My name is Connor Goodwin and I'm ProPublica's interim director of communications. Welcome to "How Ransomware Is Fueling an Economy of Extortion." For those new to us, ProPublica is a nonprofit newsroom dedicated to investigative journalism. Hundreds of businesses have been grappling with the repercussions of a ransomware attack on software provider Kaseya over the holiday weekend. The hackers then demanded $70 million in Bitcoin to restore data they are holding for ransom. This hack is just the latest, and one of the most dramatic, in a series of high-profile ransomware attacks this year. ProPublica has been investigating ransomware since 2019. For our conversation today, we have gathered a panel of experts to address the growing menace of ransomware and answer your questions. Renee Dudley is a tech reporter at ProPublica. She was the lead reporter on ProPublica's 2019 series about ransomware, "The Extortion Economy." Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters, where she reported extensively on issues with college entrance exams. Jeff Kao is a computational journalist at ProPublica who uses data science to cover technology and artificial intelligence. John Reed Stark is president of John Reed Stark Consulting LLC, and over the last 25 years his name has become synonymous with data breach response, cybersecurity and digital regulatory compliance. Thank you to our panel for joining today. Also, this session is being recorded, and a link to the video will be emailed tomorrow to everyone who registered. Our moderator today is Pulitzer Prize-winning journalist Daniel Golden. Dan is best known as the author of The Price of Admission, an influential bestseller about preferences for white and privileged students in college admissions.
He edited Renee's series on ransomware and also co-edited a ProPublica series on Latin American asylum seekers caught between the US government and the MS-13 gang, which won the 2019 Pulitzer Prize for Feature Writing. Thanks again for joining us. I'll let Dan take over from here.

Thanks very much, Connor. You know, we're here to talk about ransomware, which is one of the most pervasive of all cyber crimes, with more than a million attacks each year; by some estimates, a business is attacked by ransomware somewhere in the world every 10 to 20 seconds. One reason ransomware is interesting is that it requires the criminals to have two different skills, hacking and cryptography. Essentially, the attacker hacks into a computer or a network, encrypts the files so they can't be accessed, and then demands a ransom payment, usually in Bitcoin or some other cryptocurrency, in return for a key to decrypt the files. What makes ransomware appealing to criminals is that it's a kind of one-stop shopping. You know, in most cyber crimes, like a data breach, they steal the information, like the credit card data, and then they have to resell it someplace else. In ransomware, the victim and the payer are the same person, so you don't have to incur that extra time and risk of finding another buyer. Those are a couple of my observations on it. Now we'll turn to the panel. Jeff, why don't you talk a little about who the hackers are, how they're organized and why they seem to operate with impunity?

Yeah, so I think, you know, as we've all seen lately, and it has been the case for a very long time, ransomware has been around, in its earliest iterations, for probably decades. But, you know, these cyber criminals largely operate in Russia and former Soviet republics and elsewhere in Eastern Europe. And, you know, since the very beginnings of ransomware, I think they've really begun to organize. It's evolved into this industry.
And, you know, like Dan said, it's a way for cyber criminals to make money predictably, and it's led to the specialization that you would see in any other maturing industry, you know, if you were to think about it as sort of a business. And so these ransomware gangs are often comprised of, like Dan said, cryptography experts, experts at intruding into computers, and also what you would think of as management, right, people who organize all these different efforts, and also in some cases, you know, customer service, people who help their victims obtain Bitcoin and pay the ransomware organization. So they've become these very sophisticated and well-organized groups. And it's been difficult to prosecute them, I think partly because they operate in a non-state capacity in a country where the government, for example the Russian government, doesn't have a lot of interest in going after cyber criminals who don't support Russia. And a lot of these organizations only attack companies outside of Russia and former Soviet republics. And so the Russian government doesn't have a lot of incentive to cooperate with the US government or other victims' governments. So I think that is definitely one big factor in ransomware impunity. I think another big factor was, you know, especially in the earlier days, people didn't really know how to deal with ransomware, and local law enforcement didn't really have the expertise to track down the attackers. And now, definitely in the last year, the federal government has really started to take a much closer look at ramping up their efforts to prosecute ransomware attackers.
I think Renee's done some research on some of the drawbacks, even now, of the federal response. Renee, maybe you can speak a little bit about some of the shortcomings of even, you know, the FBI and people like that, as well as the role of insurance companies in kind of enabling some of this stuff.

