What Is a DDoS Attack?

Dec 20, 2022 | Terms & Jargon

One of the most common types of cyberattacks used today is the DDoS attack – a Distributed Denial of Service. So what is a DDoS attack, and what can you do to protect yourself from one?

Episode Transcript

Brian: Hey, thanks for joining us. Welcome to Fearless Paranoia. I’m Brian, the cybersecurity lawyer.

Ryan: And I’m Ryan, and I’m a cybersecurity architect.

Brian: And we are going to do our very best to help demystify the incredibly dense and acronym-filled world of cybersecurity. And today we jump right into one of those, probably one of the most common acronyms that I’ve heard in my entire practice of technology and cybersecurity: DDoS. It’s something that for the longest time I never even heard explained or defined. But if you pay any attention at all to the way cyber criminals operate these days, you will run into this term. If you deal with IoT, the Internet of Things, local devices, routers, safety, you will run into this term. If you read about the war between Russia and Ukraine and the nation-state-sponsored hacking and the hacktivism going on there, you will run into this term DDoS. Ryan, what are we talking about? What is DDoS?

Ryan: Well, let’s start by stripping off the first D to get to the real source of what this is. So now we’re down to DoS. And, you know, for the old nerds like me, we’re not talking about the old Disk Operating System from back in the day that we all loved, the command line where we played Oregon Trail and all that old stuff. Now when we’re talking about DoS, we’re talking about denial of service. And so denial of service at its core is exactly what it says it is: somebody employing methods to deny access to a service that is being offered. So at its core, denial of service is implementing a strategy to deny that service or deny access. Then distributed denial of service is what DDoS is, and that’s when we take the concept of denial of service and we start adding things like the Internet into it. So to start at its core, a quick example of denial of service would be, let’s say I want to deny somebody access to a website. The easiest way to do that is to overload that website with requests to the point where it can no longer take additional incoming requests, because it has been basically tapped out with the amount of requests that you’re throwing at it. And therefore anyone else that tries to get to the service is unable to; the service is effectively offline, because it is swarmed with a huge amount of requests for access or requests for availability of that service.

Brian: So let’s talk about that for a second. When you talk about a website, we wouldn’t necessarily think about it, because I think a lot of people might look at a website and think of it as static, but it is a service; it is something that requires operation. It’s more than just, you know, power to the server that you access; it requires another server to send information back to your computer. So, as to the service being provided, when you talk about requests and being overloaded by requests, give us an idea of what you mean. Give us an example of how this works in a website system.

Ryan: Sure, I’ll keep this a little high level, but I’m gonna jump down a small rabbit hole here with this one. So there’s a couple of different things that happen when you make a request to go to a website. Let’s just take something as simple as amazon.com. You try to go to www.amazon.com, you punch that into your web browser, and the next thing you know, bam, a whole bunch of pictures, data, text, everything pops up on your screen. You’ve got shopping carts, you’ve got different images to click on, you’ve got advertisements, search bars, a whole variety of different things. Plus, you have an account that you can log into, which means you’ve got authentication, you’ve got user-level accounts. So you’ve got all these different things happening. This is all a variety of services that are coming back to you; each one of these individual services can be denied on its own, or the whole service itself, the entire set of services, can be denied. But under the hood, there’s a lot more stuff happening than just you punching in www.amazon.com and that page coming back. To start with, we’ve seen plenty of websites get really kind of cranked up and quieted the last few years. Back in the early days of the Internet, everybody was familiar with HTTP, the Hypertext Transfer Protocol, which is the main language that the website uses for communication to the browsers. HTTPS became a lot more common because that’s a way of securing that data; that’s end-to-end encryption between your browser and that server, the server that’s offering back that data or that connection. And securing that data is really important when you get into stuff like authenticating and signing in to user accounts, or passing payment data or any sort of private data back and forth that you don’t want to be captured man-in-the-middle and read in plain text.
Now the average person might not care if, okay, you can see my browsing history of what I’m looking at on Amazon, but they will damn well care if you have access to their password, to the credit card that they’re punching in, or their PayPal information or any of that stuff, because you could do a lot of damage with that. So that data really does need to be secured. So now you have not just the request for the display of that website, but you also have request handshakes involved in the authentication layer and in the DNS lookups and all of these different pieces. So there’s a very complex set of things that are involved in providing that whole service, and all those together we can kind of jump into individually. We’ll pick on a few to talk about how denial of service works with those.

