“Ransomware has become more of a well-known issue. There is more sophistication in the attacks now.” - Joel Witts Click To Tweet
School districts, health care organizations, cities, and towns have all been victims of ransomware. Families have lost access to photo albums of 20 years of memories and personal finances. It can be a very devastating experience. It is very scary to not be able to do your job or access your data. Now attackers are not only threatening to delete your data, but they are also threatening to leak the data. This can cause lawsuits, legal ramifications, and a huge headache for businesses large and small.
What is ransomware? Ransomware is a type of malware that gets installed on your machine and it locks all of your files so you can’t access them. It spreads very quickly through your computer and you may be unable to access crucial programs and files. Often you get a message from the attackers requesting money or your data will be leaked or deleted. Craig and Joel share their expert insights on how to prevent these attacks.
Craig MacAlpine is the founder and CEO of Expert Insights and a passionate security innovator with over 20 years of experience in information security and product management previously founding e-mail security company EPA Cloud.
Joel Witts is a Senior Content Editor at Expert Insights covering a multitude of areas including cybersecurity.
We talk about ransomware and best practices for protecting you, your family and your business. We specifically discuss ways ransomware can get in, how you can be affected, and ways to protect against it. We talk about secure gateway products, post-delivery protection, and isolation. This episode will help you figure out what solution can offer the best protection to your family and business.
- [01:38] – Ransomware is a type of malware that gets installed on your machine and it locks all of your files so you can’t access them. It spreads very quickly through your computer and may be unable to access crucial programs and files. Often you get a message from the attackers requesting money or your data will be leaked or deleted.
- [03:14] – With a lot of scams there is a level of emotion and urgency in the ransom component.
- [04:50] – Travelex was hit on New Year’s Eve this past year and it closed their operations down for a week while they had to go to a manual basis and had a 32 million dollar hit.
- [06:08] – Ransomware is something that affects all the way up from small to large businesses. The most common targets are healthcare, education, towns, and cities.
- [07:19] – The average ransom sum is increasing to over $40,000.
- [09:01] – There is conflicting advice on whether the company should pay the ransom or not. There is no guarantee that you will get your data back.
- [09:59] – Ransomware has become more of a well-known issue. Businesses are putting more measures in place to try and mitigate the risks from these threats.
- [11:10] – A common way for ransomware to start in an organization is through phishing attacks which are difficult to stop. Phishing is a type of email that tries to trick a user into performing an action.
- [13:31] – If you have got a savvy phisher whose updating that content it is really hard for the gateway systems to pick that up.
- [14:14] – The email may be the start of the phish, but not the method that the malware is downloaded that is just where they start the conversation.
- [17:03] – Secure gateway products usually do a good job stopping spam and phishing emails. Typically 98-99% of these threats will get stopped with those products.
- [19:03] – Someone can get remote access to your email account and forward the emails. The user isn’t even aware of what is going on in their email account.
- [20:04] – Post-delivery protection looks for compromised accounts and phishing emails coming from a genuine internal account emailing someone else within your business.
- [22:10] – If you are an IT manager or IT professional you’re asking for trouble not installing two-factor or multifactor identification.
- [24:17] – E-mail is your gateway to connect with someone, but the malware usually comes through the web like a download.
- [26:34] – Isolation could be the solution, but it will be a while before this option comes to consumers. It is a process that takes a while to get to the home-use level.
- [27:55] – With isolation videos or documents would be rendered for your viewing, but not actually be downloaded to your machine.
- [29:43] – If someone does become a victim of ransomware what are their options?
- [31:59] – Realistically if back-ups are not automated they are not going to happen.
- [34:06] – The IT manager is often a jack of all trades trying to oversee the phone systems, PC updates, and more. Back-ups are not prioritized, because if something isn’t broken then we don’t have time to fix it today.
- [36:13] – Over time there will be more advanced and automated systems that will block the vast majority of ransomware, but there will still be some carefully crafted scams that will be hard to catch. It will probably become less frequent, but never entirely go away.
- [37:07] – The scammers only have to get it right once, but the people that are protecting against it have to get it right 100% of the time. There will always be an element of human mistake because of emotions and fear.
- [39:46] – The attacks can be very effective because of fear and time sensitivity even if technologically we are able to stop them.
