Thank you so much for joining us. I'm really excited for this. So, yeah, I'm going to dive right in, because I feel like we have quite a lot to talk about. It has been a year. I've been covering ransomware for several years now, and the attacks are just showing no sign of slowing down at all, and that's despite companies spending record amounts on cyber security. So can you paint a picture for us of where we're at with ransomware right now and why this threat is still growing? Nice to have a friend for a few minutes.

Okay, well, we can start off with the loudest one in the bunch. I think, from my experience of being in cyber security for over two decades professionally, it looks to me like it's another pattern repeating, except the impact is changing, and that's really what ransomware, the emergence of ransomware coupled with the rise of cryptocurrency and the ability to extract payment from more sources, I think that's been fascinating to watch emerge. And I think that right now, from the patterns that I've seen, it's some of the same basic security principles that are so difficult to follow. Just because they're easy to describe doesn't mean they're easy to actually put in place in your organization. So I think that's roughly where we are, and it's where we have been time and time before; only the impact is changing, the blast radius has changed.

Yeah. Up until about 2019, ransomware was a fairly small problem that affected mainly small businesses, with the average demand being about 5,000 bucks. The position that we are now in is obviously drastically different, with multi-million dollar demands being quite commonplace, and finding a solution to this problem is, I think, going to be extremely difficult.

Absolutely. And who is behind these attacks? Is this predominantly a state-sponsored threat, or is somebody else behind this?

As far as we know, it is mainly for-profit criminals. There are undoubtedly some state elements involved, but the bulk of the attacks are carried out for money.

I'd add to that that it's not just the criminals; they're also, in a lot of places, acting either as a surrogate on behalf of the state, or acting in a capacity where the state basically chooses to ignore their activity as long as it's focused outside of the country of origin. So we do see these criminal groups symbiotically working with state actors directly, and then we also see them fundraising for other activities. There's a lot of speculation around some ransomware attacks being used to fund North Korea's nuclear program, so they're using it as a method of fundraising. And then finally, I would say that there's also been an increase in the different types of attack vectors that we see. How many of you have noticed the number of those SMS messages going to your phone from numbers that you don't recognize, saying that you have to dispute a bill that was charged to you, or that you have won a prize, or any of those types of things? Those attack vectors are getting much more common and much more direct to individuals.

Absolutely. And I think the kind of organizations that hackers are targeting are diversifying as well. So I'm going to come to you with this one, because I see you tracking it very closely. Over the past few months we've seen these ransomware actors turn their attention to hospitals, schools; in the case of Costa Rica we saw an entire government hit by ransomware. How serious is this situation right now for the public sector, and why are they such an attractive target for these ransomware actors?

It's very serious, but why they are an attractive target isn't entirely clear. We don't know whether the attacks are primarily or solely motivated by profit, or whether there may be some other motivations there as well from the groups that do have tenuous connections to other states. We just don't know. And just to go back to what we were saying before, that also makes the issue of data theft concerning. When data is stolen from a company in the defense space, for example, we've got no way of knowing whether it ends up simply in the hands of for-profit criminals, whether it's passed over to their governments, or what. We just don't know.

Absolutely. And I just want to pick up on the point you made there about the motivation behind this. I remember with the Costa Rica hack, the attackers that claimed credit for that, Conti, claimed that attack was politically motivated. Katie, do you think that's ever the case in these kinds of attacks, or are they always motivated by money?

I don't think there's an "always" that you could apply to anything that hackers do.
I am a hacker, by the way. But in terms of motivation, money isn't the sole motivator of any of us, whether we're on the criminal side or on the fighting-crime side. It's a combination of motivations, and I kind of break it down to compensation, recognition, and pursuit of intellectual happiness. And so some folks, I think, especially in the early days of hacking, where I grew up learning how to hack in the late '80s and early '90s, we did it out of curiosity, we did it because we were exploring and maybe making a little bit of harmless mischief. But when we see these ransomware attacks, it's the intent, it's the impact that we see massively changing. So I think that for the average hacker, they may have various motivations over the course of their hacking life, and I definitely have friends who started out more on the dark side and are now running companies that help fight people like how they used to be. But yeah, in terms of money, with ransomware certainly the goal is primarily to get money, but the goal may also be disruption, right? And we've seen them also working to not just ransom the data, but they will ransom you, saying that they will release the data publicly, which is a different form of blackmail that they can use once they get that access.

