RANSOMWARE RECOVERY: Protect your organisation from Ransomware attacks

RANSOMWARE RECOVERY: Protect your organisation from Ransomware attacks

Show Video

[Music] welcome chromecast check it out i'm sam major commercial director for chrome technologies i'm joined once again by detective director ben randall hi sam thanks for having me a topic for today's podcast is talking about ransomware recovery mitigation how to protect yourself against ransomware but obviously you know what is ransomware and how has it evolved over the years so pretty heavy yet interesting topic and one that's certainly from the center a lot of news at the moment we've seen some very high level and very very costly ransoms which i think we can dig into in a bit but if we just peel this back a bit because ransomware is not new you know it's under various different guises and names and if we can just kind of step back god maybe five ten years i think kind of has been a while but kind of what is ransomware you know in your learning opinions yes uh and kind of how did it start and i guess how does it evolve to what we're i'd like to get deep into what we're seeing today because some of it is really interesting yeah yeah let's peel back the onion a little bit as to where to start yeah so fundamentally ransomware is where a a malware a bad player has gained access to your computer or to your data rather and encrypted it they have a private key which you don't have and they i mean back in the early days what they initially did was offer a request a small ransom in return for the private key so you could decrypt your files um more recently that has progressed to encrypting your files and also making a copy of your data exfiltrating it and threatening to expose expose that on the way publicly on the web yeah you know if you don't pay the ransom yeah it's kind of now the double threat yeah absolutely i mean it covers them for the the situation where well it's okay i've got a backup i can restore my data yeah oh but we've got a copy of the data so we can spill it as well so yeah it comes in two ways really double done yeah okay so we're going back to the seo days the first things i remember around ransomware is crypto locker yes so an excuse movements on some of this is obviously i'm not the technical one here um but was that the same as is now after you get infected on a system would that propagate and do it in the same way it does now i guess how's that change i mean i think things have got more sophisticated i mean back then what would happen is typically it would be someone would open a uh an infected file like a pdf classic invoice with something in there yeah and their one machine would encrypt all the data it could find via shares and so on um it's still pretty effective to be honest a lot of users have access to a lot of important important data that they work with day to day um more recently they've become more sophisticated i believe there's elements of ai in there machine learning so they can find their way through a network and get onto servers spread you know within the network in a more intelligent fashion but fundamentally the same thing is really happening it's just that encryption of data you know that's yeah there's also an element of attacking your infrastructure which may provide a way out like say if you've got internal backups who might try and target those backup servers and remove delete reformat drives that sort of thing if you don't have immutable backups interesting actually that's a term that i should be aware of having you know sold storage virtualization for many years yes um but you know the mutual backup not this a new term but it was new to me actually understanding that's a real kind of air gap or fire break whatever you want to call it to to being able to resolve some of these problems yes yes so essentially that's where a backup um isn't just a file that's stored somewhere which you can just go and delete it or encrypt it um fundamentally it's it's a it's a tape sitting on a shelf you can't erase that unless you literally put it in the drive and erase it um or it's in storage which has it with a term immutability so that yeah you can see it but it's kind of it's also right once re re re read only remember it works so you can have a time limit on the ability to delete that i mean that can be done in the cloud um on-prem but and then also that is a really good idea so it means you can't delete the backups that are only a month old or something like that yeah with that i suppose that helps you in a recovery position but as far as someone actually getting access to the data and we talked about the exploration of daytrader copy doesn't resolve that issue right no no i mean ultimately with all these things prevention is better than cure so it's all around security um user education would be a real you know does it always seem to come back to the the problem in the chair yes but uh but yeah so the bottom line is it's phishing awareness it's people knowing to use good passwords yeah additionally there's a technological side to it we can look at multi-factor authentication so even if someone's password is known they haven't got the other faculty yeah so that sort of thing um you've got patching of systems to make sure that there aren't just known vulnerabilities i'm thinking about the exchange vulnerability that was earlier this year which gave remote access um also um having systems which are fundamentally insecure i mean things like remote desktop servers which aren't really in use but still on the internet everyone's forgotten about you know you've got leaked credentials someone logs into that you've given away the keys to the cast web servers that sort of stuff can be particularly vulnerable all these things you have to stay on top of that really and it's it's an ongoing process it's you know it's iterative you need to keep on it regularly and and be aware of where your your standing is in terms of those updates because it is i mean it is becoming particularly scary um looking at some of the data i'm going to cheat and look at some of the notes i've made because some of the numbers far