So there's two issues there, and they're related: there's law enforcement and cyber insurance. Now, on the law enforcement front, you have local law enforcement and federal law enforcement, and local law enforcement is probably more likely to be a victim of a ransomware attack than it is to actually be able to help a victim. It's just not what they're equipped to do. On the federal level, there's historically been a number of challenges. One is that the FBI has been desperate over the years to get victims of ransomware to complain to them, to have complainants come forward for cases that they can actually investigate. There's a few reasons for that. One is that victims may be reluctant to report because they believe that law enforcement can't help them. They may be reluctant to report because they don't want their attack to become public. Another issue is that the Justice Department has prosecution thresholds: they need to surpass certain literal dollar thresholds to open a case and investigate. And historically speaking, the ransom has been relatively low, you know, in the hundreds or thousands of dollars per victim. Of course, all of this is changing now. There's higher demands. There's the issue of double extortion. This is where the hackers will steal a company's most sensitive data and publicly post it as a means of leverage, so the victims' names are becoming public whether they want them to or not.
But other issues remain. For one, most of the attackers are located in countries that may be hostile towards cooperating with the US. Russia is where some of the most notorious gangs are these days, and Russia is not extremely likely to cooperate with US law enforcement. So that brings us to the other issue that you mentioned, which is cyber insurance. And I'll say that I recently spoke with a victim. She was the information security officer for a group of doctors' offices that was recently attacked by Ryuk ransomware. And she told me something that I think summarizes the way that many victims feel these days, which is, she was surprised that no law enforcement authority could really help her organization when she was attacked. And at the end of it, she said she was grateful that her organization had cyber insurance. And, you know, cyber insurance has absolutely exploded in popularity in recent years. Two years ago we did a story about how insurers were readily agreeing to cover ransom payments. At the time, seven-figure demands were unusual. Now they're commonplace and the insurance companies are getting stretched. So it's all interesting and fast-changing terrain.

Thanks, Renee. John, can you speak a little to the sort of consulting industry that has sprung up around ransomware as it's become a bigger and bigger deal, all these cybersecurity consultants, forensic investigators, data recovery companies? Can you give us a bit of a roadmap as to these kinds of businesses and which ones are helpful and which ones aren't so helpful?

Well, I mean, that's a great question, Dan. Finding someone to help you in this situation is like finding a plumber after a hurricane. The experts are still few and far between, and they do charge very high rates on multiple levels, but just taking a step back.
Because there are so many legal issues involved, I'm a lawyer also; I teach a cyber law class at Duke Law School. And even though I'm a consultant, there's so many different disciplines that you need. So the data breach happens or the ransomware attack happens, and you're going to need a law firm to quarterback the entire incident. Well, why? Why do you want a law firm there? Well, first of all, because there are so many legal issues: class actions, law enforcement liaison. Everything really has a legal dynamic to it. But also because what you hope to do is put all of the work you're doing, because it's all in anticipation of litigation, let's face the reality, under the protection of the attorney-client privilege. So you'll have a law firm on top, and then you'll have a digital forensic firm that the law firm engages. And that digital forensic firm will come in and look for indicators of compromise, work on the remediation, and try to get you back up and running after a ransomware attack, and see what kind of backups you have and what kind of restoration possibilities there are. Then if you want to make the Bitcoin payment, you're going to have to hire a facilitator for that. And there are very few companies that will do that. Why aren't there more of them? Well, first of all, because remember, you're negotiating with a criminal and trying to trust that criminal to give you this encryption key. So you really need a specialist who's worked on these kinds of negotiations, like that old Russell Crowe movie about kidnapping victims. It's much like that sort of situation. But once you're talking to these facilitators, there's another dynamic that comes into play also, and Renee touched upon this a little.
If you're going to make the payment, you better make sure that that payment is not made to someone on the OFAC list, the Treasury Department's list of prohibited countries or organizations to make a payment to, because that's a strict liability violation. So if you make that payment, and you make it to a criminal organization that's on the Office of Foreign Assets Control list, the OFAC list, then you also could be criminally prosecuted as well. Now, OFAC has come out with some very ominous warnings about making ransomware payments, including October 2020 guidance that specifically says that you should worry about this issue. So I did write an article about this; it's a sort of 12-point OFAC due diligence checklist. And the biggest part of that checklist is working with law enforcement. So if OFAC sees that you're working closely with law enforcement, even though they can't really do anything to help you, but you're at least reporting to them, if you're reporting to law enforcement, then that will be a mitigating factor in charging you if you make this sort of payment to a criminal organization. And remember, you're trying to prove that this evasive criminal is not on this terrorist list. It's like trying to prove the height and weight of a poltergeist. So it's a very complex undertaking to figure out how to make the ransomware payment and how to remediate. And you see it with the Kaseya CEO, who just put out a video today on YouTube; you can watch it on their website. And he doesn't really talk about the ransomware payment aspect of it, but he talks about just how many moving parts there are. And I was a little concerned when I watched that, because the thing about these data breach responses is that the facts change. On Monday you might be thinking Omega, on Wednesday Alpha, and on Friday Beta. Things change rapidly during these incident responses.
So it's hard for any CEO, though it's valiant of him to do so, to get up and say, here's the situation, because he or she is very, very likely to be wrong, because circumstances change so much.

You've written about some consultants in this field that are scammers. You know, they purport to recover the code for companies, to recover the keys so they don't have to pay the ransom, but really they just pay the ransom and charge you a fee. Can you speak a little about that?

