59 — Jeremy Kirk of The Ransomware Files

Shiva Maharaj Kontinuum 0:00
Good morning, ladies and gentlemen. Welcome to another episode of Cybersecurity: Amplified and Intensified. Today we have with us Jeremy Kirk of The Ransomware Files, available on all major podcasting platforms. It’s one of my new favorites, that and Intelligence Matters. Go check them out, like, subscribe. And me too, please. What’s going on?

Jeremy Kirk 0:21
Not much. Thanks for having me. I really appreciate it.

Shiva Maharaj Kontinuum 0:24
Thank you. So I guess if you can just let the listeners and viewers know a little bit about yourself.

Jeremy Kirk 0:29
Yeah, sure. So I’m Jeremy Kirk, I’m an editor with Information Security Media Group, which is a publishing company that’s based in Princeton, New Jersey, so they do information security events, and we also do online stories. And I do video interviews and audio interviews with interesting people in the security field. And I live in Sydney, Australia, so I’m their only employee in Australia. So I’ve been here about 10 years. Okay, cool.

Shiva Maharaj Kontinuum 0:57
So how did you get started with the ransomware files project?

Jeremy Kirk 1:03
You know what? It’s funny, because I think you’ve probably listened to Darknet Diaries before. And Jack Rhysider’s absolutely fantastic podcast. And I listened to that. And I was like, Oh, I just love it. I just love it, love it, love it. It’s audio storytelling. It was super interesting. It was about security. And I kind of thought, I want to do that. And of course, anybody, anybody who listens to Darknet Diaries, I want to do that, right? And realized, Wait, it’s actually really freaking hard. It sounds so easy to do. But what I thought was, I wanted to do a narrative podcast because I was interested in, like, different ways of telling stories. I’ve been traditionally kind of a print person, you know, going back a very long time. And, you know, with the advent of COVID, everything started doing video interviews, really liked it, started doing more audio stuff, was like, this is, this is fun. So I thought, I want to have a narrative podcast, right? So then you got to figure out, well, what’s it going to be about? And I thought, Well, why don’t I make a narrative podcast about ransomware? And I’ll talk to people, organizations who were infected with ransomware and figure out what tips would they pass on to others? What struggles did they have, right? And so that, great, cool, that’s a good topic. Nobody, you know, look at Apple Podcasts and everywhere. Nobody’s doing, nobody’s done anything like this. There were some security ones that touched on ransomware. But there was nothing close to that. And so, and then I was like, great. Now I just got to find people to, you know, participate, right? And it just immediately hit a wall. Because nobody wants to talk about their ransomware infection. And I was thinking like, this is a crazy idea. How am I going to do this, because nobody’s gonna want to talk about this. So eventually, I found a guy, Ski, in Washington who works in Bothell, Washington. And so he works for the Northshore School District.
He’s a, he’s a classic Unix administrator. And he had done a talk at the USENIX conference in Washington, DC about how his school district recovered from Ryuk. And his presentation was up. So he was the first one. I was like, hey, Ski, would you, would you want to do this? It’s like, I’m gonna do it like a story. And so that was like, the pilot was how the school district recovered from Ryuk. And, and then for three months, I pitched organizations and everybody said no, and I was like, I don’t know if I’m gonna do this. I wanted to make six episodes, right? Initially, I was like, that was my goal. I was like, I’ll make a half dozen of these things, if I can. Got the first one, just dead, just absolute crickets approaching any other organization for like 12 weeks. And then I called, pitched an Australian company that does the, they do the software and equipment to print, like, the best-before dates on, like, beer and cheese. So they call themselves, like, an intelligent tracking service. Intelligent, like, I guess, basically, they track the pallets of where things go. And, you know, if you have to recall, like, a pallet of yogurt because of a health concern, like, their software is the one that makes that code and allows you to identify where it’s gone. And they were hit by ransomware as well. And they were like, yeah, we’ll do it. The CEO had a background in technology. So I thought, Oh, he’s probably a good person to approach because he’s gonna really conceptually understand this. And it, and it was a fantastic episode. It was super interesting. They had a really interesting recovery story. But, you know, really, it’s kind of intended to focus on the positive, you know, there’s a lot of ransomware, it’s always like, this company got infected, this company paid, it’s always a lot of shame, you know, in media stories, and I don’t think it should be like that, you know, it’s like these, these events can be existential events for companies, right.
And like, the last thing you should be doing is going to Conti’s website and going, Look, look whose data has been dumped. I’m going to write a story about it, because that’s not really helping the problem. What’s helping the problem is, or what can help solve the problem is, like, sharing these experiences of, like, how did you recover, because you have a really interesting situation, you’re a wastewater plant in Virginia or you’re a manufacturing company in Australia. How did you, you know, walk me through what happened. How did you communicate with your board? How did you communicate with each other? And there’s all kinds of interesting bits that I think are really helpful beyond just, you know, shaming people.

