Ransomware is a reality.
Thursday, January 9, 2020
Dave has a master list of cyberbadness. Joe has some handy red flags this tax season straight from our beloved IRS. The catch of the day features an alluring proposition from someone who is probably not “Sofia”. Our guest is Devon Kerr with Elastic Security Intelligence and Analytics who shares his insights about Ransomware.
Devon Kerr: [00:00:00] Ransomware exists, and it makes it into these very large, diverse and heavily regulated environments.
Dave Bittner: [00:00:07] Hello, everyone, and welcome to the CyberWire’s “Hacking Humans” podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I’m Dave Bittner from the CyberWire and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:26] Hi, Dave.
Dave Bittner: [00:00:26] We’ve got some good stories to share this week, and later in the show, we’ve got my interview with Devon Kerr. He is the team lead with Elastic Security Intelligence and Analytics. And we’re going to be discussing ransomware.
Dave Bittner: [00:00:38] But first, a word from our sponsors at KnowBe4. So what’s a con game? It’s fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We’ll find out later in the show.
Dave Bittner: [00:01:10] And we are back. Joe, before we dive into stories this week, we got a little bit of feedback from a listener…
Joe Carrigan: [00:01:16] All right.
Dave Bittner: [00:01:17] …A letter from someone. They wrote in and they said, (reading) my ex-wife just refinanced her house. The entire affair was conducted at her house. After her initial visit to the company’s business office, a place she was familiar with because she had financed with this company before, there were no emails exchanged. The rest of the contact, not that there was very much, was done via the phone. She was personally familiar with the guy who came to the house for the transaction. I got the impression that the reason the refinancing company did it this way was to eliminate email fraud possibilities by essentially eliminating emails.
Dave Bittner: [00:01:50] Interesting.
Joe Carrigan: [00:01:51] That is interesting.
Dave Bittner: [00:01:52] Yeah. Yeah.
Joe Carrigan: [00:01:53] That may very well be the case.
Dave Bittner: [00:01:54] Yeah. Sort of going old-school, taking it offline.
Joe Carrigan: [00:01:57] That’s right.
Dave Bittner: [00:01:59] (Laughter) All right. Well, thanks to our listener for sending that in. I’m going to kick off our stories this week. I have a story from Naked Security, the folks over at Sophos, and I think this is a nice review to sort of start off our year. The article is titled “7 Types of Virus: A Short Glossary of Contemporary Cyberbadness.” The list here is keyloggers, data stealers, RAM scrapers, bots, banking Trojans, RATs and ransomware. Let’s just go through them real quick here. A keylogger – it’s pretty obvious what that is.
Joe Carrigan: [00:02:25] Right.
Dave Bittner: [00:02:25] It’s when they install something that logs everything that you type into your computer, and it’s a sort of a brute force way to gather information.
Joe Carrigan: [00:02:33] Yeah. And what it usually has is some kind of data exfiltration mechanism. Otherwise, what good is the log, right?
Dave Bittner: [00:02:38] Right. Right, sending it off somewhere.
Joe Carrigan: [00:02:40] That lets people go off. And generally, what they’ll look for is they’ll look for, like, tabs or clicks between two pieces of information. That’s usually a user – or that can be a username and password.
Dave Bittner: [00:02:49] The second one is data stealers. This is similar to a keylogger, but it does a little more rooting around in your system. And it’s doing pattern matching, so it’s looking for certain things like credit card numbers, ID numbers, passwords, email addresses – all those sorts of things – and, again, sending it off to the bad guys. This third one, a RAM scraper – explain to us what that one is, Joe.
Joe Carrigan: [00:03:11] So a RAM scraper is something that looks at the active memory in your PC. And a lot of times in that active memory you might have things like keys, symmetric encryption keys, that you might be using to conduct a secure transaction with a website or you might have passwords in there.
Dave Bittner: [00:03:24] So by going into the RAM, this is stuff that hasn’t been written to your hard drive.
Joe Carrigan: [00:03:28] Right.
Dave Bittner: [00:03:28] So it’s sort of more temporary, ephemeral information that wouldn’t be expected to be permanently retained.
Joe Carrigan: [00:03:36] One of the big advances in our computers these days – I mean, how many gigs of RAM do you have in your computer?
Dave Bittner: [00:03:42] All of them (laughter).
Joe Carrigan: [00:03:43] I have 16 gigs of RAM in my computer at home…
Dave Bittner: [00:03:45] Right.
