Thycotic PAM, IT and Cyber Security Podcast

401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.


Voted "Best Cybersecurity Podcast" in the 2021 Cybersecurity Excellence Awards

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 23

Ransomware Rundown with Dan Lohrmann

EPISODE SUMMARY

Ransomware is one of the biggest threats facing organizations today. It impacts businesses both financially and in regard to productivity. Mike and Joe are joined by Dan Lohrmann, Chief Strategist & Chief Security Officer at Security Mentor with past experience with Lockheed Martin, the NSA, and the State of Michigan.

We cover the gamut from data encryption to the latest ransomware attacks and even cyber insurance. Plus, guidance on the steps you should take now to prepare before becoming a victim.

Resources mentioned in today’s podcast include:
https://csrc.nist.gov/
https://www.nomoreransom.org/
https://www.cisa.gov/ransomware

Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Joseph Carson:
Hi, everyone. Welcome back to another episode of 401 Access Denied. We're really excited to have a previous guest return with us today. This is going to be a fun, interesting topic, and it's one that I think that everyone should be concerned about, because it is the one topic that all organizations can have a serious impact, financially, business-wise.

Joseph Carson:
And we're here to talk about ransomware today. Ransomware is a serious threat, and for me, it's probably one of the biggest threats that all organizations will face this year and beyond, and for the previous years.

Joseph Carson:
I'm joined, again, with my awesome co-host, Mike. Mike, do you want to give us an update and your feedback and-

Mike Gruen:
Yeah. Yeah. Mike Gruen, VP of engineering CISO here at Cybrary. Not much has changed. We just keep pushing these out. But really excited to talk to Dan. As Joe said, previous guest. Ransomware, I think big trend, and it's just going to continue to be the trend of the next few years. Dan, why don't you jump in, introduce yourself, and we'll get started?

Dan Lohrmann:
Yeah. Thanks, guys. Great to be with you again, and really, I enjoyed the show we did back in, I think it was October or maybe end of September. We did a show on the election security. I think we got it pretty right on that one, so I felt pretty-

Joseph Carson:
Yeah...

Dan Lohrmann:
... If you go back and watch that show, actually, most of the stuff we predicted and said actually happened. And the problems were the problems, and the problems that weren't the problems didn't happen. That was a good show.

Dan Lohrmann:
But, yeah. Dan Lohrmann, my background, National Security Agency. I started mid-'80s and was in England with Lockheed and ManTech in the '90s, the US intelligence community, working with US and British intelligence.

Dan Lohrmann:
And 17 years in Michigan government. I had a lot of different roles in Michigan. I was an agency CIO. I was a CTO for the state, CISO for the state, first CISO for all 50 state governments. And then I ended my career with Michigan government in 2011 to 2014. I was the chief security officer over physical and cyber security.

Dan Lohrmann:
Now currently, I work with Security Mentor. We're a security awareness training company. I'm an evangelist for the company. I'm the CSO and chief strategist and do a lot of speaking, blogging, writing, and appearing on great podcasts like yours. And it's great to be with you guys.

Mike Gruen:
Yeah. Thanks for joining us.

Joseph Carson:
That's awesome.

Mike Gruen:
One of my favorite episodes, definitely, to date, was that one, not just because we got some things right, but also because when I said stupid things, you didn't make me feel stupid. That was great. I appreciated that. I like being told I'm wrong but-

Dan Lohrmann:
No stupid questions. No stupid questions.

Mike Gruen:
... Anyway, yeah. Right before we got started, we were sort of talking about ransomware and sort of the trends. I think people think of ransomware in terms of they encrypt your data, and then you pay, and they give you the data back unencrypted and supposedly delete it or destroy it, and then you never hear from them again.

Mike Gruen:
But that's not all there is to it. There's a much larger trend, and you want to just comment on that?

Dan Lohrmann:
Sure. I can.

Joseph Carson:
Yeah. Absolutely.

Dan Lohrmann:
Joe, go ahead.

Joseph Carson:
Yeah. Go. Go, Dan. You kick it off.

Dan Lohrmann:
No. We were just saying, we were just talking that there's a lot of new twists to it. It's coming a lot of different directions now. The latest, I hate to use the word trend, but one of the things that's going on is people keeping your data or selling your data in addition to holding you for extortion or ransom, and different plays on that.

Dan Lohrmann:
Threatening, "Well, if you don't pay, we're going to release this to the public." And if you pay, they still may release it, even though you do pay. Or into the dark web and/or there's a lot of, we'll talk about this, but there's a lot of different opinions.

Dan Lohrmann:
And we talk about the FBI and cyber insurance and lots of different aspects of this. But should you pay at all? And laws even around don't pay. We will not pay. And the good, the bad, and the ugly with that. There's a lot of twists to it.

Dan Lohrmann:
Obviously, the ransomware piece, we can get into this a little bit, versus just traditional extortion. We're talking about data on the Internet, data, digital assets that are being encrypted, and that's obviously making this more relevant for the Internet today.

Joseph Carson:
Yeah. Absolutely. The industry's evolved, which has really created, I guess, an ideal target for ransomware. And this is really coming into a lot of services are being connected online. They're going cloud computing. You've got critical infrastructure getting connected directly to the public Internet.

Joseph Carson:
We've also seen cryptocurrencies being really the currency of choice that really enables malicious actors to get the actual payment and ransomware cross border as well. Previously, it would have been through traditional means of financial, but there's been a lot of things. Connectivity and cryptocurrencies is what's really enabled ransomware to evolve over the years.

Joseph Carson:
And I've seen organizations have really tried to become more resilient to ransomware as well by having a much stronger backup strategy. And this is really where ransomware has evolved even further. As you're saying, Dan, it's no longer just about making your systems unbootable or corrupted or data poisoning.

