In this episode of the CyberHeroes Podcast, we discuss ransomware, its impact on businesses, and how to protect and recover from attacks.
We were joined by Greg Edwards of Canauri, a cybersecurity solutions expert with extensive experience dealing with ransomware threats.
As ransomware attacks constantly evolve, staying informed about the latest trends is crucial to protect your organisation. We explore the shift from targeting individual users to attacking businesses and the increasing prevalence of double extortion, where attackers encrypt data and threaten to leak sensitive information.
The conversation begins with an overview of ransomware, explaining its evolution and how it has become one of the most dangerous business threats. Our expert delves into the different types of ransomware, from the infamous WannaCry to the more recent Ryuk, and how they have affected companies around the globe. We also explore the increasing sophistication of ransomware attacks, emphasising the importance of staying vigilant and proactive when it comes to cybersecurity protection.
As the discussion progresses, we touch on the consequences of ransomware attacks on businesses, highlighting the financial, operational, and reputational damage that can be caused. Our guest shares real-life case studies of companies that have fallen victim to ransomware attacks, providing valuable insights into the risks and lessons that can be learned.
We also examine the role of cyber insurance in mitigating the impact of ransomware attacks and how it has become an essential component of a comprehensive cybersecurity strategy.
To help businesses protect themselves from ransomware attacks, we outline several best practices and preventive measures, emphasising the importance of employee training, regular data backups, and strong password policies. Our guest further elaborates on the role of ransomware prevention solutions, such as Canauri, in safeguarding data and minimising the risk of attacks. We discuss the features and benefits of these solutions, including their ability to detect and block ransomware in real time and assist in the recovery process.
In the latter part of the episode, we delve into the crucial topic of recovering from a ransomware attack. Our guest provides practical advice on the steps to take when faced with an attack, from isolating infected devices to seeking professional assistance. We also discuss the controversial issue of whether to pay the ransom, highlighting the various factors that should be considered before making a decision.
As we wrap up the conversation, we emphasise the importance of continuous learning and cybersecurity training, and of staying up to date with the latest developments in ransomware and cybersecurity. Our guest shares resources and platforms that can help businesses stay informed and better equipped to protect their data and systems.
In conclusion, this episode offers valuable insights and practical advice on ransomware, its impact on businesses, and the various ways to protect and recover from attacks. By understanding the threat and implementing robust cybersecurity measures, businesses can minimise the risk of falling victim to ransomware and ensure their data and operations remain secure.
Join us for this fascinating discussion, and be sure to subscribe to our podcast for more episodes on cybersecurity and other essential topics that matter to you and your business.
As always, the aim is to help you, the listener, better protect your people, profits and reputation from cybercriminals.
If you get value from this, be sure to subscribe, and why not share it with someone you know who would also benefit from it?
Now settle in and enjoy.
M: Hey Greg, great to have you here. And as you know, we are about to talk about ransomware. All things ransomware. And I think, really the best starting point is if you could, in your words, explain what ransomware is to start with, and then what it does, maybe in the second piece.
G: Yeah, absolutely. Thanks for having me on, Mat. The thing about ransomware, what it is, at its core, is it's encryption software. So what it's doing is it's locking the file. So you think about all of the files that you have on your laptop, desktop server, or wherever you have data files, well what ransomware does is it locks those up so that you can't access them, and then requires a password to get access to them. That's what it is at its core. Some of the ransomware that's out there now will do what's called Double Extortion, where they will not only lock the files up, but they will also copy those files and threaten to release them on the dark web if you don't pay.
M: That's not much fun. And unfortunately, it's an increasingly popular form of cyberattack.
G: It's actually the most common now. And really almost all malware is now ransomware. Because when you think about what these cyber attackers are doing and how they get paid, it's either through scams and getting you to pay through an ACH or wire transfer, or extorting and stealing money from you because of some damage that they're doing to you.
And so when you think about malware, which we've had since the early 2000s, (actually into the nineties there was malware), but before 2012, it was really just used more for espionage and really caused your computer to run slowly. Sometimes you'd get a pop-up screen that said "Hey, call this number, and we'll make your computer run faster." Well, if you think about what happened in 2012, Bitcoin came out and cryptocurrency rose.
And so it allowed these attackers to be able to get paid anywhere in the world completely anonymously, which has completely changed the cybersecurity landscape. In a matter of, you know, it's changed in less than ten years, but it's been 11 years since Bitcoin really became popular. It was released in 2009, but it really didn't hit the mainstream until 2012. And now we have thousands and thousands of other cryptocurrencies out there.