Joe Carrigan: [00:03:45] …And 32 or 64 in the one at the office.
Dave Bittner: [00:03:48] Right.
Joe Carrigan: [00:03:48] So these RAM scrapers go in there after that data – tons of it in there.
Dave Bittner: [00:03:51] Yeah. The next category are bots. Bots is when some code gets put on your system and it’s then used to make your system do whatever they want it to do.
Joe Carrigan: [00:04:01] Right. It’s usually an independent toolkit kind of thing. You know, so you have software that’s running on your computer that’s communicating with some command and control system that might be doing something like performing a DDoS attack or mining cryptocurrencies or something.
Dave Bittner: [00:04:13] Right. And this is where your IoT devices tend to get…
Joe Carrigan: [00:04:16] Oh, yeah (laughter).
Dave Bittner: [00:04:17] …Wrangled into bots.
Joe Carrigan: [00:04:18] Because…
Dave Bittner: [00:04:18] Your security cameras, things like that.
Joe Carrigan: [00:04:20] Yeah. In IoT, the S is for security.
Dave Bittner: [00:04:23] Right. That’s funny.
Dave Bittner: [00:04:27] The next category is banking Trojans.
Joe Carrigan: [00:04:29] Yep, very dangerous pieces of equipment. They go after your – specifically target your banking information for the purpose of stealing access to your accounts.
Dave Bittner: [00:04:36] Next up are RATs, remote access Trojans.
Joe Carrigan: [00:04:39] Or some people call them remote access tools. But these are something that kind of have a legitimate use. Think about the phone call we get where it’s Joe or Dave’s lifetime technical support and repairments, right?
Dave Bittner: [00:04:48] (Laughter) Yes.
Joe Carrigan: [00:04:49] And you don’t want to drive over to the house.
Dave Bittner: [00:04:50] Yeah.
Joe Carrigan: [00:04:50] So you put a remote administration tool on their system and you log in and you can help them out without having to go over there. But that same functionality can absolutely be used as a malicious vector.
Dave Bittner: [00:05:01] Yeah. And this is one we hear of with a lot of the tech support scams.
Joe Carrigan: [00:05:04] Exactly.
Dave Bittner: [00:05:05] You call in…
Joe Carrigan: [00:05:05] It’s the first thing tech support scams do, is they say, go install this remote access tool so we can get on your computer.
Dave Bittner: [00:05:11] Yeah. And if they – if you give them that access, they have complete control of your computer, more or less.
Joe Carrigan: [00:05:15] Yes, they do.
Dave Bittner: [00:05:16] And then the last category here – saving the best for last…
Joe Carrigan: [00:05:19] Right.
Dave Bittner: [00:05:19] …Is ransomware, something we talk about here a lot. And that’s where they get a hold of your computer and they start encrypting files, and they tell you that in order to get those files back, you have to pay them some money.
Joe Carrigan: [00:05:30] Yep.
Dave Bittner: [00:05:30] And you may or may not get those files back.
Joe Carrigan: [00:05:33] That’s right. Some ransomwares are not ransomware; they’re just fake ransomware. It’s easier to just wipe someone’s hard drive and then tell them that you encrypted the files.
Dave Bittner: [00:05:41] They’ve got some good tips here to try to prevent these sort of things – of course, keeping your systems up to date. They say patch early and patch often. That’s a big one. Look for and act on warning signs in your logs. This would apply, I guess, more to enterprise folks…
Joe Carrigan: [00:05:55] Yes.
Dave Bittner: [00:05:55] …Who are monitoring those system logs. And then defense in depth – what’s the plain English explanation of defense in depth?
Joe Carrigan: [00:06:01] My favorite one is the belt-and-suspenders approach, right?
Dave Bittner: [00:06:04] Ah, yeah.
Joe Carrigan: [00:06:04] A terrible fashion faux pas but keeps your butt crack from showing, Dave. So…
Dave Bittner: [00:06:09] Most importantly, mercifully.
Joe Carrigan: [00:06:11] Right. Right. So for defense in depth – and most particularly here in ransomware – you would keep multiple backups, right? I like to quote one of my first mentors in this field, the late Jeff Russell, who told me that the first rule of computing is “back up, back up, back up, back up and back up,” right? And that’s really the best defense against any kind of loss of data. A great example of defense in depth is using a second-factor authentication. So even if they do compromise your banking credentials with a banking Trojan, they’re not getting in without having access to your phone, which is a lot harder to get.