Joseph Carson:
Now it's moved into basically extracting the data and then threatening to disclose it, because if you have a good solid backup strategy, what it means is that you'll be able to recover. And now you're at risk, basically, from the attackers from disclosing it publicly.

Joseph Carson:
It's going to evolve. I think it's going to even evolve further into not just about data, but even systems, transportation, critical infrastructure. This is going to continue being where maybe public transportation isn't available. Maybe it becomes into those types. You're watching a sports game, maybe the Super Bowl on TV, and all of a sudden, ransomware that you can't watch it until you pay quickly in order to get it back online again.

Joseph Carson:
I think it's going to continue to evolve, and I think it's going to expand further into new areas, not just about data and disclosing, extortion of data information as well. I think it's going to be continued. This is the biggest threat, I think, that organizations face, because it has a real impact to the business itself, financially and productivity.

Dan Lohrmann:
One more thing on what you just said, Joe. Excellent points, certainly about Bitcoin, all of it. We've seen some of that already with cities. My kind of focus, my career has been government, but SLED, the SLED market, state, local, government, education, where Baltimore had their ransomware, and Philadelphia, where you people... They shut down government. They shut down government in Atlanta.

Dan Lohrmann:
They shut down the government in Philadelphia and other cities, other small towns, counties, where they could... If you wanted to buy a house in Baltimore during that month, they weren't closing. You couldn't. It shut down whole industries because you couldn't buy and sell houses, because they couldn't issue all the different paperwork. And I won't go into all the specifics, but that people needed to do.

Dan Lohrmann:
People shutting down mail systems. Not so much just bringing down an electricity generator, but if they can bring down the operations, we've already seen some of that, actually bring down the business around a function, certainly of government, they have caused massive disruption to everyday life already, in America and around the world.

Joseph Carson:
Yeah. Absolutely. And Mike, any thoughts around... You were talking about the kind of move into the extortion work, as you were saying. What's your take on ransomware from your perspective?

Mike Gruen:
Yeah. I think we talked about it a little bit at the beginning with the, they have your data. Now you're paying to get it released, or paying to have it not released. There's this sense of, they have your data. You're paying to get the data back. And then there's also, if you have sensitive information, they might release it into the world. And then you have to pay to prevent that. There's all those aspects. And I think that's going to just continue to be a trend.

Mike Gruen:
And so I think where, from an industry perspective, where we need to really start focusing is how do we make it so that even if somebody has our data, it's useless to them anyway? Like encryption. There's all these different places where the data that we have is totally unencrypted and available, whether it's because the applications are running and have to be able to read and write and interact with them.

Mike Gruen:
We need to just do a better job. I think there's a lot from network engineering and other places, other practices, where how we secure things such that these types of risks aren't there. So what? You have my data. It's encrypted. It's not going to do you any good. And I don't know how we get there. I don't know how we bridge that gap.

Joseph Carson:
I think the big challenge that I've seen with organizations is managing that. It's a big cost to organizations. We've improved over the years to doing encryption during transit. When data is moving between systems or moving across the Internet in general, we've been good at actually encrypting in transit and with improvements in protocols.

Joseph Carson:
However, to have data encryption at rest, that's expensive and costly. And I think that's the challenge with organizations that are looking at this from a perspective is that, if I'm a bank, and I'm protecting the walls around what's my most valuable things, now I actually have to put everything into small encryption and protect it even further. What's the point of even having those walls?

Mike Gruen:
I guess where I'm going is that there's this other... You have a laptop. Let's just break it down real simple. I have a laptop. It's encrypted at rest when I have full disk encryption enabled, and so you need my password in order to get the data.

Mike Gruen:
However, once I'm on my computer, my operating system has unencrypted the data, and now it's not in transit, and it's not really at rest anymore, because I'm interacting. I'm using it. I'm working with it. At that moment, all of the data on my computer is available for all of the processes that are on the computer, which means that's the point at which I'm vulnerable.

Mike Gruen:
That's where malware is attacking. That's this one section that I think is really lacking in our security. It's like, "Great. It's encrypted at rest. If somebody steals my laptop while it was off, we're protected. And when I'm transferring data off of my laptop, it's protected." But there's this big gap where-

Joseph Carson:
Which is a big gap.

Mike Gruen:
... Right. It's a huge gap, and that's where malware comes in.

Joseph Carson:
When you're actually doing your work.

Mike Gruen:
Right. And I'm curious what Dan's thoughts are, but whenever I fill out these security questionnaires, like, "Is data encrypted at rest? Is data encrypted in transit?" Yes, and yes, but yet these problems still persist. Obviously, these aren't the only two places where there's a problem. And how are we attacking that? And I think that's where the biggest risk is, and that's where we need more focus. I'm curious, Dan, about your thoughts.

Dan Lohrmann:
Yeah. No. Totally agree. And I think I'm doing a couple other sessions earlier this week and then one tomorrow. It's about the human factor. Depending on which studies you look at and which polls you believe, it's all over the map, but anywhere from 60% to 90% of security data breaches could have been prevented had the end user done something differently.

Dan Lohrmann:
Now, that's a broad category. I agree. You could drive a truck through that. But had you not clicked on a link, had you changed your password, had you not reused your password. Whatever.

Dan Lohrmann:
In so many of these ransomware attacks, you say, "Well, it all began because Frank clicked on a link." To your point, then somebody gets in. I know last week you guys had SolarWinds. Somehow, these people are getting into these environments.

Dan Lohrmann:
And some of the stories, we could tell some stories. But some of the ransomware stories, I've got two or three I can share, are just unbelievable when you think some of these people have been in for a long time. They're in your systems. They're in your servers. They're in your laptop. They're watching. They're taking over your cameras. They're doing whatever they can.

Dan Lohrmann:
But what's happening is some stories, I won't go through a whole long list, but one company I know in Grand Rapids, it's literally, they had been in there for three months. It's almost like a movie. Five minutes before they hit the button, they call the CEO of the company, and it's like, "We own you. There's nothing you can do. Yada, yada, yada, yada, yada." Trashmouth talk. And boom, hit the button.