And this year as well we've seen these attackers, they've also gone after some really well-known companies. I think we've had Nvidia, and we've had Foxconn, we've had AMD, and that's to name just a few. It must be quite worrying for startups and startup founders seeing these massive companies getting hacked. They have seemingly endless resources and they're failing to protect themselves. Where are these companies going wrong?

Probably no single answer on this. The attack vectors are going to change from company to company. When they do change, it could be a zero day, or it could be a failure to implement MFA, or an MFA bypass. There's no standard answer, and that is what makes this problem so difficult to deal with. There's no simple or easy solution.

I would definitely agree with what Brett just said, because what we see is it's not just that organizations are getting parts of this wrong, it's that organizations evolve over time and go through periods of almost building up their security and privacy, and then it's a pretty good program for a while, and then we actually see those programs decay over time. I mean, if you look at the technology companies that are around today, I still think of Facebook as a new company, but they've been around since, what, 2004? Mark Zuckerberg was in his dorm room in 2004. So that's an older tech company, and you see this sort of rise and fall of their technological and security and privacy capabilities. And that's what my company sees a lot: organizations may have started out strong, but technology jobs, people leave their jobs. Cyber security jobs are among the most heavily recruited jobs, so you basically see people put some measures in place and then leave, and then whether or not those measures stay up to date or cover what's most important and everything. So that's what I think that lens, what we're seeing behind what Brett was saying, which is there is no one answer, and there may not be one answer for all time for an organization. It may change over time, and I think that's been one of the biggest problems. We can tell everybody to do all these best practices, but that might not be what keeps the intruders out, and it might not keep them out forever.
And compared to these sort of big-name companies we've seen hacked over the past 12 months, are startups at an advantage, given the fact they have perhaps less data, definitely less money, a smaller attack surface? Or are they as much at risk?

I would say in some ways they are at a slight advantage, in that their attack surface isn't as large and their technology stack is newer. Katie talks about decay, and that is absolutely right; things do tend to deteriorate over time. Old networks and environments may not be as secure as new ones.

So on the one hand they definitely do have that advantage, and if you look at some of even the bigger tech companies, they took advantage of their newer code base and their newer tech stack to sort of leapfrog some of the older technology companies that maybe had been working at it for some time, right? I used to work at Microsoft, I think Brett used to work at Microsoft too, so we won't drag Microsoft too much here. But my point is that I think that sometimes startups can have an advantage, but sometimes they don't, right? So I accidentally hacked Clubhouse. That was a big unicorn startup that was popular for about 10 minutes, as they are, but during the height of its popularity there were some security issues. And so I had downloaded the thing and tried it out, and it was terrible for my social anxiety, I hated it, but it had an attack surface and I can't change my nature. I happened to see that there were some problems, and when I tried to report the vulnerability to Clubhouse it was like a weeks-long journey, and it took forever to get a person, and when I finally did get a person it was one of the co-founders, and he sincerely wanted to fix the problem. But they hadn't made that choice to invest their early hires in hiring for security. So they already had millions of followers, or millions of users, and they had that responsibility as a technology company, but the mentality of a startup, and they had fewer employees at that time than I have at my company. So they were really operating very lean at that time. So it really depends, and I think for founders out there who are thinking about this, how can I protect myself against ransomware, they should be thinking about investing in security not just early but in proportion to the responsibility that you have: what kind of data do you have, how many people are you trying to protect. And I think when startups do the unicorn thing and grow exponentially, they can often be at a massive disadvantage because they have not put those investments in place for security and privacy.

