Think Tech Tech Talks at 3 p.m. on a given Wednesday. Thank you, Attila. That's it. That's Attila. So he runs Salanda, and he's going to talk to us today about REvil, capital R, capital E, V, I, L, making its mark here on Think Tech Tech Talks. So interesting. So let me give you my impressions and then you can tell me the reality, right? First of all, these guys are very creative. They expanded the operation to software as a service. They give you technical support, they take a piece of the action. It's like a regular business. Really creative. And then, in order to avoid the option that the victim would have of encrypting data and having a backup, they take your data also and offer it to the public on auction, in order to undermine your business and your brand as well as locking it up. So it's like a two-pronged approach. What a creative deal. And then, of course, we need to talk about what's going on with Mr. Putin, who seems to have some sort of loose connection with REvil. So tell us. This is a major, major attack that was reported, and then they went out of business just as fast. What in the world is going on? You know, this makes you, Attila, more relevant than you ever have been. And it makes the rest of us more scared than we have ever been. Let's talk about it.

Well, there are a lot of moving parts here. So you're right, Jay. This is something that is scary. It does involve data exfiltration. Data exfiltration is when a bad actor gets inside of a network. They take the data and send it out. And that's pretty common, believe it or not. So most of the time bad actors are sitting inside of networks, and they're just waiting for instructions, or they're selling access to the network, or they're just waiting for the right time, such as what happened with our REvil. I'm not sure how to best pronounce that.
Maybe you'll have to help me. R, E, V, I, L. "Reval," maybe. Anyways, it's probably short for "real evil."

I would say "reval" myself. In speaking with different members of Homeland Security, they all seem to pronounce it differently. So I don't know who to trust on that.

So I guess if we get hung up on the pronunciation, that's okay. But this is a supply chain attack. And this is why it's so important: it's because the victims didn't necessarily do anything wrong. Right. And as a supply chain attack, unfortunately, they targeted what is called the managed services community, the MSP community. And these guys use tools to service computers for their customers. And that tool was, unfortunately, what was part of the supply chain attack. And if we want to kind of go back through the series of events, it might help you understand what's going on here and why this does fall into the profile of REvil, and which is why it made perfect sense for them to pursue this avenue. So probably about a month ago, a security researcher out of Europe somewhere discovered a zero-day exploit with Microsoft Windows. It involved the print spooler. It was called PrintNightmare. And the security researcher said, hey, you know, I found something, let me just put it on GitHub. And GitHub, as you know, is an open source community where you can post code, and the bad actors at REvil said, this is just what we needed. And what they did was they used that vulnerability to infect the RMM tool. RMM is short for remote monitoring and management. And Kaseya is one of the more prevalent vendors that does this. As such, they have MSPs, right? So their clients are IT companies who are highly technical and are very offended by this, by the way. So this is big news in the IT community.

Right. And then they took me the worst of it being offended. You know what I mean? Yeah.
Well, and that became a real problem, because there's a lot of trust between the IT provider, right, who essentially has these godlike overlord powers over your network, and the customer, right? And these customers are everything from small companies like dental offices and small medical offices and dog groomers, right, everything all the way up to Fortune 500.

And defense contractors included.

Yes, they are in there as well. And unfortunately, this is unlike the SolarWinds attack, which was very similar. It was a supply chain attack. But in SolarWinds' case, their product Orion was specifically installed and marketed towards defense industry contractors. So that was the big problem there, because it did involve a lot of monitoring for a long period of time. They knew about the issue for quite a while. Now, of course, no one's talking about SolarWinds anymore, but what are you going to do, right? Everyone's now moved on to Kaseya. Now Kaseya, their Hatch Management servers were then infected by this zero-day exploit. And the guys at REvil made a very smart update. All the Kaseya clients, all the ones out there, they pushed out this update and they deployed it on a very small number. Now, when I say a very small number, that was over a million computers at hundreds of businesses. And they said, if you want your machines back, we want a ransom of $70 million. So seven zero. So that was the largest ransomware demand to date. So everything happened to these poor managed services companies that were stuck in the middle, right? They built up trust with these companies and all these offices. And they went out and had to try to mitigate this bug, which they had introduced to these networks in the first place. And so there's a major uproar on that.