Shiva Maharaj Kontinuum 5:07
You know, it’s interesting that you say that, because I’m not going to say I was above the name and shame. I would go to the sites and say, Okay, who in my neighborhood got hit, neighborhood, state? Okay, yeah. Oh, you’re a competitor of mine. Let’s figure out what, your clients got listed? Let me call him and say, Hey, your provider got hit. You want a new provider? And then one day I sat down. It’s a douche move. I admit it. Regret it. I did it, like, sure, three times. But I sat there. And I had this epiphany moment where it was like, by me doing this, I’m not helping me. I’m not helping the end customer who got hit. The only person I’m helping is the ransomware group. Yeah. Because now, because of that shame, and that fear, they can prey on people. And that’s probably going to help them get hit. And if you’re on LinkedIn, how many IT people are you connected to on LinkedIn? Not a lot? Well, I guess, let me qualify that. Are you connected to a lot of people? A couple hundred? A couple dozen?

Jeremy Kirk 6:16
Hundreds, probably in the thousands by this point.

Shiva Maharaj Kontinuum 6:20
So when there’s a new breach or vulnerability, what’s your feed filled with?

Jeremy Kirk 6:26
Yeah, right. Right. Yeah, it’s a lot of, like, I, it’s weird. If you look at this from, like, a publishing perspective, too. It’s like, well, what my line is, like, Look, if Toyota comes out and says, Hey, we’ve got to shut down our production line because of a cyber attack, you know, which is actually probably most likely a ransomware attack against one of our suppliers, I think that’s a newsworthy event, right? If the company is coming forward. What I really despise is people going to leak sites and tweeting about new victims, right? Because it’s already, because we know how this works, right? It’s like the computer systems, they steal your sensitive data, then they encrypt. And like, if you don’t buy the key, you know, they press you, so like, well, we’re gonna dump your personal, you know, personal data of your employees. And I’m just like, I just, I don’t understand, like, why would you? Why would you clean about that photo of a car accident, right, and tweeting about it? Like, you wouldn’t do that, would you? So why would you do that? So really,

Shiva Maharaj Kontinuum 7:23
that’s a really good comparison for people to think about with this stuff. Because by keeping that stigma of shame on ransomware, you’re only helping the ransomware groups. Absolutely. You’re not doing anything to make anything better. What I’m tired of is the constant regurgitation on LinkedIn, or any of these other social-ish media platforms, where everyone’s posting the same thing. And it’s because, what I think happened, and I don’t know if you’ve noticed this, but I think the average non-technical person is getting incredibly desensitized to ransomware. Because they barely see it every day, all day from, I guess, my peers or me at some point.

Jeremy Kirk 8:06
Yes, yeah. Yeah. I mean, I think the, you know, data breaches and the fact that, the whole privacy thing. I mean, I think that that ship has kind of sailed, because there’s just been so much data and all of our personal data that’s gotten out. I think you’re absolutely right, it’s desensitized people to it. Now, that said, I mean, I think that there’s, particularly in the United States, there’s a need for stronger lead privacy legislation, because it’s always, you know, you need that. It’s crucial for people to trust electronic services to know that there are going to be repercussions for poor information security practices, right. And that’s ultimately what we want. We want companies to be accountable and realize that this is something you need to invest in. And I think that’s it, you know, there has been one positive thing about ransomware, is that a lot of companies are realizing that, right, we have to get our shops in order, otherwise we’re not going to be in business. And then maybe, perhaps, the downstream benefit of that is probably better overall security for, you know, personal data that’s held by companies. It’s like, at least that’s gonna be protected. If you’re protected against ransomware, you’re probably going to be less liable to, you know, lose data as well.