And Katie touched on an interesting point there. She said it can be hard to let companies know that they have vulnerabilities. It's not necessarily easy, and attacks have actually unfolded and succeeded before people were able to contact the company and say, you're vulnerable, this is about to happen.

Yeah. So Katie, you've done quite a lot of this over your career. I know you've worked with Microsoft and the Department of Defense on bug bounty programs, whereby people can report these serious security flaws to you. Is this something you would advise startups do? Should they be working with hackers at this early stage to kind of pick out the holes in their systems?

Well, it's a complicated answer, because yes, of course you should be willing to hear from any member of the public who wants to give you important security or privacy feedback, right? That is something that as a startup you want. You want feedback, you want early adopters, you want beta testers, you want feedback; you definitely want security feedback. However, I have seen a phenomenon where startups will say, I will just simply go out and start a bug bounty program and I'll start paying for each bug. Well, your startup nest egg will probably evaporate by the time you pay out for all of those bugs if you have not built in security, in a security development lifecycle, and those are all very grown-up words, not startupy words, but you do have to internalize that magic before you are ready to offer cash rewards. Because otherwise it would be like trying to get your house painted, like the exterior of your house painted, and just offering a dollar for every brush stroke that somebody walks by and paints, and they might all paint the same spot on your house. You need to basically do professional assessments, build security in from the ground up, and then you are ready to potentially open the front door and welcome reports from hackers. But if you do it before that... Actually, Clubhouse had a bug bounty program, and it still took me weeks to get to them. Why? Because they had been convinced by a fellow startup in their VC's portfolio that they could start one of these programs privately, and any hacker who came to them, they could get the bug locked up in a non-disclosure agreement because it's a private program, and they may never have to fix it. Unfortunately, the person who found a bug was the person who wrote the ISO standards on how to report vulnerabilities and get them fixed, so they really weren't going to get away with that with me. But you can imagine how many other hackers probably came to them and probably gave up because they couldn't even find that front door. So yes and no: be prepared for friendly people to report security issues to you, but "be prepared" means more than just saying I have a bug bounty program, sign this NDA.

And I guess maybe these bug bounty programs shouldn't be a first stop. For startup founders, there will be people in the audience that want to know: what are the really basic things I need to have in place from day one to ensure I'm building a resilient startup? What would you say are those cyber security basics they should implement now?

Well, this is something I tell everyone, and this is regardless of whether or not you have a startup company: enable multi-factor authentication on everything you have, every account you have. And so startups should be doing this too. I mean, we saw that even with multi-factor authentication, an older startup like Twitter was hacked recently, right? They had multi-factor authentication, but it was a combination of a persistent attacker using social engineering to trick the Twitter employee into giving them their multi-factor code. But that's one thing that I say to consumers and technologists and anybody who has something that they would like to protect and not have hackers ruin their day: I would say multi-factor authentication is one of the best things you can do.

It's undoubtedly the most significant thing that any organization can do to improve its security posture.

Absolutely. And authentication is great, startups should have this in place, but over the past few months we've seen hackers bypass those, which is crazy. Should these startups be ensuring their employees know how to spot these risks? Like, how important is it to make sure the people are aware of the problem?

There's no single perfect solution. It's a matter of stacking security layer upon security layer, and so yeah, staff training in conjunction with MFA, in conjunction with other things, all serves to reduce risk.

Some rare wins against ransomware: the US government announced that it had seized millions of dollars that had been paid to these ransomware groups; it arrested some members of these gangs. Katie, how would you rate these efforts so far? Are they making an impact? They
definitely are making an impact, and I think that anything that we can do to raise the bar and make consequences happen for some of these crimes, I think is making an impact. However, with so many soft targets out there, it's just a matter of time before the next target has to continue to do business, or in a lot of cases do health care, do something that threatens life and limb. So I think yes, it's making an impact, but is it making a dent? I'm not sure.

