Ransomware 101: What is Ransomware?
In our first episode of the Fearless Paranoia podcast, we discuss the basics of Ransomware – what is it and why is it so effective and pervasive in our modern world?
- Resilience Cybersecurity & Data Privacy
- They Told Their Therapists Everything. Hackers Leaked It All – WIRED
- How to Protect Your Data When Ransomware Strikes – The Hacker News
- M-Trends 2022: Mandiant Special Report
- Verizon Data Breach Investigation Report (2022)
- Cost of a Data Breach Report – IBM (2022)
- State of Ransomware – Survey and Report (2021)
Brian: Thanks for joining us. Welcome to the Fearless Paranoia podcast. We are trying to make cybersecurity easy and accessible for everybody. Let’s see how well we do that. I’m Brian, a cybersecurity lawyer.
Ryan: And I’m Ryan, cybersecurity specialist.
Brian: This is season one, episode one, the inaugural episode: Ransomware 101. Today we are talking ransomware at a very basic level. In this episode we’re gonna discuss the essential principles of ransomware. What is it, at its core? We’ll discuss the general concept of what ransomware is, why it is so disruptive, and why it’s so effective. Just remember, this episode is not meant to be a deep dive into all the individual aspects of ransomware. This is a general survey of the subject to make sure that you’re familiar with ransomware in general. We will be bringing the deeper dive into various aspects of ransomware in later episodes. This, however, is ransomware 101.
But before we get there, we want to remind everybody that you can check out our other episodes on Fearless Paranoia.com. You can also subscribe to our podcast through any of your favorite podcast subscription services. For additional information on how you can keep you, your business, your family and anyone else safe from cyberattacks, please visit our website at www.resiliencecybersecurity.com to get tips, hints and suggestions and plans and procedures and everything you could possibly imagine to help protect yourself from cyberattacks.
It’s a Saturday night and for reasons passing understanding I’m working; it’s 8:30pm. I open my laptop, and knowing that I’ve got some work to do, I open up my Dropbox connection where I put some documents in the day before at work. As I open the box, something catches my eye. But not enough for me to think too much about it. The files that were there, they’re all their regular files, but they’re not quite the same. And as I’m glancing through, I can’t really figure out what’s different. I also notice that the icons don’t seem to be loading properly. But that could just be my computer being my computer. I double click on a Word file that contains something I was working on. That’s when it’s confirmed that something’s wrong. Instead of one box opening, two boxes open right off the bat, not a good sign. The first box opens up and it’s a bunch of gibberish, symbols, letters, without any kind of order. And I’m really puzzled for a second. But then I see behind that document, the corner of the second document is open. That one doesn’t have symbols; that one doesn’t have jumbled language. It has text in bright colored font: they have my data locked up, and I can contact them at this email address to arrange to make a payment to unlock it. I’ve been hit by ransomware.
The story I’ve just told you actually happened. Fortunately, it was from back in the days before ransomware became quite as insidious as it is now, and we were able to resolve it with limited business interruption issues and other costs. In fact, the costs of reclaiming our system, clearing it up and everything, actually ended up being less than our insurance deductible. That’s something that doesn’t really happen anymore.
So what is ransomware? I think most people who follow the news or anything, read anything about computers, anything about business, anything about security these days, know or have an idea of what ransomware is. But getting a full technical definition requires expertise that exceeds most people and requires time that most people don’t have. Fortunately, we’ve got them both. And Ryan, the cybersecurity and IT specialist. So Ryan, walk us through: what is ransomware?
Ryan: That’s a fantastic question, Brian. Protecting against and defending against ransomware really starts from the core of just understanding what it is and how it works. And so what is ransomware? It’s software. This is a piece of code that somebody’s written, that encrypts data, enacting very, very standard, very widely used encryption tools that are being used with custom algorithms, and makes it unusable to anybody other than the generator of that software, to create a ransom-able environment or ransom-able situation where they can hold data of yours hostage and offer it back to you for what they consider to be a very reasonable cost. It’s no different than old-fashioned kidnapping or theft for ransom or anything to that effect. The main difference here is these are things that are not happening in your front yard. These are things that are happening from people halfway around the globe, over the internet, you know, a tool that we all use every single day.