- [40:28] – Great advice is to not panic if you get hit by ransomware.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Expert Insights
- Expert Insights on LinkedIn
- Expert Insights on Facebook
- Expert Insights on Twitter
- Best Email Security Solutions
- What Is Ransomware-as-a-Service and How Can You Protect Your Organization Against It?
- Best Endpoint Protection
- Using Slack in Your Business
Craig and Joel, I really appreciate you coming on the Easy Prey Podcast, talking about what you guys do, and talking today about ransomware and beyond. I always have fun talking with people who have been in the IT industry for many years, and we can have some fun conversations going back to old Cisco router numbers and things like that, except for Joel. We've probably had routers older than Joel, unfortunately. Hopefully, they're still not in place.
Joel: Thanks for having us. Thank you.
Great to have you on. Ransomware (for a lot of people) is a very nebulous thing. They hear the news stories about school districts becoming victims of ransomware, cities, and healthcare organizations. I think a lot of people aren't really clear as to what ransomware is, how do you get it, and how to deal with it. Let's walk through from beginning to end of ransomware. What is ransomware?
Joel: I think ransomware (in a simple sentence explanation) is a type of malware that gets installed on your machines and it essentially locks all of your files. You can't access them, it spreads, often, very quickly through your computer, enters all the other computers in your business, and you might suddenly find that you can't access crucial programs and files that you need to run as normal.
Often, you'll get a message from the cybercriminals or attackers that have created this ransomware that says, “You need to pay us or we're going to delete your data or maybe leak your sensitive data.” Suddenly, you're looking at a loss of productivity. You can't carry on working as normal, because you can't access your systems. A loss of credibility with your customers because suddenly you've jeopardized their data.
Obviously, the financial implication is that you might have to pay these guys, or should you pay them? What's the best practice there? It causes a lot of fear, uncertainty, and it's really quite insidious it's happened. It really leaves you feeling like you've got nowhere to go if you haven't got any systems in place to stop it.
I assume for individuals, it's the fear of, “Now I've lost access to my family's photo album for the last 20 years. All those memories are now encrypted. All my personal finances are encrypted. All the records of things that I find important are now encrypted, and I don't have access to them.” I can see how it would be a really devastating experience. I know with a lot of scams out there, there's this level of emotion and urgency in the ransom component of if you don't pay this amount of money in this amount of time.
Joel: A lot of them. A lot of the attacks will play on that fear. It is scary enough to imagine not being able to do your job or, like you say, access all your data essentially. But then often you get this message and there's normally a timer, a countdown, to the structure or something that says, “You need to pay us today in the next two hours, in the next hour, in the next 30 minutes,” whatever. A lot of individuals don't know necessarily what the best practice is to do because a lot of the times you see these messages pop up and you maybe ignore them. You think they don't read my systems or really think it’s compromised, or maybe it sounds like quite a common spam message. But then if you get hit by a real ransomware attack, what do you do in that situation, especially for individuals? Small businesses as well often don't have the right systems in place. They might not know what to do. A lot of businesses don't expect to get hit by ransomware attacks, but they are running to small businesses much more commonly. It's a really big problem.
I assume it's not just small businesses that are being attacked. We talked earlier before the recording that Travelex became a victim of ransomware. Do you guys know more about that experience or that event?
Craig: Yeah, Travelex was hit just after New Year's Eve this year, and just on New Year’s Eve affected their business operation. Travelex has hundreds of branches at airports and other locations where you can actually do foreign currency exchange. They also have a white label service where they run foreign currency exchange on behalf of other institutions and effectively their operations closed down for at least a week while they had to go to a manual basis.
They've now taken, in Sterling terms, over a £25 million hit in terms of loss of business from that ransomware attack. In dollars, you're looking at $32 million hit to their business. That's now combined with the coronavirus and what else is happening. That puts their business into jeopardy with potential insolvency for that business. You are going to show how mission-critical these issues can be in these organizations. That's a large organization. That's not a mom-and-pop shop. That's thousands of people's livelihoods in jeopardy over this incident three months ago.
That's crazy. I don't want to say you hope it's only small businesses, but it is something that affects from small all the way up to really large businesses.
Joel: Yeah. I think the most common targets are healthcare, education as well. There have been a lot of towns and cities. I think there were 22 towns in Texas.
At least, I’m sure.