Yeah, we did a 2019 story that particularly looked at two companies, one based in Florida called MonsterCloud, and the other based in New York called Proven Data. And these are consultants that victims will call after they've been attacked. At the time, they were the first that would pop up on Google, and victims would come to them and get help to recover their files. These companies told victims that they could help them recover without paying a ransom. But as our story showed, they were paying a ransom, but not telling victims that that's what they were doing, and charging them a hefty fee on top. So at the end of it, the victims were getting victimized twice. You know, as time goes on and insurance becomes ever more prevalent, these days insurance companies will typically give you a list of preferred vendors for you to pick from, and these aren't on those lists.

But MonsterCloud still seems to be cheating people, right, based on that New Yorker piece?

Yeah, I was just going to say, they continue to act independently. Not everybody has insurance, and they're picking up clients that don't, and apparently still engaging in the same practices that we've written about. It appears as though, at least in MonsterCloud's case, their behavior has been reported to the Florida Attorney General. So we'll see if anything happens from that. Yeah.
Now, Jeff, I want to go back to something you were talking about with the structure of these businesses. It's interesting how these ransomware gangs kind of mirror typical corporations, right? I think they even have human services, human resources people and things like that. But there's a structure that's come into vogue that you'll sometimes see referred to in the press called ransomware as a service, where the gang doesn't necessarily do the whole attack themselves. I wonder if you or Renee or John, any of you, could speak to how that works and why they do that.

Yeah. So I guess it's sort of the next evolution in the specialization of ransomware. People who are specialists at producing the cryptography software have set up a system whereby you can essentially pick up this malware payload yourself, intrude into somebody's network, lock down their computers and then share the ransom with the software developer. And so, you know, obviously the orchestrators get a fee. It's like a franchising model, but they also don't really have as much control over who they're attacking.

So some independent hacker will just buy this on the dark web or something, they get into a company, and then they find a developer to partner with to launch the ransomware, right? And basically how do they split the money, who gets what percentage?

I'm actually not as familiar with the percentages, but I'm not sure if John and Renee can speak to that.

I think I can. I think the percentages vary, but that's precisely right, Dan and Jeff. I think the way Jeff phrased it is perfect; he said it's like a franchise. So there's probably three major developments here that we're seeing in the last six months or a year that CEOs really need and companies really need to understand.
And the first is this ransomware as a service, that it's much more sophisticated, not just because of the HR and customer service things but also because of the way they're selling access to companies that they've already broken into. So that's really an incredible change. Second is the sort of name-and-shame game. So in addition to saying, hey, we've encrypted your data and we have the key and you have to pay us for it, they're also saying, we're going to dump it all on social media if you don't pay us. So it's sort of two ways of extortion, and every day you don't pay us we're doubling the ransom, and every time you negotiate with us, we're increasing the ransom. So that's another big one. And then of course supply chains, using the supply chain model, whether it be all the recent ones, SolarWinds, Kaseya. It's just another level of evolution that shows you just how dangerous ransomware has become. And what's amazing to me is how often people just misunderstand that, you know, hey, the reason why these companies are getting attacked is because their cyber is not up to par. And that frustrates me, because I work with companies every day. It's sort of like your health: you're doing the best you can. And I think when it comes to cyber, you know, cyber security, it's an oxymoron. So it's like trying to have an undefeated season with your Golden State Warriors; you want to have that undefeated season, but you also can't give up a single point. It's impossible. It's like sending your kids to kindergarten and not expecting them to come home with a cold, or, when they come home with a cold, blaming the teacher in the school. So you have to realize what's going on in the area of cyber. At the same time that ransomware as a service is developing, and at the same time that supply chain attacks are developing, the wrong way to think about it is that, well, these companies just don't have good defenses.
Is one sector better prepared than others, and in what kinds of ways are they trying to step up their cyber security? Like, I notice you rarely see an attack on a major bank or something; they seem to be better protected. We see hospitals, we see schools, we see energy companies. Is that because they have lousier cybersecurity, or what? How do you attribute that?

You know, this is really, you try to make generalizations, because it's all over the place, you know, how companies are different. But I was at the SEC. I was the chief of the Office of Internet Enforcement there for 11 years; I was in the Division of Enforcement for almost 20. And financial regulation is extraordinarily burdensome. In the area of cyber, the SEC and FINRA have really gotten in front of this and set up lots of guidelines and used their examiners to go in and really push companies at the level of cyber. So they're just less attractive targets. Not that they can't get hit, because all you need is one small... you're only as strong as your weakest link, and your weakest link is always a person. You see it, and it's sad, with hospitals and schools and municipalities who don't have the funds for personnel. We're in the midst of a massive cybersecurity personnel crisis. You just can't find people. There are over, I think, 3 million job vacancies, last I checked, in the cyber industry. For those of you out there listening, if you've got kids, tell your kids to do cyber. They'll be writing their own ticket for their whole life, and you don't need to be a rocket scientist to do it. You see hospitals, municipalities and manufacturing, which don't have the regulatory oversight. I do see more victims in that area because they're easier pickings. That doesn't mean that a financial firm can't get hit. I mean, remember JPMorgan; that wasn't ransomware, but that was a similar question. But maybe Renee and Jeff have other opinions.
Renee, I want to ask you something else, which is, given all that you guys have described, the higher demands, the double extortion schemes, the ransomware as a service, can cyber insurers continue to afford to cover ransomware payments? I mean, to use John's metaphor, is it like, you know, selling flood insurance in a hurricane? What's happening in the insurance field?

