Lisa Martin: Welcome to this CUBE conversation. I'm Lisa Martin, excited to welcome back one of our distinguished alumni. Derek Manky joins me next, Chief, Security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs. Derek, welcome back to the program.

Derek Manky: It's great to be here and great to see you again, Lisa. Thanks for having me.

Lisa Martin: Likewise. So a lot has happened. I know I've seen you during this virtual world, but so much has happened with ransomware in the last year, it's unbelievable. We had a dramatic shift to a distributed workforce, and you had personal devices on network perimeters and non-trusted devices or trusted devices on home networks, and lots of change there. Talk to me about some of the things that you and FortiGuard Labs have seen with respect to the evolution of ransomware.

Derek Manky: Yeah, sure. It's becoming worse, no doubt. We highlighted this in our Threat Landscape report. If we just take a step back and look at ransomware itself, it actually started in the late 1980s. It relied on snail mail. There was obviously no market for it at the time; it was just a proof of concept, a failed experiment, if you will. But it really started getting hot a decade ago, 10 years ago. The technology back then, though, the cryptography they were using, the technique, wasn't as strong and was easily reversed, so they didn't really get a lot of revenue or business from a cybercriminal perspective. That is absolutely not the case today. Now they have very strong cryptography. The cybercriminals are experts at their game. They know the attack surface has grown. There are a lot of vulnerable people out there, and a lot of vulnerable devices. And this is what we saw in our Threat Landscape report: we saw a seven times increase in ransomware activity in the second half of 2020, and that momentum is continuing in 2021.
It's being fueled by what you just talked about, by the work-from-anywhere, work-from-home environment, a lot of vulnerable devices, unpatched. These are the vehicles; ransomware is the payload, of course, and that's the way they're monetizing this. But the reality is that the attack surface has expanded. There are more vulnerable people, and cybercriminals are absolutely capitalizing on that.

Lisa Martin: Right, we've even seen cybercriminals capitalizing on the pandemic fears with things that were around the World Health Organization or COVID-19, or going after healthcare. Did you see an uptick in healthcare threats and activities as well in the last year?

Derek Manky: Yeah, definitely. So I would start by saying that, first of all, nobody is immune when it comes to ransomware. This is such a hot target, or technique, that cybercriminals are using. So when we look at the verticals, absolutely, healthcare is in the top five that we've seen. But the key difference is that there are two houses here. You have what we call the broad, blanketed ransomware attacks. These aren't going after any particular vertical; they're really just trying to spray as much as they can through phishing campaigns. There's a lot of web traffic out there. We see a lot of things that are used to get people to open them, playing on that COVID-19 theme again, right? Emails from HR, or tax season scams; it's all related to ransomware, because this is how they're trying to get the masses to open that up and pay some cryptocurrency to get access to their data back. Oftentimes they're being held for extortion: they have photos or video or audio captures. It's a lot of fear they're trying to instill in these people. But probably the more concerning is just what you talked about: healthcare, operational technology, these large business revenue streams. These are cases of targeted ransom, which is much different, because instead of a big volumetric attack, these are premeditated.
They're going after specific targets, with specific social engineering lures, and they know that they're hitting the corporate assets, or in the case of healthcare, critical systems, where it hurts. They know that there are high stakes, and so they're demanding high returns in terms of ransom as well.

Lisa Martin: With respect to the broad ransomware attacks versus targeted, a couple of questions to kind of dissect that. Are the targeted attacks behind the network firewall longer, and getting more information? Are they demanding higher ransom versus the broader attacks? What are some of the distinctions there, besides what you mentioned?

Derek Manky: Yeah, absolutely. So the targeted attacks are more about execution, right? If we look at the attack chain, they're doing more in terms of reconnaissance. They're spending more cycles and investment on their end in terms of weaponization: how they can actually get into the system, how they can remain undetected, collect and gather information. What we're seeing with groups like Ragnar Locker, as an example, is they're going in and collecting, in some cases, terabytes of information. They're definitely going after intellectual property, things like source code, and also PII for customers, as an example, and they're holding them. They have a whole business strategy and plan in mind on their side, right? They hold them for ransom. It's essentially a denial of service in some cases, taking a revenue stream or applications offline so a business can't function. And then what they're doing is actually setting up crime services on their end. A lot of the newest ransom notes that we're seeing in these targeted attacks are setting up channels to what they call a live chat support channel, which the victim would log into and actually talk directly, live, to the cybercriminal or one of their associates to negotiate the ransom.
And they're trying to frame this, from their point of view, as a good thing, and say, we're going to show you that our technology works. We can decrypt some of the files on your system, as an example, just to prove that we are who we say we are. But then they go on to say, instead of $10 million, we can negotiate down to $6 million. This is a good deal. You're getting 30% off, or whatever it is. But the fact is that by the time they've gotten to this, they've done all their homework before that, right? They've done the targets. They've done all the things they can to know that they have the organization in their grasp.