Brian: But it’s also important to recognize that when you send your request, when you type in the URL and hit Enter, you are sending a request to the address that you typed in. You’re not opening up your window from your house and looking at a billboard. It’s much more complicated than that. You’re not peering into something that remains static and that is always accessible to you. You are sending a request to a server, and then that server is sending you back information. So nothing is static about it. In order to send you that information, the server has to be capable of sending it, and on a basic level, just like any computer, it can only do so many things at once.

Ryan: And not only does that server need to be available and capable of handling that response, the entire traffic path has to be clear for that communication to occur back and forth. Because at no point in time is your browser reaching out directly to amazon.com; your browser is reaching out through your ISP, it’s doing DNS lookups to turn amazon.com into the IP address where this thing lives on the internet, which will then allow it to carry upstream through the internet service providers that make up the backbone and the nodes of the internet. And all of that works as this big web of roadways, basically, between you and Amazon, where you go onto your GPS and you say, “Hey, give me directions to get to this place I need to go.” The internet’s effectively doing that same thing when you put in this request. It’s saying, okay, ISP, how do I get from Ryan’s house to amazon.com? And then you start looking at that shortest path to get there, or whatever the shortest open path is. And then you’ve got all of these different communication paths between you and that final server. That path needs to be run back and forth with every transaction, every handshake, every update to the page, every piece of that service; anytime something changes dynamically, that path needs to remain open between your browser and that service for that to work. So you can interrupt and deny the service at the server, you can deny it at the host on my side, the client, you can deny it by breaking the path, by breaking the DNS infrastructure, by breaking the pipe that handles the data going back and forth. And so denial of service is kind of a real thing. There’s a lot of different ways to engage that, and it means that those services are, you know, in some cases really kind of like a house of cards sitting out there just waiting to be knocked over.

Brian: Well, I think the description you gave was pretty apt, the map instructions. The bottom line is that there’s a roadway, a pathway along a network of roads, to get to where you’re going, and then for the information that you’re seeking to get back to you. And just like any highway or road can handle only so many cars at once before the speed of travel goes down or, potentially, catastrophically, its ability to handle traffic at all ceases. I think that’s an important comparison. So when it comes to denial of service, and I’m particularly interested in distributed denial of service, how does it happen? How does the typical distributed denial of service happen?

Ryan: Sure. So in my initial talk about denial of service, with something like, let’s say, I wanted to stop you from getting to Amazon, I can just overload Amazon’s servers, if I have the capacity to do that, and that prevents you from getting there. That’s me creating a single point-to-point denial of service against Amazon, or against you, or against your traffic path, to prevent you from getting from one spot to the next.

Brian: And you said before that by essentially bombarding them with requests and a request would simply be a request to do something on their website, correct?

Ryan: Yep, absolutely.

Brian: And because the website can only handle so many requests from all of its users at one time, obviously, the bigger the enterprise, the bigger the computer setup and network setup, the more requests they’re going to be able to handle.

Ryan: Sure, yeah. If somebody wanted to come after my personal website, I don’t really do a lot with it, it doesn’t get a ton of traffic, and therefore I don’t have massive resources sitting behind it. So if somebody wanted to create a denial of service against my website, it would probably be relatively trivial to do so with modern tools. Nowadays, if somebody wanted to create a denial of service against amazon.com, they have got a huge infrastructure, they have got a lot of tools to prevent things like denial of service. And so they are well equipped to be robust against those types of attacks, because they’re familiar with them and they have to deal with them on a regular basis. But it’s also important to them from a financial standpoint, to keep their business running, to prevent those types of attacks. For me, if my personal website goes offline for a couple of days or a month or something, it’s probably not going to be the end of the world for me. But if amazon.com were to go down for a month, it could be the end of Amazon at that point, because that would be a large enough problem where they would lose consumers, they would start to pivot to other things, and that’s just how they make their money: by having that service available.

Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com. You’ll find a post for this episode containing links to all the sources, research, and information that we have cited to you. And also check out our older posts and podcasts, as well as additional helpful resources for learning about cybersecurity. Now, back to the show.

Brian: So you just mentioned a consequence there, you know, to Amazon: their business is based on their website being up and running. So I kind of want to know, what other consequences are there? What other reasons would hackers use a distributed denial of service attack on, not even just necessarily a website, but on an enterprise? And I guess, like you said, Amazon is an e-commerce site. So you knock out their website, you’ve essentially knocked out their business. But obviously, you would only be knocking it out for probably a short period of time, because sustaining an attack on that big of an enterprise would be really difficult. So what reasons do hackers use DDoS for?