Joel: Increasingly, it's MSPs as well, that run by targeting because, obviously, the MSPs also have access to all of their clients. The MSP aspect of it is something that's really growing.
Craig: Within the audience, do people understand what we mean by MSPs? It's really easy for us to start talking jargon. Do people know what an MSP is?
Joel: Managed Service Provider. Someone who manages the IP security and other services as well, not just security of multiple clients. So, if they're hit by ransomware attacks and that spreads to the client systems as well, or even if it just stops the clients from being able to access their systems, that can cause a chain of events that make it incredibly lucrative for cybercriminals to go after these groups. They are really lucrative attacks as well. I think I was reading that the average ransom sum is increasing to over $40,000. Those figures were reported by Coveware, which is a company that was set up specifically to help organizations pay the ransom to attackers, which I think just tells you just how they look […] around the attack of ransomware.
I've definitely heard that there are entities where it's, “Oh no, we've hired someone to recover our data,” and they don't know how the recovery is happening. The company just pays the ransom and hopes that they unlock the data, which is really crazy.
Craig: The other side of the coin is in terms of the law enforcement side of it. I've been speaking to law professionals in the UK. It's effectively an unwritten policy that if it's below $35,000, they won't investigate it. There isn't the resource to actually investigate a lot of these attacks. That's actually as a consumer or a business, that is very worrying that it is effectively you can be hit, you can be squeezed hard, you could lose your data, it's going to cost you a fair sum of money to get it back. And for the people who are actually perpetrating this, it's a free card. They're not going to get caught. That's typically where these people are located, are they in Ukraine? Are they in Russia? How do you actually get them embracing justice?
Joel: There's a lot of conflicting advice as well as that other businesses should actually pay the ransom because obviously, even if you pay it, there's no guarantee that the data is even recoverable or that they will unlock the data or anything like that. It really puts the system in a really difficult situation. I've read conflicting advice as to whether you should pay it. I mean, it's easy for security companies to say don't pay it, but if you're a business and you need access to your data and you need it as soon as possible, it’s hard to say, actually that you never want to pay it.
It's easy when it's not your data that's at risk. It's easy to say if nobody were to pay the ransom, then these schemes wouldn't exist because if people can't make money out of it, they're not going to do it. That means I have to shut down my business. That means I have to go to a backup that I did a year ago. That means hundreds or thousands of people out of work. How do you justify that, versus we just hope that someone else doesn't fall victim to this also?
Joel: I read that there's more sophistication in that as well. Whereas maybe before ransomware has become more of a well-known issue and businesses are putting more measures in place like a backup (as we've mentioned) to try and mitigate the risks from the threats. Attackers have been quite smart in that now. It’s not just well, deleted data, but we might leak it. Suddenly, there are data breaches that you're responsible for and people's information, because if you've got a backup in place, you might think I'm not going to pay it because if the data gets erased, I can recover it.
If it's suddenly your data is going to get leaked and maybe your customers are going to be compromised because of you, they might not put some fines under that as they get data regulations, you might suddenly lose more because of that. They're really working on smart ways to get businesses to pay and becoming more sophisticated in that sense.
It's really playing on that fear that we've talked about—that fear and emotion that we talked about earlier. It's like, if you aren't afraid of having to go through the hassle of restoring a backup, well, what about the lawsuits? What about the legal ramifications of a data breach? Let's take a step back and work from outside in. How do people actually get ransomware and what are the steps along the way that can prevent someone from getting ransomware?
Joel: I think a common way for ransomware to start in organizations is through phishing attacks, which are quite difficult to stop for organizations. There are ways of doing it, but phishing attacks really work on two levels in that they exploit weaknesses in email security technologies, which Craig can talk more about the technical side of why phishing attacks are more difficult to stop. But they also still exploit fear in people as well. When you receive a phishing attack, it really exploits that uncertainty and makes you unsure of what to do.
Phishing is a type of email, which tries to trick a user into performing an action. You might get an email saying—it could even be from your boss. I mean, CEO impersonation is a common type of phishing but it basically asks you to perform an action like log into an account, download a file, open a OneDrive attachment or something, which will then start the malware download, which often then is how ransomware spreads into an organization. On the email side, Craig, I'll hand over to you about why phishing is such a difficult thing to stop.