Lisa Martin: One of the things that you mentioned, just something I never thought about, is ransomware as a business. The sophistication level is just growing and growing and growing. And of course, even other bad actors have access to all the emerging technologies that the good guys do. But talk to me about this business of ransomware, because that's what it seems like it really has become.

Derek Manky: Absolutely. It is massively sad. If you look at the cybercrime ecosystem, the way that they're actually pulling this off, it's not just one individual or one cybercrime ring of, say, five to 10 people that are trying to orchestrate this. These are big rings. At FortiGuard Labs we're doing everything from following the latest ransomware trends and doing the protection and mitigation, to also working to find out who these people are, what their tactics are, and really attributing and painting a picture of these organizations. And they're big. We've worked on some cases where there were over 50 people just in one ransomware gang. In one of the cases we worked on, they were making over $60 million US in three months, as an example.
And keep in mind, in terms of ransom demands in the targeted cases, they can be in excess of $10 million just for one ransom attack. And like I said, we're seeing a seven times increase in the amount of attack activity. What they're doing in terms of the business is they've set up affiliate marketing, essentially. They have affiliates in the middle that will actually distribute the ransomware. So they're basically outsourcing this to other individuals. If they hit people with the ransomware and the people pay, then the affiliate in the middle will actually get a commission cut of that, very high, typically 40 to 50%. And that's really what's making this a lucrative business model too.

Lisa Martin: Wow, my jaw is dropping just at the sophistication, but also the different levels to which they've put a business together. And unfortunately, for every industry, it sounds very lucrative. So how then, Derek, do organizations protect themselves against this? Especially knowing that a lot of this work-from-home stuff is going to persist. Some people want to stay home, and the proliferation of devices is only going to continue. So where do organizations start? And how can you guys help?

Derek Manky: Start with the people. So we'll talk about three things: people, technology and processes. The people: unfortunately, this is not just about ransomware, but it definitely applies to ransomware, and to any attack. Humans are still often the weakest link in terms of education, right? A lot of these ransomware campaigns nowadays are going after people using what seem like tax themes, purporting to be from the IRS, as an example, or human resources departments, or governments and health authorities, vaccination scams, all these things. But what they're trying to do is still to get people to click on that link, to open a malicious attachment that will then infect them with the ransomware.
This, of course, is where an employee being up to date and keeping their skills current matters, so that they know. Basically, a zero-trust mentality is what I like to talk about: you wouldn't just invite a stranger into your house to open a package that you didn't order, but people are doing this a lot of the time with email. So really starting with the people first is important. There's a lot of free training and information in security. So awareness training: we offer that at Fortinet. There's even advanced training we do through our NSE program, as an example. But then on top of that, there are things like phishing tests that you can do regularly, and penetration testing as well. Exercises like that are very important, because that is really the first line of defense. Moving past that, you want to get into the technology piece. And of course, this is a security fabric, so there's a whole array of solutions. Like I said, everything needs to be integrated. So we have EDR and XDR, as an example, sitting on the endpoint, because oftentimes they still need to get that ransomware payload to run on the endpoint. So having technology like EDR goes a long way to being able to detect the threat, quarantine it and block it. There's also, of course, multi-factor authentication when it comes to identifying who's connecting to these environments. Patch management, we talk about all the time. That's part of the technology piece. The reality is, as we highlighted in the Threat Landscape report, the software vulnerabilities that these ransomware gangs are going after are two to three years old. They're not breaking in with something from the last month or so; they're two to three years old. So it's still about the patch management cycle, and having that holistic, integrated security architecture, the fabric, is really important. NAC, network access control, and zero trust network access are really important as well.
One of the biggest culprits we're seeing with these ransom attacks is the use of IoT devices as launch pads, as an example, into networks, because they're in these work-from-home environments and there are a lot of unsecured or uninspected devices sitting on those networks. Finally, process, right? So it's always good to have in your defense plan training and education, and technology for mitigation, but then also to think about the what-if scenario. So incident response planning: what do we do if we get hit? Of course, we never recommend paying the ransom. So it's good to have a plan in place. It's good to identify what your corporate assets are, and the likely targets that cybercriminals are going to go after, and make sure that you have rigid security controls and threat intelligence, like FortiGuard Labs', applied to that.

Lisa Martin: You talk about the weakest link there being people. I know you and I have talked about that on numerous segments. It's one of the biggest challenges, but I've seen some people that are really experts in security read a phishing email and almost fall for it, because it looked so legitimately from, like, their bank, for example. So in that case, what are some of the things that businesses can do when it looks so legitimate that it probably is going to have, unfortunately, a good conversion rate?