M: Yeah, sure. It seems so obvious, now you said it. But actually, I hadn't realised that that was the trigger for the shift from just malicious software to really ransomware because, yeah, the ability to be paid anywhere in the world.
G: Prior to starting Canauri, I owned a company called Access Backup, and we were an off-site backup and disaster recovery company. Starting in again, in 2012, I saw the rise of ransomware happening between 2012 and 2015, which is before really anyone was talking about ransomware or had heard about ransomware. And in that three-year time frame, 20% of our client base was hit by ransomware and required full-on recoveries because of it. And that's, you know, that's before most people even had heard of ransomware or knew anything about it.
M: Yeah, absolutely. So, all right. So thank you. Now it's clear for everyone listening or watching what ransomware is. What are the most common ways that people discover they have been subjected to a ransomware attack? I'm just thinking about going through a step process of the journey of a ransomware attack. So yeah, it's occurred, but how do we find out it's occurred?
G: So lots of different ways. So a lot of times I get called in after the fact, when it's too late, when our software isn't already installed, but in the most recent one, the attackers locked up over 100 database files that this company had stored and exfiltrated them and then encrypted them on the local machine. So when the tech (who was actually one of the IT personnel from this company), went to open one of those database files and couldn't, they then found the ransom note.
And that's a very typical way. I mean, that was a unique case where it was just on one laptop, and it hadn't gone laterally across the rest of the network. But it's still a case where the user goes to access the files, they can't get to them. And that's when they know, and this I mean sometimes happens within a matter of minutes. Usually, it's more like hours, and sometimes it's days. And then these attacks, a lot of times, they'll use what we call a time bomb, where they'll actually start the attack and wait until the holiday weekend (that's a very common event) or even a Friday afternoon - late afternoon, early evening - start the attack so that it can propagate that ransomware and encrypt all of the files before anyone notices.
M: That wouldn't be a great deal of fun to be the person making that discovery. And I mean, what's your advice? So you mentioned the ransomware notes, I'm assuming that's a digital note embedded. That is triggered when you go to open a file and it pops up and says, Guess what?
G: Exactly. And, the thing is, they (the cyber attackers) have tech support numbers where you can call and they'll help you, because most people generally, don't have a crypto wallet and don't even know how to set it up. And so they have tech support, where they'll help you to set up a Bitcoin wallet and help you to pay them.
M: Yeah, the business of ransomware.
G: It absolutely is a business.
M: Yeah, sure. And so now what's your advice to anyone in that situation? What's the first thing they should do?
G: Yeah, so the first thing that you should do is not pay the ransom, if you absolutely can keep from it. But you've got to figure out how they got into the system. So depending on the size of your company, I mean, that's really calling in a cybersecurity solutions expert to determine what the damage is. Have the files been exfiltrated? Are they out of the system? I mean, that's a big, big first item - to make sure that the attackers don't have a backdoor into your network. And then start your recovery process. So determine if you have good backups and can recover from backup. That's the best way to recover. And again, this is if you don't have Canauri, if it's run through the entire network and locked all of the files. And that they haven't deleted the backups as part of the ransomware attack, because that's another common tactic - that the backup files will be sabotaged so that you don't have a recovery point to go back to.
M: Sure. Sure. Canauri your company. Just tell us I guess, how does it work? What's the difference? If Canauri as a piece of software is installed? How does that work?
G: Yeah, so the big differentiator between what Canauri is and what endpoint detection response or antivirus is, is that what Canauri does is it's watching for the action of ransomware actually running. So this is post-execution, you've got the ransomware. It's now running on your network. What Canauri already does is recognise that and isolate and kill either the process that's running the ransomware, or isolates the machine that's running the ransomware, depending on how it's running. And we use bait files or canary files, to seed the network with what's called deception technology. So that we can have a very accurate reading on if it's ransomware or not ransomware. And typically, in a typical ransomware attack, our software will recognise it and stop it in less than a second and less than six files affected.
M: And I guess it raises the alarm as well.
G: Yeah, it does also. It sends a message to the network admin, as to which machine it's coming from, who the user was, what the files were that were hit, beyond a timestamp of when it started and when it was stopped.
M: Sure. And that's a classic example, isn't it? I mean, prevention is the best cure. And I guess with Canauri, it sounds like it doesn't prevent the attack from occurring. It just prevents it from propagating throughout the organisation in its tracks.
G: Exactly. We call our AI a post-execution-termination-algorithm - it's just a fancy way of saying it's an algorithm that is watching the file integrity, and then killing that attack inaccuracy issue.