There were well over a million devices encrypted and demanding a ransom. Was the 70 million for one, or for the whole lot of them?
Yeah, they were demanding that of Kaseya. Now, luckily, IT people are pretty resourceful. So I believe that many of those systems were emergency patched, or should I say emergency recovered. And in the meanwhile, those that were not encrypted were emergency patched with Microsoft's CVE, so Microsoft did release, I believe it was four security updates. And unfortunately, we're discovering that some of those updates are breaking computers; they're disabling or destroying the ability for that computer to print. So machines are having to be re-imaged. There's a lot going on in the IT world in the background to try to scramble and get machines patched, to keep them from continuing to be exploitable. And this really highlights how a supply chain attack and a zero-day put together can really mess up the community. Now, the PrintNightmare bug, as it's been called, has been something that IT departments have been scrambling all week long to try to patch, since pretty much every Windows system out there has this bug. And they're discovering now that there are problems with specific print manufacturers, such as, say, Zebra receipt printers or barcode readers. These kinds of things break sometimes when the print subsystem gets replaced in a rushed and emergency fashion, which is what Microsoft's been having to do. But that zero-day exploit, unfortunately, does give root backdoor access to the system, and it's not good. And that security researcher who messed this all up for everyone should not have published their findings on GitHub, and it wouldn't have spawned all these problems.

Now, let me unpack some of that before we go in further. So how does this get processed as ransomware? How does this vulnerability turn into a ransomware scenario?

Well, once you have backdoor access to a system, you've got lots of choices.
Ransomware is kind of the quick, dirty, and simplest way to get that malicious payload out there and make some money. REvil, evidently, does not have nation-state ties. Evidently, obviously, it's in Russia, but they're a for-profit organization, and that's fine. But they moved very quickly to take advantage of this exploit. They knew that the highest impact would be from Kaseya, and unfortunately, the news now, and this is probably, I think, the bigger problem, Jay, and I think we should really focus on this, is that several whistleblowers have come forth from Kaseya over the past year-plus, well documented, and either after they wrote up a very long and extensive brief indicating that there's a security vulnerability with the company, or that best practices are not being performed at these companies, they are either fired or they're silenced. So the same thing happened with SolarWinds. They knew well in advance that there was a security problem at their organization; they did nothing about it. So that's a real problem, because that's what can prevent this from happening next time. Because, you know, I guess the best analogy to this entire incident is that it's a storm, much like what we have to deal with here in Hawaii. We have storms. You cannot stop the storm from coming, but you can improve your resiliency against that storm when it inevitably comes. And that's what we should really be focusing on: how, as individual business owners or business operators or IT departments, we maximize our company's resiliency to the next supply chain attack, to the next whatever attack that's going to inevitably come.

Well, there is so much here to talk about, I can tell you. So what kind of warnings, early warnings, did they have to sort of foretell of this fellow who revealed the vulnerability only a few days ago?
How did they know that, so that they should have been... so they wrote their warning memoranda to their companies, and the companies could have done anything about it? What did they find? What was the weakness they found?

