Learn from others’ mistakes by reviewing last year’s worst ransomware attacks with Mr. Backup and Prasanna Malaiyandi. Listen to them review the 10 worst attacks from 2021, then discuss lessons learned: Colonial Pipeline, Brenntag, Acer, JBS, Quanta, NBA, AXA, CNA, CD Projekt, and Kaseya. Then they discuss the trends they see, and the lessons we can all learn from these horrible attacks.
W. Curtis Preston: Hi, and welcome to Backup Central’s Restore It All podcast. I’m your host, W. Curtis Preston, AKA Mr. Backup, and I have with me my safe shelving consultant, Prasanna Malaiyandi. How’s it going, Prasanna?
Prasanna: I’m good, Curtis. So hopefully no lawsuits have been filed and no injuries.
W. Curtis Preston: No injuries. You were concerned about the safety of the amount of weight that I was placing on what were essentially just long screws. And I went and got what are called construction lag screws, which is interesting.
W. Curtis Preston: They’re not what we typically think of as lag bolts, but they’re similar thickness and hardness, but they have Torx bits in them, which
Prasanna: is really weird. Yeah. I didn’t realize that those existed.
W. Curtis Preston: And it’s a Torx bit. It’s not the usual; there’s like a standard Torx bit
W. Curtis Preston: that’s in all the screws that I use. This is the next step up, which, interestingly enough, I already had a Torx bit for that size that was left over from what,
Prasanna: Let’s see, from your shed project.
W. Curtis Preston: No, from my solar project.
W. Curtis Preston: That was the last time I was screwing in bolts, screws, of this size.
W. Curtis Preston: I was like, oh, I get to use my tool that I have.
Prasanna: It’s good though, because sometimes you’re like, I hate buying one-off tools, but at least, hey, you’ve used it twice.
W. Curtis Preston: Two amazing things. One is that I got to reuse this tool that I bought. The second, and this should really be
W. Curtis Preston: number one, is that I was able to find it
W. Curtis Preston: because of my new storage system. Storage is good. I think that’s something
Prasanna: having a place to put everything is key. Yeah. And making sure you put things back also.
W. Curtis Preston: Exactly, that is true. I have a landing shelf. It’s literally this high; the next shelf is like two inches or maybe three inches high.
W. Curtis Preston: It’s just enough room to put in any of my tools that I, at that moment, don’t want to go through the trouble of putting back, but I can’t put anything else on that shelf. So I have a landing shelf, so my tools are either in the appropriate bin or on the landing shelf. So it’s not too bad.
W. Curtis Preston: Yeah.
Prasanna: See, my problem with having things like a landing shelf is it’s just going to sit there, and then sooner or later you’re going to be like, yeah, I don’t need to put this away. And then it never goes back.
W. Curtis Preston: That’s the whole point of it. It’s just one place. You know what I mean? It’s just big enough.
W. Curtis Preston: All it takes is a couple of minutes to declutter the storage shelf. That’s true. And it means that if I’m looking for it, it’s either there or there, but yeah.
Prasanna: I know that you talked about having a bucket that you keep tools you’re currently using actively for a project in, just so they’re not lying around everywhere.
W. Curtis Preston: Yeah. It’s a bag. Right. So yeah, I still do that if I’m going to take a bunch of tools, so
W. Curtis Preston: then do you empty the bag and put it on the landing shelf?
W. Curtis Preston: No, if I’m actually emptying the bag, I’m going to put it in the room. Okay. It’s more like I’ve got a tool in my hand and I’m distracted.
W. Curtis Preston: I’ve got to go do the thing. I just want to put it somewhere where I know it’s not going to get lost, because I do have a bad habit of just laying a tool down wherever I happen to be. Where did those channel locks go?
Prasanna: When you were rearranging things in your garage and fixing your garage door that doesn’t move, didn’t you find
Prasanna: I found
W. Curtis Preston: all sorts of tools up in the rafters, although my favorite was the wrench inside the garage door. The garage door is metal and it has lips on it, because it’s a divided garage door, not one solid piece. And there was a random wrench just sitting in one of those.
