that I think are pretty interesting. The idea of malicious insiders, what can we possibly do about that?

[00:17:34.660] – Andy Thompson
Watch the watchers. Oftentimes, we’re seeing this from the perspective of an IT organization, a rogue systems administrator, but we need to be aware that that’s no longer the case. I mean, somebody in Accounting or Finance, Procurement, HR, Legal, these people have sensitive information that can be leaked. So again, be aware that it’s no longer just an IT problem. Watch your privileged users for malicious activities.

[00:18:08.290] – Andy Thompson
Make sure that you’re locking down the end user workstation so that in the event that a machine is compromised, that it can’t facilitate reconnaissance, it can’t facilitate lateral movement or privilege escalation. We ultimately want to stop the initial foothold. But in the event that the foothold is already established, we want to make it as difficult as possible to establish that foothold and really propagate that ransomware.

[00:18:34.360] – David Puner
So the last couple of years, we’ve been talking a lot about work from anywhere and how it’s ramped up the opportunities for these malicious actors. How have we come to adapt better to that?

[00:18:45.200] – Andy Thompson
Well, COVID really kind of kickstarted and ramped digital transformation into the next level. What we’ve seen is a mass migration to working remotely, working from home. What I see there is a real risk. We see people working their day jobs from the same machine that their kids are playing Minecraft on. That’s particularly scary, because oftentimes, we see that corporate security controls don’t propagate down to the machines and mobile devices that people are using to do their job, which is really scary.

[00:19:26.680] – Andy Thompson
But we’ve also seen migration to remote access, to secure environments. There are secure ways to tunnel traffic and tunnel your day-to-day job in a remote and secure way. I feel that, in my personal opinion, of course, that the digital transformation that has happened so recently due to COVID is more so exposing us to risk than it is helping us, from a ransomware perspective.

[00:19:58.540] – David Puner
What can happen if an organization does receive that initial infection? Is that just game over, or is there something positive that they can do to get out of that situation?

[00:20:09.620] – Andy Thompson
Not necessarily game over. I mean, yeah, it’s bad. You need to assess the damage, find out what potentially has been encrypted, what ultimately sensitive information or systems have been exposed to this level of an attack. If it’s not in the logs, it didn’t happen. Or you don’t know what you don’t know. So go back to the logs and really find some level of attribution.

[00:20:37.130] – Andy Thompson
But again, it’s not necessarily game over, because if you’re doing things right, you’ve got some level of air-gapped backups to restore from. Ideally, that’s what I would advocate for is never to pay a ransom, but to do your best to facilitate a backup and recovery program. That’s easier said than done. So what I really advocate for is a lot of organizations to do a regular mock ransomware event.

[00:21:07.590] – Andy Thompson
There’s also cyber security insurance, which I’m still on the fence about, but it goes a long way in recovery financially, as well as instantiating some of the basic controls within the organization as well. In order to even receive cyber insurance, the minimum security controls have to be in place. And so that goes a long way in preventing ransomware. But ideally, the controls that we’re recommending here proactively prevent and also help constrain the damage as well. I hope that kind of answers your question.

[00:21:44.930] – David Puner
Yeah, it answers my question in a big way, I think. Thank you for that. We’ve talked about how it started, how it’s evolved, where we’ve been with it in the last few years. Where is this all going? I mean, not that you’ve got a magic ball, but where is it going, and as defenders, how do we best keep on top of that so we can do our jobs successfully?

[00:22:10.690] – Andy Thompson
Oh, wow. Great question. Where is ransomware moving to? I got my answer right now. It’s industrial control systems. I think that’s going to be the next wave of ransomware. Ransomware no longer has to just encrypt files. We’re seeing, again, that double extortion, holding the information for ransom, but also we’re seeing triple extortion.

[00:22:32.330] – David Puner
Yes, I was hoping you would mention that.

[00:22:34.850] – Andy Thompson
[crosstalk 00:22:34] DDoS you. So I think those are some of the advancements that we’re going to see in the ransomware landscape.

[00:22:41.250] – David Puner
Triple extortion doesn’t sound good at all. Maybe I heard this wrong, I’m not sure, but that more and more, ransomware is going to be industry-specific?

[00:22:49.050] – Andy Thompson
Yeah, you’re absolutely right. I mean, it depends on who’s actually the malicious actor behind the keyboard. But we’re seeing industries like healthcare being particularly targeted by certain ransomware operators because of the fact that this is extremely sensitive information that we’re dealing with, and it’s very time-sensitive. There are documented cases that systems being offline have cost people their lives. It really has real ramifications.

[00:23:21.420] – Andy Thompson
There was a famous bank robber, and they were asked, “Why are you robbing banks?” And the answer is, “Because that’s where the money is.” And I think that’s what we’re going to see a lot of in the future. And currently, really, bad actors, these ransomware operators are no longer targeting the piddly onesies and twosies and $100 ransoms. They’re going after $5 million, $11 million ransoms. And so I think what we’re going to see is bigger ransoms and bigger consequences.

[00:23:53.240] – David Puner
Andy, I look forward to doing part two of this podcast sometime in the near future, because you’re just a fantastic wealth of information. If you want to leave the listeners here with one thing, what’s another thing that they should know going out of this conversation about ransomware?

[00:24:10.520] – Andy Thompson
Ransomware is real. It’s evolved over time. It’ll continue to evolve. But at the same time, I think the recommendation is solid, it’s foundational, and it’s not going to change, whether it’s file encryption, whether it’s data exfiltration, whether the instantiation of malware and propagating through the network.

[00:24:36.880] – Andy Thompson
Again, I’ve been dogging on my grandmother real hard on this call today, but she told me something a while back that I thought was really poignant, and it’s something that I want to leave you with. “An ounce of prevention is worth a pound of cure.” And by proactively putting in controls in place, specifically least privilege and application control, end user awareness, these sorts of things really go a long way in protecting your organization.

[00:25:04.070] – David Puner
And if there’s another thing that I’ve taken from this conversation, it is do not mess with Andy’s grandma.

[00:25:10.910] – Andy Thompson
Exactly.

[00:25:12.110] – David Puner
Andy, this has been awesome. Thanks so much.

[00:25:14.950] – Andy Thompson
Thank you for having me.

[00:25:16.150] – David Puner
Talk to you soon.

[00:25:27.210] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment—constructive comment, preferably, but it’s up to you—or an episode suggestion, please drop us an email at [email protected]. And make sure you’re following us wherever you listen to podcasts.