Shiva Maharaj Kontinuum 9:14
I’ve seen the opposite of that, actually. I’ve really seen a lot of companies say, we don’t want to spend this. Look, we’ve always spent, you know, a couple hundred dollars a month. Why do we need to spend $1,500 a month for this? I’m just throwing numbers out. But what I have seen is when a company gets breached, and insurance is picking up the tab, they’ll spend anything. They’ll be like, yeah, let’s get the best AV, let’s get the best firewall. Let’s configure it properly. Let’s use MFA. Yeah, once, once that checkbook stops cutting checks for them, you see, it’s almost predictable how they begin shedding all, yeah, yeah, policies and procedures that they brought into place post-incident. That’s

Jeremy Kirk 9:57
interesting. I mean, I think, you know, cyber insurance, like, yeah, that’s a huge topic in and of itself. I mean, I think it’s, it’s interesting, like, I think that’s gonna change, and the fact that, like, companies aren’t going to be able to just go, Oh, I’ve got a cyber insurance policy, I can just, you know, not do the basics. Because now, you know, the policy limits are coming down, the cost of insurance is going up. Insurers are also making their potential clients meet baseline cybersecurity standards before they even grant policies. So I think, like, this is good. It’s like, if you want to get insured, you have to be sure you’re following, you know, all these kind of, like, CIS kind of basic guidelines, MFA, etc, etc. So I think, I think that’s good, but I don’t think companies are going to be able to be so, um, I guess, like, today’s, yeah, just like, oh, you know, my insurance will cover it. It’s like, well, you know, you’re gonna hit your coverage limit pretty quick. And after that, it’s on, it’s on you, you know. Hopefully, that’s my, my

Shiva Maharaj Kontinuum 10:58
I’ve noticed something very interesting for my customers that are in our “Managed Services” program. For those watching, those are air quotes. When we have to fill out an application form for cyber liability insurance, we play by backing up data. We provide what control it’s mapped to; we like the CIS Controls, version 8. So we give that, we give that binder slash PDF to the underwriter with the application. And on the application, we say, see page so-and-so, or paragraph, or whatever, and they hate that. Because what I’ve noticed is, they want you to self-attest that you’re doing all these things, so that when a breach comes around, they can then ask you for the proof that you did it. And if you didn’t, they can deny your claim.

Jeremy Kirk 11:47
Hmm, hmm. Yeah, I think the self-attestation too, is, you know, I mean, I guess I’d be interested, like, are insurers also asking, do you know, amongst your clients, are they asking, like, show us your last penetration test? Show us some documentation? And if you don’t want

Shiva Maharaj Kontinuum 12:04
that, what they want is for you to say, Yes, sir. Now, whatever your answer is, they want it. But they don’t want proof of it. And to me, it’s a bit disingenuous, because it should be, like, real. Well, I don’t like compliance, because I think it’s all checkboxes. I think if you’re going for cyber liability insurance, and they say to have MFA, you should be giving them data to back up how your MFA is configured, or what you’re using for MFA, and go down the list. Otherwise, a lot of companies are going to think that they’re protected. And if push comes to shove, they’re going to be, their claims will be denied. Oh, yeah,

Jeremy Kirk 12:43
that’s a really good point. Yeah, I haven’t really encountered anybody who’s, I mean, it’s just kind of like talking about insurance, too, is always, you know, very, very kind of touchy. I mean, I will tell you, like, the couple of people I’ve talked to for the podcast, a couple of organizations that had cyber insurance, it totally pulled them out of the muck. I mean, it helped, it helped them get back on their feet way faster than they would have been able to, particularly that Australian company that I was referring to. It’s like, they were able to get people and resources in to help, you know, immediately help rebuild, and data recovery specialists. And it was just, you know, companies, like, they still don’t conceptually realize, like, how bad it’s going to be. You know, they always kind of think, Oh, we put this money into cybersecurity. And they realize that cyber criminals don’t care how much you’ve invested in what, they’re just looking for that one mistake. Right? And they probably do. Yeah, yeah. I

Shiva Maharaj Kontinuum 13:42
remember one of your episodes. I don’t know if it was your last one or maybe it was your second to last episode, it was on Maersk. Yes. And one of the most impressive things about that whole situation is the insurance company losing their claim that it’s an act of

Jeremy Kirk 14:01
war. Oh, right. Right. Yeah. I didn’t include that in the episode. But yeah, right. Because there was a, what, there was another victim of Maersk, or sorry, a victim of NotPetya, yeah, whose claim was denied. And I forget now what it was. Maersk? No, it was, I think it was, I know, I think it was a different company. But anyway, I’m familiar with what you’re talking about. Yeah. And they claim that the insurance denied them because they claimed NotPetya was an act of war. And it’s kind of a mission statement by a nation state. And it’s like, well, what’s, what’s war? What, cyber war, right? That opens up all these gigantic and

Shiva Maharaj Kontinuum 14:39
wordage. The language of the policy didn’t clearly define what that would have been, which I guarantee you the moment they got that judgment, that entire, yeah, which was ripped apart. Done. For the next, yes,