Derek Manky: Yeah, so this is what I was talking about earlier with these targeted attacks, especially when it comes to spear phishing. When it comes to the reconnaissance, they've gotten so clever that it can become so realistic that it becomes a very effective weapon. That's why the sophistication and the risk are rising, like I said, but that's why you want to have this multi-layered approach, right?
So if that first line of defense does fail, if they do click on the link, if they do try to open the malicious attachment, first of all, again, through a next-generation firewall, sandboxing, solutions like that, this technology is capable of inspecting that. We even have FortiAI, as an example, artificial intelligence and machine learning that can actually scan this in advance to know, is this actually an attack? So that element goes a long way to actually scrub it, like CDR, content disarm and reconstruction, as an example. This is a way to actually scrub that content so it doesn't run in the first place. But if it does run, again, this is where EDR comes in, like I said. At the end of the day, they're also trying to get information out of the network, so having things like botnet protection through the next-generation firewall, like they have with the FortiGuard security subscription services, is really important too. So it's all about that layered approach. You don't want just one single point of failure. This is what we call the attack chain, the kill chain. There's no magic bullet when it comes to attackers moving; they have to go through a lot of phases to reach their end game. So having that layered defense approach and blocking it at any one of those phases means that even if that human does click on it, you're still mitigating the attack and limiting the damage. Keep in mind, it's a lot of damage, in some cases $10 million plus, right?

Lisa Martin: Is that the average ransom, $10 million US dollars?

Derek Manky: Well, the average cost of data breaches that we're seeing, which are often related to ransom attacks, is close to that. In the US I believe it's around just under nine million dollars, about $8.7 million, just for one data breach. And often with those data breaches now, again, what's happening is that it's not just about encrypting the data, getting access, because a lot of organizations, as part of the technology piece and the process that we recommend, are doing backups of data as well. I would say organizations are getting better at that now. But it's one thing to back up your data; if that data is breached, again, cybercriminals are now moving to this model of extorting, saying, unless you pay us this money, we're going to go out and make this public, we're going to put it on Pastebin, we're going to sell it to nefarious people on the dark web as well.

Lisa Martin: One more thing I want to ask you, in terms of proliferation. We talked about the distributed workforce, but one of the things, and here we are using Zoom to talk to each other instead of getting to sit together in person, is that we saw this massive proliferation in collaboration tools to keep people connected, families, businesses. I talk to a lot of businesses who initially will say, oh, we're using Microsoft 365 and they're protecting the data. Well, they're not. Or Salesforce, or Slack. And that shared responsibility model is something that I've been hearing a lot more about lately, that businesses need to recognize: for those cloud applications that we're using, in which there's a lot of data traversing that could include PII or IP, we're responsible for that as the customer, to protect our data; the vendor is responsible for protecting the integrity of the infrastructure. Share with us a little bit about that, in terms of your thoughts on data protection and backup for those SaaS applications.
Derek Manky: Yeah, great question, great question. A tough one, it is. So ultimately, I believe everybody has to have their position in this. It is a collaborative environment; everyone has to be a stakeholder in this, even down to the end users, the employees being educated and up to date, as an example; the IT departments and security operations centers of vendors being able to do all the threat intelligence and scrubbing. But then when you extend that to the public cloud: what does the cloud security stack look like? How integrated is that? Are there scrubbing and protection controls sitting on the cloud environments? What data is being sent to that? Should it be sent, as an example? What's the retention period? How long does the data live on there? It's the same thing as when you go out and buy one of these IoT devices, as an example, from, say, a big box store, and you go and plug it into your network. It's the same questions you should be asking, right? What's the security like on this device model? Who's making it? What data is it going to ask me for? The same thing when you're installing an application on your mobile phone. That is what I mean about that zero trust environment: it should be earned trust. So it's a big thing to be able to ask those questions, and then only do it on a sort of need-to-know and need-to-implement basis. The good news is that a lot of the cloud stacks and environments now are integrating security controls. We integrate quite well with Fortinet, as an example. But this is an issue of supply chain. It's really important to know what lives upstream, how they're handling the data and how they're protecting it, absolutely.
Lisa Martin: Such interesting information, and it's a topic, ransomware, that we could continue talking about. Derek, thank you for joining me on the program today, updating us on what's going on, how it's evolving, and ultimately what organizations in any industry need to do in protecting people and technology and processes to really start reducing their risk. Thank you so much for joining me today.

Derek Manky: It is a pleasure. Take care.

Lisa Martin: Likewise. For Derek Manky and Lisa Martin, you're watching this CUBE conversation.