too big for me to remember um but i find it's incredible 48 of businesses have been affected by ransomware in 12 months that's a quote from mime cast so i'm quite happy to quote that one on the podcast on standby that's just to say a major fact um and 50 of those organizations have paid yes now when you think about the average cost of a ransomware attack i think has gone from five years ago of ten thousand dollars and we're now seeing what was the the u.s oil pipeline when was it 70 million i think the colonial pipeline i think they actually paid five million dollars um they got the jbs the um meat suppliers i think they paid 11 million dollars um and most recently you've got corsair who uh of course that's the answer which is the which is an altogether more that's the next level of initially if we go into that in a second actually but certainly there their main initial ransom demand was 70 million dollars i believe that's reduced to 50 million now but yeah so it's a bargain yeah i mean that really brings us on to the click of the case what we call a supply chain attack so that is where you've got a tool cassette used by um msps to support multiple clients and they they use that to roll out patches and that sort of thing um and so cassaya getting breached meant that they got all the people further down in the supply chain yeah um i believe that the the the player involved in that revel um they now this again you and i discussed this off camera it's quite terrifying from a commercial perspective sounds like a great business right but yes but i mean it's terrifying these organizations are there so it would be for those that don't know and i was kind of one of them can you talk us through the business model they put together because it's fantastic it it it is quite professional yeah these aren't just hackers sitting in a bedroom somewhere no what we're looking at is that uh revel uh with their pronunciation sadina kibi or sodino ki b i'm not quite sure how you pronounce it but um their product they've come up with some effective code um and communications platform basically and what they're doing is they're selling this as ransomware as a service so they're franchising the the um you know they've obviously done their own initial attacks and i guess they get more manpower it makes more sense than to franchise it out um so people can pay a cut of the mate you use those tools yeah and pay revel just like a franchise so yeah you know pay a 10 of the profits or something like that and when the ransoms are so big that's significant well yeah let me just talk about being a 70 but kind of reduced to 50 million 10 that is a handsome payday yes yes i believe in in that case with the with the cassaya um attack they're breaking it down the individual um machines underneath which have been affected below that you know they pay the 50 million to get the keys to the whole lot uh if you pay just you can pay on an individual basis it's only forty five thousand dollars support my account server back and i can yeah you get that one back for that and you can see that there's there's because they've gone a little bit smaller that it gets more likely to be paid you know if you are someone a million dollars or something it's probably not going to happen unless they're very low depending on who they are right yeah exactly but a small business might go you know what we can afford 45 000 and it just increases the temptation to pay i read i can't remember which it was it was a local borrower council in england they became a ransomware attack and the demand was something extortionate and that means you went back going we don't have that money yeah we can raise this and it went from being like a million pounds to they could raise 13 000 pounds but okay but the problem with that is obviously you've paid and obviously all the devices you should never pay these ransomware attackers because ultimately a all right you might get the encryption key back there's no guarantee they haven't exfoliated your data there is you're not necessarily in a position where it just won't happen again yeah it's almost a guarantee actually i mean i believe that in a very large number of cases don't quote me on the actual number but where the ransom has been paid and you know presumably they've decrypted their data to some degree of success there's more on that later as well the problem with paying is you're putting a target on your back um you know they you know you're a soft target they're just going to come back for more later it's very common no i totally get that and obviously there's always the risk you pay ransom you don't get your encryption keys or that they've passed on the information they've managed to gather to they can sell it to somebody else there's so many ways that that door can be left open and actually and unfortunately we've had to help a few people to try and resolve recovery yeah and you know uh claw the way back if you like and he's already interesting right because it's a pretty dire situation when this happens but absolutely looking at the process that these people use there's an awful lot of thought that goes into how they do it it's probably you know i know you've been very hands-on with something yes i mean back in the early days several years ago must be about six or seven years ago now we dealt with a crypto locker attack and that was it was fairly basic it would come from one machine we were able to help the the the um the affected company uh purely by restoring from backups yeah um unfortunately in those days they literally just disconnect that machine from the timing and see what damage has been done and recover from backups and pretty much as it was the and this is another part of it actually as it was it had started before the weekend okay nobody had alerted anyone and it ground on throughout the whole weekend and and pretty much everything was done by by the monday or tuesday when when we were contacted yeah um so you know the data was done fortunately they had a decent off-site backup we um they were using a sigra yeah at the time and it was possible to do a run a recovery of all their data and you