Jeremy Kirk 14:52
yes. Right. Right. Yeah. I mean, I think that’s, that’s probably not great for the insurance industry. Hurry, like me, who’s gonna buy a policy that says, like, if you’re, if you’re attacked in this, because that was a very abstract attack, right? Like, we don’t know, we know that it was aimed at this Ukrainian accounting provider. We don’t know if the intention of the GRU, you know, because that’s who the US Department of Justice, you know, they indicted six GRU agents for the NotPetya attack. We don’t know if that was just, we created a cyber, we created a cyber weapon that just got out of hand, or we don’t care that it got out of hand. All of the above? I mean, who knows? You know, right. But it’s like when you have, and that’s the weird thing about, I guess, risk in cyber, is that you can be way downstream of something that’s happening. And that’s been the fear of what’s going on right now between Ukraine and Russia. There’s just great fears that Russia might use some sort of cyber, you know, malware that gets out of hand and has a bunch of collateral victims around the world. But it does raise a good question of, like, well, is your insurance going to cover this? Like, I think it should. I feel like it should, like, right, like, it’s, it’s

Shiva Maharaj Kontinuum 16:07
gonna be like the terrorism rider here. If you don’t pay the extra fee for it, you’re not going to get it. They’ll offer it, because insurance companies will always figure out a way to get them. Yeah. They’re not going to lose. And that’s

Jeremy Kirk 16:18
a good point. Yeah, that’s a good point. Well, charge me for it, and I’ll decide whether I want to pay for it or not. But don’t, like, post-incident, don’t come back to me and say, Yeah, we’re not going to cover that. You know,

Shiva Maharaj Kontinuum 16:29
very, if you look at what the terrorism coverage costs relative to a general E&O policy, it’s not that much more. But a lot of people forego it. Yeah, yeah. So what are you working on for the next episode?

Jeremy Kirk 16:44
So episode five was about Texas and REvil. So if you remember what happened in Texas, there was a very small MSSP that did a lot of work for Texas governments, and their systems were corrupted, or basically infected by REvil, which then used their RMM software to infect all these cities. So that incident was probably, like, the biggest one in 2019, or at least one of the biggest. So I’m doing a sister episode of that one, which also involves REvil and Kaseya. And so there’s, there’s strong parallels between these two incidents. You know, both were REvil. Both were arguably kind of supply chain style. I know people bicker over what’s a supply chain attack and what’s not. But I think you put those in the same bucket as a supply chain style attack. The US Department of Justice announced the indictments for two men on the same day for both of those attacks, which has made a lot of people feel really good. Because, you know, those were both enormous incidents, and a lot of ransomware incidents just result in absolutely nothing on the law enforcement side. So, so I thought those would, like, those would pair together really, really well. So now I’m working on the VSA app. So I hope to have it out by the end of the month. But it’s a really, as we all know, it’s a really complicated story. It’s a really crazy story. And it’s one that I’m really looking forward to telling, because I’ve got a lot of great people that are going to be in it.

Shiva Maharaj Kontinuum 18:11
It’s, I think, my listeners here know that I’m no fan of Kaseya. So I, I’m impatiently waiting for you to drop that episode, because anything I can find out would be fantastic. Yeah, look, I

Jeremy Kirk 18:25
mean, you know, the podcast, I try to really make it, like, an accurate representation of events, you know, and not, not let it be grievance-based. You know, because there’s a lot of, I mean, ransomware can leave a lot of bitter taste in people’s mouths, depending on what end you’re on. But I’m happy to say for this episode, Kaseya is going to participate, which is great, because I really wanted them to give their perspective on, on, you know, what happened as well. And, you know, the episode is about looking forward, and how do we stop these things, and, you know, what have MSPs learned. So I think there’s definitely, I’ve got two MSPs in it, possibly a third is going to be in it as well. And these were MSPs whose downstream customers were dramatically affected by this. In fact, one of them had, I think, all of his customers, which were like 80 customers, all of them were infected. But they have a great story, because they had good backups. And so they were able to get back on their feet pretty quick. So, you know, all these things, that episode is really going to tell, you know, some intricacies about this attack and sort of how people, you know, how people recovered. So

Shiva Maharaj Kontinuum 19:29
that was one of the interesting things about this REvil attack. They are, they’re really well known for deleting shadow copies and backup systems. But I don’t know. Kaseya customers got incredibly lucky that backups were left intact. Almost one.