Dan Lohrmann:
They knew where the backups were. They were in the cloud. They were separated. But they had been in there for so long just watching and learning the systems that they had actually, yes, they encrypted the backups. They knew all of that, because they had been in there. They had been in their email accounts. They had been in the system accounts, and they basically owned them. And then ransomware was the way they monetized it.

Dan Lohrmann:
My point is I'm with you, and it's hard. Any one piece is difficult because there is always... Can we get better? Sure. The bad guys are going to keep evolving as well, and they're going to see what you're doing to protect yourself. I'm not saying there's no solutions there, because I'm all about answers and solutions, and we need to get to some of those at the end here, guys, of how people-

Mike Gruen:
Right. Absolutely.

Dan Lohrmann:
... protect themselves. I'm not hopeless, but it's a complicated issue.

Joseph Carson:
Absolutely. Just going back, I think there's a difference here, is that what I've seen is that for me becoming a single victim of ransomware on my system is one thing, but for what attackers will tend to do is they will go in and basically look in order to elevate to full domain credentials. And it's when they get domain credentials, and then they start finding out where all the servers are, where all the data is. Where is the backups?

Joseph Carson:
And now those credentials that I have, I can then unlock all the systems in the network with a full domain administrator credential. I can actually do map drives. I can access all the systems. I can elevate credentials even further.

Joseph Carson:
And ultimately, what they end up doing is once they've got the full domain credentials, that's been basically they will deliver the payload. And having full domain means they can map a drive to all systems in the network in an automated way. All of a sudden, they just drop the ransomware on every single system and execute it, and they'll delete their history and their logs of everything they've done prior to that point in time. And now all of a sudden, the organization's basically at a standstill. All systems are encrypted. Nothing's working.

Joseph Carson:
Now, the problem is, going back to Dan, absolutely, you mentioned about having backups, and they'll look for the online backups, and they'll encrypt those as well. What this really gets into is we have to face the challenge that online backups are good against hardware failures or, let's say, network failures or availability failures. They're not good for ransomware.

Joseph Carson:
When we talk about ransomware, you have to get into having a solid offline backup. That's the only thing is you have to look at a backup strategy, and your backup strategy is only as good as what you're defending against. And if you're only looking at that hardware failure, which is why we do backups in the first place, hard disks have a good three, five year life span. We always have hard disks failures, and that's where you get into RAID, and we get into off site backups in regards to fire and other physical types of damage.

Joseph Carson:
But if it's online, that's basically the risk. And therefore, we need to make sure that periodically, organizations have to make sure they actually do an offline backup and actually rotate it just like I rotate disks all the time, just to make sure that even if I do have a hardware failure or a ransomware attack, that I still have a backup of X amount of time.

Joseph Carson:
That's where you get into that you don't have to pay the ransom unless you get into the fear of the actually disclosing side, the extortion piece. That's where you start having to worry about. And then organizations are then challenged because if you have a breach and data's been stolen, that's... Actually in the Verizon data breach investigation report last year, for the first time, they indicated that ransomware was considered a data breach, where previously it was a security incident. And they changed that classification because ransomware is now stealing data and not just about encrypting it. That classification had been changed.

Joseph Carson:
And it really means that we have to look at ransomware now broader. It means that it has regulatory compliance issues. Now we have got data loss, data disclosure. Now I have to notify regulations, either through things like GDPR or California Consumer Privacy Act. All of those start to trigger, and now I'm now at fear of being in failure of compliance and having major fines that way.

Joseph Carson:
It's really extending and broadening the scope, and we have to make sure that with ransomware, it's a multi-strategy approach. You can't just take one. And that's why we're talking about data encryption at rest. We're talking about having offline backups of systems, having good incident response. And ultimately, even getting into segregation of duties. Your backup team should not have the same credentials as your production team.

Joseph Carson:
It's a very, very difficult thing to defend against, but ultimately, the reason why, Dan, you mentioned it being for months at a time, is they're looking to continually elevate their credentials. They're mapping out. They're creating that site map. They're creating their digital, basically, footprint of the organization to understand when they do trigger that malicious payload, they want to make sure that the organization comes to a standstill. They want to make sure that they have no other choice or option but to consider paying the ransom.

Mike Gruen:
Well, and that's the other reason why they might be in the system for a long time. If your only option is to restore to backups three months ago, six months ago, how far back in time can you afford to go? And even with the risk of an offline backup, you might be just restoring something that they still own. And now-

Joseph Carson:
Correct.

Mike Gruen:
... you're just extending the period of time you're really SOL. Great. We restored from three months ago. Let's get back and running. And three months later, it's all happening again. I'm curious, Dan, what are your thoughts? How should companies be dealing with that?

Dan Lohrmann:
Yeah. These are great points, and Joe and both excellent analysis. I want to mention one thing before I answer your question, Mike. Just for the audience, some scale here. The growth in ransomware is phenomenal. I remember 2019, in 2019, I said ransomware was the top story of the year for state and local governments, because it had hit... It grew 180% from the previous year. Some people would even say 380% depending on what numbers you look at. I have different data behind that.

Dan Lohrmann:
But then 2020, it was 100% growth from there. It's really exponential growth, and the industries, lots of state and local government are being hit, but companies are being hit. Hospitals are being hit. And so I just want to mention that. This is really ubiquitous right now.

Dan Lohrmann:
And I agree with Joe. It is probably the top issue out there right now. If you were to look across the board in the cyber security industry, you've got to say ransomware is right at the top of the list. I just want to throw that in there.

Mike Gruen:
Yeah. Absolutely. I don't want to go into too deep onto why that is, but I do think there's lots of reasons why 2020 especially, we see this explosion. Part of it is it was a-

Mike Gruen:
... bunch of years ago. It was a new technology. And so only very sophisticated or whatever people had to write it. Now, it's turnkey. It's so easy.