Prasanna: So I watch a lot of YouTube auto shows, and apparently it’s very common to misplace 10 millimeter sockets.
W. Curtis Preston: So yeah, if you work on foreign cars, 10 millimeters is a very common
Prasanna: thing. And so people have like thirty of the 10 millimeter socket, because they keep losing them.
W. Curtis Preston: Yeah, I should do that. Just get a few 10 millimeter sockets, both sockets and wrenches, the ratcheting wrench. Yep. But we’re going to talk about other people’s problems today. I’m done talking about mine.
W. Curtis Preston: I saw this article that was put out by the, I don’t know how to pronounce this, Touro College, T-O-U-R-O, of Illinois.
W. Curtis Preston: They put out this article that was the top 10 biggest ransomware attacks of 2021. And I was like, oh, how nice of them to summarize all these for us. And there was an interesting thing: for a while they weren’t going after healthcare. Yep. But it looked like that changed in 2021.
Prasanna: Do you remember the hospital in Germany that got hit with ransomware and had to send a patient to another hospital, and the patient died en route? Yeah.
W. Curtis Preston: I remember that story, and so we know of a death via ransomware.
Prasanna: No, but I remember that the ransomware actor apologized, I think, because they were like, oh, we didn’t intend to target hospitals, because that’s not part of our MO.
W. Curtis Preston: But that’s clearly changed. According to this article, they’re saying 600 hospitals, clinics, and other health organizations were impacted by 92 ransomware attacks.
Prasanna: And these are only the ones that we’ve really heard about. How many are there?
W. Curtis Preston: The only ones that we know about. But I think heading off the list is going to be Colonial Pipeline.
W. Curtis Preston: This was the one that really put ransomware on the map.
Prasanna: Oh yeah. And really annoyed the President,
Prasanna: if I recall.
W. Curtis Preston: Yes, it did. And so there was something called the DarkSide gang. They began the attack. They first targeted the firm’s billing system and their internal business network.
W. Curtis Preston: And it basically shut down this pipeline. They didn’t shut down the pipeline per se. They just shut down the pipeline’s ability to do business, which I think is a common thing that we’ll see across some of these. Yeah.
Prasanna: I think what ended up happening is, all across the Eastern seaboard, gas stations
Prasanna: couldn’t actually resupply, right, or refuel, because there was no ability for Colonial to figure out how much gas costs and where and all the rest.
W. Curtis Preston: Yeah, this one is a really interesting thing here. They’re saying that one of the reasons it was particularly dangerous was because consumers started to panic, and they started doing things like hoarding gasoline in flammable plastic bags and bins, and one car even caught fire.
Prasanna: And this was a widespread impact, if I recall, right? So many millions and millions of people affected.
W. Curtis Preston: They did eventually recover. They did actually pay the ransom, and U.S. law enforcement was able to recover much of the ransom payment. They were able to trace the cryptocurrency.
Prasanna: I think we did a podcast about this topic a while ago when this happened. And I think this is also the one where basically the DarkSide gang shut down because there was too much heat put on them, and then they came back as a different ransomware gang.
W. Curtis Preston: Yeah.
W. Curtis Preston: They, quote unquote, went out of business. Yeah. But it’s not like they’re an actual business that’s got to file paperwork. They just stopped doing business as that, and then they just changed their name and do something else. Yes.
W. Curtis Preston: So they were also responsible for the Brenntag attack, which is a chemical distribution company. And they’re saying that it was an even bigger ransom. It was seven and a half million dollars. This one, again, they paid the ransom,
W. Curtis Preston: or they paid part of the ransom.
Prasanna: I don’t know so much about the Colonial Pipeline, but with this one particularly, they also exfiltrated a bunch of data. And so I think the chemical company was a little worried about that.
W. Curtis Preston: That makes sense. That makes sense.
W. Curtis Preston: So that was the DarkSide group. Another one that we have here is the, I’m going to call it REvil. They were a hacker group and they did the one on Acer. Yep. And this is a company you and I should know. Yep.