Craig: Okay. Within the phishing side, typically an organization will have a gateway protecting them. A secure email gateway that will sit on the outside of their email systems, whether they're using Office 365 or an on-premise server, but typically, people aren't hosted email now. The typical attack vector will be a four- or five-lined email. It will come from maybe a Gmail account, so it's coming from a genuine email account to users within the organization and it all spoofs the CEO or the CFO’s name.
It looks like it's coming from their personal email account or something like that.
Craig: Yes, yes. It's from their personal Gmail account, but it's coming from a genuine email account. There will probably be no links within the email, so the actual gateway products, technically, they find it very hard to detect that. All they can go on is have they seen this email before from this email account? Typically no, that they haven't seen emails, so a fresh Gmail account will send that. The other thing that they'll go on is the verbiage, the actual text within the email—have they seen that text before.
If you've got a savvy phisher who's updating that content, it’s really hard for the gateway systems to pick that up. That person will then get into an email correspondence. The recipient will get into an email correspondence with the sender, at which point they will either be enticed to log in to typically something like a secure online portal that they've got to log into. And actually logging into that and actually downloading that will cause a malware download. Or they go to a web link that downloads something.
That will typically be the start of the actual phish, but it might not be the method that the malware is downloaded, but it will be starting the conversation. Technically, a lot of the technologies that we look at will claim to stop this. I think the reality is there's no one silver bullet that will stop it for a company to actually resolve that.
I'll get a little technical here. Maybe you can explain the products a little better than I can. If your secure email gateway is monitoring for suspicious links and things like that, or the content of emails, do additional products of the content firewalls help mitigate, or does that play a role in there as well something that prevents you from going to known sites that are involved in compromises?
Craig: In the business world—we look at the business world rather than consumer—the dominant email platform is Office 365, especially in The States. It's the number one email platform that people will use. Companies will typically deploy that without any additional products. We'll use the default Microsoft filtering that comes with Office 365. The second platform that people will use is G Suite, Google G Suite. That will be the second email platform. The third most popular email platform will be on-premise Exchange.
Some of that is on Office 365—they typically won't be using third-party gateway products. They won't be using additional technology. They'll be relying on Microsoft's in-built technology and we find that very weak. Microsoft does a good job at stopping general day-to-day spam email, the run-of-the-mill spam email, but it does a very poor job at actually detecting and stopping spoofed email. I've seen numerous and numerous attacks where it's a spoofed email from a Microsoft login page. An Office 365 user receives an email that is linking to a fake Office 365 login.
You've got an issue with the default technology. The cheapest of the lowest cost denominator solutions aren't working. Then people that have been running Exchange on-premise have had these issues before in terms of becoming used to running a gateway product. Some companies that have moved to Office 365 have retained their gateway product. That could be the SMB market and Proofpoint Essentials has over 100,000 organizations using it. There are about 30 different secure email gateway providers in the market.
Those products generally do a good job of stopping spam and phishing email. Typically, 98–99% of threats will get stopped by those products, but they'll still let the odd spam and phishing email through. Some of the products will have link rewriting included in them. When you receive an email and you actually click on a link in the email, that link will have been rewritten. At the actual point of clicking on it, it will be scanned or it will be passed through a database of known compromised websites. That technology works well, where if I'm sending you an email of a compromised site that's already been detected, the danger is that zero hour. So if it's a brand new website, there can be a delay of two hours, four hours, 12 hours from when that website goes live to actually being detected as a malware site.
If the scam has been around for a while, you're safe. But if you're patient zero, you really don't have much protection.
Craig: Yes. The way I look at it is a belt-and-braces approach. The secure email gateway is a legacy technology. Probably the first companies offering it would have been companies like MessageLabs, which is now Symantec back from 2000–2001. These technologies have been around and they typically do a good job. They're doing more than just email filtering. There may be some DLP. Another thing that we'll be doing around that.
The newer technologies, one of the issues with an SEG or Secure Email Gateway, it's sitting at the boundary, so it's sitting outside of your email system. A big issue with things like Office 365 is it knows email compromised, business email compromised, where a user's account gets hacked. Someone can get remote access to a user's email account. They will do something like they'll log into that account and set up a forwarder rule. They'll forward email from that account to an external account, and maybe move emails into a read folder. The user is not even aware of what's actually going on in their email account. We see that as a big threat with things like Office 365 and G Suite as people move to hosted. The problem with Gateway Solutions is they're sitting outside of your email platform. They're not actually sitting within your email platform, seeing what's going on.