Dave Bittner: [00:06:41] Right.
Joe Carrigan: [00:06:42] Even if you’re just using SMS security, that – we’ve talked about here – it’s not the greatest form of second-factor or a multifactor authentication, but it’s better than nothing.
Dave Bittner: [00:06:50] Way better, yeah.
Joe Carrigan: [00:06:50] Yeah.
Dave Bittner: [00:06:51] Yeah. All right. Well, good article from the folks over at Naked Security. We’ll have a link to that in the show notes. Joe, what do you have for us this week?
Joe Carrigan: [00:06:58] Well, Dave, it’s tax season, right?
Dave Bittner: [00:07:00] Already?
Joe Carrigan: [00:07:01] Yes.
Dave Bittner: [00:07:01] Ugh. OK.
Joe Carrigan: [00:07:02] Every January, this kind of ramps up. So the IRS has a Twitter feed, and of course, because it’s tax season – and we’ve talked about this before with Christmas, with the scammers going after package delivery – now it’s tax season, they’re going to move on to tax scams. So the IRS tweeted some red flags that you should look out for when you’re receiving communication from the IRS and, actually, for any scammer, really. They’re going to pose as a trusted source. They’re going to try to get that authority power behind what they’re saying. They’re going to tell you something’s wrong with your account. They’re going to claim you’re in violation of the law, which is a big one. It scares a lot of people.
Dave Bittner: [00:07:34] Yeah, sure.
Joe Carrigan: [00:07:35] They’re going to tell you to open a link or an attachment…
Dave Bittner: [00:07:37] Right.
Joe Carrigan: [00:07:38] …Which, of course, we always say don’t click on the link. And they’re going to ask you to log into a familiar-looking but fake website. And we’ve talked about the social engineering toolkit on the show before.
Dave Bittner: [00:07:46] Yeah.
Joe Carrigan: [00:07:46] But that will let you clone a website just by essentially entering a URL – right? – and then making a couple of changes to it. But it’s remarkably good.
Dave Bittner: [00:07:55] Additionally, they have some tips here, some good information.
Joe Carrigan: [00:07:58] They have a website titled “How to Know it’s Really the IRS Calling or Knocking on Your Door.”
Dave Bittner: [00:08:02] (Laughter).
Joe Carrigan: [00:08:02] Because they will call you.
Dave Bittner: [00:08:04] Yeah.
Joe Carrigan: [00:08:04] And they will knock on your door.
Dave Bittner: [00:08:06] Yeah.
Joe Carrigan: [00:08:06] They have some telltale signs. IRS agents conducting audits may call taxpayers to set up the appointments or discuss items on the audit, right?
Dave Bittner: [00:08:14] Yes.
Joe Carrigan: [00:08:14] But they will not make a demand for payment at this point in time.
Dave Bittner: [00:08:17] Right.
Joe Carrigan: [00:08:17] They’re calling because – an audit is not necessarily going to end terribly for the person who’s being audited.
Dave Bittner: [00:08:23] No. I’ve been through that, actually.
Joe Carrigan: [00:08:26] Yeah.
Dave Bittner: [00:08:26] I have been through an audit where they come to your house and look around.
Joe Carrigan: [00:08:29] Really?
Dave Bittner: [00:08:29] Yeah. If you get a call like this, don’t panic; it’s not necessarily the end of the world.
Joe Carrigan: [00:08:33] Right. They may show up and attempt to collect a tax debt, but they’re never going to make a demand that you make an immediate payment to any other place than the United States Treasury. So whenever you’re making a payment to the IRS, it is going to be to the U.S. Treasury. The criminal investigators may actually show up, but these are law enforcement agents; they are not going to make a demand for payment, OK?
Dave Bittner: [00:08:53] Oh, I see.
Joe Carrigan: [00:08:54] So there’s two different branches of this. They have a list on this website of things the IRS does not do. They do not call making a demand for immediate payment via gift card or via wire transfer, right?
Dave Bittner: [00:09:05] (Laughter) Right.
Joe Carrigan: [00:09:05] None of this happens.
Dave Bittner: [00:09:06] Right.
Joe Carrigan: [00:09:06] And the first contact from the IRS is always going to be a letter that’s essentially a tax bill. It’s not going to come out of the blue. That’s really the big thing about this, is if you’re not expecting a call from the IRS, if you have no reason to expect a call from the IRS, it’s probably not the IRS. You would know that you’re going to get these calls or that you’re going to get a visit, right?
