What is Ransomware?

Ransomware Interview Transcript Contents

  • 0:55 - What is a ransomware attack?
  • 2:05 - What happened during the City of Tulsa ransomware attack of spring of 2021?
  • 4:05 - How could an entity as prominent as the City of Tulsa have been victim to a ransomware attack?
  • 4:59 - What industries or organizations are the most susceptible to ransomware attacks?
  • 5:51 - What are some of the first steps that a company and organization should take immediately following a ransomware attack?
  • 8:22 - What are a few things that businesses and organizations can do right now to help prevent ransomware attacks?
  • 9:50 - How can businesses and organizations best protect themselves from ransomware attacks over the long term?

Ransomware Interview Transcript

Ken Lane:  

Well, hello everyone and welcome to another episode of Business Solutions Academy by JD Young Technologies. My name is Ken Lane, and in this episode, we're going to be taking a look at the potentially devastating effects of ransomware attacks on businesses and organizations, where they originate, and what you can do to protect yourself. So to do this, we're speaking with Damon DoRemus. Damon is the Chief Information Officer at JD Young Technologies and heads up the Managed Network Services Division.

So, for all of you joining us in video form or via podcast episode, there's no need to take any notes as we'll be publishing a full transcript of this conversation. You can look in the description information of this episode for a link to the corresponding article in our very helpful resource center at jdyoung.com/resource-center. Damon, thank you for joining us.

Damon DoRemus:

Thanks for having me. 

Ken Lane:  

So, Damon, the City of Tulsa, as it's been in the news, they recently received a ransomware attack. So, firstly, what is a ransomware attack exactly?

Damon DoRemus:  

So, ransomware is software that gets installed on computers, servers, desktops — it can even be on mobile phones. And typically what it does is it encrypts your files or encrypts the operating system — in some cases, the entire device — that's more like lockerware. But ransomware is the scenario where it encrypts the files, and makes it so that you cannot access the data, you cannot access the files without a key or a passcode. 

And then of course, in this case, we would call them "pirates" — they're holding your data hostage, right. And unless you pay them or unless you have the ability to unencrypt the files in some other way, which we wouldn't be able to do without a passcode, well, then they hold you hostage, and so therefore it's called ransomware.

Ken Lane: 

Okay, so what happened during the City of Tulsa ransomware attack of spring of 2021?

Damon DoRemus:  

So we don't exactly know, and it's unlikely that they're ever going to really tell us exactly, you know, "1-2-3" what happened, right? Because we probably don't want to give more information than we need to. However, more often than not, ransomware, unfortunately, comes in from a user interaction. A user receives an email, typically a phishing email, asking them to do something. And that something is typically to install some software or give up another password to someplace else. And so phishing is a broad term that's used. Usually, in ransomware, you have a spear phishing scenario where the bad guys look for someone who would likely have administrative access into systems that would be valuable to them. And they'll send an email to that individual or individuals they think might be in the org[anization] that might have those types of permissions, and try to get them to do something that they shouldn't — sort of a bait and switch kind of scenario, right?

And then, once they're in, it's also pretty common that they sit there and wait. And they monitor and see what's going on in the network to see what targets are higher than others. And then, once they've figured out a good map of what's going on inside the network, then they go ahead and start encrypting files.

So, from an IT perspective, it's extremely difficult in that lots of users do need administrative access in order to be able to install some software. Some software requires administrative access just for it to run. And that's really poor programming, but it exists out there. We all have to deal with that. 

Ken Lane:  

Okay. Well, how is it that an entity as prominent as the City of Tulsa could have fallen victim to a ransomware attack? How would that happen?

Damon DoRemus:

So, we're all unfortunately targets. And the City of Tulsa or really any organization that has lots of information and needs access to it really quickly is a higher target, right? So, pipelines have been in the news of late. Obviously, municipalities are a good example of that. And just because they're a large outfit and their IT department is probably very well run. In fact, how they got back up so quickly is probably [attributed] to really good documentation and good IT management on their part. But they're still a massive target because they have lots of information, and they would be hurt by being down for a long period of time.

Ken Lane:

Okay. Yeah, you mentioned something about them being a key target because they probably hold a lot of information. So, what kinds of industries or organizations do you see are the most susceptible to ransomware attacks — if attackers really discriminate much at all?

Damon DoRemus:  

Well, you're right. To date, they haven't really discriminated a lot — it's been more of a shotgun approach, but we're starting to see much, much more targeted scenarios. And targeted scenarios can be financial, legal, obviously healthcare — anything that allows them to expand their reach and get more victims, unfortunately. 

So, really honestly anybody that has access to PII (personally identifiable information), financial information — any scenario where they can spread further, you're going to be a target.

Ken Lane:  

Goodness. So, what are some of the first steps that a company and organization should take immediately following a ransomware attack?

Damon DoRemus:  

So, the first, obviously, is to talk to your IT department. If you don't have an IT department, then you want to talk to whoever your outsourced IT department is, and you know, if you don't have either one of those, well, we provide that, by the way. So, that would be helpful.