M: Very clever. And of course, the links to everything we're talking about will be in the show notes. So we're going to come on to AI, but I'm really interested. I mean, sadly, you must have lots of case studies that you could refer to. And it's not nice to hear sad stories, but nonetheless it's nice to learn from case studies. And anyone who has suffered an attack, I'm sure would appreciate their story anonymously being used, if there is a chance that others can benefit from that and learn.
Yeah. Let's. So maybe if we start because I'm interested as well, to try and compare well, for those companies that are prepared, and do have cyber specific policies and procedures in place, and they have a recovery plan in place, and so on, versus those that do not. And the reality of the impact of an attack on those two different examples, organisations, and the speed to recover, the speed of returning back to business operations.
G: Yeah, so I can give you an example. Unfortunately, so many examples. But I can give you an example of a company, that didn't have proper protections, and then give you another example, a company that did have proper protections and still got hit.
So without proper protection, this is a manufacturing company, and I won't name names. But one of their employees opened a malicious email. Ransomware attack started running - without knowing - because typically it's not like the ransom note pops up right away and says, "Hey, you're about to be in trouble". That's all happening behind the scenes and in this case, encrypted their entire server. And in that situation, they decided not to even try to bring that server back online, they luckily had good offsite backups. And even in that case, where they had good backups, it was three days before they had access to their data. Again, by the time that they pulled all the data back to a station, they didn't have another server to put it on. And so it took three days just to get access back to the data and weeks before they had full functionality back up and running. So when you think about what's happening even when you have a good backup, it's still very disruptive to the day-to-day operations. So that company, they really weren't prepared, their antivirus wasn't even updated on every single station. Very poor cyber hygiene.
Another example was a managed service provider that had good practices, but the thing that they didn't have was multi-factor authentication on their remote monitoring and management system - we call it RMM. And what happened is that the attacker spear-phished one of their employees into giving up their credentials, and logged into the RMM. And what an RMM does as remote monitoring and management is exactly what it sounds like. It allows MSPs to control and monitor their clients' systems. In this case, the attackers had access to hundreds of clients directly and encrypted their clients' servers at different clients. And it was that situation. I mean, there was nothing I could do other than console the business owner that eventually reached out to me and got a hold of me. But I mean, imagine eighty separate companies, and now your IT provider's the one that's allowed that in, and it took them, I don't know the whole background. It had to have taken them weeks and weeks to get to everybody and get all of those systems back up assuming they had good backups.
M: And it's easy to imagine that all eighty of those clients then jumped ship and went somewhere else due to lack of trust for sure. Devastating for everyone.
G: Yeah, yeah. A reputation hit even beyond those eighty clients had to be devastating. And you hear stories of ransomware attacks putting companies out of business. That's exactly how it happened.
M: Out of interest with Canauri. Had that been running within the MSP's own infrastructure and on their clients' infrastructure, how is that likely to have been different?
G: Yeah, so even in an attack like that where they had full access, Canauri would have stepped in and stopped that attack. Supply chain attacks, which we haven't even talked about, just came out with the 3CX: Kaseya was another RMM company and tool that had a supply chain attack. And what a supply chain attack is, is where already-known good software is infected with malware, most typically now ransomware. And then that known good software, according to the security and Windows environment systems, starts running the ransomware itself. And in that case, Canauri would, again, stop that attack in its tracks.
M: Sure, sounds like a no brainer, frankly. So, I mean, we often get two comments, one we get there, "I've already got malware in place, you know, we're protected". And we also get the very often "Yeah, but we have a managed service provider. So surely, they're already doing all this stuff".
G: So ask them to prove it. That's what I would say. So managed service providers should be able to give you a monthly report that shows that the basics are covered. So what are those basics - it's a good antivirus and endpoint detection response, it's making sure Drive Encryption is turned on, it's making sure patches are up to date, it's making sure your backups are running. Those are all things that as business owners, the managed service provider should be showing, and giving them those reports to prove that they're doing what they're saying. And as part of that having Canauri installed, of course, I have to plug the company.
M: Yeah, of course. Yeah. Well, I mean, at the end of the day, you bring to this conversation, a wealth of experience. So of course, yes, you have a commercial interest in promoting Canauri. But actually, most of what we're talking about so far, is generic up to date information about the ransomware environment that we're all living with at the end of the day.
