Repelling A Ransomware Attack: David Ratner of HYAS On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Authority Magazine
Published in Authority Magazine · 19 min read · Apr 24, 2022

Backups, backups, and more backups. Everyone hates backups, until you need them. And many companies give only cursory attention to the backup process. Early in my career I recall the story of an enterprise that needed to recover from backup, only to discover that their backup process was flawed and all thirty days worth of backups were useless! Backup processes need to be tested, repeatedly, to ensure that they can be used when you need them most.

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing David Ratner.

David Ratner is CEO of HYAS. He leads the long-term vision for HYAS and the day-to-day mission to bring confidence to HYAS clients. His career spans various areas of software and technology, from writing code for some of the first and largest mobile and messaging systems to scaling, growing, and exiting multiple venture-backed, private-equity-owned, and public software companies.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was the first west-coast-born child of a native East Coast family. My father had moved out to California to attend Stanford graduate school, and my mom went with him; they both assumed they would move back to the US East Coast after school and never did. So I was born in California, but my entire extended family is in the New Jersey / New York area, and I definitely have characteristics of both coasts.

Having two well-educated parents meant that academia was stressed at a young age; my sister and I had “summer homework” — math assigned by Dad, reading assigned by Mom. I was quite athletic, and played soccer my entire childhood, ran track and cross-country, and even wrestled, but academics always came first. I was definitely on the smaller side — I still remember that my first driver’s license at age 16 listed me as “5’0 and 100 lbs”. Perhaps part of my diminutive size is what led me to become so competitive and prove myself, and I did both athletically and academically. By the time high school ended I was winning both math competitions and races.

I had used various computers in middle school but got my own first one as a Bar Mitzvah present from all the grandparents. The Apple II+ came with only 48k of RAM, needed an extension card to type in lower case, and utilized a modem with suction-cups for dial-up internet at 300 baud. Nevertheless, I loved it and began writing programs in Basic and exploring the early Internet including various Bulletin Board Services (BBS).

At Cornell I was a double major in mathematics and computer science and went on to the University of California in Los Angeles where I received my Masters and PhD in computer science. I was fortunate enough to work on a DARPA-funded research project, and wrote thousands of lines of code to prove that my PhD dissertation would work. I was completely at home writing computer code. I also continued my athletic pursuits, focusing on various martial arts which I started at Cornell and continued in Los Angeles and beyond.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I haven’t always been focused on cyber security, as some of my roles have been in other areas of technology, but I have always been interested in security. I grew up in the age when hacking was more inquisitive than nefarious — a boss and mentor of mine for one of my summer jobs was an original phone phreak, and I will admit that I have sent a fake email or two as I learned about how the Internet works. But I guess what really inspired me and got me started was during my first job at Software.com. We were making highly scalable messaging systems for large ISPs, cable companies, and mobile carriers. In the early days the system would check if the recipient was valid before accepting the message, and quickly hackers and spammers learned that they could utilize this feature to identify all the valid emails at any given installation. I was given the task to outsmart them. I implemented a set of heuristics, essentially a very-early self-learning system, and watched as the spammers tried to outsmart it. It was my first foray into understanding just how “cat and mouse” the cyber security world is, with the realization that as hard as I was working to keep the bad folks out, there were just as many if not more people conspiring to break back in. With a competitive spirit that had steadily grown ever since I was young, and black belt from my instructor in Los Angeles, I was determined to fight back. And win.

Can you share the most interesting story that happened to you since you began this fascinating career?

At one point I was doing a significant amount of business and revenue in Japan, so I was traveling there quite often. On one trip we went out to dinner and drinks with the CEO of one of Japan’s well-known media and communication companies. Over many drinks the CEO and I bonded, and when he discovered that I had trained in Brazilian Jiu-Jitsu with some of the famous people who fought in the UFC, including Vitor Belfort, he got super excited and exclaimed “let’s arm wrestle!” As he was clearing the table and preparing I leaned over to our Japan account manager and whispered for guidance — am I supposed to lose? “YES!” he said quite emphatically! Now losing is not part of my DNA, so let’s just say that I didn’t win and I didn’t lose, and everyone had a good time.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

First off, while I was clearly quite technical, having received my PhD in distributed, replicated file systems, I had the (perhaps rare) ability to explain technology at various levels of complexity depending on who I was speaking with. We’ve all seen the presentation or discussion that starts too deep technically and just gets deeper — I believe that it’s critical to be able to explain how something works differently but still effectively depending on who you are talking to. Just last December I was meeting with a CTO who said to me, “My team has tried to explain to me how this works, but I still don’t get it — make it simple for me”, and within just a few minutes the lightbulb went on and he understood. This ability to explain technology to non-technical people, in a way that made sense, combined with the ability to go deeper technically whenever needed, was recognized by others early in my career and enabled me to get out from behind the computer screen and into the field to work with people, customers, partners, and the market.

Second, I believe it’s difficult to succeed if you don’t have the drive to win. Many talk about competition being bad, and in fact I still remember talking to the People Partner at a famous Venture Capital firm who asked me in a not-very-nice way why I was so competitive. However, without a drive to win, it’s easy to slack off when the road becomes challenging. One of my favorite quotes from Steve Jobs is “If you really look closely, most overnight successes took a long time.” It takes continual hard work, and without a competitive spirit and a drive to succeed, it’s easy to get distracted, dismayed, de-focused, and quit. Nothing worth doing is ever easy, and often it takes digging deep internally to keep pushing. From an early age I was always competitive, and that spirit has definitely helped keep me focused on the big picture.

Finally, there is a difference between having a healthy amount of competitive spirit and simply being a jerk. Being able to cultivate and drive the right culture is critical. While I have always had a drive to win, I have also focused on collaboration, working together, rallying the team, and uniting everyone to achieve the common goal. Team culture, and company culture, is often overlooked but is probably one of if not THE most important thing to work on as a leader, as without it there is no foundation upon which to build and grow. I have always focused on building teams, organizations, and companies that embody the right culture — separately, we’re only as strong as the weakest link, but working together, we can overcome any and all obstacles. I have consistently focused on hiring and organizing people, teams, and organizations to embody a collaborative and consistent culture that removes politics and hero-worship and instead drives accountability, teamwork, and collaboration. A leader is only as good as the people he or she works with, and, partly because of the culture that I drive and embody, I have had the privilege and good fortune to work with some amazing people that I am proud to say are not just incredible people, but are also my friends. And I’d probably be so bold to say that they like working with me too.

Are you working on any exciting new projects now? How do you think that will help people?

To be honest, HYAS takes up most of my time, as we are working hard to fundamentally change the game and give organizations everywhere the visibility and control they need to move forward confidently in this ever-changing world. But when I’m not focused full-forward on HYAS, or working out, I am spending some of my time helping advise other companies. One of the recent ones is a company called Winning Feathers which is focused on helping teach the soft skills that people need to succeed in the world. Most of K-12 education focuses on the hard skills, and we often overlook how critical the soft skills are in forming relationships, working with others, and succeeding in life.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

Even though HYAS is a smaller startup company, we work with some of the largest companies on the planet, and have direct insight into some of the largest attacks around the world. Not only do we work with various Fortune 100 companies such as one of the largest social networks, one of the largest credit card processors, and two of the Fortune 5, but we even work with domestic and international law enforcement. We have helped major companies understand various attacks and either teach bad actors to hunt for easier targets or actually provide enough information for companies to involve law enforcement and have the bad actors arrested. While other cyber security companies hunt bad actors and their attacks, we at HYAS actually see them coming.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

Ransomware is a type of malware (malicious software) used by cyber criminals. Whereas the purpose of malware is usually just to infect, steal data, or cause some form of generic damage, ransomware is specifically designed to block access via encryption to data or key systems. Cyber criminals then demand ransom money, usually paid in some form of crypto-currency, in exchange for the encryption key to release their hold on the enterprise.

In general, ransomware attacks can focus on blocking key computer and/or business functions, often known as locker ransomware, or can focus on encrypting key data but otherwise not interfering with basic functions, generally known as crypto ransomware. Both types, but more generally the second one, can be combined with data exfiltration as well, whereby the bad actor steals the data first prior to encrypting it, thereby threatening to sell or otherwise release it to the public in addition to placing a stranglehold on the enterprise.

Victims of ransomware attacks typically have only a few options after an infection: they can either pay the ransom, try to remove the malware themselves and restore service, or recover from a clean backup version and restart.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

While individuals should always take care to protect their data and devices, most ransomware today is targeted at business. Now, these businesses can be of varying sizes — just because you are a small or medium business (SMB) doesn’t mean you are not a target. In fact, SMBs may actually be targeted disproportionately due to the fact that their security systems are not always as robust as those at large enterprises — a 2021 report indicated that an overwhelming 85% of managed service providers (MSPs) reported attacks against SMBs [cite], and multiple reports indicate that ransomware attacks may be shifting from “big game” hunting to “mid game hunting”, where attackers identify smaller targets that are less likely to trigger a legal or governmental response.

However, with the rise of ransomware in recent years, and the evolution of “ransomware as a service”, where almost anyone can deploy ransomware in minutes, anyone can become a victim if not prepared.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

Who you gonna call? Ghostbusters!

But seriously, it isn’t necessarily “who do you call first”, but “who are the various people you call simultaneously.” In most cases, the local police aren’t equipped or able to handle this kind of event; notifying them should be a secondary action unless the ransomware attack is going to have an effect on local conditions (such as affecting local utilities). A call to the FBI should be first and foremost along with a call not to just any cyber security “expert” but a firm capable of handling ransomware attacks, because you want people experienced not just in handling the tactical “what do I do now” question but capable of performing deep analysis on your network and other assets and determining what else they may have done, where they may have placed additional backdoors, and whether they are still residing inside the enterprise.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

First and foremost — once operations are restored and the ransomware attack is cleaned up, figure out if the bad actors are really out of your network or if they still have entry points and you are still “owned.” This step is vital, and often overlooked. Just because you paid the ransom, or restored from a clean backup, doesn’t mean that they aren’t hiding somewhere else in your network, waiting to exploit you again at some point in the future. Perform a full, detailed analysis. Make users change passwords, especially administrative ones.

Second — don’t play the “CYA” game. Too many organizations focus on figuring out how that bad actor got in, plug that particular hole, and feel that they are now safe. Yes, it is important to address that specific vulnerability. But more importantly, you need to take a look at your overall security posture and address it holistically. For example, most organizations have decent security protecting various entry points, but have almost no visibility into what is exiting the organization. Every known piece of ransomware starts with some exploit to get in, and then requires communication with the outside world, specifically the bad actors’ command-and-control infrastructure, to move around the enterprise, identify data and targets, install a ransomware binary and start the encryption process. Most organizations are completely blind to this communication, and if you were the unfortunate victim of a ransomware attack, it means that you did not notice the nefarious (and potentially disguised) outbound communication to the command-and-control. It’s vital in today’s modern era to install a Protective DNS solution capable of identifying changes in outbound communication patterns and spotting remote destinations that should not be communicated with. Without this level of visibility, you may plug a particular hole, but you will eventually be the victim of the next attack, and another, and another.

Finally — ensure that standard backup and recovery operations are in-place, regularly tested, and work.
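A restore test is the only proof that a backup works, and the same point comes back as item 4 of the five-things list further down. As an added example (not from the interview and not HYAS code), here is the minimal form of that test in Python: record a SHA-256 manifest of the source tree at backup time, restore the archive into a scratch directory that is never the live system, and compare file by file. The directory tree and archive contents are constructed inline; the `exclude` parameter exists only to simulate a backup job that silently drops files, the kind of flaw behind the "thirty days of useless backups" story.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def create_backup(src_dir, archive_path, exclude=()):
    """Write a gzip tarball of src_dir. `exclude` only simulates a flawed backup job
    that silently skips files, which is exactly what a restore test has to catch."""
    src_dir = Path(src_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            if rel not in exclude:
                tar.add(str(path), arcname=rel)


def restore_backup(archive_path, dest_dir):
    """Extract into a scratch directory, never over live data. The 'data' filter
    (Python 3.12+, backported to maintenance releases) rejects absolute and '..' members."""
    Path(dest_dir).mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive_path), "r:gz") as tar:
        try:
            tar.extractall(str(dest_dir), filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(str(dest_dir))


def verify_restore(expected_manifest, restored_dir):
    """Compare a restore against the manifest recorded when the backup was taken."""
    actual = sha256_tree(restored_dir)
    missing = sorted(set(expected_manifest) - set(actual))
    extra = sorted(set(actual) - set(expected_manifest))
    mismatched = sorted(p for p in set(expected_manifest) & set(actual)
                        if expected_manifest[p] != actual[p])
    return {
        "ok": not (missing or extra or mismatched),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def run_demo():
    """Back up a constructed tree twice, once correctly and once with a silent gap,
    restore both into scratch directories and verify; returns (good_report, bad_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"  # constructed sample data, not a real system
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("quarterly numbers\n")
        (src / "ledger.bin").write_bytes(b"\x00\x01\x02" * 1000)
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        expected = sha256_tree(src)  # manifest recorded at backup time

        good_archive = tmp / "good.tar.gz"
        create_backup(src, good_archive)
        restore_backup(good_archive, tmp / "restore_good")
        good = verify_restore(expected, tmp / "restore_good")

        bad_archive = tmp / "bad.tar.gz"
        create_backup(src, bad_archive, exclude={"docs/notes.txt"})
        restore_backup(bad_archive, tmp / "restore_bad")
        bad = verify_restore(expected, tmp / "restore_bad")
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("correct backup restores cleanly:", good["ok"])
    print("flawed backup caught, missing:", bad["missing"])
```

Run this on a schedule against real archives and the report's `ok` flag becomes the metric that matters; a backup job that finishes without error but produces an archive that fails `verify_restore` is the scenario described above.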

Should a victim pay the ransom? Please explain what you mean with an example or story.

This is a hard one to answer. Personally, I hate being held hostage in any scenario, and abhor rewarding a bad actor; it simply validates their business model and encourages them to attack someone else. That being said, it can end up more of a business decision where you need to weigh the variables and make the right decision for the business. For instance: do you have backups, how long would it take to restore from backup, what would be lost if you did and what’s the impact on your business and your customers, how does the ransom cost compare to the revenue lost, do you have cyber insurance and what will it cover — these are just some of the business questions that must be answered.

For example, consider the Colonial Pipeline attack of 2021, in which Colonial Pipeline paid $5M USD to restore operations. They didn’t want to, but felt that this was the only option to rapidly restore service and the best option for customers and the people of the United States. In fact, a majority of CFOs surveyed agreed that Colonial Pipeline had “no choice but to pay.” [cite]

Note that the FBI in the United States does not support the paying of any ransom [cite]. Nevertheless, doing so is not illegal. As of today, a business cannot face criminal charges for paying a cyber ransom because doing so is not a felony or criminal offense. However, at the same time, US business could face civil charges under the Office of Foreign Assets Control’s new policies, because OFAC has sanctions in place against several countries, and you don’t necessarily know where a hacker is operating, and violating an OFAC sanction could result in a significant fine.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

First off, there are a set of obvious things — do you have multi-factor authentication enabled for passwords, do you have the right controls in place to track and decommission assets and systems, enable and disable permissions appropriately? Do you have endpoint protection and anti-phishing solutions and training? Are your systems patched and do you stay current with up-to-date releases?

But more broadly, security is fundamentally a byproduct of visibility; just as you can’t expect anything that you don’t inspect, you can’t enact good security without first having the proper visibility required to understand what’s going on, why is it happening, and should it be happening. First comes visibility, then comes the controls, and combined, you enable security.

In this vein, one of the most common mistakes is not having the right level of visibility, in the right places, and one of the second most common is not actually putting in place automated analysis and controls based on that visibility. It may seem innocuous, but if you don’t know what’s actually happening inside your production network, what traffic is actually flowing through your corporate network, then how will you ever spot the needle in the haystack, much less the needle in the stack of needles? As bad actors improve their ability to hide in plain sight, visibility becomes increasingly more important. In 2021 we heard about a bad actor hiding inside a production network for five years undetected; just recently there was an article about a Chinese hacking tool that went undiscovered for over a decade [cite]. Visibility is critical, now more than ever.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

There are many who support criminalizing the payment of ransom — that is, making it illegal. Most bad actors do this for financial gain, and if they can’t make money with ransomware, they will work to generate income some other way.

However, as I talked about earlier, it’s often a business decision whether or not to pay, and standing on principles can be difficult in the face of major outages and disruption. Criminalizing the payment of ransom could actually cause bad actors to encrypt more vital systems and infrastructure, for instance, just to test resolve. Alternatively, companies may simply pay in secret, and we lose the ability to track and share information, making it easier for bad actors to attack over and over again.

It is for reasons like these that I support technology approaches over government sanctions. As I talked about earlier, there are multiple phases to a ransomware attack — typically this starts with some kind of exploit allowing entry into the enterprise. Often this exploit will be sold to a criminal organization, and they may insert their own custom malware. As they explore the organization and steal data, they learn more about the network, ultimately substituting a special ransomware program for the custom malware and giving it the encryption instructions. Across all these phases, the bad actors are communicating with their command-and-control infrastructure — this is the achilles heel of a ransomware attack. This is where the attack is most easily stopped, because if an organization has the visibility to see those communications, they can stop them, preventing the attack from moving into the next phase and ultimately preventing their systems from being encrypted.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

  1. Protective DNS — on the corporate network. The perimeter is dead, and with new work-from-anywhere models, various IoT devices, and our increasing reliance on complex supply chains and multiple cloud services and shared libraries, the attack surface has never been larger. While it’s good to try, it’s impossible to monitor much less protect and block all possible entry points. What’s common across all exploits, however, is the need to communicate out once installed on the inside, and Protective DNS solutions can spot this anomaly and alert and/or block it in real time. Zero-trust networking is great inside your enterprise; extending zero-trust to the “last hop” outside your enterprise requires Protective DNS.
  2. Protective DNS — monitoring the production network. While many understand the need on the corporate network, most have forgotten about the production network, or don’t have a solution that can add protection without impacting availability, latency, and performance (hint: that was a key consideration and design point for us at HYAS). The production network in many cases has almost gotten out of control with various cloud services and shared libraries and the move from on-prem to the cloud has meant that key visibility controls were traditionally lost. Devops teams can spin-up new assets almost faster than teams can track them, making it even more difficult to understand what is live in the production network and why. And think about that complicated supply-chain attack that may start with a vendor or shared library three degrees of separation from your organization — how are you ever going to find that if not for a Protective DNS solution that understands who you are talking to, why you are talking to them, and if you should be talking to them. This is the evolution of zero-trust networking and a critical piece as we are more reliant than ever on the Cloud, shared components, and complex supply chains. Fortunately, on the production network, this can be deployed in a passive manner such that it can monitor and see everything without impacting availability, performance, or latency.
  3. MFA on accounts and passwords. This may seem obvious, but it is still an issue. I forced my two boys to enable two-factor authentication on their gmail accounts, and even though they are not high-priority targets, sure enough one of them started seeing 2FA messages clearly not from their logins. It’s well-known that the bad actors initially got into Colonial Pipeline through a known password for an account that was not protected with MFA. Authenticator and other authentication-apps are better than SMS verification, but honestly, anything is better than nothing. Without MFA, you might as well simply publish your passwords and/or leave your front door unlocked.
  4. Backups, backups, and more backups. Everyone hates backups, until you need them. And many companies give only cursory attention to the backup process. Early in my career I recall the story of an enterprise that needed to recover from backup, only to discover that their backup process was flawed and all thirty days worth of backups were useless! Backup processes need to be tested, repeatedly, to ensure that they can be used when you need them most.
  5. Employee training. Last but definitely not least, employee training is critical. Phishing and various forms of social engineering are key mechanisms that bad actors continue to use to infiltrate organizations, and training employees to recognize them is a critical line of defense. And I’m not just talking about “don’t click on that link”. Set up processes and procedures for key actions to be confirmed via alternate mechanisms so that a single email can’t result in money going out the door. Remember the attack that started with USB drives in the company parking lot with company logos on them — employees simply carried them into the building. Social engineering covers a lot of “do’s and don’ts”, and having all employees be eyes wide open is often the first line of defense.
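The recurring technical claim of this interview, in the "what should they do" answer, in the command-and-control "Achilles heel" answer, and in items 1 and 2 above, is that whatever the entry point, malware has to resolve and contact infrastructure it was not talking to before, and that outbound DNS visibility is where that shows up. As an added example (not HYAS code or any product's logic), the script below learns a baseline from DNS query logs and then flags three deviations in a later window: a registered domain no host had resolved before, a random-looking leftmost label, and a host whose query volume jumps well above its learned rate. The log format, addresses and domain names are constructed for the example, and the "last two labels" notion of a registered domain is a simplification; a real deployment would use the Public Suffix List and a reputation feed rather than entropy alone.

```python
import math
import re
from collections import Counter

# Constructed sample query logs (fictional hosts and names, not captured traffic).
# One query per line: <epoch-seconds> <client-ip> <queried-name>
BASELINE_LOG = """\
1650000000 10.0.0.11 www.example.com
1650000060 10.0.0.11 mail.example.com
1650000120 10.0.0.12 www.example.com
1650000180 10.0.0.12 updates.example.org
1650000240 10.0.0.11 updates.example.org
1650000300 10.0.0.12 mail.example.com
"""

# Next day: 10.0.0.11 resolves one random-looking name, and 10.0.0.12 fires a
# burst of lookups under a domain the baseline never saw.
RECENT_LOG = """\
1650086400 10.0.0.11 www.example.com
1650086460 10.0.0.11 xk3j9q2v7mzr.example.net
1650086520 10.0.0.12 mail.example.com
""" + "".join(f"1650086600 10.0.0.12 chunk{i}.beacon.example.net\n" for i in range(15))

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Parse log lines into (epoch, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            epoch, client, qname = match.groups()
            records.append((int(epoch), client, qname.rstrip(".").lower()))
    return records


def registered_domain(qname):
    """Collapse a name to its last two labels. Simplification: production code should
    consult the Public Suffix List so that e.g. 'x.co.uk' is handled correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA or tunnelling labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_baseline(records):
    """Learn which registered domains are normal and how much each host usually queries."""
    return {
        "domains": {registered_domain(q) for _, _, q in records},
        "per_client": Counter(client for _, client, _ in records),
    }


def find_anomalies(baseline, records, entropy_threshold=3.0, min_label_len=8, spike_factor=3.0):
    """Return (client, target, reason) tuples for queries that deviate from the baseline."""
    alerts = []
    reported = set()
    for _, client, qname in records:
        domain = registered_domain(qname)
        # Never-seen destination, reported once per (client, domain) pair.
        if domain not in baseline["domains"] and (client, domain) not in reported:
            reported.add((client, domain))
            alerts.append((client, domain, "never-seen destination"))
        # Random-looking leftmost label: a coarse DGA / DNS-tunnelling heuristic.
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            alerts.append((client, qname, "high-entropy label"))
    # Volume spike: a host querying several times more than its learned rate.
    recent = Counter(client for _, client, _ in records)
    for client, count in recent.items():
        usual = baseline["per_client"].get(client, 0)
        if usual and count >= spike_factor * usual:
            alerts.append((client, "*", f"query volume {count} vs baseline {usual}"))
    return alerts


def run_demo():
    """Learn from BASELINE_LOG, then scan RECENT_LOG; returns the alert list."""
    baseline = build_baseline(parse_dns_log(BASELINE_LOG))
    return find_anomalies(baseline, parse_dns_log(RECENT_LOG))


if __name__ == "__main__":
    for client, target, reason in run_demo():
        print(f"{client:10} {target:28} {reason}")
```

The point of the baseline step is the "know who you are talking to and why" visibility described above: the alert on `example.net` fires not because the name is known-bad, but because nothing in the learned window had ever resolved it. In a passive deployment on the production network, as item 2 describes, the same logic runs on mirrored resolver logs and only alerts; on the corporate network the never-seen and high-entropy cases are the ones a Protective DNS resolver would additionally block.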

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I was raised with a huge appreciation for nature. I know that addressing climate change at a global scale is difficult and not something that any one individual can really impact. However, it’s also the type of problem where a lot of small actions can ladder up to produce a large impact. I don’t know what the right answer is, and being a technologist, whether it has one or many different technological solutions. But if I could inspire a movement, it would be to get everyone to think, just for five minutes a day, about how to improve the environment, about what little action they can take today. And together, all those little actions will combine to produce a real effect.

How can our readers further follow your work online?

You are welcome to follow or connect with me on LinkedIn (https://www.linkedin.com/in/davidhratner/) or on Twitter (@davidhratner). I blog regularly, published on the HYAS website at www.hyas.com, and occasionally participate in various podcasts and interviews on YouTube and other platforms. I’m always open to connecting, and I travel often so am happy to grab coffee or a drink in person!

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