Jeremy Kirk 19:47
Yeah. And so the question is, well, why? Why didn’t REvil delete shadow copies? Why didn’t they exfil data before? Those were the two big things: they didn’t exfil before, and they didn’t do shadow copies. So why, why did this happen? So there’s some theories about it, right. And this kind of goes back to how Kaseya’s VSA product was exploited in the first place. So we know, and this is all, this is all public. This is all public stuff. Back in April 2021, the Dutch group DIVD, researchers told Kaseya that they found, you know, a lot of serious vulnerabilities. And Kaseya was in the process of trying to patch those prior to that July 2, 2021 attack. We know that REvil somehow discovered the authentication bypass in VSA, for on-premises VSA. And that kicked off the attack. Kaseya was really, really close to patching, but they figured it out first. And, you know, this is just kind of, like, a really extraordinary kind of situation. So one theory is that maybe REvil, they figured out the bug, they thought, oh, Kaseya is gonna patch this quick, we just got to hit it, you know, and they hit it in a really automated way. Just skipped over exfilling data, because that takes a bunch of time and could raise alarms, skipped over deleting shadow copies, or like, right, we’re just gonna hit everybody as fast as we can, because we know this is going to be closed really quick. I think there’s a pretty viable, viable theory that they just hurried up and just did it while the window of opportunity was open. But luckily, that helped a lot of people. You know, it was, it was, it was really, you know, it was really quite an oversight by REvil, but one that helped out a lot of people. And just to go back to episode five with Texas, there’s something similar that happened to, like, when REvil got into the MSP’s ScreenConnect. There were like 23 systems, one each belonging to every city.
And then the 24th was the actual ScreenConnect server that they were using to push, push the ransomware to all the things, and they accidentally encrypted that server that they were using, right, so it just shut down their attack. They couldn’t get in anymore. And again, that was just another kind of dumb thing that the attackers did that helped out. I mean, that because, like, that little MSP in Texas, they did services for, like, cities in Florida and elsewhere. I didn’t even realize this until later, they had a bunch of other clients. It could have been far, far worse. But because the attackers encrypted their own system that they were using, that stopped it, right. And so the damage was limited at that point. They cut off their access point. So again, it’s like a lot of these things, like, they just get, like, lucky breaks, because attackers are just like, I don’t know, you know, they just make mistakes, luckily,

Shiva Maharaj Kontinuum 22:35
it’s these attackers living off the land. So when they see the opportunity, they’re gonna go for it. And if they think, you know, maybe they knew Kaseya was very close to patching, or maybe they thought Kaseya was very close to patching. So they executed and took what they could have gotten. Yeah, yeah, right. Right. I know you may want to keep this close to your vest for the release of the podcast, but, are you gonna, let me phrase this easily for you. So you can say, piss off, for any information on how Kaseya got the master decryptor?

Jeremy Kirk 23:09
Look, I’ll tell you right now, that that is, it’s, it, that’s, like, confidential information. But so I can’t, that, no, nobody ever told me that. I mean, that, of course, would be interesting. But I think one bit to look at, in respect to that, is that, you know, a couple of weeks ago, we saw the big Conti leaks, right? And so there were security researchers up in that group’s Jabber server for ages. And, you know, we know at least with the Kaseya incident, we know from the Washington Post, that Potter story, that basically, it was either the FBI or one of its partners or a security company, they got into REvil’s systems, right. So, you know, nobody will say that on, on the record. But, you know, ransomware crims have terrible opsec, you know, they make mistakes all the time. And I think what’s happened in the last year or so is that, you know, governments like Australia and the US and elsewhere are saying, like, Yeah, we’re gonna go after you offensively. And that was, that was the Kaseya, that incident was the first sort of real example of offensive action against ransomware promos, because the FBI and its partners, or whoever, that key was obtained almost within a day or two of the incident actually happening. And if you look at, like, what happened leading up to Kaseya, right, you had Colonial, that was DarkSide, but DarkSide was an affiliate that was pretty close to REvil. You had JBS Foods, and then you had Kaseya, alright. So because, you know, REvil had been waving its arms, like, look at us. Look at us. We’re a bunch of, you know, flagrant cyber criminals. And I think law enforcement, everybody said, No, this isn’t gonna happen again, you know, and it happened again. They were like, they were ready next time it happened to get that key. And of course, there’s more. Another fascinating part of the Kaseya story is that, you know, the FBI held the key for three weeks because they were working on, you know, kind of a clandestine action against the group.
And there was some controversy over, well, should they have released the key sooner, and there’s lots of opinions about that. But it’s a fascinating situation. And it just goes to show how difficult it is to fight these groups, or, or it actually, actually shows you a real law enforcement success. Getting the key was a big success. And, you know, it shows that, hey, these efforts will work over time, you know, and they will.

Shiva Maharaj Kontinuum 25:28
What are your thoughts on, now, let me preface this. I’ve always been under the belief that ransomware groups are far more dynamic than we are as protectors. With Conti being breached, REvil being breached, DarkSide or DarkMatter, dark, dark, whoever, their crypto taken away by the FBI. Do you think they are smart enough to begin subverting some of these actions in the future?