Prasanna: Acer computers. I remember back in the day, you bought a desktop system,
Prasanna: you either bought an HP, a Compaq, or you bought an Acer or a Gateway. Those were like the four desktop computer companies well known back then, back in the day when
Prasanna: I was a little kid, back in the day, right? And this was another one where, at Acer, REvil actually targeted a vulnerability in Microsoft Exchange and they got access to their files and leaked images of sensitive financial documents and spreadsheets.
Prasanna: And the crazy thing is the ransom that they asked for on this one. I think it was something like 50 million dollars.
W. Curtis Preston: $50 million. They’re thinking, oh, Acer, they’ve got it in the hole. The Acer in the hole. No, that wasn’t any good, but,
Prasanna: but we don’t know though.
Prasanna: Did they actually pay out the ransom?
W. Curtis Preston: It doesn’t say. It’s interesting to see Acer in the news as a victim. You were right, they used to be the big deal, but they haven’t really been a big deal. The last time I remember thinking about Acer much was when I got notified that I was part of a class action lawsuit because they had been putting used parts inside new computers.
Prasanna: So the next one is JBS Foods, which I think I recall as well. It was a meat processing company that’s worldwide.
Prasanna: And I think what they were worried about was food shortages because of this attack, because, it being a high-profile meat company and processing plant, people always worry about toilet paper and food. And so I think the ransom for this one was $11 million, and it was the exact same ransomware group, REvil, that you talked about before, but they were also around this, and it looks like they actually did do the payment.
Prasanna: And it is one of the largest payments of all time. So it looks like the Acer one they did not pay out, but it looks like JBS did pay out.
W. Curtis Preston: I do remember being worried about that. It may have been just more that I was worried about meat shortages.
Prasanna: especially knowing you and your barbecue.
W. Curtis Preston: Yeah. Yeah. I was concerned about it. I probably went and bought three briskets or something.
Prasanna: But it is one of those things. It’s like we saw with the Colonial Pipeline attack as well: consumers panicked. A lot of these things consumers aren’t even aware of, because they’re like, yeah, it’s just another large company, until it actually hits them in their daily lives.
W. Curtis Preston: The next one’s interesting. So it’s a company I had never heard of, Quanta. Like most people, I hadn’t heard of them, but they are one of Apple’s major business partners. So this one was an interesting one, where Quanta was like, no, we’re not, we don’t care. We don’t care what you do.
W. Curtis Preston: This was another exfiltration one. Quanta basically said, we’re not giving you anything, I don’t care. REvil then said, well, fine, we’ll go after Apple. So they targeted Apple, and it’s just the way the summary was written. It just said by May they seem to have called off the attack.
W. Curtis Preston: Yeah. So I’m just really curious what happened with the conversations with Apple.
Prasanna: I think I do remember this one as well. I think what actually ended up happening is what they had published was old documents for outdated Apple plans that were no longer... I think it was maybe 2015, 2016 plans
Prasanna: and designs, and Apple’s moved on since then. So
W. Curtis Preston: interesting. So they were like, yeah, put out the phones for the iPhone 6. We don’t care.
Prasanna: Or I think it was mainly around their laptops and their hardware for that, if I recall what Quanta was used for.
W. Curtis Preston: Interesting. Interesting.
Prasanna: But that’s always an option for companies. You could always say, hey, I’m not going to pay it, because the information you have is no longer relevant to our business.
Prasanna: So this is one I actually hadn’t heard about, and I don’t know about you, but the NBA actually got hit with ransomware as well, and it looks like it was one particular NBA team, the Houston Rockets, which was hit by the Babuk hacker group, and they stole about 500 gigs of confidential data.
Prasanna: They said that they would post all of these, and it had things like contracts of the players and financial information. But no ransom payments were made. And the interesting thing about this is, I know this happened last year. Recently, I think a week or two ago, the San Francisco 49ers were actually hit with ransomware as well.
Prasanna: Yep. So it looks like sports teams are not safe from ransomware.
W. Curtis Preston: No one is safe. And then, so there’s another gang, the Avaddon
W. Curtis Preston: gang. I’ve never heard
W. Curtis Preston: of this. No, I never... I don’t know if that’s how you pronounce it. Avaddon. I don’t know. These are like made-up words, so it’s kind of hard. So they attacked a company called AXA, which is an insurance company.