Joseph Carson:
It's a service.

Mike Gruen:
Right. It's just easy money, and-

Joseph Carson:
So-

Mike Gruen:
... Yeah, so-

Joseph Carson:
... What's happening is that you've got multiple participators and attackers in this whole chain. You've got the actually ransomware traders, those who's actually developing it. They're the ones that's creating the code. They're not the ones typically deploying it. What they're doing is they're selling it as a service to those basically on the dark web. Basically, you can go and say, "Give me the latest version that you have." It's like a marketplace for ransomware.

Joseph Carson:
You've got the ones that's creating it. You've got those who are buying it. And then, you also have got out there, is you've got the scanners and the access, the people who's actually specialized in gaining access to organizations. They're not typically also the people deploying it. They're the one who's selling the access.

Joseph Carson:
You've got multiple actors here, multiple criminals as part of this whole organized, it's an organized crime with basically different gangs operating in different areas. This is really where we have to look at it as not one single operator. It's not the same person creating it. It's not the same person delivering. And it's not the same person who's actually gaining access.

Joseph Carson:
The person who delivers the payload has potentially either bought the credentials to gain access. They've actually bought it as maybe an affiliation program, the ransomware itself, so they'll actually pay back part of their profit. This is the problem is that it's multiple organized criminal gangs that's participating in this, all specializing in different skillsets.

Mike Gruen:
Yeah.

Dan Lohrmann:
Yeah. Getting back to Mike's question-

Mike Gruen:
Yeah. Yeah. Sorry. Sorry.

Dan Lohrmann:
... I think there's a lot of answers. There's no one silver bullet. I totally agree with Joe. It's a complicated question. I do think it starts with good online backups that are regularly done, online and offline backups. I'm saying offline backups. I actually meant offline backups that are tested, and testing those, and having quick response, having indicators of compromise, having different people in place and processes in place.

Dan Lohrmann:
Certainly for organizations and governments that I work with, having really good incident response plans, and being ready for this, being ready for sadly, when it happens. And really, the word that I keep hearing from the Department of Homeland Security and others in Washington, but it's a good word, is resiliency, is being resilient. And there's a lot of different ways you can be resilient, and we can talk about that.

Dan Lohrmann:
I certainly want to talk, we get into a little bit, guys, about cyber insurance and the good, bad, and ugly with cyber insurance, because I think that is part of the solution that a lot of people say, "Well, we can't stop it. It's coming, so let's buy cyber insurance."

Dan Lohrmann:
And there's a lot of pros to cyber insurance. I'm not anti cyber insurance. Same time, there's a lot of negatives with cyber insurance, too. And so we can talk about that if you want to go there.

Dan Lohrmann:
But, yeah. Great backups offline that are tested, that are regular, that you know are good and that you know are, Joe, I don't know if you can ever get there, but clean. And we've been talking about this for 30 years, having a good baseline that you know that you can go back to, that is stable, that you can run your business on.

Dan Lohrmann:
We could have said that in the '90s. Maybe it was viruses or different terms. But, yeah. I agree with you, Mike, earlier. You've got to coin that term, give people ideas out here. Coin that term extortionware. It is extortion. It's a new trend on this.

Dan Lohrmann:
But maybe a little later as well, I can tell you a little story that goes back to 2006 where, in an exercise we did in the state of Michigan, we actually ran into ransomware. This was seven years before it was even out there. Somebody said they coined the term in '89. I don't really believe that. But we had never heard of it before, but it came out in an exercise. If you want to hear the story, I'll tell it to you.

Dan Lohrmann:
But we actually ran scenarios in Michigan government when I was CISO and working with Department of Homeland Security, working with others, where we ran into this. We mocked it and laughed at it. Little did we know that seven, eight, nine years, 10 years later, 15 years later, this would become the number one issue in the world for cyber pros.

Mike Gruen:
Who was in the room at the time, because they're probably a billionaire, right? They did this, right? It's all them. That's the bad guy.

Dan Lohrmann:
No. Let me tell you the story real quick. It's a funny story, and I'll try to make it real quick, guys.

Mike Gruen:
Please.

Dan Lohrmann:
This is a funny story. We were part of CyberStorm One. I don't know if you guys know what CyberStorms are, but CyberStorms is one, two, three, four, five, six. Every two years, Homeland Security does this big exercise. It's a tabletop, like an exercise they do. I think they're up to CyberStorm Seven is the coming year. In 2018, I think they did CyberStorm Six.

Dan Lohrmann:
Four states were involved, Homeland Security, a bunch of federal agencies. UK was involved, I think New Zealand, Australia, France, Germany. It was a big exercise. How is your team going to respond to this major incident?

Dan Lohrmann:
And the easiest way to describe CyberStorm One is to literally think about if you've ever seen the movie Die Hard 4: Live Free and Die Hard. That was CyberStorm One. It was way over the top. It was a few years after 9/11, because we're used to buildings being blown up and things.

Dan Lohrmann:
The first thing that happened in CyberStorm One is they blew up our data center. Literally, a bomb went off. Boom. It's gone. No more data center. There was no cloud at the time. All these different things happened. They hacked our other thing. It was all hell broke loose. The city was in ruins. There was rubble. We were basically dead and game over.

Dan Lohrmann:
This was a five day exercise. We get to Thursday afternoon, and they said, "There's one more thing you've got to do before we can end the exercise." We're like, "Okay." We need a new Bull mainframe. We've got to get a Bull mainframe. Our whole payroll was running on Bull at the time. I don't even know if there is even a Bull anymore, out of France, if it even exists. We were running on a Bull, B-U-L-L, Bull mainframe.