Dave Bittner: [00:09:26] Yeah. Yeah. They’ll get a letter first, and…
Joe Carrigan: [00:09:28] You’ll get a letter first.
Dave Bittner: [00:09:28] …The letter may say, expect our call.
Joe Carrigan: [00:09:30] Right.
Dave Bittner: [00:09:31] Yeah.
Joe Carrigan: [00:09:31] Yep. They will never demand you pay taxes without the opportunity to question or appeal the amount that they say you owe, right? That’s due process, and we have that here in the United States.
Dave Bittner: [00:09:39] Yeah.
Joe Carrigan: [00:09:40] And the IRS is subject to this as well. They will never threaten to bring in the local police as well. They have their own law enforcement agency, and if it gets to that point, you’re going to know…
Dave Bittner: [00:09:48] (Laughter) Right.
Joe Carrigan: [00:09:48] …That it’s gotten to that point. On this website that we have a link to, if an IRS representative actually visits you, he or she will provide two forms of official credentials. And one of them is called a Pocket Commission and the other one is called an HSPD-12 card. Now, the HSPD-12 card is a government-wide standard for federal employees and contractors. Here’s something I don’t like about this website from the IRS – and I’d like the IRS to change this. So if you’re listening, IRS, make this change.
Dave Bittner: [00:10:16] (Laughter) Joe’s got some requests.
Joe Carrigan: [00:10:17] I’ve got some information here. It says, you’re entitled to ask for these credentials, and you’re entitled to verify them. And then it says the representative will provide you with a dedicated IRS telephone number for verifying the information and confirming their identity. That’s unacceptable, IRS. That phone number needs to be on this webpage right here.
Dave Bittner: [00:10:35] Oh, yeah.
Joe Carrigan: [00:10:36] Because if a scammer manages to reproduce one of these HSPD-12s with a convincing level of counterfeiting, then they’re probably already going to have a number with one of their buddies at it, and he’s going to say, here’s the IRS number; call and verify. And if you call and verify, the guy’s going to say, oh, yeah, that’s a real IRS agent; you better give them the gift cards.
Dave Bittner: [00:10:53] Right.
Joe Carrigan: [00:10:54] But if the IRS put this number on this page, then a real IRS agent could say, go to irs.gov and click on this link and you’ll get the number to verify this information.
Dave Bittner: [00:11:03] Yeah. Yeah.
Joe Carrigan: [00:11:04] That is much more secure than having the agent give the taxpayer the telephone number.
Dave Bittner: [00:11:09] I suspect also it’s probably within your right – or you can certainly make the request – that you go to their office to have this meeting.
Joe Carrigan: [00:11:16] You can do that as well, yeah. Yep.
Dave Bittner: [00:11:17] Yeah. And, you know, that way, you know. (Laughter) Got that big, old sign on the side of the building.
Joe Carrigan: [00:11:22] That’s right.
Dave Bittner: [00:11:23] All right. Well, it’s good information and certainly something to keep an eye out for this time of year.
Joe Carrigan: [00:11:27] Yeah, just keep your guard up.
Dave Bittner: [00:11:27] These IRS scams, they are all over the place.
Joe Carrigan: [00:11:30] They’re going to be – it’s going to be thick with them this year.
Dave Bittner: [00:11:32] Absolutely. All right. Well, it’s time to move on to our Catch of the Day.
[00:11:36] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:39] Joe, our Catch of the Day was sent in by a listener. This is a romance scam from someone claiming to be Sofia. I’m going to read it here. But before I do, I want to describe the image that came along with this picture. I have to say, I’m not typically a fan of tattoos.
Joe Carrigan: [00:11:56] Yeah.
Dave Bittner: [00:11:56] But in this case, I’m willing to make an exception.
Joe Carrigan: [00:11:58] (Laughter).
Dave Bittner: [00:11:59] This is a lovely young lady who is leaning toward the camera, and her entire, I’d say, top half of her torso…
Joe Carrigan: [00:12:08] Yep.
Dave Bittner: [00:12:08] …Is a lovely tattoo of an octopus. And it’s kind of – I don’t know, kind of alluring there, Joe. What do you think? Not your thing?
Joe Carrigan: [00:12:17] Not my – the octopus…
Dave Bittner: [00:12:18] (Laughter).