In 2019 we did this story about the cyber insurance industry, and at the time insurers would readily agree to cover ransom payments, because at the time it made financial sense to do so. And now that ransoms are higher, it doesn't necessarily make financial sense all the time anymore. But at the time, the idea was that by covering the cost of a ransom payment you're helping keep down claim costs. You know, it's the fastest way to get the policyholder back in business. An insurance industry spokeswoman that we quoted in our story compared it to paying fraudulent auto claims. It's not something the insurer wants to do, because they know it encourages bad behavior, but they figure it's not that much money; it's the path of least resistance. The problem is that all of these payments have contributed to ever greater demands. You know, we went from the hundreds to the thousands, tens of thousands, hundreds of thousands, and now we're regularly in the tens of millions of dollars for ransom payments. People are still getting cyber insurance, but as a result underwriters have got higher claim losses in 2020 than any prior year, policies are becoming more expensive, coverage terms are getting more expensive, and I think insurers are starting to rethink this business more broadly. In May, for example, one insurer in France said that they were going to stop reimbursing ransom payments for new policyholders.
Yeah, in fact, isn't it the case that in this double extortion thing, when the ransomware gangs go in and steal data, one of the things they look for is the cyber insurance policy? So if they see, oh, this company's covered for $10 million, boom, they demand $10 million. So the cyber insurance fuels the higher ransom demands. Sorry, John, what were you going to say?

You're exactly right, Dan. You know, I think there's a moral hazard here. There are two sides to this story. I've heard both of them. I can't figure out which side I'm on. On the one side, you say, look, the insurance payments have created this moral hazard so that companies don't worry about it, they make the payment, and the attackers break into insurance companies, find out who's insured and attack those companies. So there's that side to it. So there's a school of people who say we should outlaw insurance companies from making these ransomware extortion payments. There's the other side to it that says, yeah, go ahead and do that, and look what happened with Colonial Pipeline. You'll have a gas crisis, or you'll have a different crisis, but in that case it was a gas crisis. It looked like the '70s. For me, I remember the '70s when there were these long gas lines, and it was very frightening for people. That would have been happening if Colonial Pipeline hadn't made that payment. So on the one hand, you might have some economic catastrophe that's terrible for the world, with all sorts of anticipated and unanticipated consequences. But on the other hand, you have the idea that you're just making it worse by allowing the payments. So what I would say about cyber insurance, though, is I would add to Renee, I think premiums are doubling, tripling in amounts. I don't think it's sustainable for the insurance companies to keep doing this, though they might just keep increasing the premiums.
They're also setting up special requirements and giving companies the equivalent of a technological colonoscopy before they will pay. And then when you try to make your claim, the insurance company is going to say, okay, well, we're going to send in our adjuster to review all of your current cyber to make sure of the representations you made to us when you actually signed on to this policy, and whether we're going to pay. Now, it's pretty disturbing when you call an adjuster after a cyber insurance incident, which I've done, and they've got a litigator on the phone with them to help them investigate the claim. I'm not saying that they don't want to pay, but I am saying that there are more and more fights. So those are all the things that are happening in this area. And it's the perfect storm for a company who's trying to defend themselves as best they can.

That's really interesting. Jeff, can you speak a little to the role of cryptocurrency here, and why do these ransomware gangs all want payment in Bitcoin? And given the fact that the FBI appears to be able to recover some of the ransomware payment in the Colonial Pipeline case, are these cryptocurrencies no longer as secure a hiding place for the ransomware gangs as they once were?

I mean, I do think Bitcoin will still continue to be used. I think one popular misconception about Bitcoin is that it gives you anonymity, and it's not exactly true, right? Like, all the transactions that occur with a Bitcoin account are publicly available for people to search and analyze. But, you know, I think electronic forms of payment like Bitcoin, like cryptocurrencies, have really allowed ransomware to flourish as a business model. You know, the original form of ransomware actually came before cryptocurrency existed. The guy who invented the concept had people send their payment to, like, a PO box in Panama. Right.
And so that was much more traceable. And when you think about the concept of a ransom, when you think about, like, movies portraying that, the exchange of the thing for the money was always a dicey proposition, right? And so cryptocurrency has really made that a lot easier. Even though, you know, DOJ can, not exactly shut down accounts, but make certain accounts off limits, or the Treasury Department through OFAC, cryptocurrencies like Bitcoin can't really be shut down, right? You can't really seize it like a bank account. And even though you can sort of trace where the payments have gone, there's mechanisms called, like, tumblers, or I forget another name for it, exchangers, that essentially try to obfuscate where the payments have gone. And so I think Bitcoin will still remain a popular way for ransomware to get paid. It's easier than ever for victims to obtain Bitcoin as well. So if you say, hey, I want my payment in Bitcoin, it's pretty likely that they'll be able to figure out how to get the Bitcoin to you at the end of the day.