The newer form of technology is called Post-Delivery Protection. These are systems that actually sit within your hosted email environment. An example of those are companies like IronScales […] GreatHorn. A growing number of newer companies, sort of new-age security companies where it's actually sitting within your email platform, and it's looking for compromised accounts, it's looking for phishing emails coming from a genuine internal account, emailing someone else within your business.
Another thing that we see often is these compromised email accounts are quite typically used by phishers. The idea is that you compromise an email account and you use that genuine email account to go phishing with because that account may be on the owner list, it will have a good domain reputation. To stop that, I would recommend any company on Office 365 or G Suite, get 2FA or MFA installed. Get Two-Factor Authentication or Multi-Factor Authentication installed. You're just looking for trouble if you haven't installed that. You should be restricting access to your users' accounts. Typically, the balance is around getting that balance between ease of use and security. I think that's the age-old issue.
Let's take a step back for those that aren't aware of what Multi-Factor Authentication is and often called Two-Factor Authentication. We see it a lot on our bank accounts where you log in and your bank sends you an SMS message that says you need to enter the code 123456 before you can log into your bank account just trying to prove that.
Craig: It could be a message to your cell phone or it could actually be an app that's installed on your phone. On your iPhone or Android device, Google has their own app, Microsoft has an app, and it will give you a one-time code. In Microsoft's example, they'll give you a one-time code that you type in, or it'll actually pop up with a notification to go, “Hey, is this a genuine request? Approve it or deny it,” and it will actually be the second level to log in.
I will just encourage businesses, if you're an IT manager or an IT professional, you're asking for trouble not to install that. At a policy level, it's good hygiene. We should be practicing it. We're all washing our hands now with COVID. I think MFA and 2FA should just fall into that good hygiene. We should all be following it. It's best practice just to get it done.
Absolutely. We've talked about a number of ways that ransomware can get in and how you can get impacted, and we've talked about at what points you can protect against it. Obviously, there are internal policies of telling people don't click on links. The reporting on that as far as the effectiveness—some people report that it's highly effective. Other people report that basically if someone gets an email from what looks like their boss, they're not even going to think twice about clicking on a link.
Craig: Yeah. I think one of the technologies that we've been really impressed with is isolation. Let's assume that the email does come in. It bypasses all this fantastic technology that you've got. The user actually clicks on a link. In the past, there were a lot of companies that would have gone for web filtering. Proxy-based web filtering or DNS web filtering, where you're actually going, “Is it a good website? Is it a bad website?” Allow and deny.
The problem of these technologies is you still have this zero-hour element, and in our testing, we've been really impressed with browser isolation. I think this is the future where web traffic filtering is going. What isolation is at the point that you actually click on a link and go to a website, that website is not connecting to your PC or to your Mac.
You're getting a rendered view of what is on that third party website. If there's any malware that is hosted on that third-party website, and if you think about it, the majority of malware comes through the web, so email is your gateway to actually connect with someone, but it will come through the web. It will be a web download that will actually infect your PC. Isolation is a great way of you being able to browse the web securely. Nothing's actually been rendered on your machine. There's a growing body of companies that provide isolation, and I think we'll start to see a lot of acquisition in this area where you've got companies that have gotten an isolation product being acquired by the web Trojan companies because it's a real gap with web Trojan companies.
The issue with isolation is the cost to actually do that. In the conversations that we have, we see the larger organizations—the enterprises—they can afford it. They can justify it. They can swallow that high cost per user to get it installed. For the smaller companies, they are going, “Well, we're doing web filtering, we've got this low-cost option. Why do we need to do it?” I think it's one of those solutions that will become de facto, but it might take three to five years for it to become an industry-wide solution that people use.
Do you foresee that coming out at some point to consumers at home as well? Maybe Google will offer that as a service, let's say?
Craig: That's always the question. Will someone like Google actually acquire one of these vendors and spin it up wholesale, because they've certainly got the data center to do it.
The computing power to handle that. They've got the scale and they can provide that to users. They've already got Google Chrome.
Craig: I never thought about that for the consumer market. I think you're right. I think it will be some of the large players in the market. The Microsofts, Amazons, Googles that they do bring this consumer market and I think it's going to take one of the larger players with this scale to build deliberately.