Dan Lohrmann:
And we're like, "Okay. Well, how are we going to do that?" Said, "Well, read the instructions." We opened the playbook, and there it is. Call France on the red phone. We pick up the red phone, literally, the red phone on the desk. We pick it up. We're play acting this. President Clinton here, or whatever, President Bush.

Dan Lohrmann:
Picking up the phone. We need a Bull mainframe. It's Bull headquarters in France, and they're play acting this whole thing. They got a guy on there with a real thick French accent. I'm not going to try to imitate it. Literally, I can barely understand the guy.

Dan Lohrmann:
He's like, "We need a Bull mainframe." They're like, "Ah. Yes. We've got one Bull mainframe left. There's one in the world." And we're like, "Oh. One." He says, "Yes." I said, "Okay. Well, we want that. We'll buy it right now for $12 million." We knew it was 12 million.

Dan Lohrmann:
And then it was silence, and the guy says, "We want $45 million." And I'm like, "45 million?" I put my hand on the phone. Everybody in the room was like, "They want 45 million for the Bull mainframe." And then everyone's like, "Ah, it's extortion. It's extortion." And everyone's yelling.

Dan Lohrmann:
And so we went through the whole thing. We negotiated. We bought it for 23 million. The exercise ended. It was all tabletop.

Dan Lohrmann:
Next day, we're doing the hot wash, which is the last day, going through the good, the bad, and the ugly, what went well. What did you like? What didn't you like?

Dan Lohrmann:
One of my engineers raises his hands, really sharp guy who's very, very famous now, good guy, making a lot of money. He says to me, "Dan, that whole thing with the Bull mainframe. That would never happen. They were extorting money because of a Bull mainframe." One guy said, "Yeah. They were holding us for ransom. That's unbelievable. That would never happen in this world."

Dan Lohrmann:
And then somebody else, literally, I kid you not, somebody else in the back says, "Yeah. Let's write it on the board. Ransomware." Everyone was laughing as if this is a big joke. This is 2006, guys, 2006.

Mike Gruen:
Right. Wow.

Dan Lohrmann:
This all happened. And DHS thought about this seven years... I say seven years, because 2013, if you start looking at all the literature and going back in history, some people like doing this. Some people are like, "I don't want to take the time."

Dan Lohrmann:
It was about 2013 when you really started seeing a growth in ransomware. Obviously, it got bigger and bigger and bigger and bigger, and I said it was the story of the year in 2019, in my opinion. Now, it's clearly number one. But back, 2013, it started showing up.

Dan Lohrmann:
2006. I challenge anybody to show me an article that says, "I was hit by ransomware in '06." I don't think it's out there. I haven't seen any.

Dan Lohrmann:
But my point is, what's the moral of the story? Organizations, do cyber exercises. Do tabletops. I don't know what the thing's going to be in 2030 or 2025, but if you play out some scenarios and really think them through, what would you really do if this happened or that happened?

Dan Lohrmann:
Work with some scenario planners. We worked with Homeland Security. Obviously, there were some smart people in that room that thought about this. They knew what they were doing. They had done their homework, and they put that into the scenario in '06.

Dan Lohrmann:
And so my point is, you can predict the future of your organization if you know your business, you know your organization, you know your backups, you know your systems. You do your job well and do it really well.

Dan Lohrmann:
Just like football. The defense is going to change. The offense has got to change. They take away the wide receiver. We're going to run the football. It's a little bit like football analogies. They're going to change. We're going to change. We're going to adapt. We're going to call an audible. We're going to be Tom Brady at the line, and we're going to make a change, and we're going to be ready for what's coming at us. And if you do that well, you can win football games.

Dan Lohrmann:
And so I think organizations shouldn't just throw in the towel. I think they need to do all the things Joe talked about. They need to do their basics. They need to have good plans. They need to have good security awareness training. They need to be teaching their people those things. But they also need to be doing incident tabletops and those kinds of things as well.

Mike Gruen:
Yeah. No. I think the big thing that I talk to lots of people and I ask, "What are you guys doing around incident response?" We have an incident response plan. But are you running through it? Great. You have a plan. What happens when it happens? Do you actually know? Have you run through it?

Mike Gruen:
I think Joe and I were talking about, do I have Joe on speed dial so that I can get... My organization, we're small. We can do a little bit, and we can figure some stuff out, but there's a certain point at which we potentially are going to do more harm than good. And do we have people who we can rely on who can help us through this?

Mike Gruen:
And so I think these are all important things. Have tabletops and go through it, I think are some of the biggest. Be prepared. It's just such an inevitability for so many organizations, that the best thing you can do is just be prepared for it, I think, is a great takeaway.

Joseph Carson:
Yeah. Absolutely. It is so critical to do these exercises. It's so important to go through the incident response plan and practice it, and not just doing it in silos within your IT team or your security team. You have to involve every other department, and even third party external companies you deal with as well. It's important that you bring everyone involved. The CFO needs to be involved. You need to have your legal team involved.

Joseph Carson:
Your communication, your support team need to understand about when you're in a situation, you might have customers calling you. You might have, all of a sudden your phone line is unavailable because so many people's calling to find out what's going on.

Dan Lohrmann:
Absolutely.

Joseph Carson:
It's really important that these take what I refer to as a full 360 approach, that you basically make sure that everyone in different departments are involved. And that's where you get creativity. That's where you get, Dan, as you mentioned, people become creative into different potential scenarios that may have never been seen before.

Joseph Carson:
And that's where you start really understanding about what's important to the business. How do you become more resilient? And I think those are what's critical. Organizations need to practice this. And just like you would do a fire drill, just like you do safety talks and safety scenarios, this is a safety scenario.

Joseph Carson:
And going back also, one thing that I find as well is sometimes organizations, when people are leaving the office and going home, an incident I've seen that actually was lucky enough that a lot of the desktops were unimpacted by the ransom, was that they actually turned them off at night when they left. When they leave home, 5:00 in the evening, 6:00, whatever, they shut down the systems.