know they they may have lost a little bit of time but only talking a couple of days worth of data which was for them was was a good safe if you extrapolate that out to bring it now forward to more more modern companies with more business yes and look at the size of the data now just to unpick some of that so um you would turn back the company that uh paid their ransomware and then restored the backup anyway so they realized this one encrypt the encryption was going to take yeah this was actually i believe it was the colonial uh pipeline issue they paid the ransom they got the keys but the decryption was incredibly slow um i i guess that it takes quite a while to encrypt the files and i've not washed it all the time you're not pushing oil it's probably costing yeah just a little bit um so so the the as it happened they had an effective uh backup system in place so they were able to restore so ultimately it was why do they pay i guess is the question it's a good question i mean i don't know the specific of that attack but i know ones we've seen where things like the time that they'll pick knowing the encryption takes a while they'll pick holidays they'll pick time they know people are at the office for an extended amount of time so the malware ransomware section has to be there for a while they've got a way in right and they're waiting i i think it's quite clear uh from certainly the most recent um incidents we had which i believe was the rebel um or someone operating the rebel um service if you can call it that um they they got it we were contacted after um the easter weekend yeah there have been a base i think they've been in there for some time before that and they just they go right okay let's start things going when everyone's away the back's turned it gives it time to grind through it you know in that case companies have a lot of data it takes a long time to encrypt it that's the thing i guess nowadays we actually have a exponential growth of data so everyone even the smaller business large bits have huge amounts of data but i suppose that is one not a blessing as a wrong word but well think how long it takes to encrypt i know it's certainly the case where we managed to give a lot of stuff back because it was taking so long to grind through the encryption right as it happened i mean you know they were unlucky in the fact that there were problems with their backups and and also their on-site backups were actually wiped by the by the well by their players um so but as luck would have it they had so much data that not all of it was encrypted i think it was about 80 was recoverable purely because it hadn't been encrypted yet yeah rather than any other measures they had in place really yeah that's really interesting actually um i'd like to get into you don't mind because i know you were kind of really hands-on with this but we were obviously approached by a company that had suffered an attack as we've you know we've been through and funnily enough it was over an extended period of time they knew those people had been away from the office yeah and it'd just be great if you could talk through some of the so i know it was a pretty bad one and we're able to help them recover an awful lot of data and get them back up and going but there were some pretty interesting things that if they just had to pay more attention it wouldn't have been as bad it'd be interesting to share with the audience because some people watch this and will go i'm good and i think that's great and others might think uh there's things that potentially off the back of this we should go and address yeah absolutely um in that particular instance there were multiple failures which led you know i think if if probably if any one of the things if they hadn't all gone wrong together yeah they probably would have been okay i mean they'd recently started doing rants um uh fishing yeah um phishing assessment tests that's the one i was looking for and a high percentage of their users failed those tests wow um and in fact i think i believe one or two users even admitted to having actually clicked on genuine ransomware um you know phishing links we don't know for sure exactly which one caused the problem but it could have been a combination of them there were things like as i mentioned earlier about a remote desktop server publicly available which actually wasn't in use a lot of users had administration accounts which wasn't strictly necessary so so a high percentage of users could be could give a widespread breach then their backup they didn't have an offsite backup so they and and the backup they had was not immutable um say the the the malware players if you like they had actually i'm sure that a human had been involved because the actual drive where the back officer store was being low level formatted when we actually found it so that took some intervention it wasn't just software did that then you've got um the the issue with their storage had got quite full and they didn't have any they didn't have any real snapshots on their sand storage so even though they had replicas to the other site the most recent snapshot the most recent the company had was encrypted so so it's just a catalogue of unfortunate yeah incidents you know if any one of these it had an immutable backup off-site or inside there they have domain it was striking the the professionalism of the actual web page i was just saying to touch on that because you showed me to see how professional i didn't expect it to look like that yeah yeah it was it was the web page you had they had a private key to access their key for help um where you could they gave their address for their monero um for the ransom to be paid yeah i i believe it was half a million dollars if you responded within seven days after that was a million uh that's what your parking fine if you're paying very much like that very much like that um but yes there was you know once you put it in they gave all those details there's a chat to support for assistance with it and they'll give you a prove who they were by decrypting one file for free one or two files i think it was for free um just to prove