Ryan: There’s a whole variety of different reasons to use something like a denial-of-service type attack, but a lot of the main ones, in most cases, a lot of it is retribution, or being used reactively for some sort of reason. Brian Krebs is a major security researcher; he’s a journalist.

Brian: He’s amazing.

Ryan: He uncovers a lot of information. But because of that, his website has basically, from what I understand, been under a denial-of-service attack, and has been for months, maybe even well over a year at this point, constant denial of service attacks, because of the work that he does. He has irritated a lot of people on the dark side of the cybersecurity world.

Brian: And he is amazing. And I’m a huge fan.

Ryan: But because of that he draws that kind of level of attention. So that’s why they would want to deny service to his website as much as possible, because he is effectively hampering their ability to continue the level of profitability and the level of chaos that they’re looking to invoke on the internet. And by doing that, he’s in their way. And so this is used as a means to bully, to harass, and to hopefully, I think in the end, try to deter him from doing what he’s doing. Another reason for using it can be cover, flat out. If I were to want to be malicious and go at a company, the first thing I want to avoid doing is doing it from a single point that might be easily picked up by any of their detection software: intrusion detection, anti-virus, any of their log gathering, any of their security tooling can usually pick up a single instance of something, and then it’s me against a security team, one on however many. If I can start doing things like running denial of service attacks against a whole variety of their other services elsewhere around their company, except maybe the one hole that I’m trying to poke away at or get into, now I’ve got their whole security team running and scrambling trying to figure out what the hell’s happening around all these different perimeter areas and all the spots where their services are at. And then of course, their business units are probably screaming at their security team saying, hey, we need to be back online, we’re losing money, customers can’t get to us, this is reputational, this is financial. The security team’s now got their head so far up their backside that they don’t see the fact that I’m poking away at their back door with some sort of zero-day exploit, or some sort of well-known exploit that they don’t have patched properly, or something like that.
And so you can use that as kind of a method of misdirection, in the same way a magician would keep one hand low and one hand high. When they’re really trying to do something, they’re waving that high hand around, left and right, all over the place to really get your attention up there, so you’re not catching the fact that that low hand is slipping a card out from a sleeve or something. You know, it’s just general misdirection.

Brian: Or when you want to make sure that the Eye of Sauron doesn’t see two little hobbits walking across your country, you send 10,000 soldiers to the gates and challenge them to a fight.

Ryan: Exactly. That’s a phenomenal, phenomenal analogy for some DDoS. So that kind of really breaks down a couple of the main reasons why. There are other reasons, but they start to kind of fall off in prevalence really quick.

Brian: The bullying, I think, was a point you made, like, to demonstrate that you can. Like, doesn’t the Russian government constantly hit Ukraine’s government websites just to demonstrate, hey, I can knock you out whenever I want to?

Ryan: Very infrequently are there lasting effects from denial of service and distributed denial of service. Usually, the major goal there is to disrupt service long enough that you’re making it painful for somebody else.

Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family, and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.

Ryan: And that’s really the core behind it. Because eventually, at some point in time, you’re going to lack the resources to continue the denial of service attack, because it does require a lot of resources to overwhelm modern servers and modern services nowadays, and eventually they will find a way to deal with that too, because in a lot of cases there are tools out there like Cloudflare and Akamai and things like that that have gotten really good at identifying this type of denial of service attack. They start to see the flood of these types of anomalous requests going into servers, and then they just start dumping that traffic to make sure that it never actually hits the service, therefore not allowing the denial to occur. And so the internet is getting better at providing services to stop things like that. But that’s where DDoS really kind of gets its power, then. Because denial of service point-to-point is really easy to identify, well, not really easy, but it’s easier to identify and easier to mitigate. Distributed denial of service is when you start tying together multiple units, multiple vectors, multiple assets that become part of this chain of a denial of service. So now it’s not just me, Ryan, sitting here with my one computer trying to create a denial of service against Amazon, which I’d never have a hope of ever being able to accomplish because of the resources I have versus their resources. But if I can take over a botnet of, say, I don’t know, Eufy baby cameras that are all unsecured on the internet, and let’s see if I can harness 100,000 of these, and then I can go grab another 100,000 insecure routers that are all spread out across Southeast Asia, and let’s say maybe I can grab, you know, some other home security cameras from another big manufacturer, I won’t drop any names just to avoid being a jerk.
But if I can gather up a whole botnet of all of these different devices that I now have the ability to send commands to and can control, I can take all of these devices and get all of these cameras, all these baby monitors, all these other devices, at the very same time sending the same requests to Amazon over and over and over, repeated. So now instead of me throwing rocks one after another at the wall of Mordor, now you’ve got 100,000 rocks all hitting that wall at the same time: significantly higher potential for damage. But more importantly, it’ll have significantly higher potential for disruption, which is really what the main goal is. And so whether that’s to distract or whether that’s to disrupt, the more resources that you put behind it, the better chance of success you have. And that’s really the whole concept behind distributed denial of service: gathering up as many resources as you can, or finding a way to amplify the resources you have in such a way that the impact created by their traffic is amplified enough that you eventually overwhelm the provider on the other end, in such a way that they’re no longer able to efficiently operate and offer up the service that they’re trying to.