Yeah, it's all about swinging the risk/reward ratio, and every little thing that we can do to swing the needle more towards risk and further away from reward is a good thing. It's not necessarily going to solve the problem, or even make that much of a dent, but it's better than the alternative of doing nothing.

We've had a really good question from the audience, actually, that follows on quite nicely from that one. That is about sanctions. So the question is, does the US need a better system of sanctioning ransomware entities, given that we see these groups, they just keep coming back, they keep rebranding? Do you think it's working?

I don't believe that sanctions against individual groups are necessarily particularly effective. I do believe that restricting the circumstances in which organizations are permitted to pay demands generally could be effective.

Great. And another great question we've had through, actually, is: is ransomware fundamentally a cryptocurrency problem?

Oh, that's a great question. Well, I think that we would be fooling ourselves if we didn't notice that the rise of ransomware and the rise of cryptocurrency values have been correlated, right? And I think the regulatory scheme around decentralized currency is partly to blame for how hard it is to track down the criminals, right? So I'm not saying that it's a cryptocurrency problem, but I am saying that certainly some of the things that people love about decentralized currencies are the very things that make it an ideal system, whereas before the only anonymized currency was cash.

At the same time, business email compromise, which uses the traditional banking system, is also extremely profitable. So cryptocurrency isn't necessarily entirely to blame for the problem, although it's very likely a facilitator.

And do you think there are ever circumstances under which organizations hit by ransomware should pay the ransom demand?

I think that's a really complex question. So I am a small business owner, and if there were an existential threat to my business, where my business would not exist anymore if I didn't pay the ransom, well then obviously I would have to pay the ransom or just agree to not do business anymore. So I think that there are some circumstances where people will have very few choices left to them, which is also why the Ransomware Task Force that had come together to give advice about this didn't recommend that paying ransomware be criminalized, the payment of it itself. But I do think that requiring organizations to report that they have paid ransomware, I think that will help organizations try and use their imagination and their resources to see if there's any other way they can return to normal business operations without having to pay. So it just gives them that pause.

We do also see some organizations, though, choosing to pay to prevent data being released online, or simply because it is the cheapest option. The continuation of their business may not be under threat, but they nonetheless choose to pay anyway, and that is, I think, an area around which there could be some additional regulation. Possibly companies shouldn't be paying simply because it is the least expensive option.

And sticking to the regulation side of things: startups with customers in Europe, if they get hit by ransomware and the data is leaked, they then have to report that within 72 hours. Is there any similar legislation in the US, and if not, should we be doing more?

As far as I know, there is only industry-specific legislation, and it varies according to the state. There is no generalized reporting or disclosure requirement, and that is something I do think needs to change. The fact that so few companies do report and disclose their incidents makes it hard to measure the extent of the problem. If policy makers can't see what impact their policies are having, how do they know whether they're working?

So I've got to put on my quasi-regulatory advisor hat. There are some regulations that are coming up in the United States that will require, beyond just the breach disclosure regulations that were already on the books, that the US government be notified of a significant security incident once you are aware that it is significant in some way. Then you have 72 hours to let the US government know. Now, they're trying to work out essentially the kinks of how this might work, and I've seen draft bills saying that it should extend even to when you find out about a vulnerability, that you should then report it to the government. I think that is the worst idea for cyber security. It is a terrible idea. Imagine if you're an adversary for a second, and instead of having to hack individual companies to find out, let's say, what are their unfixed security vulnerabilities, go to their bug database and find that out. That's frequently a target of state-sponsored attacks: hacking Microsoft, Apple, Google, etc., and going for their bug databases to find out what can I exploit, for quite some time. Can you imagine concentrating that for all US-based companies of a certain size or significance in one bug database kept by the US government? I think that would be a terrible idea. I advise against it any time a legislator will listen to me. And it's a difference between an actual incident and breach, which of course we already have legislation for, for breach notification, versus an incident that is under investigation, versus a vulnerability that may or may not have been exploited yet. And I think understanding the differences in those terms is going to be key to getting the right legislation, as opposed to legislation that will literally just collect it all in a giant buggy bank, like a piggy bank, for an adversary to come over and smash with a hammer whenever they get close.