Joel: I spoke to a couple of the co-founders of one of the large […] I asked them that question, “Do you see this coming to consumers and working in general security technologies?” I think the impression I got was they thought it would, but not for a while. The technology trickles down, essentially, and that's going to take a while. For what's really now, a lot of it is still very enterprise-focused. To get down to the home-user level, it's going to be a long process.
It's like the Tesla Model of doing business. We're going to learn on somebody else's dime and then as we perfect the technology, we get closer and closer to the consumer and closer and closer to the entry-level market and let those that have deep pockets fund the learning process.
Joel: Exactly. That was actually very similar to what they gave me. We're still troubleshooting with these big organizations that can afford to have those growing pains. Whereas when it gets down to the smaller level, it's like you need it to work, essentially.
Craig: My understanding is the US government at the moment is trialing it with two different vendors for 25,000 users. Vendor A put 25,000 users and on Vendor B put 25,000. Once they've done that selection process, what I understand is they will then pick one of those two vendors to deploy it across the board and deploy that so that'll be a very large deployment for that.
Will be some great learning that will come as a result of that experiment.
Craig: This is getting to the point of even the video that you're watching is rendered. Everything. If you go to a PDF document, an Excel spreadsheet, a Word document, none of it is actually being downloaded to your machine. It's a rendered version that you're actually viewing. Things like macros in an Excel file. Arguably, if you move to that vision, nothing's actually touching the endpoint, the actual user's machine. You're securely protecting that user's machine from anything malicious on the internet. It's just a window to the internet that they're actually seeing.
This reminds me of 20-25 years ago. You had terminals that really had no computing power. It was just a rendered image. It was just a monitor and a keyboard. There wasn't a computing power and it sounds like we're cycling back to that—what we're going to be living with. Interesting.
Craig: But you need immense technology to work. You do need very good bandwidth for it to actually work. The actual connection to the user has to be a high bandwidth connection. A lot of it is relying on fiber connections or at least good, strong connectivity to the user. Maybe not Tesla but with Musk's satellites going up, maybe that'll all come in the future once we get mobile internet. And through thousands of satellites, maybe that will be the next thing.
It's the promise of 5G. Let's say someone does become a victim of ransomware. Their computer has been locked. What are their options? We talked about whether you can pay the ransom.
Craig: Get some Bitcoin. I think with the way the markets are crashing, it's going to be cheaper. You need less Bitcoin today than you did last week.
Maybe that will be the, “Hey, sure. You want 15 Bitcoin? That's only $10. Sure, have it.”
Craig: Yeah, no longer $20,000 a Bitcoin. In all honesty, I think you're relying on your backup strategy, ultimately to recover. How have you been backing up your data? What are your point recoveries that you've got? Are you keeping a 30-day retention, a 90-day retention, your different backup points on that? As people move to the cloud, it's an interesting one for people ensuring good backup hygiene. Back in the day, you'd have had your file server on-premise, you'd have been doing your tape backups, nightly, coalescing that until we clean a monthly backup and lose it all, been shipped off to a vault, to a fire safe off-site somewhere.
As we move to this online world, and now people are using offsite storage, how good are their backup strategies for that? I think that's what's been showing up with a lot of these cases. People haven't gone for the cheaper or lower-cost solution. We save money. We've been through a recession, let's cut costs. I think it's that balancing act people are going to look at to get your data back.
I know that having worked for a small business previously. Even consumer-level backups are a quirky thing.
Craig: It's the tax to use as a cost. I've got my data. Why do I need to pay extra to keep another copy of it?
That's the challenge. You get people that are like, “Okay, well, I'll just attach an extra hard drive to my computer. I'll copy the files over once a week.” If you have ransomware, most likely it's going to encrypt your drive that's attached to your computer anyway. Realistically, if it's not automated, maybe for a couple weeks, you'll be good about dragging your files over. But realistically, if it's not automated, it's not going to happen.
I'm not sure. Is ransomware also impacting network-attached storage? If I assume that if it's relatively just acting as a drive that's connected via Ethernet rather than a USB-C cable, that its network-attached storage, is probably just as at risk to malware or to ransomware.
Craig: I wouldn't want to claim to have knowledge in this area. My domain knowledge is email and web. So I've stopped professing on discussing subjects where I'm wrong.