W. Curtis Preston: This one appears to be a retaliation. This one’s interesting. AXA, which is an insurance company that pays people who suffer ransomware attacks, said that they were going to stop reimbursing ransomware attacks.
W. Curtis Preston: And so they got this attack after that. Kind of ironic. Yeah. It is funny that, you know, the hacker group gained access to three terabytes of data, which is a lot. I don’t know, nothing really seemed to come of it, which I think is a solid response. It doesn’t say if they were trying to leak the data or…
Prasanna: It’s probably one of those things where they’re like, you changed your plans, we’re not happy with it because we’re no longer going to be paid, so we’re going after you. Some of this, I also wonder, did they pay the ransom?
Prasanna: Did they change their policies because of this? What happened? And it’s one of those, like you said, it’s a mystery. You never know what actually ended up going on.
W. Curtis Preston: Exactly.
Prasanna: So the next one is another large insurance firm called CNA, where they were attacked and 15,000 devices were encrypted.
Prasanna: And this was also when people were working remotely. So a lot of this was employees working from their homes or wherever else, and they could no longer access their network and get their work done. It was supposedly linked to a hacker group called Evil Corp and using a
W. Curtis Preston: Great name. That’s a great name for a ransomware
W. Curtis Preston: group, right?
Prasanna: Oh yeah. Do you watch Mr. Robot? Yeah, weren’t they called... Oh, they were called E Corp, but in my mind
Prasanna: it might as well be called Evil Corp. But anyway, apparently it was a new type of malware called Phoenix CryptoLocker that was used for this attack. And once again, they don’t talk about how much the ransom was, did they pay or not, or anything else like that.
W. Curtis Preston: Yeah. You know what, I’m going to do it. If it doesn’t say they paid the ransom, I’m going to believe that they successfully restored and went past that. But it’s interesting. That’s the second cyber insurance company that got attacked. Yeah. Now
Prasanna: it’s hard to tell if that is a cyber insurance or just a large insurance company.
Prasanna: It doesn’t specify.
W. Curtis Preston: It does. In the other article, it says that they do cyber insurance. Gotcha. They’re a big company. Yes.
Prasanna: The one thing that would surprise me though, is with 15,000 devices, everyone working remotely, could you imagine the recovery process from that?
W. Curtis Preston: Yeah. And sadly, many companies don’t back up their mobile devices, which they should, but they don’t, right?
W. Curtis Preston: They see that as wasted money or whatever. I disagree, of course, because I think a lot of companies, especially now that we’re working remotely more and more, data is still on remote devices, despite what everyone wants to do. Yeah. Yeah. So, but I do think, we had Evil Corp.
W. Curtis Preston: We had REvil, we had, what was the first one, the name of the ransomware group, DarkSide, the DarkSide. And then we
Prasanna: also had
W. Curtis Preston: yeah, Avaddon, but this has to be my favorite gang name. It’s the HelloKitty gang.
W. Curtis Preston: Yeah, CD Projekt Red is a video game company based in Poland. They actually accessed source code to the game. It doesn’t say that they threatened to release it, but it looks like they actually deleted the data. And in this case, it specifically said that CD Projekt had backups in place to restore the data.
W. Curtis Preston: Yay. Backups win!
Prasanna: This reminds me of the Toy Story 2 saga, right, where they lost Toy Story 2 while it was being created. And luckily someone who was on leave just happened to have a copy sitting in her home and was able to bring back the data and make sure the movie actually went out the door. Probably actually saved the company too.
W. Curtis Preston: I’ll do our standard disclaimer. Prasanna and I work for different companies.
W. Curtis Preston: He works for Zoom. I work for Druva, and this is not a podcast of either company. And the opinions that you hear are ours. Be sure to rate us at ratethispodcast.com/restore. And if you’re interested in the kinds of things that we’re interested in, then just give me a holler at email@example.com or wcpreston on Twitter and we’ll have you on.