Jeremy Kirk 26:00
Yeah, I mean, absolutely. I mean, everybody learns from their mistakes. I mean, I think at the same time, there’s always kind of a, probably the fact that, you know, ransomware criminals are working in places where we haven’t seen a whole lot of law enforcement action. We did see Russia arrest, I forget how many, I think it was probably 14 REvil, or

Shiva Maharaj Kontinuum 26:23
REvil round-ups in the days leading up to Ukraine? Yeah.

Jeremy Kirk 26:27
Yeah. So I mean, I think that will spur some deterrence, perhaps. But I mean, I still think they’re operating really, and they continue to operate in a vacuum, where it’s just really easy to, to not have a lot of fear and not have a lot of worry. And yeah, everybody’s gonna, you know, with everything that happens on the law enforcement side, they’re going to get better and probably take some more protections. But then again, it’s just like that sort of game that, you know, attackers and defenders are always sort of playing, like, you know, attackers are always gonna get a little bit better, defenders gonna get a little bit better too, offensive people are gonna get a little bit better. And there’s always some little wrinkle in all of it that, you know, that it’s just kind of, that’s just kind of the game. But I don’t think that they’ll get to the point where they’ll be undefeatable. You know, like, I think there will always be opportunity. It’s,

Shiva Maharaj Kontinuum 27:18
it’s just going to be a perpetual game of, yeah, mouse. Yeah. I mean, Conti, their servers were breached, or what have you, a couple of weeks ago, and they’re back to enchanting and cleaning victims. So

Jeremy Kirk 27:31
yeah, I mean, I think everybody hoped, and, you know, we also saw some, I saw some of those accounts too, that, like, there were these anonymous Twitter accounts popping up with photos of Russian men who supposedly were linked to nicks in those Conti leaks. Now, whether that is accurate, who knows, whether those men are affiliated with the FSB. Some essentially, that’s it, is less, that’s unproven, I think, from what’s been shown so far. I think you have to look at that really critically. And it’s easy to get kind of, you know, we know what happened, and all that comes from the Yahoo stuff, you know, years ago, when it was, you know, it’s shown that, like, there was contact between some of, like, the LinkedIn breach, or the guy who breached LinkedIn, and I think the guy who breached Yahoo. It was shown that there was some interaction with the Russian government. So I think it’s easy to get kind of whipped up about this kind of stuff. But I don’t think there’s been any definitive link to say, yeah, these, this person, these people are definitively linked to the FSB, or, you know, you have to be very careful, I think, with attribution and doxxing people. And, you know,

Shiva Maharaj Kontinuum 28:34
I think that it’s about a sorry,

Jeremy Kirk 28:36
I just, the last point, I think that’s another thing too, about security researchers just kind of dumping stuff, because there might be law enforcement action pending. And that might screw it up. If you’re dumping, like, photos of people and their birth dates and photos of their passport. I mean, I get it, like, you know, people want to get attention for the research. But I also think that maybe, maybe you should just share that with law enforcement, if you think that, not stick it on Twitter, because it might screw everything up, you know, if they have pending actions.

Shiva Maharaj Kontinuum 29:04
So the question is, depending on some of the countries, it’s unlikely that giving it to law enforcement is going to do any good. Very

Jeremy Kirk 29:11
true. Very true. I mean, you know, I think, you know, the US particularly over the years, especially with, like, the Chinese government, you know, they’ve just basically named people and put people in indictments, and they know that they’ll never charge them. But I think I, I think that does help deterrence. Absolutely. Because I don’t think anybody wants to be permanently on the FBI Most Wanted list, even if they are in Russia or China. I mean, I think that that’s, you know, it’s like, you can’t leave your country for the rest of your life. Basically,

Shiva Maharaj Kontinuum 29:41
you’re leaving anyway.

Jeremy Kirk 29:43
Yeah, very true. Very true. I mean, you know, maybe they don’t care, you know, so

Shiva Maharaj Kontinuum 29:48
better living. A lot of these, a lot of these guys, if they really are state sponsored to a degree, they live in the lap of luxury, as long as they’re still of use to whatever agency is using them.

Unknown Speaker 30:00
Sure, yeah. Yeah, absolutely. Yeah.

Shiva Maharaj Kontinuum 30:04
The one thing I’m, I’m scared for, with all the ransomware arrests, and especially the extraditions, there have been a lot from Korea, Ukraine and Israel, if I’m not mistaken, it’s going to make these guys stop traveling eventually. And they’re gonna stay in Russia or countries that are willing to turn a blind eye. And how do you stop them at that point? I’m not saying stop extradition by any means. But, you know, that’s a side effect of it.