I guess the answer then is, you as the user, if you think that you're getting a protected device, you need to find out whether you really are or not and really ask those questions of your vendor. In the case of, “If my computer gets malware, is my NAS protected from that?” If the answer's no, then in theory, you might have a “backup,” in case your computer dies. In the world of ransomware, your NAS is compromised, then you lose that data.
Craig: I think if you look at how businesses buy or consume IT, there are two methods that businesses will consume. A smaller business will typically get through an MSP. Let's say, you're an insurance broker—you employ 15 people. You'll have a local company that is supporting your IT and you're really relying heavily on that MSP to guide you. I think within the industry, there's a responsibility of MSPs to actually have that honest conversation with their customer to actually advise them on best practice and implement that, while also ensuring that they, the MSP, are following best practice and they aren't the attack vector.
As you move into slightly larger businesses that can then afford to have IT professionals in-house—an IT manager—it then becomes beholden on that IT manager to get this implemented. I think one of the issues that you've got that I've alluded to earlier that that person is a jack of all trades. They're covering maybe the phone systems. We've got a PBX voice system. They've got responsibility for PC updates, is the onsite file server still working, and ensuring these practices. I do wonder for how many of those people they're like, “Yeah, I know I've got to do it but I've got another 20 more important jobs I've got to get done.” That prioritization argument that goes, “If it ain't broken, I don’t need to fix it today.”
I've definitely been in that position where I was responsible for the phone system, the mail server, the websites, desktop support, and it does become that play of the boss telling me he wants to go this direction, and I'm trying to fight and wrestle. Like, “No, security really does need to be a higher priority.” There is that battle that can go on within a company because the owners are looking at it like, “Is this going to make me money?” They are there for profit. It's hard to have that conversation of, “No, this is not going to make you money. It's insurance. It's going to hopefully prevent you from losing money.”
Can you afford your business to be down for a week or a month? It may only be a couple of days, but can you afford your business to not be operational for that period of time? Or if you're a home user, can you afford to be without your computer at home for an extended period of time?
Craig: Absolutely. How do you think ransomware is going to play out? Do you think it's one of the things technologically it will become a gap so it's closed? Because I look at the NHS in the UK and a lot of the ransomware that's happened in the UK has been because old systems that haven’t been patched or updated. It's been vulnerabilities and systems that haven't been closed. Do you think it's one of the problems that will move away, as technology catches up?
I think it'll probably be a similar experience to dealing with spam. Over time, there'll be more and more advanced automated systems that will block the majority of it—the vast majority of it, about 99% of it—but there's still going to be those carefully crafted things that happen within that zero hour that are just going to be really, really hard to catch. I think it'll become less and less frequent, but I don't know that it's just like spam, if it's something that's going to ever entirely go away.
Craig: I suppose you’ve got two sides of the coin here. There's the one that you buy the technological gap, so we try to plug it with extra services. You've also got the human elements, the training elements. I guess in any system, that's always going to be the weak point as an attack vector. It just needs one mistake, one error.
They kind of talk about terrorism. The terrorists only have to get it right once. The people that are protecting against it have to get it right 100% of the time. I think it's going to be that way. There's always going to be that risk because the humans are always involved. We're going to act out of emotion, we're going to act out of fear, we're going to make a mistake. Those things are still going to happen regardless. How many machines out there are still running Windows XP or even Windows 7?
Craig: Windows 7, yeah. I was in the doctor's surgery, and about six weeks ago Windows 7 device.
Joel: I think statistically, the number of successful ransomware attacks is not catastrophic. I think it's because organizations, in particular, are looking at the reports that are coming out and trying to implement best practices as quickly as possible and getting those systems in place. I think in terms of attacks, we might see it drop from a peak that has been in the last couple of years. But alongside that, there's also been increased sophistication in the attacks.
Like we say, going after MSPs and going after more vulnerable SMBs, and even individuals, where organizations are doing maybe a bit more research into making those phishing attacks a bit more credible. Because the attacks are so successful, even though the defenses are getting better, the attackers are going to work against that because this is something that has been proven to work very effectively.
I think there's been a real increase in ransomware as a service where attackers can go onto the dark web, they can purchase this ransomware, and even if it's stuff that's been cracked and other users, you might see the message and think you might be able to recover your data.