Absolutely, that sounds like a recipe for disaster. And we've just had another great question through, and Brett, I know this is something you have been working on recently: how effective are ransomware decryptors in fighting back against these attackers?

Depends what you mean by effective. In terms of helping individual companies, they can be extremely effective, because they help them recover their data without needing to pay a possibly multi-million dollar ransom demand. In terms of combating the ransomware problem generally, less so: as soon as the attackers discover that their ransomware has a weakness that's being exploited, they fix it.

And another question just come through: is it worth startups investing in cyber insurance?
I think for a lot of startups they have to, right? It's a requirement to do business. Often, if you were trying to get a contract signed, your customer will require you to have cyber insurance. So I think it's a cost of doing business that all companies should plan on building in now. The level of it, that's another matter.

Awesome. And I guess, what more could the US government be doing to help startups in this sector? If a startup is hit by ransomware, is there support for them from the government, or do they kind of have to go it alone?

There is limited support. No one is going to come in and solve the problem for them, unfortunately. Law enforcement can certainly provide help and assistance, and in some cases may be aware of the existence of a decryptor that hasn't yet been publicized. So it's absolutely worth involving law enforcement; companies may find out the solutions to their problems are available.

I agree. I think there's some limited support from the government that's available, but if you look at our government, we've been struggling, and most governments are like this, struggling to keep up with the demands of protecting the data that the government has on its own. So the amount of help they might be able to extend to others, small companies, is probably going to be limited. But I would say that if startups want help and inspiration, rather than looking towards the government they should look to some of the more established private companies that have provided a lot of transparency, insight, and even tools to help make management of their security and privacy easier. And I think honestly it's a community-based defense no matter how you slice it, so it doesn't really matter if the help is coming from the government or another private company.

Absolutely. And if a startup is hit by ransomware, if or when, perhaps, what are some tips you can offer to founders in order to manage the crisis as well? I mean, it can be scary. Where do they begin in that situation?

Plan in advance. Assume you will be hit, and know what you're going to do if it happens. The last thing you want to be doing in the event of a ransomware attack, or any other type of cyber security incident, is working out what your playbook should look like. That should already be sorted out in advance.

Right, it's muscle memory that gets organizations through any crisis, whether it's ransomware or some other attack. And then making sure that it's not just your engineering teams that have done the fire drills; make sure your legal team, your communications team, your customer support team, any of those teams should also be participants in learning how to prepare for these kinds of attacks.

Absolutely. And I just want to go back to the title of this talk. So the title of this panel is "Winning the War on Ransomware." What do you guys think that ultimately looks like? This is such an ambitious title, it's so ambitious I had to bring it up.

I don't think we do win the war, at least not any time soon. I think the best we can hope for is a reduction. Realistically, this problem is going to be around for a very long time. I don't see any speedy solution.

I think that's exactly right. I think that we are part of a larger ecosystem, and we exist on an internet that was never designed to be secure in the first place. And so in this matrix where we live, we just have to be prepared to evolve and adapt. And I think some of the things that we were talking about, like I said at the beginning, they are cyclical, but the manifestation of how it's playing out and what the impact is, to startups especially, is starting to change and be more serious.

Absolutely. And I know we're focused on ransomware here, but are there any other threats that founders should be aware of right now, should be keeping an eye out for right now?

Climate change. That's something I'd be aware of and be keeping an eye out for.

In security terms, business email compromise is probably the next biggest threat.

Absolutely. I'm just going to go through our questions. So we've had a question about where these hackers are coming from, where these attacks are originating. So somebody says: lots of these ransomware attackers are based in Russia; how is the Ukraine war affecting US government efforts to combat this?

Yeah, first it's important to note that we don't really know where they're based. Yes, lots are believed to be in Russia or the CIS, but the affiliates, the people who use their ransomware to carry out the attacks, could be based absolutely anywhere, including Canada. There was a former employee of the Canadian federal government extradited to the US earlier this year in connection with NetWalker ransomware attacks.