I see what you mean. So to sum up a little bit, we've got this escalating crisis. We've got these gangs operating in countries that don't have extradition treaties with the US, so we can't go get the criminals. They're increasing their demands. They're stealing data, so even if you have good backups you might have to pay the ransom anyway. They've increased their sophistication to the point where anybody can pretty much go in and attack somebody, and the big gangs still profit. So the question is, what do we do? So before we open up to the audience for questions, why don't we go around the panel and get each of your thoughts on what productive solutions, if any, or approaches or policies should be adopted.
Renee, why don't we start with you.

You know, in Europe, European law enforcement has had a lot of success by cooperating closely with private researchers and private sector companies. And I know that the FBI has said that they are interested in pursuing those kinds of relationships in the US, and I think that by establishing and maintaining those kinds of relationships and using the expertise of private researchers, there would be a lot more advances towards identifying criminals, maybe preventing attacks, that sort of thing.

Great, thanks. Jeff, what do you think?

Yeah, I think, I mean, even as John has said, right, cyber security is never 100% secure, but I think individual companies and individuals can still take steps to improve their cyber security. I think in this remote working day and age, it's introduced even more vulnerabilities than ever, and the attack surface is ever increased. And so better security, and also better backups, so that in the case that you are attacked, you can recover fairly quickly and not have to pay the ransom.

Great, thanks. And John, what do you think?

I agree with Jeff and Renee. I think those are both really good ways. I'm going to go a step further. I think Bitcoin and crypto is sort of the killer app of ransomware. That's the reason why ransomware exists. I have struggled with this. I don't see any legitimate use for cryptocurrency in the United States. I don't see any good thing that it does. And I've studied it carefully. All the people who promote Bitcoin to me, they always own it. So the more people they can convince to buy it, the better they're going to do. So I think there are three fast, easy, inexpensive, reasonable and effective government solutions to combat the ransomware wave that we're in.
I think that Biden should sign an executive order that no federal entity will accept crypto as payment for goods or services, or do business with any entity that transacts in crypto. Number two, the IRS should require that crypto transfers of $10,000 and more be reported to the IRS, just like the way banks report cash transfers of that amount and brokers report securities transactions to the IRS. The IRS then should require US taxpayers holding more than $10,000 in crypto offshore to file FinCEN Form 114, known as the FBAR, to report these holdings. I think the only way to get a chokehold on ransomware is to stop the flow of the Bitcoin, and I don't see any reason not to. I appreciate this with blockchain: I realize blockchain has incredible potential, and that there are all these businesses that will do all these incredible things with blockchain. But I don't want to conflate the two; I'm just talking about using this as a currency. We are not in a country where you are supposed to be able to anonymously or pseudo-anonymously conduct transactions. We don't live in a country like that. If you go to the bank and you withdraw more than $10,000, there's a report of that. When I was at the SEC we could trace transactions. That's what this country is about. We don't allow that kind of financial privacy from the government. Of course you have to get a warrant, or you have to use a subpoena, but we don't have freedom of making anonymous transactions, and we shouldn't allow it, because it fosters terrorism. As far as I can see, Bitcoin is good for two things: one is an investment, because there might be some other person who's willing to use it for some reason, and two, as a means of conducting terrorism, ransomware attacks, drug dealing, child pornography, and all the other things that are sold on the dark web.

Great, those are really intriguing suggestions. I'll mention a couple things.
You know, at times in the recent past, companies or the government have had some success at disabling the infrastructure of the ransomware gangs, you know, getting the servers that they use, or getting the host to not let them use the server. Sometimes the email providers, you know, in order to send a ransom note you need a platform on which to communicate it, and sometimes those email providers have been able to identify if their platforms are being used for ransom notes and then try to eliminate those users' access. So those are a couple of approaches. Also, I'll mention a shameless plug here. Renee and I are currently writing a book about one private group that's had some success in cracking the ransomware codes for victims so that they don't have to pay the ransom. It's an all-volunteer group around the world of about a dozen people called the Ransomware Hunting Team, so we're doing a book about them and their story. They crack these codes for free. Most of them cannot be cracked, but if the hacker has made a mistake in some way, or sometimes they find resourceful ways to acquire the key, that can get the files opened again. So that's all; the Ransomware Hunting Team book should come out next year. We're going to go back to Connor to respond to audience questions.

Yeah, hi everybody. Thanks again for a great, that was a wonderful conversation. Now we're going to turn it over to the Q&A portion. So again, if you'd like to ask a question, you can click the Q&A icon at the bottom of your screen and type it in to us. So I'm going to begin with one that, you know, was asked by several people and seemed of great concern, and I'll direct this to you, John. What are some steps individuals can take to protect their data?