Joe Carrigan: [00:12:20] …Isn’t my thing, no.
Dave Bittner: [00:12:20] OK, fair – all right. Perhaps I’ve said too much.
Joe Carrigan: [00:12:22] Right (laughter).
Dave Bittner: [00:12:24] At any rate, here’s the text.
Dave Bittner: [00:12:26] Hello. My name is Sophia. As my display name implies, I’m a pretty devil (laughter). At least I have a sense of humor. How about you? I am single – no boyfriend or husband lurking about that I must hide my online profile from. I’m employed – and my own home. So I’m not living in my parents’ basement. At least I have that much going for me. I guess those women always want to go back to your place, don’t they? My pictures are current, and I am healthy. OK, I’m not sexy like other model. But I’m not some hairy, old, fat girl, either. In my spare time, I enjoy road trips and photography. I love YouTube and hate TV. I know it’s kind of the same thing, minus the commercials. Not a sports fan generally, but I can at least watch an NFL football game once in a while and find it entertaining. I found online dating a tiresome chore. The site is no exception, yet here I am, lured by the promise of potential promiscuity with multiple partners or a partner. Sigh, even the smartest girls think with the wrong head sometimes, if you get my meaning. I’m sure there are vibrant, charming, interesting and seductive men. I just haven’t met you yet. I guess all one can do is try and hope that our paths shall cross someday.
Dave Bittner: [00:13:40] So, Joe…
Joe Carrigan: [00:13:41] This is – what this is, a dating profile on a website?
Dave Bittner: [00:13:44] I think so. Well, I think this is the lure to get you to leave the dating website…
Joe Carrigan: [00:13:49] Ah, and go onto the second platform.
Dave Bittner: [00:13:50] …To go – yes…
Joe Carrigan: [00:13:51] Right.
Dave Bittner: [00:13:51] …To take you away from the safe…
Joe Carrigan: [00:13:54] You know, Dave, I don’t know why we’ve never said this before, but, you know, there’s an old adage about when you’re out with a new group of people.
Dave Bittner: [00:14:01] Yeah.
Joe Carrigan: [00:14:01] It’s never go to the second location, right?
Dave Bittner: [00:14:03] Oh, right.
Joe Carrigan: [00:14:04] You know, if you’re at a bar and somebody says, hey, let’s go back to my place, and this is someone you’ve never met, you say, no, no. We’ll hook up later. Bye.
Dave Bittner: [00:14:11] Yeah, yeah.
Joe Carrigan: [00:14:11] Right? This is the same thing with dating sites. When somebody says, let’s get off this site and go to another site, that’s going to a second location. It’s the same thing as going to someone’s house where you’re going to wind up in a bunch of pickle jars in the basement.
Dave Bittner: [00:14:23] (Laughter) All right. Well, that is our Catch of the Day. Coming up next, we’ve got my interview with Devon Kerr. He is the Elastic Security Intelligence and Analytics team lead. And we’re going to be chatting about ransomware.
Dave Bittner: [00:14:35] But first, a word from our sponsors. And now we return to our sponsor’s question about forms of social engineering. KnowBe4 will tell you that where there’s human contact, there can be con games. It’s important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls – this is known as vishing – or by SMS texts, which people call SMiShing. See how your security culture stacks up against KnowBe4’s free test. Get it at knowbe4.com/phishtest. That’s knowbe4.com/phishtest.
Dave Bittner: [00:15:28] And we’re back. Joe, I recently had the pleasure of speaking with Devon Kerr. He works at Elastic Security Intelligence and Analytics. He is their team lead, and we had a good conversation about ransomware. Here’s my conversation with Devon Kerr.
Devon Kerr: [00:15:41] I think that a lot of folks in the industry held the belief that ransomware would taper off, as it was a slightly more cumbersome and alarming practice than coin mining, which you could argue at scale is just as lucrative. But instead, I think what’s happening is we’re seeing an operationalizing of this criminal approach. To cite one example, FIN6, which is associated with Ryuk and a number of the other financial types of intrusions, you know, they cut their teeth, basically leading intrusions into payment processors to obtain card data.
Devon Kerr: [00:16:16] But I think they realized that there’s only so much money in that approach. And either, they decided that they could innovate, and so they should try. And so they started targeting, you know, the MSP customer environments – basically the types of environments where an MSP becomes essential for IT operations are probably reasonable targets that will have a high success rate. If you happen to hit them with ransomware, chances are their disaster recovery won’t be able to simply passively restore those things. So I think that there’s reasons why that’s occurred. And I think that because we haven’t seen that contraction, something a little bit more active has to occur in the industry to correct this.