It's interesting you mentioned the affiliates. So we have seen, sort of, a lot of what I've been covering recently is these ransomware actors moving to ransomware as a service, so that's whereby they kind of rent out the ransomware, right? Is that making it harder to track them?

Yeah, that can be used as an obfuscation tactic. Affiliates can work with multiple groups simultaneously; they sometimes deploy different types of ransomware simultaneously. There have been cases where they have initially communicated through one ransomware group's chat portal and concluded the conversation through another's. So the connections are all blurry.

Absolutely. And another technique we've seen growing over the past few months is double extortion. So it used to be, when you were hit by ransomware, your data was encrypted; if you had great backup software, cool, great, I will unencrypt that. How is this making the fight against ransomware even more challenging?

It shouldn't be impacting us at all. Paying to prevent the release of data really makes no sense. That data has already been stolen; the company's already had a data breach; the genie can't be put back in the bottle. And many companies have been extorted for a second time using the same set of data that was supposedly destroyed after they paid the initial ransom. So paying in those circumstances, to my mind, isn't a good idea.

No, I think the other thing that companies, if they want to really take a defense-in-depth approach, they should be looking at not saying so many things in email and whatnot. Now, there are certain things that you can't change, the sensitivity of a contract or a document that just needs to be what it is, but you can certainly avoid some of these incredibly embarrassing email dumps, where I never understand why people don't write email as if it's a postcard and it's being sent to the Washington Post. Because you should be writing your emails as if they will end up in a data dump someday, and that is absolutely something that you should be thinking about. Same thing with your text messages. I mean, what's the Twitter acquisition drama where we're getting to see all of these clear-text text messages? And that's just not from ransomware attacks, that's from court discovery, right? So you're protecting yourself against a whole bunch of embarrassment if you just stop writing things down.

Amazing. So I was saying to you guys just before we came out, I really want to end this on a positive note, and we were kind of struggling. Thankfully, we have had a great question through that I think means we can end it on a high. So are there any security startups out there right now that you think are doing amazing things that can save us from this?

Yes, there almost certainly are. I just can't think of any who are worth calling out in this.

I will call out a security startup. It's called GreyNoise, and it's not about ransomware at all, but what it does... a friend of mine, Andrew Morris, made this company. What it does is it filters out the noise, right, of "no, these are probably friendly scans from known security researchers" versus "this is actual attack traffic." And why is that important, and why is that something that a whole venture-funded company could be built around? We are a limited resource. Brett and I and people like us, we can't grow up the next generation of cyber security and privacy professionals fast enough to protect all of you. So what do you need? You need to operate with the staff you have, and ideally you need to filter out the noise. So GreyNoise is my go-to for giving a huge shout-out. And then, because I serve on a couple of federal advisory boards for cyber security, the newest one is the Cyber Safety Review Board, so that's kind of almost like the NTSB that goes and examines when a plane has crashed and figures out why did the plane crash, and then distributes that information. This board was created by executive order, and one of the things that we found in the discovery of what happened with the Log4j attack was it was the companies with muscle memory that did the best, number one, and the companies that could act fast and filter out the noise in the middle of an attack. So I would say get that muscle memory. You can only do that, teach yourself that; you can maybe get some partners to help you with that. But then, with what little staff you do have, get some GreyNoise, because that will make their lives so much easier, and your staff will burn out, I'm just going to throw it out there, make up a statistic, 30 percent slower with GreyNoise. I am not an investor, by the way; he's just a friend and I just found them so effective.

I think it's also worth mentioning quickly that government does now seem to be doing a much better job of pulling in private sector expertise, involving people like Katie in the policy-making process, and that's a good thing. It is going to make a difference.

We managed it, we managed to end on a positive note. Amazing. But thank you so much, guys, I really enjoyed that. Thank you so much for joining us.

Thank you. Thanks.