Brian: And it’s important to bear in mind, we tend to think of even IoT devices as, you know, it’s a camera, but the reality is it is a computer. And if it sends a request to Amazon, it is the exact same type of request and type of traffic that your computer sends. And therefore its response has to be the same. And so sending a request from a router, or an enterprise printer, or, you know, a baby monitor camera all has to be treated the same way. If it’s not filtered out, the Internet of Things creates incredible opportunities for disruption in that way.

Ryan: And the Internet of Things is notoriously insecure. Most of those technologies were put together with usability and operational access as first and foremost, like the important pieces to get those out on the market. You know, hey, here’s some cameras. And hey, guess what, you guys are all carrying smartphones now; here, you can watch all this stuff from your smartphone. But the average end user doesn’t think, okay, cool, well, because I’ve got this on my smartphone, and there’s a username and password, it’s got to be totally secure, right? Nobody else can ever possibly see this, as long as they don’t have my password. You know, people prove that wrong all the time. But if that information is out there and accessible, that means those cameras are accessible to everybody else if they’re accessible to you as well. And all it would take is somebody to either figure out how to gain administrative access to one or more of those devices, or the controller of those devices if you have them all centralized in some fashion. And then, yeah, you’ve just added that device times however many you have into a small botnet that now somebody has control over. And while that thing can still offer up the same service, it’s still offering the camera feed, now it’s also got each one of your eight cameras in your house pinging Amazon 100 times a second, amplified by X number of cameras, and then X number of different houses have, you know, however many different camera systems people have put together, so eventually, yeah, it goes up exponentially. And again, you don’t even need to necessarily hammer Amazon directly in order to deny Amazon service. There was a big attack many years ago against Dyn DNS, which is a dynamic DNS provider, that was basically done just by sending the requests to them to go after something like Amazon.
So even if the requests don’t get to Amazon, you can effectively shut down the domain name resolution path between a large portion of the internet and Amazon. And so even though Amazon’s service is still robust and online, people can’t get there, because the domain name routing system that’s required to make the translation between amazon.com and the actual physical IP address of where they live isn’t able to operate, because that system’s been overloaded. Which means, unless you know the direct IP address to get to amazon.com, which I guarantee you 99-plus percent of Amazon users have not a damn clue about, you can’t get to the service, because the service that’s required to do that translation in the middle isn’t available. And so again, that can happen all along the way. And so that whole chain is vulnerable to those types of attacks. And the more that we keep adding more insecure IoT and more insecure devices to the Internet, the more people start patching their different things, the more we start to see more and more of these botnets being tied together, pulled together. And thankfully, at the moment, most of them are still focused on individual assets. But someday somebody’s either going to manage to take all those botnets and pull those together, or all of the runners and operators of those botnets are all gonna come together someday and say, hey, let’s really go after the big one. And let’s go take somebody back down, and they’re gonna go after somebody like an Amazon or Microsoft. God forbid 365 or something goes down for like a week or two. Can you imagine the level of impact a denial of service of that level could really do to businesses worldwide, where AWS or Azure, Microsoft 365, Google with GCP, any of those services go down? That’s a huge, catastrophic-level impact for that kind of denial of service. So it’s important to see those systems coming into place, like Cloudflare and Akamai and stuff, to really prevent those.
But we need to get better at securing the source of the problem, which is better regulation around securing IoT and just closing down those loopholes that people are taking advantage of to describe those devices in the first place.