Oh, that's a great question.
I think what I tell a lot of individuals who ask me, the first thing is to work on all your notifications. So you're worried about your credit card transactions and different things like that, so you want to make sure that whatever bank you're using is giving you all sorts of notifications whenever there's any activity, because banks and credit card companies, I think, have gotten pretty good at dealing with consumers. I think that's number one. Number two, you know, it's obvious: keep changing your passwords. It's really impossible to be vigilant all the time. You know, even me, who, again, I've been doing cyber since 1992 or 1993, you know, occasionally you're going to click on something that you shouldn't, and that's frustrating, and even when you know not to enter your password, try to be careful like that. And take as many steps as you can to think about, you know, even these simple things: when you go to a hotel, don't use their Wi-Fi. Only use Wi-Fi that you think is protected, that you think is safe, and that's probably your own Wi-Fi, and that's it. Don't use any personal information on any machine or any device that you're not familiar with. Keep up with all the patching on all the security that you're using. Put all kinds of antivirus and other types of defenses into your systems. The same things that people have been doing forever; just be vigilant. And, you know, I think people should be more worried about their private information than about their financial transactions, because I do think, again, the credit card companies and the banks are pretty good at helping you when you've been hit like that. But if you're putting personal things in emails, and those emails get picked up, and then they get suddenly dumped into social media, that's always something to worry about as well. So think about using email; think about using encrypted communications.
Think about encrypting your data, backing up your data. There are lots of amazing ways to back up your data these days that are incredibly efficient and incredibly cheap. I could go on for a long time. I'm curious to hear what Jeff and Renee have to say, and Dan also.

Yeah, I guess from an individual level, I think backups definitely are very, very important. I think, you know, if a ransomware attacker hits you and, you know, they've got your data and it's encrypted, and you don't want to pay, that's sort of the end of it, right? If you have a backup, you can sort of restore your data and proceed as usual. The difference between an individual and a company is, you know, you probably don't have, you know, suppliers waiting to ship you their product or customers that you need to serve right away, right? And so, you know, from a personal, individual level, I think good backups and keeping them separate from your machine will at least protect you from sort of having to pay some sort of ransom to get your data back. Data that's, you know, probably really only important to you personally.

Renee, this is a follow-up to your response to the final question about how the extortion economy might be disrupted. Can you give an example of how European law enforcement has worked with a private company successfully?

Yeah, earlier this year, a group of private researchers had identified the infrastructure of a botnet called Emotet that was used to spread ransomware. And working together with the Dutch National Police and Europol and a variety of other national law enforcement, they took down a good portion of the botnet. You know, of course, the caveat there is, often after a big disruption of one of these botnets, and there's been several of them, they'll re-form and continue the same old thing that they were always doing. And it certainly delivers a blow to them when it happens.
And Jeff, how do some governments benefit from the burgeoning ransomware industry, and how can it be stopped without their cooperation?

Yeah, it's an interesting question. I, you know, I actually don't have a good handle on sort of how the Russian government, you know, views this burgeoning industry within their own borders, because at the end of the day it really, I mean, it results in these, you know, payments flowing from outside of the country's borders into the country, right? So I'm actually not sure how the government views it, but Dan, if you know.

Yeah, there's a couple of things that maybe could be said on that, which is, a lot of these attackers from Russia, when they launch a ransomware attack, the program includes code that halts the attack if they encounter, you know, Russian-language code in the victim network or the victim computer, because they don't want to attack, you know, systems in their own country. And so, you know, from the Russian government's point of view, if it's launched from Russia and it's got protections to make sure that none of the victims are Russian, I don't think the Russian government considers it a crime or cares very much. They might even enjoy the fact that it's, you know, taking money from, you know, Western capitalists. So a lot of the attackers in Russia, you know, they take that precaution in order to stay on decent terms with the Russian government and protect themselves.

And John, how often are smaller entities like utility co-ops and school districts targeted for ransomware attacks?