Joseph Carson:
And most attackers, if you're in a country, most attackers are on different time zones. They're not down the street in a coffee place attacking your organization. They're in a different time zone, typically, in their lunch hour or their evening, attacking you.

Joseph Carson:
And what that means, most likely, it's out of your business hours. It's outside of normal business hours. If your systems are off or switched off, you have proper segmentation as well, but when the attackers do deploy the payload, that if systems are not turned on, you have a better chance of having some systems becoming protected from being affected as well.

Joseph Carson:
There's a lot of different scenarios that organizations need to practice in these tests and incident response that will help them become more resilient.

Dan Lohrmann:
I totally agree. And I think one of the tabletops, especially, I'm with you. We did statewide ones. We used to do, even later, in '11, '12, '14, '13, '14, I've done a number of them even in the last couple of years with different states and governments bringing in, like you said, the private sector partners, bringing in the utilities for what would happen if we had... We did.

Dan Lohrmann:
We had a blackout in the USA in 2003 in Michigan. We went down. The Northeast went down. And we lived through that. Saying all the power going out for a couple days, whether it's cyber or whether it's a storm or whether it's ice or whatever, that's not that far fetched.

Dan Lohrmann:
And so I remember after that blackout, we had two of our three data centers at the time that did not have generators, literally. And we came out of the blackout of '03. I'd spent four days at the emergency command center for state police in Michigan, and we came out with a laundry list of action items. Going to take this in a different direction. But people need to act, after.

Dan Lohrmann:
I think the story a couple weeks ago, we would be neglecting the topic. What happened in the UK? You guys can speak to it, too, but a company got hit. They paid the ransom. And then they, I don't know if they went on vacation or what they did, but two weeks later, they came back and did the same thing over again, and they had to pay twice.

Mike Gruen:
That's-

Dan Lohrmann:
Crazy? They didn't do anything, or if they did, they didn't stop anything, and it was like a double whammy. I got the article, if you guys want to bring it up and we could talk about it. But the reality is you've got to really take action.

Dan Lohrmann:
And you've got to think about the ramifications of what's going to happen and get different people involved, whether it's power outages, whether it's, you said it, critical infrastructure, Joe, or your core business, being able to learn from that and then apply the lessons learned.

Dan Lohrmann:
In that blackout, I was just going to say, we went out right away. We got generators for those other data centers. It seems so obvious. Why wouldn't you have... but at that time, data centers weren't... We were kind of consolidating from literally hundreds of broom closet servers all over the state government.

Dan Lohrmann:
And now we created these things called data centers, which 20 years ago, was kind of a new thing. Not totally, but we had a lot of random servers that we consolidated into much more secure spaces. And then they were being protected adequately.

Dan Lohrmann:
We went out. We got generators for them. Next year, we have a big ice storm in Michigan. Lansing's dead for a day, but all of our data centers have backup power because we had the generators in place. It actually helped us for other things.

Dan Lohrmann:
My point is resiliency is obviously cyber security, but it's also really all of the aspects of the business, as Joe mentioned. And we would get the governor involved. We'd get the cabinet involved in government.

Dan Lohrmann:
You need to get your business leaders involved. And there could be different levels of tabletops. You can do them at your department level. You can do them at the company level. You can do them literally at the state level. We've done them where it was, like I said, the utility's involved. The hospital's involved.

Dan Lohrmann:
What is the scenario? We did them for bird flu, getting ready for COVID, not really thinking we'd have a worldwide pandemic in 2020. But those things were in place because of some of the processes and plans we put in place a decade earlier.

Mike Gruen:
And I think-

Joseph Carson:
Yeah.

Mike Gruen:
... testing is an important part, because you have this power failure. You go out, get generators for your data center.

Mike Gruen:
Similar story, but the data center that we were using, this is a long time ago, they had generators, but the time it took for the generator to come back online, all of these machines went down. It wasn't a total outage, but it took a long time to... Oh, some machines actually had UPSs and were able to last long enough. Others didn't. And then we spent hours trying to get the system back online, all of these various systems back online in an appropriate way.

Mike Gruen:
It's not just, oh, we got the generator. It's like, now test it. Make sure it works. What's our process? Gasoline goes bad. Are we changing the gasoline in there? What are we doing to stabilize it? Those types of things.

Mike Gruen:
There's so many more than just get the generator, and I think that's where these tabletop exercises and going through it and actually, physically testing things in some cases to learn, oh, no, it takes 10 minutes to switch over from regular power to the backup generator. And what are we doing?

Joseph Carson:
And you could have 10 minutes in your UPS as well.

Mike Gruen:
Exactly.

Joseph Carson:
I'm not going to make it.

Mike Gruen:
Exactly. 10 minutes is pushing it on some of them.

Joseph Carson:
Everyone grab a battery and start heating it up to keep it going.

Mike Gruen:
Right. Well, now we all have electric cars. We just have to just do the inverter to run the data center.

Joseph Carson:
I've seen a transition over my time. To come back to one thing that Dan, you mentioned it, and Mike as well, I've seen a case a few years ago where an organization had basically become a victim of ransomware, and they restored from the backups and continued perfectly onwards and thought they were quite resilient, until they end up finding that basically, the ransomware was in the backup itself.

Joseph Carson:
And they simply had restored it, and it was there basically waiting on a schedule for so many machines to be infected, and then it triggered. And all of a sudden, they realized that now they'd actually had the ransomware twice within the space of a month. And no longer it was 15 days of data they'd lost. They'd lost the entire month. And then they had to go and find out which backup to go to. When's a good backup?

Joseph Carson:
To go back to one of Dan's points as well is that even those who become victims who did pay the ransom, that sends a signal to other criminals, because we're not just dealing with one ransomware guy in the world. There's hundreds of them, even thousands of them, even some that are state sponsored that are basically given a blind eye by some governments in order to carry out their criminal activities, as long as they don't do it in their own, let's say, national borders. And this becomes a major issue.