Brian: And also, the one big thing that companies can do in the event that you happen to be on the business end of a DDoS attack is, number one, to have a proper incident response plan in place, so that you can quickly respond to the existence of the threat, and then, two, having an adequate disaster recovery plan in place. Because even though it might not feel like a DDoS attack should be something on the same level as a hurricane, a flood, or a fire when you think of disaster, losing your company’s entire digital presence is a disaster, and you need to have a plan for getting it back up and running as quickly as possible. And that is what an adequate disaster response plan does. In order to get more information on that, you definitely need to listen to our episode on disaster recovery. There’s also additional disaster recovery plan information at ResilienceCybersecurity.com. That is all the time that we have today. DDoS is a fantastically interesting topic. It can also feel kind of morbid and defeatist, but the important thing to bear in mind is that there are ways to keep yourself protected, even if you can’t keep yourself fully defended. Your goal is to survive these things, to get back up and running as quickly as possible, and making sure that you have the right planning in place, that has been tested, that has been practiced, is crucial. We want to thank you for joining us today. Don’t forget to subscribe to new updates at FearlessParanoia.com, or you can get those by subscribing to our podcast on any of your favorite podcasting platforms or apps for Fearless Paranoia. I am Brian.

Ryan: And I’m Ryan, and make sure you put strong passwords on all your IoT stuff going forward. Do it not just for yourselves, but for all the rest of us too. And we certainly appreciate it.

Brian: Yeah, if any of you leave the default password on anything anymore, you are to blame for everything. Kind of like the British are to blame for everything. All right, thank you and we’ll see you next time.

Ryan: And I’m Ryan, cybersecurity specialist.

Brian: This is season one, episode one, the inaugural episode: Ransomware 101. Today we are talking ransomware at a very basic level. In this episode we’re gonna discuss the essential principles of ransomware. What is it, at its core? We’ll discuss the general concept of what ransomware is, why it is so disruptive, and why it’s so effective. Just remember, this episode is not meant to be a deep dive into all the individual aspects of ransomware. This is a general survey of the subject to make sure that you’re familiar with ransomware in general. We will be bringing the deeper dive into various aspects of ransomware in later episodes. This, however, is Ransomware 101.

But before we get there, we want to remind everybody that you can check out our other episodes on FearlessParanoia.com. You can also subscribe to our podcast through any of your favorite podcast subscription services. For additional information on how you can keep you, your business, your family, and anyone else safe from cyberattacks, please visit our website at www.resiliencecybersecurity.com to get tips, hints, and suggestions, and plans and procedures, and everything you could possibly imagine to help protect yourself from cyberattacks.

It’s a Saturday night, and for reasons passing understanding I’m working; it’s 8:30pm. I open my laptop, and knowing that I’ve got some work to do, I open up my Dropbox connection, where I put some documents in the day before at work. As I open the box, something catches my eye, but not enough for me to think too much about it. The files that were there, they’re all their regular files, but they’re not quite the same. And as I’m glancing through, I can’t really figure out what’s different. I also notice that the icons don’t seem to be loading properly, but that could just be my computer being my computer. I double-click on a Word file that contains something I was working on. That’s when it’s confirmed that something’s wrong. Instead of one box opening, two boxes open right off the bat. Not a good sign. The first box opens up and it’s a bunch of gibberish: symbols, letters, without any kind of order. And I’m really puzzled for a second. But then I see, behind that document, the corner of the second document is open. That one doesn’t have symbols; that one doesn’t have jumbled language. It has text in bright-colored font: they have my data locked up, and I can contact them at this email address to arrange to make a payment to unlock it. I’ve been hit by ransomware.

The story I’ve just told you actually happened. Fortunately, it was from back in the days before ransomware became quite as insidious as it is now, and we were able to resolve it with limited business interruption issues and other costs. In fact, the cost of reclaiming our system, clearing it up and everything, actually ended up being less than our insurance deductible. That’s something that doesn’t really happen anymore.

So what is ransomware? I think most people who follow the news, or read anything about computers, anything about business, anything about security these days, know or have an idea of what ransomware is. But getting a full technical definition requires expertise that exceeds most people and requires time that most people don’t have. Fortunately, we’ve got them both, and Ryan, the cybersecurity and IT specialist. So Ryan, walk us through: what is ransomware?