Prasanna: And if you know someone who worked at Pixar during the time of Toy Story 2 and the entire fiasco, please reach out to us. You
W. Curtis Preston: know, we know people. I wonder if those people know other people. We know people in the industry is what I’m saying.
Prasanna: So the last one, the last attack on this list, was Kaseya. And this one I clearly remember. This was the company that was used by a lot of MSPs in order to manage their customers’ environments. And there was an issue in their code that allowed people to get in and get into all of the customers’ accounts as well.
Prasanna: And they started encrypting everything. So instead of just attacking one company, they basically went after infrastructure software used by numerous MSPs, which affected hundreds and thousands of businesses. And for this one, they wanted 70 million in Bitcoin. And I think that this one, they didn’t actually pay out the ransom and they were able to find the encryption keys.
Prasanna: I think the FBI was involved and they found the servers. They were able to get the encryption keys and be able to decrypt people’s data before the ransom was paid. But this was a huge story.
W. Curtis Preston: Yeah, this was a really big one, because it reminded me of the other supply chain attack from the previous year, the SolarWinds attack, where it was via the supply chain.
W. Curtis Preston: They used Kaseya’s Virtual System Administrator to push a fake software update. That’s just evil.
Prasanna: I think SolarWinds was actually 2021, Curtis.
Prasanna: Was it?
W. Curtis Preston: I dunno how... well, maybe it wasn’t ransomware.
Prasanna: It wasn’t ransomware. It was a supply chain attack. It was just a supply chain...
Prasanna: Just only a small little supply chain attack.
W. Curtis Preston: I do like that in the case of Kaseya, the FBI was able to
W. Curtis Preston: do what they do. And they apparently were good enough that they actually hacked the hackers and got the keys.
Prasanna: This one, if I recall, was, they had found the issue, right? Sorry, a security researcher had found the issue and had filed it with them. They were planning to fix it.
Prasanna: And then the hackers basically did a zero-day right before the patch.
W. Curtis Preston: I do remember that. Yep. Yeah. Those bastards.
W. Curtis Preston: When we look back on these attacks, there are some common threads here. I want to save the exfiltration one for the end. It looks like about half of them were what I would call traditional ransomware attacks, where if they had a decent backup, they would be able to recover and not pay the ransom.
W. Curtis Preston: And that’s really the desire in the end, is to not pay the ransom.
Prasanna: Another common thread amongst all of these attacks is that they’re all different industries.
Prasanna: No one is safe from these. We talked earlier in the podcast about healthcare being affected now. Look at all the companies we talked about. There’s no one common pattern amongst all of them. You can’t say that I will not be impacted by ransomware. I think everyone needs to take it seriously and consider and figure out what their contingency plans are when they do get hit.
W. Curtis Preston: The other thing, a few things that I saw in there, was that it somewhat humanized the attackers. And by that, I mean they were susceptible to things that humans are susceptible to. So one would be the fact that there was this, what appeared to be a retaliation attack against an insurance company for saying they’re not going to pay ransoms anymore.
W. Curtis Preston: Also, there were a couple of times where basically the FBI went after them, or they attacked too big of a target, like when they attacked Apple and then suddenly you didn’t hear about it anymore. And I’d like to think that Apple used their connections to the FBI or whatever. It doesn’t say that they did,
W. Curtis Preston: and maybe they didn’t. But I think they picked on somebody a little too big there. And this is probably the best good news I have out of this: that these ransomware entities are human and that they can be stopped in one way or the other. Yeah.
Prasanna: They’re not a nameless organization
Prasanna: that’s just somewhere else, right? It, yes, they are. They are,
W. Curtis Preston: they have really stupid names,
Prasanna: but there are humans in the end. And it’s also interesting to see the amount of infighting amongst the ransomware gangs. How some gangs don’t like each other, gangs are taking over. So there’s almost like a mob-style play or a cartel-style play going on amongst the ransomware gangs themselves.
Prasanna: And it’s one of those things, like there’s no honor among thieves.
W. Curtis Preston: It’d be interesting, to continue your analogy with the cartels, if like REvil says, hey, we get healthcare, and Evil Corp, you can have these guys. They like their turf. That would be kind of funny if they were doing that.