Dave Bittner: [00:16:55] Yeah, it definitely seems as though the trend has been away from that sort of consumer-facing shotgun approach, where someone locks up your uncle or aunt’s computer and asks for 50 bucks or 100 bucks. And things are a lot more targeted and also higher stakes these days.
Devon Kerr: [00:17:12] Yeah. I mean, I think there’s some evidence that a few of these malware families that are performing ransomware operations on end points are specifically looking for enterprise document types. They’re looking for Outlook archives that they could destroy. There’s absolutely a business impact risk there. And again, I think that if I were a threat actor who wanted to, you know, guarantee some amount of revenue, I would probably hedge my bets in that direction – you know, again, vulnerable victims, understaffed, you know, relying on third parties. They’re going to trust whatever that third party does. And so it’s just, I think, a natural progression to target those third party’s customers.
Dave Bittner: [00:17:50] What about this trend that we’ve seen of them going after municipalities? In your research, I mean, is that a true trend, or is it as much that when a municipality gets hit, it attracts a lot of attention, there’s a lot of press about it?
Devon Kerr: [00:18:04] I believe – and what we’ve observed – is that those are often incidental targets. They’re basically picked up in larger campaigns. You know, if we use a third party, like an MSP as an example, you know, the folks behind FIN6 may not necessarily know who that MSP’s customers are. But once they figure that out, those become very valuable targets of opportunity for the same reason that, you know, anybody using an MSP might be a target of opportunity. You know, again, the chance that they’re going to have backups of all their critical data or even know where it is will be limited. Their ability to, you know, put personnel behind recovery is going to be limited.
Devon Kerr: [00:18:40] And all of those things I think ratchet up the pressure on these vulnerable organizations to pay up, which is really, I think, what groups like FIN6 want, is they want to monetize. And if you provide them with a mechanism that guarantees them some amount of revenue, they’re going to absolutely do that every time. Municipalities just fall into that same bucket. They rely on those third parties to keep pace with the, you know, the state of technology. They rely on those third parties to make things a little bit more usable for their municipal employees. All of those things, I think, you know, have pros and cons from a threat perspective.
Dave Bittner: [00:19:12] Yeah. It also strikes me with the municipalities that quite often, they are required by legislation to provide certain services, which cranks up the pressure in terms of getting those systems back online.
Devon Kerr: [00:19:25] Sure. If you think about it from the perspective of what a municipality is obligated to provide its citizens or the populations that it serves, the laws that were written that govern those processes, those were created before this phenomenon. So they haven’t really taken into account that ransomware exists, and it makes it into these very large, diverse and heavily regulated environments. You know, especially if you think about where the budgets for those security and IT operations functions come from, those come from the taxpayers, which is that same population that’s affected when they lose positive control of their environment.
Dave Bittner: [00:19:55] What sort of things are you all tracking when it comes to the geographic distribution of ransomware? I’m thinking both from, you know, where it’s coming from and who they’re going after.
Devon Kerr: [00:20:06] I think there are several organized groups that are largely, you know, Central European that have been very successful. Those types of organized financial criminals, you know, it may just be that their portfolios are expanding to include things like coin mining and ransomware as just alternative revenue streams to traditional, you know, payment card breaches. Some of these same groups also, you know, do seasonal work. You know, if you think about the U.S. tax season, that’s a great time that we often see targeting of small businesses because those small businesses usually have a time crunch. And again, when there’s pressure, people tend to be a little bit less focused, have less scrutiny, which means a higher rate of success.
Devon Kerr: [00:20:42] You do typically see targets, though, in environments where there is revenue to be had. The U.S. market is a really large surface area for this type of financial crime, but it’s not unique to the United States. You know, I think we’ve seen ransomware-type of attacks in dozens of countries, you know, all kinds of verticals. So there – I wouldn’t say that there is, like, a, you know, perfect storm set of attributes, but the victims that tend to experience it the most painfully are those who typically haven’t invested in either security boundaries like network segmentation, or they’re really in growth mode. Those growth businesses are typically thinking about, you know, how do I expand my business, not how do I protect it. And unfortunately, you know, coming back to that too late can oftentimes be a cost that they can’t recover from.