Look, people don't take cybersecurity seriously until there's an incident. You know this, I know this, right? When do people buy a security system for their home or for their business? After there's been a break-in, right? And in the same way, there's not a lot that's considered beforehand. And Kaseya, and I hate to say it, we've had to deal with them on different occasions for different products. They're printing software companies, but they are what I would call more like a Pac-Man of the managed services world. They buy up companies that they think might fill a need or are generating revenue, and they just add it to their portfolio. SolarWinds is no different, by the way. And that's a pretty common trait in big corporate America, right? You have the big guy buying up the little guys; part of their strategy is acquisition. It's been like that for a long time. That's not going to change. But what really should change is how seriously they take their own cybersecurity, knowing that they are so responsible for so many businesses and lives. I don't look at a company as this money machine or a vet's office or a dentist's office. I look at it as someone's livelihood that then supports the community, which then pays for schools and pays for roads and everything that we depend upon. So when you attack a business like that due to gross negligence from a big corporate entity that's just more interested in policies and procedures rather than protecting the community for which they are responsible, then that's really what is upsetting to a lot of those, such as myself, who are in the IT space, who have to try to mitigate some of the fallout. Now, luckily...
What could the executives in those companies do if they read the memorandum? If they heeded the warning, what could they have done to prevent against this?

Well, as in most things, there's always a solution, right? You don't have just a problem with no solution.

Nobody knew about the Microsoft vulnerability until recently. It only came to light a short time ago. You're talking about memoranda that were written a year ago or whatever.

Well, it was clear that they were following poor security policies, right? I mean, they had to get inside the server somehow. There were some issues with how they were maintaining their existing staff. It's all kind of laid out, and the specifics haven't been revealed, but what they are saying is that several whistleblowers came out and said, look, guys, we really need to do something about this. There is a real security risk. We are responsible for a lot of people's livelihoods. I'm going to say a lot. I mean, in the millions. And our product is vulnerable. We need to do something about this. Now, in SolarWinds, it was really obvious, right? Their password to their main server was SolarWinds123. Kind of easy to guess.

Oh, jeez. That's ridiculous. You know, so, okay, so you have this, and the newspaper would suggest there were an awful lot of companies tied up in ransomware scenarios. And are we out of the woods on that? Unless we forget that Joe Biden had a telephone call about this large ransomware attack by REvil a few days ago, only a week ago or so. And, of course, Vladimir Putin did not admit that he knew about it or that it was his fault or anything. But in Russia, Putin knows. Putin has connections. Whether it's a capital concentration or an intellectual concentration or certainly computer nastiness like this, he knows.
And so remarkably, less than a week after that, their website came down. And now they're not available for hacking as a service anymore. And their whole business has, like, disappeared, although we all know it'll probably reappear soon enough. But what about the guys whose data was kidnapped? What about the guys who suffered? If the site went down, if REvil isn't in business anymore, who do they call to get their data back?

So data exfiltration is one piece of the puzzle. And the second is decryption. Data exfiltration, as far as I know, there's been no evidence of data exfiltration. I could be incorrect on that. Probably worth googling that. But data exfiltration is when they actually take the customer's data and they either publish it or hold it for ransom outside of the customer's network. And that could be independent of ransomware being deployed. And so it can go both ways. In this circumstance, I believe it was just a smash and grab: quick ransomware, sloppy deployment. Luckily, since most managed services companies already have a good disaster recovery plan in place for their customers, those that were affected were able to be brought back online. Or if they weren't, then at great expense to the managed services company, the man in the middle, they had to do what they could to get that business back up. But like I said, this just magnifies the problem that already exists in our world. This is not unique. We see it a lot. It sucks. It's not great. But in order to be successful at your business, you've got to suck at one thing first, because "suc" is at the beginning of the word success. You've got to have a good, successful business disaster recovery plan, business continuity plan, and that's going to allow you to weather any storm that comes your way.

So if I have a little company, or a medium-sized company, and I was attacked by something coming from REvil, then if I had backed up, I could get back online.
And the problem with the printer software really wouldn't make too much difference to me, because I'd use the Microsoft patches. I'd get my data back, because I have it encrypted somewhere safe, end of story. Am I right about that, or are there people left high and dry on this?