Prasanna: Remember also, a lot of these companies or ransomware gangs, they have affiliates, which is crazy. And so the main company takes a cut of it. Their gang takes a cut of whatever the affiliates do. And so it’s almost like a business of ransomware.
Prasanna: It’s not just really one gang anymore. It’s a whole network of people all working to try to attack companies.
W. Curtis Preston: And communicating via the dark web. If anybody was hoping that there was going to be a reduction, I don’t think that we saw that in 2021.
Prasanna: I don’t think it’s going to happen for 2022.
W. Curtis Preston: I know, in fact, there are those who are concerned right now. So we’re recording this as Russia has invaded Ukraine. The reason I was bringing this up is there is some concern that Russia will begin significant retaliation attacks via cyber attacks.
W. Curtis Preston: We’ll see. We’ll see relatively soon, yep, whether or not that is going to be the case, but we certainly know that they are a big place where a lot of this stuff happens. And we also know that, at least we have significant evidence to suggest that, some of these efforts are funded by the state.
W. Curtis Preston: Yeah. So let’s talk about the piece that I think is the most scary from all of these. And we saw it in a lot of them, and that was exfiltration and threat of exposure.
Prasanna: Yeah. And that’s a big thing for a lot of companies, if you think about their trade secrets, private documents that would harm the reputation of the company or expose trade secrets outside.
Prasanna: It’s those sorts of things that companies are paying an arm and a leg to make sure don’t go out the door. And a lot of these ransomware gangs are going into corporate networks. They’re not actually encrypting anything. They’re just seeing what goes where and what data lies where, and they’re siphoning off that data.
Prasanna: And at the same time, they’re encrypting everything. And it’s not that you could just say, oh, I’m going to go restore my data and bring back my environment, because they have that piece of data out there that they know they can hold over you. And that’s hard to protect against.
Prasanna: Not impossible, but hard.
W. Curtis Preston: Not impossible. That’s what I wanted to talk about, because even though we’re mainly concerned with the backup and restore part of this, my heart goes out to these companies that have suffered that type of attack. And I would say that we’ve had a couple of guests on the podcast that have addressed some of the ways that you can have a more frontline defense. So one of them that comes to mind is the DDI episode, which I didn’t know anything about. Prior to that, I had no idea that they used DNS in that way: this idea where they send a specifically worded string of a URL, essentially a hostname, that if you know what you’re looking for, it’s really obvious to see that this is a command and control server request. And so that was one thing that I think people can use, is to look at modern DDI systems, such as DHCP, DNS, and
W. Curtis Preston: internet map,
W. Curtis Preston: or, oh, I as in IMAP, as in identity management and protection, right? So this idea that you watch outgoing requests, and if you see outgoing requests to what appears to be a command and control server, they would trap it. They would actually satisfy the request; they wouldn’t deny the request. They would just put it into a black hole. But they would note that it happened.
W. Curtis Preston: And then they would just shut off that system from any further requests of any kind and then notify. And this all happens with machine learning and AI type stuff. This is not a human being doing this; it’s automated stuff, by the way.
Prasanna: The I stands for IPAM, not IMP. Same letters.
W. Curtis Preston: IP address management. Okay. So for the record, my first letter was... the P was the protection. IP, because the I
Prasanna: guess I know
W. Curtis Preston: I wasn’t that far off.
W. Curtis Preston: So that’s DDI. Other, and didn’t we have somebody that was monitoring outgoing bandwidth? Or was that just, we had somebody that was monitoring file system stuff.
Prasanna: No, there was also ADI, right? Who had the firewall software.
W. Curtis Preston: Yeah, I think we need to reach out to other companies.
W. Curtis Preston: And by the way, if any of the listeners are aware of the type of... what I’m looking for here is a network monitoring system that monitors all outgoing traffic and uses machine learning or AI, or both, to identify something as different. There is this one IP address in Russia that seems to be receiving a lot of data that didn’t use to get any data.
W. Curtis Preston: And suddenly they’re getting a lot. That’s a perfect application for machine learning. I don’t know what you’re looking for. Just look for something that’s different. Look for patterns; patterns have changed. And then you can set it: if it looks like it’s an exfiltration, shut it down, just shut it down immediately and then yell at me.