Joseph Carson:
You end up getting those scenarios about, if you do pay, then you basically open yourself up become, if you don't try to change and you don't try to put resiliency in place and modify your security controls to close those back doors that had been exposed, that you end up becoming a target of other gangs who will say, "Hey."

Joseph Carson:
And that's not to say that the ransomware gang that you dealt with that you paid the ransom, they will go and sell the access to other organizations as well to make more money. And now all of a sudden, you become a target of those.

Joseph Carson:
This is a major issue. And it's part of the incident response. It's part of those assessments. You have to perform risk assessments. You have to understand what is critical to the business. How much do systems cost when they're not running for the business? What's that gap? What's that cost? And therefore, it will give you an idea of basically the tangible financial cost or the impact, and therefore give you some idea about what you should be investing in to reduce that risk.

Mike Gruen:
Yeah. And I think, and Dan, I'm sorry to jump in, but I think part of my job a lot of times is trying to justify the cost of whatever it is that we're doing. I think, to Joe's point, right. Tying it to business outcomes, values, okay, or whatever you want to call it, that's how you get what you need in-

Joseph Carson:
Correct.

Mike Gruen:
... at the top of the organization. That's how you get the money. But also, to what Dan was talking about earlier, it could be from an ice storm. It's not always cyber. It's also tying into, what are some other... let's think about all of the risks and make sure that... and it makes it much easier to budget for when you're saying, "Hey, no. These are all these various things that could result in this, and this thing that I'm looking to purchase or this thing I'm looking to do sort of helps to satisfy or mitigate all of these various risks, including weather, flu, pandemics-"

Joseph Carson:
Yeah. Squirrels and rats are the biggest cyber criminals.

Mike Gruen:
... Exactly. Mice. Bed bugs. If you're-

Mike Gruen:
... Depending on what industry you're in, bed bugs might be a real problem. I think it's also working with other departments to tie these risks together or understand the risks of the business and do that.

Dan Lohrmann:
Yeah. I think, guys, there's two points on that. Mike, I think you mentioned earlier, COVID, and it's changed for a lot of organizations, too, in 2020, because now you're working from home. Maybe you've got data backed up in the cloud. Maybe you've got cloud services, software as a service. You've got different opportunities and different services.

Dan Lohrmann:
But maybe an ice storm brings down Michigan, and all the homes are down. If 100% of your employees are all over Lansing and an ice storm hits and power... Thankfully, that didn't happen this winter, but where before you could maybe keep the building up or keep the network up and everybody was on the network, and maybe even, maybe not, your PCs were backed up or had backup power, generators, whatever, now maybe not so much.

Dan Lohrmann:
But my point is it's a constantly changing environment. And COVID, work from home is a whole 'nother topic we could talk about, but certainly complicates things. I think that a lot of studies coming out now, we said it last spring pretty widely, that there's data breaches being created now by all these business process changes.

Dan Lohrmann:
But as things change, and now they change back again or change partially back to maybe going back to the office, maybe not, it's an evolving thing. It's not a moment in time, static. You've got to constantly be thinking ahead, thinking about the next thing.

Dan Lohrmann:
I also want to bring up, guys, and I really would like to talk, get your thoughts on the cyber insurance question, because I think for a lot of people, their answer is, "Oh, we've got cyber insurance. We're good."

Dan Lohrmann:
There's one quick story I'd like to share with you, if you don't mind, quickly, and then-

Mike Gruen:
Please. Sure.

Dan Lohrmann:
... and then just kind of, there's a bunch of questions. We could spend the whole set. Maybe next time I come back, we just talk about cyber insurance. But it-

Mike Gruen:
Yeah. I would love to have you back for cyber insurance. I have some friends we can bring on. It'll be great.

Dan Lohrmann:
... It's a great topic. Overall, I want you all to know I think there are benefits to it, and they're getting smarter. They're getting better. The prices are going up. Because people are getting hit, they have checklists. They say, "You have to do these things before we're going to give you the policy."

Dan Lohrmann:
And I think CFOs sometimes really will listen to the chief security officers, because they say, "We can't get the cyber insurance policy unless we do these 10 things which, oh, by the way, I've been saying the same things for the last few years, but I couldn't get the CFO to pay for."

Dan Lohrmann:
There's a lot of good with that. There's a local company here in Lansing, I'll just share the story, that was hit. They had cyber insurance. They had a $5 million policy. I'm not going to go into too many details about it, but I'll just say at a high level, generically, they didn't want to pay.

Dan Lohrmann:
They were like, "We're not paying." Cyber insurance company said, "Oh, well, we know these people, and we can talk them down to 1.2 million," which is interesting in and of itself. We could talk about that.

Dan Lohrmann:
By the way, if you don't go this route, it's your decision, but if you don't go this route, we're only going to give you 1.2 million. We're not going to give you five million, because we think it's going to cost you eight million to rebuild all your systems and to do all the things you need to do.

Dan Lohrmann:
It's almost like, I don't want to use the word extortion from the cyber insurance company. I didn't say that. But that's a little bit of how the security team may feel sometimes. It's kind of like, "Well, what are we going to do?"

Dan Lohrmann:
Guess what they did. They did what the insurance company did. They paid the ransom. They got 80% of their data back, and they got some data that wasn't... They got it resolved.

Dan Lohrmann:
But there's a lot of morals to that story, and a lot of people say, and I even did an article about a year ago about, do insurance companies encourage paying the ransom? And they keep claiming they don't, and they come out publicly saying they don't, and it's always the company's decision. And I think they really believe that. But there's an underlying question around, are their policies and procedures encouraging negotiating and paying the ransom?