G: Yeah, it's a whole new environment that we have now, where the cyber attackers are. They are business units, they're run by criminal organisations that run them like businesses, there's recently been an organisation that laid off forty five of their scam callers. Because their bots were more efficient. They were on the human dialling. And so there are, when you think about, you know, forty five people sitting in a call centre, that their only job is to try and make that call, "Hey, this is Microsoft, we have an urgent update that needs to be installed right now. And we'll get that fixed for you. As you need to connect to your computer go to this website." People do it all the time, but you think about forty five of them sitting in a call centre. And they're laid off because the bots have a better ROI than the human. I mean, they're running it like a business.
M: It is a business. It's a huge global business. And it's a whole industry, isn't it? People have careers as cyber criminals, that's the reality, actually, and you're right. I mean, I think that's a nice segue, actually, when you talk about how the landscape is forever changing. And the use of bots, for example, being used ever more effectively, even by the cybercriminals. The relatively recent, within the last six months, (let's say not to date this too much), democratisation of AI in the form of ChatGPT, in particular. And there are other platforms, but by far, today, ChatGPT is the most prevalent and most widely used. We've certainly talked to our audience already about the likely impacts of that, when it comes to phishing emails, and messaging and so on. But that's really only scratching the surface and given that even ChatGPT as well can write code, and in the wrong hands can write malicious code, and can be used for evil. From your perspective, what's the current impact that AI is having? In the world of, I mean, specifically ransomware, but generally, that the cyber criminals face but also, how do you see it unfolding as we move forward?
G: Yeah, so the biggest things, besides just the better phishing emails, I mean, that's one of the most obvious that's come from the generative AI that's out there right now, but what these organisations are using AI for is to run their attacks in simulation mode to have a high probability. So they'll run it in simulation mode against the most common antivirus tools that are out there to make sure that they're evading those tools, before they release these better phishing campaigns that we're talking about. So that's what I have seen for quite some time as a cat and mouse game, and where the attackers advance, the cybersecurity advances, the attackers advance and AI just ups that game and makes it more complex and more complicated.
M: For both sides of the story.
G: Absolutely. Both sides.
M: And I take it, it's also possible that they could take a version of Canauri and run simulations against that. Absolutely did. Yeah. How do you combat that?
G: We do the same thing. Yeah, hack our own systems, and we are continuously evaluating and hardening our system. So it's not something where we don't have the issue of signature-based antivirus where they're having to release multiple versions of updates per day. But we do have that progression of more complicated attacks. And so we have to attack ourselves, and continuously harden our systems.
M: You know, often I'm left with a sense, almost, I mean, overwhelmed. Yes. For many business owners, they've already, you know, there's already so many challenges that businesses face, you know, the growing prevalence of cyber attack is just another one. But it's very real. And it seems to be front of mind. For a lot of people these days, there's so many reported cases in the media that I guess, it's trending, and insurers are becoming smarter and sharper around what is not included, and so on. But often, when we talk about when we onboard a client into our programme, we talk about, obviously, using long, unique passwords, different one for every login, and so on, and how to make that manageable, of course, is through the use of a password manager app, such as 1Password or Bitwarden, which are the main two that we tend to talk about and use, and I often sense a feeling of almost defeat, you know, yeah, but what stops them from hacking the password manager app? Why can't that be hacked? And of course, technically, there is a risk of that with any software, that it can be compromised. But we tend to go with the "Well, you can only go in history for these particular examples". And at some stage, you can talk about the actual technology that's used. And if, for example, one person wants to be hacked, actually, they don't have the master key to unlock the vault anyway, so and so on, you can talk about all of those things. But technically, there's some really clever people out there with some really clever software. And it's possible that anything can be compromised, no doubt. There's never a guarantee, that you can't, with all the best systems in the world, that you will not still fall victim to some form of cyber attack. But it's that sense of defeat that I find disheartening. And we try and say, well, at some stage, you've got to trust something. Now, I know that you very much talk about an approach that is layered security. And I'd love you to talk to that.
For those business owners, managers, leaders, who are listening to this, the philosophy of layered security. And I guess, the pros and cons of that. I'd love to hear your thoughts around that.