W. Curtis Preston: And then, if it’s valid,
Prasanna: then we’ll just enable it and then we’ll learn.
Prasanna: If everybody used DDI and something like that, I think this would kill so much of this. Yeah.
Prasanna: It reminds me of the SCIFs that a lot of the Department of Defense contractors use.
Prasanna: And I’m like, at what point do you just end up going to that sort of model where everything is completely isolated, you’re not connected to any networks, right? Everything is locked down.
W. Curtis Preston: That would be difficult.
Prasanna: I know, in today’s day and age, for a business it is difficult, but
Prasanna: it does come down to somewhat of a network hygiene. Yeah, right. Where you should understand, as the network admin, what’s on your network.
Prasanna: Who should be going out?
Prasanna: Like, what are normal behaviors versus what are anomalies, if you don’t have those automated tools?
W. Curtis Preston: That would really only apply in a small network. You know what I mean?
Prasanna: But you could also think about it without automation, for sure. But at least it’s a starting point.
Prasanna: And for some of these companies that are getting hit, if they’re small enough... because most companies are not going to be the size of Apple, with the ability to influence governments or whoever else to shut down ransomware orgs.
W. Curtis Preston: There aren’t any companies bigger than Apple. So that is fortunate.
W. Curtis Preston: Last time I checked. So ransomware is not going away. Backup helps, and on top of that, I would say automated advanced disaster recovery is also the key here. You need to not wait until you get a disaster or a ransomware attack to start your restore. A modern-day system can restore your data in advance so that if you get a ransomware attack, the data’s ready to go.
W. Curtis Preston: That’s number one.
Prasanna: One thing I would add ahead of that though, Curtis, is have a plan in place. I know you and I have talked about this so many times, right? Don’t just close your eyes and think, oh, this will never happen to me. Assume it will happen to you and make sure you have a plan for how you would recover in case it happens.
W. Curtis Preston: It’s the one time when assuming is a good thing. Being
W. Curtis Preston: a Boy Scout. Isn’t that what it is?
W. Curtis Preston: Oh yeah. Be prepared. Be prepared. Yeah. And then the other thing is that, and we’ve done some episodes on this, even with a good backup and recovery tool, the dwell time of some of these ransomware attacks is such that the data is encrypted over time and that recovery is going to be problematic at best.
W. Curtis Preston: And I know that Druva has a tool to address this. I don’t know if anybody else is addressing this yet, but this idea of ransomware attacks where they encrypt data slowly over several weeks, and they start with the oldest stuff first that nobody’s noticing, and then suddenly you collide and yeah.
Prasanna: Yeah, because the last thing you want is to get hit with ransomware, you restore and recover your environment, and then a day later it respawns itself and re-encrypts your entire environment again.
W. Curtis Preston: Yeah. You don’t want that at all. Yeah. What a mess. All right. Ransomware bad. Recovery good.
W. Curtis Preston: Yup.
Prasanna: But I don’t think it’s the last time we’re going to hear about ransomware.
Prasanna: What I’m looking for, it would be nice if, like what has happened with, what I hope we are on the final edge of, COVID, where we’re now seeing that countries are now switching into endemic mode and we’re going to treat it like the flu, et cetera.
Prasanna: It would be nice if ransomware became an occasional thing, instead of it just being something like every 15 seconds or something, some ridiculous number that I’m hearing. Yeah.
Prasanna: We probably haven’t even heard of 90% of the ransomware cases out there, right? They’re swept under the rug. People pay off the ransomware, right?
W. Curtis Preston: Exactly, and they’re embarrassed. Anyway. Thanks again for a depressing topic. One of my least favorite subjects, and yet we talk about it all the time. I hate bad people that try to,
Prasanna: Yep. Totally agree, Curtis. What’s that? I totally agree. Yes.
W. Curtis Preston: Yeah, bad people suck. Recoveries don’t. All right. Thanks again to our listeners. We’d be nothing without you. Remember to subscribe so that you can restore it all.