Dave Bittner: [00:21:30] Where do we find ourselves when it comes to recommendations in terms of paying the ransom? You know, initially, the notion was don’t pay the ransom. But we even see some organizations today that are sort of in this situation where they say, well, we didn’t pay the ransom, but we paid someone to pay the ransom (laughter).
Devon Kerr: [00:21:48] So you brought up two ideas that I think are both worth decomposing a little further. So one is the phenomenon of, like, these, you know, these ransomware retainers. You know, if we do it through a third party, is it less of a business liability than if we paid it directly? And I’m not a lawyer, so I can’t really weigh in on the ethical or legal ramifications of that decision. I do think that I’ve talked with businesses – and I have to approach this sympathetically because in a lot of cases, these businesses, they did not anticipate this outcome. They didn’t know that this could happen to them. It was not part of their threat model – if they’re even, you know, to a level of maturity where they’ve come up with a threat model, that they understand their landscape.
Devon Kerr: [00:22:26] And for that reason, from the business’ perspective, a lot of this is like an ambush. It’s like, they were just minding their own business, you know, doing the things that were necessary, and then this terrible outcome occurred. I think it’s hard for them to appreciate the complexity of decisions that leads there – you know, the money we don’t spend on an endpoint control, the money we do spend on maybe go-to-market stuff that raises our visibility and projects a sense that there’s, you know, there’s something here for an adversary to come get. You know, those things typically are made independent of the threat landscape or that perspective.
Dave Bittner: [00:22:57] Yeah, it’s interesting. You know, it reminds me, I have a friend who’s a commercial real estate agent. And he said that – you know, he would often describe to people when trying to plan out their insurance for eventualities, you know, when it came to things like fires, he would say, you know, imagine that you come to work one morning, and what’s left is a Wile E. Coyote smoking hole in the ground. And I wonder if ransomware is a similar sort of thing. You know, most of us don’t imagine that a fire would be a regular day-to-day part of our operations. And yet, most of us have insurance for fires.
Devon Kerr: [00:23:33] Oh, absolutely. Not just that, but if you think about office buildings where people work, you know, building management has a series of regulations that they’re upholding. They’re working with the local municipal government to meet those requirements for building safety. You know, there’s all manner of regulations around how employees are made safe. And so in the event of a fire, you know, your building has to have physical structures that enable people to get out in a timely way. And there’s definitions for what timely means.
Devon Kerr: [00:24:02] I feel like in the security industry, a lot of those things are ungoverned right now. And although that’s not necessarily, you know, the worst outcome, I think it does give business owners and responsible parties, I think, reason to pause and to ask themselves, well, just because it’s not the letter of the law, isn’t it still essential that we do? How are we going to develop contingencies if this occurs? And again, just make sure that it’s part of an active decision making process, not just some passive, you know, secondary afterthought. Those are the customers I think that get hit the hardest, where for them, it’s like, well, we meant to get around to this, and we knew it was going to be bad.
Devon Kerr: [00:24:40] But so much other stuff came up that we prioritized ahead of this because we just thought it was unlikely. Those are the ones that typically get caught unaware, and it’s a much more expensive process. And it’s expensive, I think, for a lot of reasons, but one of them is it exposes, you know, some of the ad hoc decision-making that goes into infrastructure. And those things generally have to be fixed, which is, you know, a human cost, either time or dollars.
Dave Bittner: [00:25:05] Interesting stuff from Devon, yeah?
Joe Carrigan: [00:25:06] Yeah, indeed. Ransomware is a big problem. And one of the reasons it’s still a big problem is because it works. Disaster recovery, particularly IT disaster recovery, is not mature enough on a broad enough scale to prevent ransomware. If everybody had really great, mature disaster recovery programs, ransomware would go away because nobody would make a penny from it because they would say, you pay us the ransom, and people would say, well, we’ll just restore from backups…
Dave Bittner: [00:25:32] Right.
Joe Carrigan: [00:25:32] …And be done. But Devon makes a great point about this. And one of the things he said was that organizations that are in growth mode may not be focusing on disaster recovery or ransomware as a threat vector.
Dave Bittner: [00:25:44] Mmm hmm. Yeah, we’ll get around to that (laughter) when things calm down (laughter). Yeah. Yeah.