that that was what it was and we think we think it's potentially part of the revel uh what do we call it yeah yeah yes it was absolutely it was was revel in a kibi uh i can never pronounce it but yeah if you'd say that word um but yes it was that as far as i can tell wow i guess and the other thing we mentioned on that we saw is obviously i guess what's escalating the ease of this now is bitcoin or ethereum or whatever it might be currency cryptocurrency because now it's not you know transferred this bank account oh what now we can find you it goes off into the ether and it's just kind of driving this certainly very much harder at least um it's it's facilitated that international transfers with very low cost and really no accountability yeah again it goes back like you said having the right technology is the right training they're saying that because you leave the door open these people will find a way in i guess looking at some of the some of the suggestions you'll see will be you know have your cyber essentials personal opinion i don't think it's worth the paper it's written on because it's self-certification right so essentials plus is definitely a step up having someone come in and rub a stamping that you've got yeah the right technologies processes one up from that will be iso 27001 again each time well each time that there are a fairly substantial roundtable yeah and if you've if you've done those properly yeah iso 2700 cyber essentials plus um it means your users will have awareness yeah and and this is really interesting you know as we mentioned earlier the weakest link unfortunately is the people really yeah um but if people are on their guard you're much less likely to get someone click on that link or open that file the i guess the thing with with those certifications whilst as you say it's very important that you you've analyzed and understood the right technologies in place process in place people are educated but it's a point in time once you've got your rubber stamp i'm ce plus or i'm iso 27001 if people you know go right the audits have gone down we're about to do what we're doing you've got a big problem on your hand so i think it's very important that um obviously you know mdr services are out there we do it for our customers um and it's just you know i think it's good practice especially nowadays because this isn't going to slow down no no ransomware's getting more and more aggressive we're seeing more and more attacks the stats i've pulled out earlier people are paying rightly or wrongly it's your business you've got to do something yes so obviously the prevention is is far less costly i'm settling the cure right so i think we need to potentially dig in a bit to what we can do around the mdr and how we can help yeah as you said mdr managed detection response so that would be a service where you've got a um got a service which is keeping an eye on the data from your systems in general so that that could be literally everything they're looking at all the logs and so on when they start noticing those iocs in indicators of compromise they'll be on the phone to to your it department to let you know i mean depending on the level of service in the pro who we're talking about some will actually automatically lock out those machines so it's a laptop or whatever isolate that machine from little network but certainly they'll be you know over the easter weekend you'll get the worrying phone call but at least you've got the call before they've had three days of attack we know it takes a while to grind through right so if you see that the behavior the wrong behavior happening yeah and using ai and using people response and so on to actually go is that right yeah someone go doesn't seem right yes let's stop that you can have systems that shall alert you but unless your staff are really keyed up on on everything that's doing you know you can get alert fatigue so yeah get 500 alerts a day with other systems we use with the prtd stuff and customers that just want to ignore the the flashing red thing because it keeps flashing but that it's because it's something important and yeah when it comes to this stuff it's even more important but that's why we're now seeing you know we're providing for our customers to see more and more people coming to actually have our managed services team we'll suffer the red light fatigue and we'll look at what's going on and we can advise our customers as to what can happen um and that prevention is definitely definitely better than cure yeah and the early response to a detection or something you know the quicker you react the the better you're going to be yeah okay so if we were trying to wrap up i want to kind of guess maybe the three key takeaways i get i mean we know the first one right is education yeah yeah i guess that and then we're going to probably say having the right technologies mm-hmm it's clear i might go for four here man i was going to say well you say technically we've got your your kind of your user login security technology your mfa your good passwords that kind of thing yeah yeah yeah a mutual backup yeah 100 percent if you've if you've got a bank if you assume it's going to be a not if but when and if you've got a solid backup that you can recover from then you're in a much better position than you would be yeah and then you know i guess lastly if you do get that fatigue or something you know you kind of want to outsource the problem working with a good company that can help you with that yeah and almost yeah take that we can there's no perfect solution these things will happen but i think you've said the key thing the fastest response is the best yeah absolutely if we can help our customers do that then fantastic yeah yeah brilliant thank you ben i've actually i've actually learned stuff today which is great as always thanks for joining me yeah good to see you and thank you for joining us once again on chromecast check it out please remember to like subscribe and share if there's anything you'd like to discuss in future episodes do leave that in the comments below thank you [Music] you

2021-08-03 16:47

Show Video

Other news