Repelling A Ransomware Attack: Sagi Berco of NanoLock Security On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

The first step is to spread awareness within an organization: Business leaders need to recognize that their devices and businesses are at risk, and their teams need to be ready to respond. As ransomware attackers grow in sophistication, scale, and ambition — as demonstrated by the 2021 Colonial Pipeline hack — businesses must be prepared to defend their technology against threats from all directions and via all methods.

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?

In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Sagi Berco.

Sagi Berco is the Vice President of Research & Development at NanoLock Security, a cybersecurity firm offering a zero-trust, device-level protection and management to secure IoT, OT and connected devices against outsiders, insiders and supply chain cyber events. He has over 20 years of experience in the cybersecurity and technology management industry. Formerly, Sagi worked in the intelligence community, where he took part in the development of several award-winning projects and systems.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Certainly. I was born and raised in Nazareth, in the Northern District of Israel. From a young age and to this day, I’ve always been interested in understanding how everything works — looking at what’s under the hood and how different technologies work. So later, naturally, this character took the dominant side. To enrich my education, I’ve went to a regional school and there I discovered the computers playground. Merging my interests in engineering with the evolving opportunities in technology careers, I received my BSc in Computer Software Engineering and an MBA in Technologies and Digital Business, which has led to a rewarding career in cyber security and software management.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Not a story, but rather than the fact that I’ve learned along my journey: Hacking is like an art. Like a good artist, hackers take an approach that nobody has done before to succeed. That’s why protecting is much more difficult than hacking — as a cybersecurity expert, the task is to anticipate and predict the layout of attacks before they happen, with very little insight into what the hacker’s strategy looks like.

Since I’m a sports fan, I would also offer this analogy: A hacker is like a striker in soccer; you can make many mistakes during the game but scoring one goal makes you the hero. As a cyber defender, you’re like the goalkeeper: You can have the most amazing game, but one mistake will make you the one to blame. While the landscape will never be 100 percent safe, it’s essential to always strive to close more potentials security gaps.

Can you share the most interesting story that happened to you since you began this fascinating career?

The time I spent learning software engineering showed me a fascinating new world, so I’d say that my personal story there has been the most interesting piece of my journey. I guess that learning at a place that gave me the tools to learn rather than “simply” teaching material, established a solid engineering foundation that taught me everything software can really do for the world. This discovery inspired my awe for the industry and has kept me hooked for all these years.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

The first, and for my opinion, the most important one, is to build a root of trust between your peers. Whenever such trust is built, people will follow you and do anything with you. The second is to never stop learning. Learn from your mistakes and keep learning the ever-changing technology. The third character trait that led to my success was maintaining a “will do” attitude — Always find alternative ways to aim the progress vector toward the target. The most un-imagined projects I’ve work on were the ones where you have no idea how you are going to do at the beginning — curiosity paves the path to greatness.

Are you working on any exciting new projects now? How do you think that will help people?

Since I joined the NanoLock Security team last year, I’ve had the privilege of working with several leading managed security service providers, device vendors, system integrators, and developers in creating the best solutions for device security amid digital transformation. A recent focus has been spreading awareness of device vulnerability in hopes of prompting action to defend devices against hacks like ransomware attacks. The most recent demonstration we’ve done has been a white-hat hack of a smart lighting controller of the largest smart lighting manufacturer. A hacked smart lighting controller is not something people usually worry much about but when the same vulnerable technology found in the bulb is also found in other connected devices on military bases or as part of critical infrastructure systems, the risks become a lot more real. By demonstrating vulnerabilities that persist regardless of traditional safeguards, we’re able to educate people on the need for more robust device-level security. It’s a lot cheaper (and safer) to protect devices before they are hacked than to deal with frequently exorbitant remediation costs after a hack, so these demos of ours are valuable in convincing business leaders of that dynamic.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

I wouldn’t define myself as an authority, but rather a person whose experiences have allowed me to truly understand and advise on modern landscape for cyber risks and capabilities.

I’ve worked in cybersecurity for over two decades with an 18-year tenure spent in Israel’s intelligence community. Through my work in various cybersecurity R&D roles and my experience tailoring NanoLock’s cybersecurity solutions for global partners in the energy and industrial sectors, I’ve acquired a robust understanding of how ransomware attacks are been planned, built and executed, and how organizations can prevent them effectively.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

At its simplest level, ransomware works much like a normal ransom: a criminal steals something and demands payment for its safe return. Ransomware is a digital version of this familiar crime where a hacker uses malware to access and seize data until the data’s owner pays a ransom. There are several types of ransomware attacks to be aware of, including the following:

• Ransomware-as-a-Service (RaaS): RaaS is a pay-for-play malware service often practiced by organized groups of hackers who hire out their services to moneyed clients including nation-states. The hacker group will do all the dirty work at the clients’ behest and receive either a cut of the ransom or a simple sum payment. This is more of a business model than an actual style of attack.
• Doxware: Also known as Leakware, Doxware leverages seized sensitive personal or company information against the victim, threatening to distribute private data online or to authorities if a ransom is not paid. The term is borne from “doxing,” which is the online practice of maliciously exposing private info like a public figure’s home address or an anonymous poster’s real name.
• Lockers: As the name suggests, this type of attack completely locks users out of devices to prevent access to files and data. A lock screen will typically communicate the ransom demand and a time-sensitive threat if unpaid. The threat here is not usually the release or destruction of the data, just the inconvenience of being unable to access it.
• Crypto ransomware — This type of attack encrypts data until the victim is willing to pay. It does not fully lock the user from the device as the “Lockers”, but it takes some of the user assets as captives.
• Scareware: Built on scare tactics and sometimes paired with Lockers, scareware delivers a false claim that a virus or other issue requires payment to be resolved. Most internet users have likely stumbled across this type of ransomware in the form of a pop-up declaring your files have been corrupted and only they can fix it. The pop-up is lying of course but wants to scare its victims into compliance.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

Ransomware is a relevant threat for businesses and individuals, but at much different levels. Individuals are easier to hack because their security posture is a personal preference rather than enforced company policy, but individuals offer much less potential reward. Why hack a civilian for $3,000 when you could hack a company for $3 million, right?

Clearly, the strongest actors will aim to target businesses rather than individuals.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

Notify federal law enforcement with all of the details you have available.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

Companies need to approach ransomware attacks as a matter of when they will happen, not if they will happen.

Training your team to respond to ransomware attacks will ensure that in the event of an attack, they can respond immediately and strategically. Contacting a security expert and setting up systems to prevent attacks is always the best first step and should be done before the attacks occur. If that ship has already sailed, CISA recommends freezing systems by taking the network offline, unplugging effected devices, and communicating with your internal team immediately to assess.

Should a victim pay the ransom? Please explain what you mean with an example or story.

A victim should do their best to avoid paying the ransom. There is no guarantee that the attacker will unlock systems after receiving payment and obviously that money only funds and incentivizes future criminality. Though there are situations where paying the ransom can seem like the only option, it’s always best to contact a security expert and law enforcement before doing so. Even if you do end up paying, they will at least be able to help you trace and hopefully recover your funds. This is what happened in the Colonial Pipeline incident, where they paid the ransom but recovered part of it later.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The conception of hacks as something that comes from company outsiders is pretty outdated. Attacks and mistakes from supply chain sources and insiders are becoming more prevalent, in large part because poor cyber hygiene from within a company makes them quite a bit easier. In the cybersecurity realm, any form of automatic trust is a major vulnerability, so organizations should be sure they aren’t prioritizing convenience over security. Saved passwords, automatic privileges, unencrypted credentials, each of these things are forms of misplaced trust that should be nixed.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

In a word, vigilance. Never stop improving your security because bad actors never stop improving their tactics. Always adhere preventive solution over solution that detects after the attack has been took place.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

The first step is to spread awareness within an organization: Business leaders need to recognize that their devices and businesses are at risk, and their teams need to be ready to respond. As ransomware attackers grow in sophistication, scale, and ambition — as demonstrated by the 2021 Colonial Pipeline hack — businesses must be prepared to defend their technology against threats from all directions and via all methods.

After awareness comes proactivity: Adding an additional layer of device protection is essential for critical infrastructure companies. Hackers will find a way in the network– and device-level protection can prevent devastating consequences, especially in industrial machines as well as billions of smart devices such as smart meters.

A third defense is enacting a “Zero Trust’ approach to device and network security. Such a Zero-Trust approach much reject all changes to a device that have not been authenticated– the white-hack hack to a lighting controller that I mentioned earlier is a good example of why this is needed. All we had to do was essentially Google credentials and we were granted privilege.

Fourth, business owners must understand that a multi-step approach is key. For the known vulnerabilities, performing penetration tests using the known attack vectors can help you patch your system on a regular basis. For unknown risks, prioritize preventative security rather than detection solutions. As hacker groups grow more refined, the urgency to build up a diverse defense has never been greater.

Once these steps are taken, continuous evolution of precautions and monitoring is essential. Cybersecurity is an arms race, so if you are standing still, you are losing ground against bad actors.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Living in the modern era brings enough challenges to day-to-day life. My method of delivering good to people would stay in the realm of cybersecurity, combatting catastrophes in that sense as more technologies emerge. Awareness and proactive prevention are everything when it comes to cybersecurity, and that’s something that impacts everyone day to day. Any individual should be able to live without the fear of a cyberattack, and I’m motivated to educate as many people as possible until we achieve a rock-solid guard.

How can our readers further follow your work online?

You can follow me and the other experts at NanoLock on our blog: https://nanolocksecurity.com/blog/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!