Unknown Speaker 30:32
Yeah, absolutely. I mean, there’s no, there’s no extradition treaty between the US and Russia. You know, there’s no, there’s never been, so. I mean, there’s just, you know, even the current conflict with Ukraine aside, you know, there’s never a chance that these people were gonna, you know, face justice, although they did get Vasinskyi, the guy for Kaseya, because he crossed into Poland. Yeah, yeah. So now he’s in Texas.

Shiva Maharaj Kontinuum 30:58
There was a, there was another extradition of a Canadian gentleman. Associated with dark matter.

Unknown Speaker 31:04
Yeah, it was NetWalker. NetWalker, I think

Shiva Maharaj Kontinuum 31:07
well, yeah. Walk your dog. And I think they’re all the same. Taylor Swift

Unknown Speaker 31:11
or to keep track of the linkage. I mean, I struggled with it too, honestly. Yeah, but that’s another victory too. I mean, yeah. That’s kind of, yeah, it was interesting that he was just in Canada run in front and ran somewhere. But, you know, I, that’s great. It’s great. Because I think, like, probably even to, like, people who are in Western countries getting in on ransomware, like, that’s probably really, really risky.

Shiva Maharaj Kontinuum 31:36
That’s good. No, no, for them. Quite honest. Yeah, it’s, yeah, you’re gonna do it. It’s one. I think it’s one, hate to say this. It’s one thing if you’re doing it in the Far East, than if you’re doing it here in the West. SAC. Yeah. Yeah. So anything else? What else do you have planned for the ransomware files? After Kaseya? Oh, is that number six and done?

Unknown Speaker 31:56
That’s gonna be number six. Well, my god, yeah. Like I said, my goal was to hit six. But actually, I think there’s some more stories I’d like to tell. You know, I think I’d like to tell one around Conti, because that was, that’s still just such a huge prolific gang. And I think, I think, sorry,

Shiva Maharaj Kontinuum 32:13
2 billion, I think they collected your main wallet. That’s preucil. 2 billion, I think it was.

Unknown Speaker 32:19
It was, it’s enormous amounts of money. And it’s enormous amounts of money. I mean, yeah, like, I think, you know, I think I can hit 10 episodes. And I think that all I would, I really want to get, though, I really want to get an organization that paid. Right. So everybody that I’ve spoken to has not paid. A couple said paying was potentially on the table at first, but once they calmed down, looked at the backup situation, had a good forensics analysis, they said, yeah, you know, it wasn’t on our radar then, at that point. But I would like to get an organization that paid because, I mean, I think morally paying is really vexed, right? You don’t want to give cyber criminals more money, because that just emboldens them. But also, you know, if you’re, like, a company that has, like, 60 employees, and, like, you’re literally going to go out of business unless you get this decryption key, I can understand why you would pay. And I think, you know, to look at it from the perspective of, is this, is this better? Is it better for this company to go out of business? Or is it better to give cyber criminals money? I think sometimes it’s probably better to give cyber criminals money, maybe in some cases, but overall, generally, I think we have to stop paying them, though. That’s, that’s the big thing. Because when they stop getting paid, they will stop this. They’ll move on to, you know, the old school banking malware, etc.

Shiva Maharaj Kontinuum 33:40
And there’s someone you should speak to on that. Or, yeah, on YouTube, Cyber Matt Lee. Matt, I’m calling you out, buddy. Sorry. He is all about raising the tide of IT providers, so that you can get customers to really not have to pay, have your, you know, have your stuff to a point where your backups work, you have an incident response plan. So there’ll be an interesting conversation for you, I think. Yeah. Well,

Unknown Speaker 34:06
I got a question for you. I mean, since you run an MSP, I mean, what’s the state of your clients’ backups? And how concerned are they about ransomware?

Shiva Maharaj Kontinuum 34:15
So backups have taken a really interesting turn for me. Because in the SMB there’s a lot more SaaS applications, and we have no way to back those up. So in essence, the two things we’re left to back up are the Microsoft 365 tenancy, whatever’s in email, SharePoint, OneDrive, and QuickBooks, if you’re using the desktop version. What was that again? QuickBooks, okay, the accounting platform. Other than that, in the SMB, there’s not much need for backups anymore, quite honestly, outside of those two scenarios, and a lot of companies are going to QuickBooks Online. So again, you’re losing your, we’re losing the ability to back that up, and we have to rely on QuickBooks to not have a mess.