Very often. And, you know, again, I just know sort of what I work on. But sometimes on my weekend, like, I'm surprised this weekend I didn't really get too many calls about this. I talked about looking through, doing a Google search. Sometimes people respond to ransomware just by doing a Google search. It's such a new area.
So I'll get a call on a Sunday from someone who says, "I Googled ransomware and I found you." And that's normally not how I've ever gotten clients before. But there's really just so much desperation. The smaller companies, it can be very tricky, because typically they don't have good backups. It's almost like those old roach motels, you know: the roaches check in, but they don't check out. That's the same thing that goes for the data. And oftentimes you try to go to your backups, like I had one small law firm recently that got attacked, and they found out that their backup company hadn't been doing their backups the way that they should. So they lost everything. And it's very tough for these smaller firms. I think they don't have the personnel. They don't have the infrastructure. They don't do quarterly testing. They don't test their backups. So they really don't have the same sort of infrastructure, and they get hit. And the feeling that I get from most of them is just, "Tell me how to make this payment so I can get back to work." And, you know, hopefully they have cyber insurance, and their cyber insurer comes in and says, "Here's how we are going to work the payment scheme out so that we're confident that the transaction is bona fide." But it's getting different. And, you know, if you look at the Kaseya data breach, the ransomware attack, and you look at the CEO Fred Voccola's YouTube video, he talks a lot about how he worked with DHS and how he worked with the FBI. And I think that is a trend; you know, Renee touched upon it. And lawyers are sometimes nervous about telling their clients to work with government, because the next thing you know, the FBI comes in and looks at everything and finds five other crimes that you're engaged in. So you've now put your client in a worse situation. So nobody likes to invite the FBI in. Or, if you're a government contractor and you invite DHS in,
they might say to you, "Hey, this is a problem," and then you get debarred and you can't do any more government contracting work. So there are risks to doing that, and I was encouraged by the Kaseya CEO. The benefits are that you can really stand up and say, "Hey, we're working closely with law enforcement on every angle." Now, expecting law enforcement to get your money back for you: I think that recovery in Colonial Pipeline was a bit of a fluke. I reviewed all the documents, the affidavits, and it's not clear how the government obtained the private key to get that. They might have gotten it from maybe one of the cryptocurrency trading platforms. I don't know, but they need that key in order to access it. They can maybe identify where it is. And remember, even if you identify where the criminal is, and you identify where the accounts are, you know, when I was at the SEC, extraditing and successfully prosecuting that person or entity takes 15 different federal agencies before you can even just talk to someone in a foreign country, let alone interview them, or somehow subpoena them, because you don't have any authority. So it's a giant roadblock once anything is in a foreign country, and it requires a dragnet of US federal agencies just to get the smallest things done.

School districts, as the question asked. There's been a real surge in attacks on schools during the pandemic, for the simple reason that they're very vulnerable because, as we know, a lot of schools went from having in-person classes to having virtual classes. So if you can disable their computer network, they can no longer conduct education in any way; the teachers are cut off from the students. And as a result, you know, that pressure translates into increased pressure on the school districts to have to pay the ransom. So the gangs saw an opportunity and they seized it, and there was a rash of attacks on schools.
And Renee, riffing off of what John just said about, you know, companies or consultants maybe being reluctant to go to the FBI, and the FBI, you know, not necessarily stepping up to the plate: if they're not up to the task, who, if anyone, is sort of stepping into the breach and, you know, filling this role?

Well, like we talked about earlier, you know, there's a lot of work being done by private researchers and private companies, you know, particularly in disrupting botnets. There was an example last year where Microsoft got a court order to disrupt a botnet that was being used to infect victims with Ryuk. You know, and then of course, you know, like Dan mentioned, there's the work of the Ransomware Hunting Team. They've cracked more than 300 major ransomware strains and variants since they started collaborating, and that saved about 4 million victims from paying collectively billions of dollars in ransom. You know, it's a really interesting group. They mostly, you know, they have day jobs in cybersecurity; they collaborate on ransomware in their spare time. And they do it for free. In 2019 we profiled one of its key members, an interesting guy named Michael Gillespie, who overcame myriad personal struggles, cancer, poverty, all while dedicating his spare time to cracking ransomware and helping victims, and we'll be further looking at his life story in our upcoming book.

Dan, I'd be curious to hear what common vulnerabilities are being exploited and how local reporters might be able to check in and see if those vulnerabilities exist near them.
Well, you know, some of the common vulnerabilities exploited are simply, you know, sort of getting in by phishing. You know, some hospitals were hit during the pandemic when, you know, employees, despite whatever training they got, clicked on suspicious files and it, you know, let in the virus, just like, you know, hacks always get in, and that's a very common method. For local reporters, it's difficult, because if a victim pays the ransom they generally don't like people to know about it. You know, they feel they are in a way abetting crime, and so they feel guilty about it. But I think the best way is: some of the victims are public entities. You know, they may be local governments, local police departments, school districts, as we've discussed, public hospitals. In those cases, sometimes you can use public records requests, and universities have also been hit, state universities. So you file a public records request to try and get the ransom note, the transcripts of negotiations with the ransomware gangs, you know, reports on how they got in. Now, in some cases it's frustrating, because you file this public records request, and, you know, they ought to comply with it, but they respond and they say, "Well, we're not going to comply because there's an ongoing investigation." You know, you and I and they know, everybody knows, that this investigation probably is not going to lead to any arrest for the reasons we've discussed, but they use that as an excuse. But some places do and some places don't. And sometimes you can be creative in the way you use a public records request. For example, in one state there was an attack on a local hospital, and I couldn't use a public records request with that hospital. But I figured that the hospital had probably reported what had happened to the state Department of Health.
So I sent a public records request to the state Department of Health, asking for all its communications with the hospital that was hit by ransomware, and sure enough, the local hospital had filed a report. I was able to get that report, and it was very illuminating; it had a lot of details about how the attackers got in. The same way with local school districts: if they've been hit, they may have to tell their state Department of Education, so I recommend a public records request to the state Department of Education as well. Think about who the victims are in touch with, what public entities they are in communication with, and then go to those entities and see if you can get the communications.