It's a little bit of both. Hard to tell at this point, because there are just so many victims. But those that took advantage of cloud services most likely have their data. Those that outsourced certain parts of their operation for specific things. So, for example, they subscribe to a software as a service like Adobe, instead of purchasing an individual licensed copy and then losing that installation file. That's really easy to restore. If they're a subscriber of Office 365 and they are in a plan which includes the software, it's very easy to just wipe the system or re-image it and then bring it back online and download the software, and you're back up and running very quickly. So the good news is that part of COVID has forced us to be more nimble and cloud-dependent. And so when something like this does happen, it's a lot easier to then recover versus having extended downtime. So it just really depends.

Well, conceptually, as long as I keep my data safe in a backup, I'd say an encrypted backup probably best, then I can come back again. I would not be affected by this. This is really awful what happened, but the prepared companies will have survived. Others maybe not, because it's not like you can pick up the phone and negotiate with somebody who went offline and disappeared into Ukraine somewhere. So the other thing I wanted to ask you about is this. Ever hear of entrapment? It's when government police or prosecuting authorities will make like they are engaged in the crime with the other criminal, and they'll suck them in and they'll deceive the other person and they'll even talk like a criminal. And in the process, they're gathering information so as to arrest and prosecute.
And in this case, what's happened here is really a step forward. Tell me if I'm wrong. These guys are very creative. Now they're offering it as a service. You can go on the website, at least recently. You can bring the software down. You can be a criminal in a matter of seconds. You can go be a criminal overnight. And I'm sure that some kids in this country, and adults too, would have done that. And then, of course, you have to share your ill-gotten gains with them. There's a lot of contact. I mean, there's a lot of contact, interaction, between the customer, so to speak, who gets the criminal software, and the one who gives them the criminal software, REvil. And so that leaves a lot of opportunity for the FBI or somebody who would engage in this kind of... "entrap" is the right word, the wrong word, because entrapment itself is illegal. But some kind of situation where they suck them in, deceive them, and then nail them. Is it easier with the software as a service model to bring the criminal in and nail them?

Well, to be fair, REvil is just one of many. In fact, I believe it was April of last year, there was another shutdown, let's see, of another large-scale ransomware as a service and cybercrime as a service type organization. And they just pop right back up. This is not going away. These are like mushrooms. You just chop them down, and then they pop right back up again.

It's because it is political.

Yes.

But they're more advanced every time you look. Each generation of mushrooms has new and creative tricks, like this thing about taking your data also and auctioning it. And the other thing I wanted to ask you about: you said before you didn't think that Putin had any connection with them, don't you? I mean, doesn't it seem like he may? I mean, there's a remarkable coincidence here: a week after this contentious conversation between Biden and Putin, the thing goes offline. Now, I guess some commentators would say, well, it was subjective.
REvil decided that there was too much heat coming from, obviously, the US, but also from Putin himself. And they decided the better part of valor would be to disappear like a mushroom and come up later. What do you think happened there? And is there any issue at all about them coming up later? They'll be back in a few days or a week. They'll be back and they'll be even more creative, am I right?

You're right. And the one I referenced earlier was Trickbot. So if you want to Google Trickbot, you'll see it's the same thing. It's ransomware as a service. It's business email compromise as a service. They make a product, people pay for it, they use it, they infiltrate. And when Microsoft shut down their networks back last year, April, I believe, well, what happened? Later they came back stronger than ever. So there's going to be Trickbot. There's going to be another REvil 2.0. They just come, they just go. I wouldn't count on these folks going away. And yet, to answer your question about whether there's any sort of politics involved, perhaps, I mean, I don't think I'm qualified to say yes or no. I'm not even sure anyone in law enforcement or the FBI or Homeland Security has the answers to that either. It's hard to tell.

But you must think about where they are. There must be telltale signs about where they are, about, for example, how well they write and speak the language. You think they're in Russia, you think they're in Eastern Europe, you think they're in Asia. I always felt that Siberia was a good place for them. Vladivostok and all that. Could be anywhere. But you guys, people in the industry, must have some idea, even by way of rumor, about where these guys are and who they are.