That actually is a really good point. There are a lot of products out there that if you've been a victim of older ransomware, such as decryption, people have reverse-engineered the decryption keys and you might actually be able to get your data back using a free data recovery service. I'm not familiar with which ones they are, so be careful about what you're looking for because you're probably as likely to be a victim of ransomware, trying to find your ransomware decryption key.
Joel: Do a lot of research if you've been hit and you're looking for that. It's definitely the case because they really go hard on that element of fear and with that countdown on there, and really pressuring people to just pay it without doing anything else. The attacks can be very effective, even if they're technologically able to stop them.
I think it always comes down when there's that fear, now there's emotion, there's the urgency. You’ve got to stop, take a deep breath, get other people involved before you take an action. It's just to make sure you've got multiple eyes looking at it. You’ve talked with the professional, whatever it is. If it's a tax scam talk with your kids, talk with your parents, talk to someone who can offer…who’s once removed from it and is not going to be having that fear and emotion that you are.
Joel: Yes. I think definitely don't panic is good advice if you get hit by ransomware.
The good old line from The Hitchhiker's Guide to the Galaxy: “Don’t panic.”
Joel: We read that, so don't panic.
Is there a place for people who want to learn more about how to protect their email systems? How can people get ahold of you guys, and what services do you offer to help them?
Joel: We've written a lot of content about ransomware in particular. We've got a long article about what technologies are in place, especially for SMBs, to protect themselves from ransomware. We've also published really in-depth guides to the best email security solutions, and that particular feature in regard to stopping phishing, stopping ransomware. We've also got some articles on the best endpoint protection for SMBs. Craig, is there anything else you'd want to…
Craig: I suppose we've also done research in other new technologies. I think one is Slack. As we move to more remote working—is Slack secure? How do you ensure Slack secure teams as well, so actually looking at other ways the communications are evolving, how we communicate is evolving. How do we keep those channels secure?
I'll make sure to link to those articles in the show notes. That way people can easily access that and not have to chase them down. If people want to follow you guys on social media and visit your website, can you provide those for us?
Joel: Yup. On social media, on Twitter, we’re @insights_expert.
Craig: Bit of a tongue twister, that one.
Joel: Yeah. You can find us on Facebook and LinkedIn, just Expert Insights.
Craig: And the website is Expert Insights. Just quickly to give a color about who I am. I set up an email security company back in 2003 and ran that business for a span of 10 years. I sold that business in 2013 and I suppose where Expert Insights—we've not really dwelled on this—comes from is partly my own frustration. I would say I'm a technical user wanting to know what is the best solution to solve a problem?
The website was born out of frustration. I see so much marketing spin in our industry. I go along to the trade shows and you've got all these flashy stands. There have been millions spent on marketing and everyone has got the solution to all your ills. We are in an industry where it's a great industry. I love the security industry. I've been in it for over 20 years, but it’s being consumed by marketing. As a technical user, the website was born out of, “I'm frustrated with this. I actually want to know what the best solutions are.”
I don't claim that everything on our website…we can give you that to the nth degree, but we are a resource for someone to narrow in on the right solution. If you've got a problem, and you're looking for a solution, we are one of the tools you can come to, to digest information, to read about it, and make a considered decision on what's right for your business. That's where I see our role is in helping people on their journey to solve their problems.
I think we're really kindred spirits because that's really been a very similar background behind whatismyipaddress.com. Most of the resources out there about IP addresses—you have to be a network engineer to understand but not explain things in terminology that end-users understand. I just need to know what I need to do personally. I don't want to go get an electrical engineering degree. I don't want to get a computer science degree. Just explain this to me in English and stop the geekspeak. That's a very kindred revelation there. I just want the simple. What is it and how does it work? Oh, it's like a phone number. Okay, I get that.
Craig: I think one of the pleasing things is our readership is global. We're an English-language website. The largest visitor base that we have is obviously the US, but I'm blown away by the number of readers we're getting in Africa, Asia, Europe. And if we can make a difference in this, I know that we're doing some good from this. Let's see what happens.
I think that was an absolutely great note to close out on. Craig, Joel, thank you very much for coming to the Easy Prey Podcast. I appreciate your time today.
Joel: Thank you for having us. Thank you for having us. Thank you.
Craig: Thank you.