Unknown Speaker 35:02
Right? Right. Yeah. Well, that’s positive. I mean, SaaS can, SaaS can definitely help. I mean, you know, a lot of these incidents are centered on, you know, the stuff that you have on prem, right, that gets encrypted. Like, that’s a lot of the long before.

Shiva Maharaj Kontinuum 35:17
The ransomware operators realize, wait, there’s no data on prem anymore. Let’s go after these cloud providers who’ve been offering features and not secure. Yeah, I mean, I don’t, I’m not gonna name any names, because, like, quite honestly, I couldn’t legitimately name a SaaS provider that has really poor security. But just imagine, pick any of the big CRM companies out there. If they’re cloud hosted, and they get breached, and all the files get ransomed, and there’s no backup left, their business is gone, and thousands of their customers’ businesses are gone. Yeah, yeah. I think the next iteration for SaaS is going to be for the big providers to allow the users to back up their data, whether it’s a download, manual download, or download that gets emailed to them. Some version of that. We can’t keep trusting the SaaS companies to keep the only copy of our data.

Unknown Speaker 36:14
Sure, sure. And that’s another thing about cloud, using cloud services, is that you don’t know how good their security is on the other side, right? It’s just a box, a black box on the internet that you’re using. You know, it’s, you have a computer, it’s somebody else’s computer, you know, and, like, you know, it’s like,

Unknown Speaker 36:35
it is it has

Unknown Speaker 36:36
security benefits, but there’s also just things that you’re never gonna see, you know, until later, until you hear about something bad happening. And you’re just, yeah, that’s where your trust is. But you have to trust something. Do you trust yourself, or trust your cloud provider? Who do you trust more? Well, everybody can make a mistake. So

Shiva Maharaj Kontinuum 36:52
can you imagine what would happen if a company like Salesforce got breached? I don’t wish it on them. Um, this is not me wishing, but just because of their scale. Yeah, if all data was lost, it would be game over for a lot of different businesses in a lot of different industries.

Unknown Speaker 37:08
Yeah, yeah. I mean, I would think that a company of that scale would have, you know, a very rigorous backup regime and disaster recovery. But, you know, I mean, predicting, who predicted SolarWinds? Because, I mean, in theory, people said, like, this is a possibility. But I think until it actually happens, you’re like, whoa, oh, that’s, that’s, that’s an interesting, devastating vector. You know,

Shiva Maharaj Kontinuum 37:35
I think that’s gonna be the next iteration of ransomware. Yeah, I kind of predict

Unknown Speaker 37:39
like, I don’t know, I think it’s all Windows focused now. So I think when I was listening to Patrick Gray’s Risky Business podcast, a couple few months ago, they were talking about the possibility of ransomware on Linux, you know, because they really, I mean, there’s been some, some ransomware for Linux, but it’s never really kind of taken off. It’s like Windows is just, like, the lowest hanging fruit. You got Active Directory, which is great to get into if you’re an attacker,

Shiva Maharaj Kontinuum 38:07
consumer’s choice, and the consumer is never going to secure it the way, you know, an IT professional should. Yeah, it’s low hanging fruit,

Unknown Speaker 38:16
I would say. Yeah. Yeah. If you look at, like, Linux, I mean, across the enterprise landscape, I mean, that, you know, there’s a huge open opportunity there for a whole new wave of, you know, ransomware on a different platform and

Shiva Maharaj Kontinuum 38:30
see that with the new fat pipe vulnerability. On, was it Linux or Unix? I think it is. Oh, is

Unknown Speaker 38:35
this dirty pipe? You

Shiva Maharaj Kontinuum 38:36
mean, dirty pipe? Sorry.

Unknown Speaker 38:37
Yeah. Dirty Pipe. Yeah, yeah. Yeah, that was a very interesting one. I mean, that’s, uh, I think you have to already be on the system to use that. But I mean, you know, once you get in, it’s like, that’s a very powerful vulnerability. Yeah. People don’t protect

Shiva Maharaj Kontinuum 38:52
the physical access to a lot of their systems. So once they get in, it’s a free for all for people. So that’s an interesting, it’ll make for an interesting summer, I think. Yeah, yeah. But that’s it for my end. Unless there’s anything else you wanted to go to? No, it’s great. It’s been a pleasure to talk with you. Thank you so much for coming on. Ladies and gentlemen, Jeremy Kirk of The Ransomware Files. How can they get in contact with you if

Unknown Speaker 39:17
contact? Yes, absolutely. I’m on Twitter. I’m on LinkedIn. The podcast is called The Ransomware Files. It’s on most of the major podcast platforms. So leave a review, leave a rating.

Transcribed by https://otter.ai