Well, post incident response and evaluation, sometimes you do discover who's in there. And for instance, in the case of SolarWinds, which wasn't that long ago. I know everyone thinks it's ancient history, but that was just like six months tops.
They were inside, but everyone was pointing the finger at Russia. But then it turns out that once China got wind of it, they were in there too, watching what was going on. So who knows how many advanced persistent threat actors there could be in nation states that are out there looking in all these networks and finding vulnerabilities and taking their time. That's the other thing about this Kaseya attack. There could still be infected machines out there. And they could do a second wave. I mean, this was just over the July 4th weekend, right? They deployed it on the Friday morning before. I mean, it could very easily happen later. This is not over. And I don't think it's going to be over anytime soon.

So what about the success of the FBI in recovering half of what was paid in the Colonial Pipeline case a month ago? They seem to have been successful in getting half of it back. Did anything that they learned or demonstrated that they found in that case help the community deal with this going forward? Did they discover a new way of dealing with ransomware?

I really do like the fact that they chose to spend $800,000 more than they had to, to pay with Bitcoin versus Ethereum. So Bitcoin has a better, what's the best word, paper trail along the blockchain. So they were able to work with the FBI and get some of that back, which was good. Ethereum is less so. And I believe, if I remember right, their operational cost was something like $400 million a day. So a few million bucks here or there was a lot less impactful to the pocketbook than having the whole system shut down.

Is the lesson that we learned with the FBI and Colonial Pipeline going to be useful? Or does it just run off the hackers' backs, and it doesn't affect their ability to do this, or in fact to do it better, at all? Did that change things? Did it reach some sort of tipping point?

Absolutely. You're asking the right question. What can we learn from the Colonial Pipeline attack, and how does it apply here? Well, guess what?
Colonial Pipeline attack: they paid the ransom. What happened? They got a decryptor. You haven't had to deal with post-ransomware decryption software, but it's not like nice production-value software. It's really garbage. And it doesn't work very well to decrypt stuff. So what did Colonial Pipeline do? They said, heck with it, we're going back to our backups. And they had a good business continuity plan in place. So even though they did the negotiation, they went through all the rigmarole, they paid the ransom, it still didn't help them. Having that business continuity plan, getting everything back up and running, was the saving grace. That's what saved their hide. And so we can all learn from that, especially with this latest supply chain attack.

Well, it seems to me that this is a soft target, because you can be anywhere. Even if you don't have any skills in coding, you can take it off one of these hacking as a service websites. But as you said, there are others. And REvil will be back. And you can do this. And every time they have this big-number type of ransomware news headline, the price goes up. And you can make more extravagant demands every time. And more people can get involved. There's like no limit, because nobody got arrested in the Colonial Pipeline case. Nobody was actually identified. They got half of it back, but that doesn't really float my boat, because these guys are still impugned; wherever they are, they're completely impugned. Nobody ever got caught, prosecuted, convicted or punished in any way. So it just seems to me there's a global process here. It's set to expand and expand and expand until there are sanctions, until there's accountability. And so far, no accountability. So my question to you, of course: business has got to take steps. And companies like yours can help them.
But there'll be more business involved, more damage involved, presumably more destruction of the economy if somebody wants to do that. And nobody is stopping them. What's the future of this?

Well, the future for sure is right now. The problems that you're describing, out-of-control ransomware, bad actors out there destroying networks, that's happening today as we speak. Probably during our conversation, a bunch of networks got taken out. So you've got to, like you mentioned, hire the right people to come in and help you be resilient against these kinds of things.

Do you have a clientele here in Hawai'i who were victims of this?

I'm sorry. Hawai'i... is being picked up?

No, you have clientele here in the state of Hawai'i who were victims?

Well, I'm not at liberty to name names, but I can tell you for sure, we are not immune here in Hawai'i.