But I mean, the obvious things — start unplugging access to the internet, right? We don't want the infection to go further than it already has. And if you catch it early enough, and you have the ability to restore from backup, the damage may be limited. Unfortunately, we're seeing that, more often than not, they've gotten in some time in the past. And they've been lurking in the background. So, running over real fast and unplugging the router is a great idea. But it may be too late — it just depends on the level of the infection and how long they've been there. 

Ken Lane:  

It's kind of a tourniquet on a snake bite type of approach?

Damon DoRemus: 

It can be absolutely, you know, because really, truthfully, there is no silver bullet against ransomware other than restoring from backup. We can put in amazing software that filters how applications run. We can put in antivirus software, anti-malware software. We can do phishing training for our end users — which we provide for free for our Managed Service customers, by the way.

And I think that's honestly more valuable than any antivirus software because it's the smell test. If you receive something in an email and it looks like it's asking you to do something that doesn't make a lot of sense, smells fishy, well, chances are, it's bad, right? And we're all so busy that we just click, click, click, because we're all so busy trying to get everything done.

So, regardless of all this technology that we put in place, at the end of the day, unfortunately, usually, it's just a quick mistake that nobody really meant with any malice. It just happened, right? So, really, training is definitively the best thing to be able to circumvent this. And then you know, as before, there's no silver bullet aside from restoring from backup.

Ken Lane:  

So, retraining behaviors is almost just as essential as any kind of antivirus or something like that.

Damon DoRemus: 

It absolutely is. Yes. 

Ken Lane:  

Okay. So, what are a few things that businesses and organizations can do right now to help prevent ransomware attacks? We had just spoken about behavioral shifts and all that.

Damon DoRemus:  

Well, obviously training and obviously antivirus. We look at all IT security as a layered approach, right? So, it starts with the firewall and then goes all the way to the end-user. And the end-user is the ultimate firewall, right? I mean, the end-user picking and choosing what to do is, at the end of the day, the end of that long string of all these layered approaches.

But starting with the firewall, then we might have filtering in place for email. We might have antivirus. We might have anti-malware. We might have our NOC (network operations center) and SOC (security operations center) and SIEM (system information and event management) services that are also looking at the computers on a regular basis — looking for activity that looks suspicious. 

So, doing all of those things, again, as a layered approach — good passwords — if you're not using two-factor authentication on anything that you possibly can use, you should be. People frequently think of email as not something that they need to secure. But it all starts with email, right? So, if you don't have two-factor authentication turned on for your email client, you should do so immediately. And really anything else that you have the ability to turn two-factor [authentication] on, you should do it. And that's gonna stop a lot of it.

Ken Lane:  

Okay, so we got two-factor [authentication], behavioral changes, probably just certain backup programs. How else can businesses and organizations best protect themselves going forward from ransomware attacks over the long term?

Damon DoRemus:  

So again, there's no silver bullet [for ransomware] other than restoring from backup. 

We frequently make errors in thinking about what backup is. So, it's common that people say, "Okay, well, I've got a little USB hard drive that's connected to my computer. That's a backup." Well, sure it is, but if you get hit with ransomware, it's going to encrypt that backup because it's connected to your computer. So, there wasn't really a backup. So, in our world, we don't consider data to really exist until it's in three places. So, on the local drive that you're already working on, right, then maybe to a backup drive that's physically connected, or, say, a network-attached storage that's connected to the computer, and then off-site someplace. Obviously, we would prefer it to be off-site and encrypted at our data centers, but really, even if it was off-site, in a medium that was not connected to the internet — say a USB flash drive that was password-protected, and it was at grandma's house — that's okay, too, right? Because we have three different scenarios of our backup. We've got the real-world example, then we've got an immediate near-term backup, and then we've got an off-site backup.

And that off-site backup, in the near term, we're essentially creating what we call a versioned backup, right? And so our Managed Services plan actually puts an even more robust versioning of backups where we could go back, you know, an hour ago, 15 minutes ago, six months ago, a year ago, right? So, if there's a scenario of a ransomware attack, we could go backwards in time to what we consider to be known good, and be able to restore files.

So, businesses, even home users, just keep in mind that a backup only really exists if it's in three places.

Ken Lane: 

Awesome. Well, that was immensely informative. Thanks, Damon, for making the time to chat with us today.

For those of you guys tuning in, if you learned something new today, and feel that others could benefit from this information as well, we always appreciate that thumbs up on YouTube, and hitting that subscribe button so you don't miss any other helpful episodes, as well as sharing this with your friends on social media. 

So, if you'd like to learn more about cybersecurity threats, or any other business solutions-related topics, you're invited to check out our Resource Center at jdyoung.com/resource-center, or you can search for Business Solutions Academy by JD Young Technologies on your favorite podcast player. So thanks a lot, Damon and everyone else. We'll see you next time. 

Damon DoRemus:  

Thanks so much.