Perhaps Renee or John can answer this one, but someone was curious about, you know, looking at the economic impact these attacks have had. You know, they've had really big targets in recent weeks: JBS, which is one of the largest food processors, and the Colonial Pipeline. Is there anyone looking into how ransomware is affecting the economy and what impacts it's making?

I can tell you this: the SEC is incredibly active in this space, because the SEC expects all of these companies that are impacted by these attacks to report accurately how it impacts them economically. The SEC did something incredibly unique just a few weeks ago, where they literally reached out to a whole bunch of companies who were apparently impacted by the SolarWinds attack. And they said to those companies, "Hey, if you botched, if you made a mistake in the way that you disclosed in your public filings the impact, especially the financial impact upon your business, of the SolarWinds hack, we're going to give you amnesty up until," I think it was a date in July, it might be today, July 6, I can't remember what the letter said. But they literally, for the first time I'd ever seen, offered people amnesty if they would correct their filings.
And with that expectation, I think that companies figure out the economic impact and that they disclose that, and potentially with this latest Kaseya, you'll see, though, any of those companies that are public companies and have this situation, they're going to have to figure out what the economics are. So the SEC is pressuring companies very intensely to figure out the economic impact of these ransomware attacks.

But to add on to that, you know, we reported in 2019 about how publicly traded companies have been reluctant to report that they've been victims, because, you know, of course, a ransomware attack shows that you've been vulnerable, and that's not necessarily something that you want to disclose to the public or that you want investors to know. Instead, they've used all manner of euphemisms: "We've had an incident," or, you know, "a cyber event," or, you know, this or that. And, you know, the question came up of whether, you know, this is enough as far as the SEC is concerned. You know, just more broadly, about the more kind of global economic impact of ransomware, you know, the impact on the US economy: an entire ecosystem of incident responders, data recovery firms and insurers has cropped up around responding to ransomware, and somebody that I talk with regularly put it in a way that I thought was kind of interesting. You know, I'm not sure if you're familiar with those kind of fake motivational posters; you sort of see them as memes sometimes, but there's one that's like "Consulting," and, you know, there's a picture of all these consultants sitting around, and the punchline of it was, "If you can't solve the problem, help prolong it."
And, you know, I think there's a serious question of whether all of the people that have come around the ransomware response space are prolonging the problem by continuing to pay ransoms and be a part of the, you know, ongoing prolonged response.

And then I think this will be our last one. Dan, can you please speak to, you know, kind of give an overview of the different kinds of targets and the different levels of sophistication of ransomware attacks? Which might be considered low-hanging fruit with sort of simple preventable steps, and which are, you know, more sophisticated and might require, like, an active defense?

Sure. Well, in terms of the beginning of that question, I mean, it might be easier to make a shorter list of places that aren't targeted than the ones that are. I mean, ransomware, they're targeting pretty much every sector, as we've discussed and as we see. And I mean, in the pandemic, obviously they targeted a lot of hospitals and schools that were particularly vulnerable, universities, all kinds of different businesses. And they still continue to target individuals. And yes, there is a big range of sophistication. I mean, you'll get, you know, a teenager who buys a, you know, ransomware kit off the shelf on the dark web, and, you know, the code may be full of mistakes, and they do a lot of research for a small amount of money; they do what used to be called the spray-and-pray approach of, you know, just sort of indiscriminately targeting hundreds of thousands of places, hoping to, you know, break into some and get some money, with small amounts of money, to the places that the, you know, the experienced gangs, like the ones Jeff discussed, that are well organized. They do a fair amount of preliminary research. You know, they'll identify a target. They'll look to see how much the cyber insurance coverage is. They'll look for potentially compromising information that might force the CEO or the board to just decide to pay the ransom.
And then they'll use very sophisticated code that, you know, their developers, who might be, you know, computer science graduates who are underemployed in Russia or Ukraine, have worked hard on perfecting and making sure they don't have any mistakes. They'll launch that, and then they'll pick a demand that is maybe not quite enough to bankrupt the company but is certainly the maximum they think that the victim can afford. And it's a very high-powered, sophisticated, well-researched attack that often leaves a victim in dire straits. And then some of them are more professional than others in regards to negotiating. You know, if they demand $30 million and the company comes back and says, you know, "We'll pay you $5 million," you know, some of these ransomware gangs are very good at negotiating. They're ruthless, they're hard-hearted, they stick to the point, they won't be deterred, and they post samples of the data they've stolen on the dark web to show that they mean business. And they're every bit a match for the negotiators that the victims are hiring. So it can be a very sophisticated, high-stakes conflict.

Well, that's our time for today. I want to thank our panelists Renee Dudley, John Reed Stark and Jeff Kao for this excellent conversation, and our moderator Daniel Golden. And thank you to our audience for joining us today and for all of your thoughtful questions. Again, this event has been recorded, so everyone who registered will receive an email tomorrow with the full video of today's event. We will also post this recording on our YouTube channel. So from all of us at ProPublica, thank you for joining us and have a great rest of your day.