I knew you'd say that. And to me, it sounds reasonable. There are no barriers, no borders. Why not? It actually would be fun. There is a sense of humor involved, which leads me to believe these guys are not only creative but young. I mean, for example, I thought it was really cute that in the latest version of the ransomware software, as available then from the REvil website, there was a trial period where they would take your data or lock it up. And then if you were in the trial period, I signed up for it, in the trial period you could unlock it, just so that it would be demonstrated to you that the unlock aspect of the ransomware worked. That's so cute. They got that from all these trial versions of software that we see all day long. It's like business. It's like a creative little business that comes and goes. And they get a substantial percentage of what you recover in your ill-gotten gains. If you get a million dollars, there's some kind of oddball deal where they get a part of that. That is the REvil types. They get a part of what you recover.
I'll tell you, put me on the jury, Attila. Put me on the jury. I will do what has to be done. But we haven't seen any juries. We haven't seen any prosecutions. So my question, my last question to you is, with all the knowledge that we have, that you have, about the vulnerabilities and the way these guys conduct their intrusions into the networks, do we have a way, some way, to identify them and go out there and arrest them? They could be doing this from Moiliili, not Ukraine. Let's assume for this discussion they are doing it from Moiliili, in a little one-bedroom apartment. So can we identify them? Can we bring them to justice, or is it just impossible, leaving us globally vulnerable?

Well, hopefully our friends at the FBI are not listening, because they are very interested to find out if there are any bad actors here on island, because it is criminal, of course. So I would venture to say that you're right. We don't know who they are. And I'm also going to say that you're right. You've got to do something about this. So everyone knows what to do. Everyone knows how to lose weight, but it's the action that makes the difference. Everyone knows how to keep their business secure, but it's the action. It's the decisions that matter. So until you change people's behavior, we're going to keep having overweight people. We're going to keep having cybersecurity incidents, unless you hire a professional.

Last question. There are other professionals who might be interested in this conversation, namely lawyers. So if I'm damaged by this and there's a smoking-gun kind of whistleblower memo out there, and I find it, doesn't it seem clear that the company who ignored the whistleblower, the company who knew or should have known about a vulnerability and did nothing, has enormous, even total, liability to me for failing to protect me?

Well, that brings up a good point.
And it reminds me of GM's gross negligence back in the early 2000s with their safety belts, I believe. I'm not sure. They had something. It reminds me of pharmaceuticals that have had this numerous times. It reminds me of food manufacturers that have had E. coli and they knew about it. This is not a unique circumstance. It just happens to affect computers.

You're right. You're right. But we have to think along those lines, though, because as a community, we can't let this happen. So what are your closing suggestions to the public who may say, in response to this conversation, I'm too small, I don't care, they're never going to care about me?

Well, this is systematized, so no one is immune. And if any indicator on the news gives you any sort of direction, just know it's not a matter of if but when. Just like living here in Hawaii, we can expect storms. This is a way of life, and it's part of the risks that we take on deciding to live on the most isolated landmass on the planet. You're going to have storms, you're going to have weather. And the best thing that you can do is prepare and be resilient. And there are lots of resources to do this. There are many community resources now being pushed out by the SBA. In fact, we have some good friends and relationships there at the SBA. They have some good cyber resources there. More and more IT professionals are becoming cyber aware and security aware. Speak with your cyber professional, or should I say your IT professional, and see what the limits of their knowledge are on these kinds of things. We work pretty extensively with in-house IT teams to help augment their capability and make them look good, because sometimes there's just too much to be covered by a single IT person. You do need a professional.

Now, who would have ever thought that this would become so important in our world, and important for coverage here at Think Tech?
So I feel confident and hopeful that you and I will be speaking again, because there'll be some other crises along similar lines going forward. I look forward to a continuing relationship with you.

I'm glad to help. I think the last time we talked about something was just a few weeks ago. So, you know, just a matter of time.

Exactly what you're looking at. Yeah, Attila, Ilanda, really appreciate it.

Thanks, guys. Stay safe out there.