Ryan: That’s a fantastic question, Brian. Protecting against, defending against ransomware really starts from the core of just understanding what it is and how it works. And so what is ransomware? It’s software. This is a piece of code that somebody’s written that encrypts data, enacting very, very standard, very widely used encryption tools that are being used with custom algorithms, and makes it unusable to anybody other than the generator of that software, to create a ransomable environment or ransomable situation where they can hold data of yours hostage and offer it back to you for what they consider to be a very reasonable cost. It’s no different than old-fashioned kidnapping or theft for ransom or anything to that effect. The main difference here is these are things that are not happening in your front yard. These are things that are happening from people halfway around the globe, over the internet, you know, a tool that we all use every single day.

Brian: So the concept, it means it’s taking something hostage. And it’s the idea, and I think, I mean, it’s been around forever, but the idea that something is worth more to you to get back than it may be worth on the open market. The idea of, even if your computer systems were full of personal information that might be sold on the dark web, that data is not that expensive on the dark web, but you would be willing to pay a lot more to make sure it comes back, or to use it yourself, than it actually has intrinsic value.

Ryan: Yeah, that’s great. You actually touched on a couple of really important points there, too. The first one is that the data is important to the generator, the owner of the data, and life is just not as easy to continue on with without having it back. Whether that’s a detriment to your business, this is core critical data that you don’t have backed up somewhere else. It’s data that is not recoverable easily. And so it’s got a certain level of value attached to it. Some of that data has value purely to its owner. Some of that data is very valuable to a whole variety of people based on the nature of it. So not only do you have a situation where, as your data gets into a situation where it’s been encrypted by ransomware and it’s being held hostage, that data, again, could just be valuable enough to you for you to offer a payment back to these criminals to get access back to your data. It could also be valuable to them from an extortion standpoint of, what happens if we dump this data? Are you going to be willing to pay us a little extra, not just to get access back to it, but to keep us from publicizing the data out on the internet so that everybody else can have a copy of it too? And that’s been something much more prevalent in the ransom attacks popping up in recent times, is that there’s almost a two-stage piece behind that ransomware attack, where they attempt to profit twice from it. And again, it’s good from a business standpoint, but it’s terrible for the rest of us that are on the receiving end of those types of malicious attacks.

Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.

Brian: Yeah, I’ve been amazed recently how it does seem like ransomware, while certainly was, you know, when this stuff first became popular it was an effective term; extortionware almost seems like it’s the better term for the modern version, because ransomware evokes the concept of “we’re holding this until you pay us to get it back”; extortionware, it is a much. I mean, and that is a version of extortion. You know, a kidnap and ransom situation is one type of extortion: we are going to illegally get money from you, based on you either doing something or not doing something. We’re going to leverage you to pay by taking something valuable of yours and returning it back. But the whole concept of extortion, there is this idea that you can be compelled to do something not just based on the proposition of getting something back, but on a whole variety of levers. And I think, and we’ll talk about, I definitely want to talk about this in greater detail, in a later episode, this concept you touched on as the what I’ve been seeing referred to as double and triple extortion, where the people doing the extortion actually leverage different ways of getting you to pay, one of which is not even approaching you with the ransom, but approaching your customers and letting your customers know that, you know, they have your data. And there’s the actual data about the customers. And I think one of the more famous examples of that recently was, I think, a Scandinavian, essentially a large psychiatric organization where they took people’s patient notes and contacted the patients that said, if you’re, you know, if your psychiatric doc doesn’t pay up this ransom, we’re releasing your psychiatric notes.

Ryan: Yeah, it’s definitely taken a few different iterations. And it continues to find ways to become not just more effective, the malware families and especially the ransomware itself, but just the entire method of distributing it and how they’re utilizing it to draw maximum income capabilities out of the whole process has really kind of gone through, again, a whole series of evolutions, and I don’t see any of that stopping. A lot of it follows very standard criminal methodologies of just finding, you know, low hanging fruit, easy opportunities. And a lot of these ransomware attacks really kind of focus on, you know, those easily exploitable people. So again, folks like ones with medical issues where something is, you know, that’s really personal information, or going into a business and stealing source code from a software developer. That’s your bread and butter. Those are your trade secrets. That could be something as simple as a customer database where maybe it’s not critical to your business, but it’s certainly going to be critical to everybody who does business with you, which can turn into, you know, a major business impact later on if that data were to get out. And so it’s a constantly changing field. And it’s one that’s just going to keep getting more and more devious, which is why it’s more important than ever now that we put into effect, at the personal and professional levels, everywhere we can, basic internet hygiene practices to stay safe from some of these, because a lot of these attacks are taking advantage of and exploiting overlooked updates, overlooked resources, very well known exploitable holes that could be, they can be closed pretty easily with basic hygiene practices, basic updating and patching. And there’s a lot of just general hygiene practices that can really prevent, I’d say, I’d say a good majority, I’d even go so far as to guess probably 90% of a lot of these are really avoidable incidents.

Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com. You’ll find a post for this episode containing links to all the sources, research and information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.

Brian: Let me ask you real quick, cuz I think that, you know, a lot of people who watch, you know, any TV program that deals with computer issues, and usually deals with them very poorly, among most people, I think there is this idea that encryption can somehow be cracked. I think in reality, cracking encryption really means having the password, having the key that unlocks the whole thing. And we’re definitely going to have an entire episode on just helping people understand the basics of what encryption is and how it actually works. But when we’re talking about encryption, you’re not cracking any of this stuff, unless you know the code, right?

Ryan: So yes and no. In some instances, some of the less mature ransomware gangs have used very weak ciphers in some of their ransomware code that they’ve developed, and in some of those cases it’s been relatively trivial for some expert researchers to reverse engineer what was used. And so yes, some encryption, and in theory, all encryption really can be cracked, as long as you have enough time and enough resources to do all of the testing and all of the brute forcing. And part of the biggest problem is a lot of these encryption ciphers nowadays, even with extremely powerful supercomputers or distributed computing, or even if you were to find a way to wrangle the power of like an extremely sophisticated botnet, something where you’ve got a lot of computing resources to crack away at this, we’re still talking years, decades, potentially centuries, in some cases, to crack some of these with current technology. So again, are they crackable? Yes. Is the likelihood that they’re going to be cracked with any sort of, you know, in any sort of short timeframe or with any ease? It’s pretty, pretty safe to say no, in most of those cases, theoretically…

Brian: it’s uncrackable. Practically speaking.

Ryan: In most cases, where the ransomware tools do get reverse engineered and do get cracked, a lot of times, it’s either because they’re using an extremely old piece of tooling in the ransomware. Or it’s because the ransomware gang itself has had some of their code repository or places where they’re holding some of those secrets, some of those passphrases keys actually gets compromised. And what they’re doing to other people actually happens back to them as their source code, their internal tools are taken by security researchers and then distributed on the internet, saying, Hey, here’s a tool to help you decrypt all of these things, because we broke into their infrastructure, you start to get into some interesting legal issues from that side, too. But again, it does happen from time to time that some of these things do get reverse engineered or do get broken, but it’s not something that one would ever want to count upon. The better approach is to certainly put plans in place to protect yourself from it. And to make sure that in the case that it does happen, you’re not counting on either having to pay a ransom or find a key to get back into it, that you’ve got a secondary plan in place to make sure that you can continue enforcing business continuity around the issue instead.

Brian: So where does ransomware then fit in, in the overall concept or context of a business getting hacked?

Ryan: So the ransomware again, ransomware is very rarely ever the first stage of compromise. Ransomware is usually one of the end stages of compromise. That’s kind of the end goal, is to apply the ransomware, apply the ransom and collect, and then finish whatever the business relationship is there, if you can call it a…

Brian: Business relationship. Gets business conducted at the end of this meeting, the your signature, or your brains will be on this contract. Yeah.

Ryan: And effectively, I mean, it is, it is business. I mean, it’s a billion-dollar industry, you know, so ransomware is a huge business nowadays. It’s a legitimate business in most of our minds, but it is what it is.

Brian: And so it’s this combination of really strong encryption and these ransomware groups’ knowledge of where to look for critical information, and most importantly, what constitutes critical information for businesses, health care facilities, even individuals, that makes ransomware so disruptive to our modern economy, system, way of doing things. Absolutely. Well, in a nutshell, there it is. Ransomware 101. Want to thank you for joining us today. Look forward to seeing you again in the future. Don’t forget to subscribe to our podcast, you can do so through your favorite subscription service or on our website. Also, if you have a specific cybersecurity topic you’d like to hear Ryan and I address in our podcast, you can go ahead and send us a message on the Fearless Paranoia website at FearlessParanoia.com. We hope to see you again next time. This is Brian and Ryan, Fearless Paranoia, signing off.

©2022 Fearless Paranoia