Brian: So the concept means it’s taking something hostage, and it’s the idea, and I think, I mean, it’s been around forever, but the idea that something is worth more to you to get back than it may be worth on the open market. The idea of, even if your computer systems were full of personal information that might be sold on the dark web, that data is not that expensive on the dark web, but you were willing to pay a lot more to make sure it comes back or to use it yourself, then it has actual intrinsic value.
Ryan: Yeah, that’s great. You actually touched on a couple of really important points there, too. The first one is that the data is important to the generator, the owner of the data, and life is just not as easy to continue on with without having it back. Whether that’s a detriment to your business, this is core critical data that you don’t have backed up somewhere else. It’s data that is not recoverable easily. And so it’s got a certain level of value attached to it. Some of that data has value purely to its owner. Some of that data is very valuable to a whole variety of people based on the nature of it. So not only do you have a situation where, as your data gets into a situation where it’s been encrypted by ransomware and it’s being held hostage, that data, again, could just be valuable to you enough for you to offer a payment back to these criminals to get access back to your data. It could also be valuable to them from an extortion standpoint of what happens if we dump this data: are you going to be willing to pay us a little extra not just to get access back to it, but to keep us from publicizing the data out on the internet so that everybody else can have a copy of it too. And that’s been something much more prevalent in the ransom attacks popping up in recent times, is that there’s almost a two-stage piece behind that ransomware attack where they attempt to profit twice from it. And again, it’s good from a business standpoint, but it’s terrible for the rest of us that are on the receiving end of those types of malicious attacks.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: Yeah, I’ve been amazed recently how it does seem like ransomware, while certainly, you know, when this stuff first became popular it was an effective term; extortionware almost seems like it’s the better term for the modern version, because ransomware evokes the concept of “we’re holding this until you pay us to get it back”; extortionware is a much. I mean, and that is a version of extortion. You know, a kidnap and ransom situation is one type of extortion: we are going to illegally get money from you, based on you either doing something or not doing something. We’re going to leverage you to pay by taking something valuable of yours and returning it back. But the whole concept of extortion, there is this idea that you can be compelled to do something not just based on the proposition of getting something back, but on a whole variety of levers. And I think, and we’ll talk about, I definitely want to talk about this in greater detail in a later episode, this concept you touched on, what I’ve been seeing referred to as double and triple extortion, where the people doing the extortion actually leverage different ways of getting you to pay, one of which is not even approaching you with the ransom, but approaching your customers and letting your customers know that, you know, they have your data. And there’s the actual data about the customers. And I think one of the more famous examples of that recently was, I think, in Scandinavia, essentially a large psychiatric organization where they took people’s patient notes and contacted the patients and said, if your psychiatric doc doesn’t pay up this ransom, we’re releasing your psychiatric notes.
Ryan: Yeah, it’s definitely taken a few different iterations. And it continues to find ways to become not just more effective, the malware families and especially the ransomware itself, but just the entire method of distributing it and how they’re utilizing it to draw maximum income capabilities out of the whole process has really kind of gone through, again, a whole series of evolutions, and I don’t see any of that stopping. A lot of it follows very standard criminal methodologies of just finding, you know, low-hanging fruit, easy opportunities. And a lot of these ransomware attacks really kind of focus on, you know, those easily exploitable people. So again, folks like ones with medical issues where something is, you know, that’s really personal information, or going into a business and stealing source code from a software developer. That’s your bread and butter. Those are your trade secrets. That could be something as simple as a customer database where maybe it’s not critical to your business, but it’s certainly going to be critical to everybody who does business with you, which can turn into, you know, a major business impact later on if that data were to get out. And so it’s a constantly changing field. And it’s one that’s just going to keep getting more and more devious, which is why it’s more important than ever now that we put into effect, at the personal and professional levels, everywhere we can, basic internet hygiene practices to stay safe from some of these, because a lot of these attacks are taking advantage of and exploiting overlooked updates, overlooked resources, very well known exploitable holes that can be closed pretty easily with basic hygiene practices, basic updating and patching. And there’s a lot of just general hygiene practices that can really prevent, I’d say, a good majority, I’d even go so far as to guess probably 90% of a lot of these are really avoidable incidents.
Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at firstname.lastname@example.org or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com. You’ll find a post for this episode containing links to all the sources and research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: Let me ask you real quick, ’cause I think that, you know, a lot of people who watch, you know, any TV program that deals with computer issues, and usually deals with them very poorly, among most people, I think there is this idea that encryption can somehow be cracked. I think in reality, cracking encryption really means having the password, having the key that unlocks the whole thing. And we’re definitely going to have an entire episode on just helping people understand the basics of what encryption is and how it actually works. But when we’re talking about encryption, you’re not cracking any of this stuff, unless you know the code, right?
Ryan: So yes and no. In some instances, some of the less mature ransomware gangs have used very weak ciphers in some of the ransomware code that they’ve developed, and in some of those cases it’s been relatively trivial for some expert researchers to reverse engineer what was used. And so yes, some encryption, and in theory all encryption, really can be cracked, as long as you have enough time and enough resources to do all of the testing and all of the brute forcing. And part of the biggest problem is a lot of these encryption ciphers nowadays, even with extremely powerful supercomputers or distributed computing, or even if you were to find a way to wrangle the power of like an extremely sophisticated botnet, something where you’ve got a lot of computing resources to crack away at this, we’re still talking years, decades, potentially centuries, in some cases, to crack some of these with current technology. So again, are they crackable? Yes. Is the likelihood that they’re going to be cracked with any sort of, you know, in any sort of short timeframe or with any ease? It’s pretty, pretty safe to say no, in most of those cases, theoretically…
Brian: it’s uncrackable. Practically speaking.
Ryan: In most cases where the ransomware tools do get reverse engineered and do get cracked, a lot of times it’s either because they’re using an extremely old piece of tooling in the ransomware, or it’s because the ransomware gang itself has had some of their code repository, or places where they’re holding some of those secrets, some of those passphrases or keys, actually get compromised. And what they’re doing to other people actually happens back to them as their source code, their internal tools are taken by security researchers and then distributed on the internet, saying, hey, here’s a tool to help you decrypt all of these things, because we broke into their infrastructure. You start to get into some interesting legal issues from that side, too. But again, it does happen from time to time that some of these things do get reverse engineered or do get broken, but it’s not something that one would ever want to count upon. The better approach is to certainly put plans in place to protect yourself from it. And to make sure that in the case that it does happen, you’re not counting on either having to pay a ransom or find a key to get back into it, that you’ve got a secondary plan in place to make sure that you can continue enforcing business continuity around the issue instead.
Brian: So where does ransomware then fit in, in the overall concept or context of a business getting hacked?
Ryan: So the ransomware, again, ransomware is very rarely ever the first stage of compromise; ransomware is usually one of the end stages of compromise. That’s kind of the end goal: to apply the ransomware, apply the ransom, and collect, and then finish whatever the business relationship is there, if you can call it a…
Brian: Business relationship. Business gets conducted at the end of this meeting: your signature, or your brains, will be on this contract. Yeah.
Ryan: And effectively, I mean, it is business. I mean, it’s a billion-dollar industry, you know, so ransomware is a huge business nowadays. It’s a legitimate business and most of our minds, but it is what it is.
Brian: And so it’s this combination of really strong encryption and these ransomware groups’ knowledge of where to look for critical information, and most importantly, what constitutes critical information for businesses, health care facilities, even individuals, that makes ransomware so disruptive to our modern economy, system, way of doing things. Absolutely. Well, in a nutshell, there it is. Ransomware 101. Want to thank you for joining us today. Look forward to seeing you again in the future. Don’t forget to subscribe to our podcast; you can do so through your favorite subscription service or on our website. Also, if you have a specific cybersecurity topic you’d like to hear Ryan and I address in our podcast, you can go ahead and send us a message on the Fearless Paranoia website at Fearless paranoia.com. We hope to see you again next time. This is Brian and Ryan, Fearless Paranoia, signing off.
©2022 Fearless Paranoia