Joe Carrigan: [00:25:50] I don’t understand how ransomware is not part of people’s threat models. He says that in the interview as well. He talks about how it comes as a surprise to most people. And maybe that’s because I’m steeped in the cybersecurity culture that this is actually one of the most terrifying things that I think an organization can go through. It can absolutely just destroy your organization if all your data is gone and you haven’t made plans for getting it back.
Dave Bittner: [00:26:09] Yeah. I wonder are we at the point still where it’s likely that you don’t know someone whose business was affected by this? You know what I’m saying?
Joe Carrigan: [00:26:19] Yeah. I know plenty of businesses that have been affected by it, but I don’t know those folks.
Dave Bittner: [00:26:24] If one of your colleagues has a business that burns down…
Joe Carrigan: [00:26:27] Yeah.
Dave Bittner: [00:26:27] …Chances are you’re going to make a call to your insurance agent and say, listen; I just want to check in and make sure I’m good here.
Joe Carrigan: [00:26:33] Right. And that’s – another point you made is the Wile E. Coyote smoking hole in the ground.
Dave Bittner: [00:26:37] Right.
Joe Carrigan: [00:26:37] I love that analogy.
Dave Bittner: [00:26:39] (Laughter).
Joe Carrigan: [00:26:39] It’s one of my favorite things. The mitigation for that kind of physical damage is very similar to the mitigation for a ransomware attack. If I have offsite backups of my data – offsite, offline backups – then a smoking hole in the ground is not a devastating hit to my business in terms of the data.
Dave Bittner: [00:26:54] Yeah, it’s more…
Joe Carrigan: [00:26:55] I can get the data back.
Dave Bittner: [00:26:56] It’s a nuisance rather than a business killer.
Joe Carrigan: [00:26:58] Well, yeah. I mean, it may be a business killer for other reasons. I mean, it may have – like, all my inventory was in there. Now I have just-in-time inventory needs. And it could be a myriad of reasons. But the data recovery portion of it, the recovery is a lot simpler if you have offsite backups. Speaking of nuisance organizations, he talks about coin-mining malware. I think that’s a lot bigger than we know. I think that there is a huge amount of that going on, but it’s non-destructive and essentially a nuisance, right? So people really don’t see what’s going on. And sometimes when these guys get in there, what they do is they secure your system.
Dave Bittner: [00:27:30] Yeah.
Joe Carrigan: [00:27:31] They don’t want their coin miners going offline.
Dave Bittner: [00:27:32] Right. They kick everybody else out.
Joe Carrigan: [00:27:34] Right.
Dave Bittner: [00:27:35] That is a real thing, where they’ll…
Joe Carrigan: [00:27:36] Yeah.
Dave Bittner: [00:27:37] A coin miner will come in, and it’ll basically disinfect your system of other malware because it wants to be running in a pristine environment.
Joe Carrigan: [00:27:45] Yeah, it’s almost like this symbiotic relationship that companies might have with malware writers who all they ask for is a little bit of electricity, and you pay for it.
Dave Bittner: [00:27:54] Right.
Joe Carrigan: [00:27:55] And in return, they keep your machine free of other things because it’s in their interest to do so.
Dave Bittner: [00:27:59] Folks in the security biz thought that we’re seeing a shift away from ransomware towards coin mining.
Joe Carrigan: [00:28:06] Right.
Dave Bittner: [00:28:06] And it was for that reason, because coin mining can run in the background and not really draw a whole lot of attention to itself. But I think partially because the price of things like bitcoin hasn’t gone vertical the way that a lot of people thought it would…
Joe Carrigan: [00:28:20] Right.
Dave Bittner: [00:28:21] …It’s made it less profitable. But also, I think, like Devon said, ransomware has become more sophisticated and more business-like as well.
Joe Carrigan: [00:28:28] Yeah. That is 100% correct. These guys have help desks to help you decrypt your data – some of them do – when they actually infect your system with well-written ransomware. Now these ransomware applications are actually getting better, you know, over time as people learn their mistakes and they develop new applications or new malware that goes in and encrypts your files. But it is in their interest to help you get that data back when they encrypt it.
Dave Bittner: [00:28:51] Yeah. Well, our thanks to Devon Kerr for joining us. And we want to thank all of you for listening. That is our show.
Dave Bittner: [00:28:59] Of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:22] The “Hacking Humans” podcast is probably produced in Maryland at the startup studios of DataTribe, where they’re co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I’m Dave Bittner.
Joe Carrigan: [00:29:35] And I’m Joe Carrigan.
Dave Bittner: [00:29:36] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.