G: Yeah, yeah. So to me what layered security is, is having multiple, multiple layers where the attackers can get through one layer, but not the next. So if you start in a typical ransomware attack, the most common way that they're going to come in is through email. And so having good anti-phishing and scanning of the email as it's coming in, so that's layer one. Then layer two is good antivirus on the machines going to pick up the most common attacks. Layer three then would be endpoint detection and response. So that if it gets through the antivirus that at least the EDR will pick it up. And then beyond that is Canauri. So that if that gets past all of those things and it's actually running, which happens every single day, then it gets stopped. If for some reason Canauri is bypassed and it gets past even that, then you've got backup. And you can recover from backup. And you want it to be offsite and encrypted backup with a different password, as you mentioned, than your typical admin password. And so that is layered security. If they get through one layer, then they'll get stopped by the next, if they get through the next, then they get stopped by that. The downside of that is cost and complexity. And again, do you as a business owner, just throw your hands up or stick your head in the sand and say not gonna do it!? Well, I would say if you're not, if you're not utilising layered security, then your likelihood of being attacked over the next, say three year period is going up and up and up. And I would say greater than 50%. At this point, even no matter where you are in the world, how small your business is, if you have an internet connection and a bank account, you are a target. And so you have to level up and you have to find a managed service provider that can prove to you that they're doing the right things. And so it's a bit of education to understand what those layers of security should be.
And then making sure that the MSP is proving to you that they're doing it, and that they're doing it for themselves.
M: Yeah, absolutely. And of course, the education isn't another piece of the story. Educating staff, supply chain management, are all very different topics and, given your background, disaster recovery as well. And we've talked about backups. And certainly we've got other podcast episodes where we talk specifically about backup and what that should look like. But given your background with disaster recovery, what would your advice be to a business owner or manager who today hasn't got a cybersecurity incident response plan? They don't have a plan. So if they were to fall victim today, they'd be standing there going, Oh, what do I do?
G: Yeah, I see. So number one would be talk to a professional, talk to an MSP that can put that in place for you, and test it. So not only have it put in place, but make sure that it's tested. That's the thing that in my experience, either companies think that they have a disaster recovery plan, but they've never tested it, and think that they're going to be fine - they might be able to recover the files, but it takes them so much longer to get back up and running than they ever expected. And so companies need to go through that process of actually testing the backup and recovery, to know what it's gonna be like when that disaster hits. Because if it's not ransomware, here, where I live in the Midwest, in the US, we have tornadoes that regularly take out entire towns. And one of probably one of the strangest that I've ever dealt with in the disaster recovery, besides hurricanes and tornadoes was a train derailment where the company that was affected, they couldn't go to their office because of a chemical train derailment. And they didn't at that point, they didn't have remote access into their system. And so they were down, other than being able to use our system at that time.
M: Yeah. So basically, the message is seek advice from those who know how to do this stuff and have a plan and then test it. I appreciate the testing part in particular, because it's not just about ticking boxes. It's not just Yeah, yeah, we've got a plan, brilliant, tick the box, don't worry about that then sort of put the plan away. And if ever asked, yeah, we've got a plan. And I think as well, even though none of us like insurance, and we don't like insurance questionnaires. It's not a fun part of life. What we're seeing is very much a trend where those who are underwriting cyber security insurance policies, in particular. The questions are becoming far more specific and detailed and far reaching. And the number of exclusions that are then applied to a policy are growing, and for sure, in the event of a claim we work closely with a number of insurers who offer cyber insurance policies and the number of exclusions are not excused. Rather than that the number of rejected claims is increasing, because they'll go Yeah, tick the box, ticked the box. Yes, yes, yes, yes, yes, yes, we have, yes, we have, and then fall victim to a cyber attack, make a claim. And then the insurer goes, Well, okay. You said yes to all of these things, now demonstrate that you had that in place. You can't just tick the boxes and fingers crossed. Because insurance is business too. And for sure, it's not that they go out of their way to avoid paying a claim, but they'll only pay claims that are based on the information you provided to them. And that's fair enough.
G: Absolutely. And that's where it would come back to the reporting from the managed service provider, not only having the managed service provider help to document and go through the cyber liability application with you, but then making sure that the monthly reports that you get are lining up with what the MSP helped you to say yes to on that report.
M: Yeah, absolutely. I think we might be there, Greg, unless there's any final thoughts you'd like to share? I think that's a really solid introduction to ransomware. The advice you've given is golden, frankly. And for sure, Canauri is a product that we'll link in the show notes and encourage people to check out as we will have an MSP look into Canauri and see how that can fit into the ecosystem of what we offer. Because the logic of what you've described, yeah, makes absolute sense. And, yeah, there clearly is a place in an ecosystem for that - an ecosystem of protection. But is there anything else you'd like to share?
G: So I think the only thing is just to reiterate the, what I call levelling up that companies need to do, and especially now that we've seen the power of AI with ChatGPT coming out that really put in the hands of, well, hundreds of millions of people now, the power of AI, and so that just encourages me more that business owners need to level up their game with not only their use of technology and AI, but their cybersecurity as well.
M: Yeah, absolutely. Sound advice, Greg, thank you very much indeed.
G: Thanks for having me.