Dan Lohrmann:
And even in New York City, just came out, a commission around what insurers can and can't do in New York. People are talking about it becoming a new model for the country and maybe the world, around practices and ethical practices, best practices around cyber insurance. And so that just came out.

Dan Lohrmann:
And so there's a lot to this. There's a lot of aspects of it. But there's definitely a relationship between ransomware, paying ransoms. Obviously, people buying cyber insurance, they think that this is going to help them if they get hit, and it's going to pay for the expenses they're going to incur. I'd love to hear your thoughts on it, guys.

Joseph Carson:
Absolutely.

Mike Gruen:
Can't I just pay the bad guys ahead of time so they don't attack me?

Joseph Carson:
That's the challenge. I am a person that I'm very against fueling future cyber crime. If we provide continual funding cyber crime, it's just going to get worse. They're going to be able to hire more sophisticated developers and people, and it's going to be basically an increasing, ongoing problem that we will never fix, if we keep funding it.

Joseph Carson:
And this is a collaborative approach. I've even seen some governments getting into thinking about cyber offensive in this area, that they will attack ransomware gangs and countries. And this gets into, really, because what you end up doing is you're attacking the victims that they're abusing and using their system to attack you. It gets into even more complicated when you're looking at the cyber offensive.

Joseph Carson:
But going back on Dan's mention around cyber insurance. For me, I came across 10 years ago, I worked in the maritime side of things, working in maritime protection and security and cyber. And it was at the highlight of the piracy.

Joseph Carson:
And we're in the same situation that the shipping companies were between 2006 and 2012, 2013, where pirates used the same thing. It was basically taking hold of ships and therefore basically, they were holding them ransom. And those shipping companies had to pay so the pirates would not damage or hurt the crew or even damage the goods they were carrying. If it was a ship that was carrying, let's say, oil, and they turned off the heating, and all of a sudden that oil would thicken and create cracks.

Joseph Carson:
There's a lot of challenges, and I see similarities in how the insurance worked then is how we're working today in cyber, is that ultimately, the cyber insurance's goal is to basically minimize the cost as much as possible. If that means paying the insurance, paying the ransom, that means they're going to take that path.

Joseph Carson:
They may say publicly that they won't. They may say a statement that they won't. But ultimately, they'll look at the financial side of it and determine.

Joseph Carson:
And I've even seen cases where the insurance companies have went directly, even without the company's approval or authorization, and paying the ransomware directly and doing those negotiations without the company or the victim being involved.

Joseph Carson:
We have to get into, really, I'm about not paying the ransom and not fueling future cyber crime. And we have to come into, what is the right thing to do? And the right thing to do is make it more difficult for a ransom to be successful, not taking the opposite way out of actually paying it once it's already happened.

Joseph Carson:
I've seen even, I'll give an example. Years ago in Ukraine, there was actually, we're all familiar with the NotPetya side of things and a lot of victims. And in Ukraine, they were struggling significantly with a lot of ransomware cases.

Joseph Carson:
And there was one particular incident that ultimately, doing investigation, there was a lot of investigations of different ransomware cases. And this particular one, looking at the case file itself, it didn't follow the normal, typical route that you would see.

Joseph Carson:
If you work in a lot of ransomware cases, they tend to be very identical, very, very similar. The path in may have modified a little bit. Their elevation path may have been very slight differences. But the flow and the attack path was very, very similar to most cases.

Joseph Carson:
And ultimately, this particular one, it didn't follow that routine. And after further investigation, they found out the, actually, company themselves had actually deployed the ransomware themselves. And this was ultimately to cover up another crime of basically financial fraud. And ultimately, if you look at the story, is the company affected themselves to hide a financial fraud. As a result of going through this ransomware case, they were actually going to get financial funding from insurance as a result of it.

Joseph Carson:
We have to look at how ransomware kind of works and what the risk is, and we have to actually look at actually mitigating the actual impact itself of ransomware, how it gets in organizations and how it's used, rather than being the reactive side and actually trying to deal with it after. I'm more of the proactive side.

Joseph Carson:
And we have to get to, also, the point where there's certain countries which are actually harvesting these types of criminals, and I think it takes an international cooperation to mitigate that as well. It means we have to really look at providing not a safe place for them to operate from, and this means holding countries accountable for actually providing safe havens for ransomware gangs.

Joseph Carson:
Cyber insurance is great, but cyber insurance and ransomware together, it's a difficult combination.

Mike Gruen:
I haven't looked at what New York passed or whatever, but I think it's interesting to think about it from the terms of if cyber insurance is limited to helping pay for the cost of repairing and not allowed to pay the actual ransom. You're talking about a long term strategy for us to get out of this where we're paying for things.

Mike Gruen:
But the problem is companies, there's the short term tactics of, well, we've done the math, and it'll be so much cheaper and so much easier for us just to pay this as us as a little company. That cooperation, that broader thing is so hard.

Mike Gruen:
I think companies, especially, are so money driven that it's like, "Well, why would we risk going out of business when we can just pay a much smaller amount and get over this and get back to business as usual?" And I think that that's going to be a big challenge.

Joseph Carson:
Backups. Backups.

Dan Lohrmann:
I think to that point-

Joseph Carson:
Don't be in the position in the first place.

Mike Gruen:
Right.

Dan Lohrmann:
... Right. And that's why I was asked. A bunch of articles came out about four or five months ago around laws, and you're going to see this come up again. It's going to pop up again. Here's another prediction for you.

Dan Lohrmann:
So, let's just pass a law that you can't pay ransoms. We have a law. Extortion's against the law as well. We have laws, but unfortunately, we can outlaw extortion, but doesn't necessarily mean extortion's going to stop.

Dan Lohrmann:
To your point, people have asked me my opinion. I just don't think it's going to work if you just pass a law saying you can't pay the ransom. I-

Mike Gruen:
Right, because the companies will just pay the ransom under the... It'll just be a different breaking of the law.

Dan Lohrmann:
And it's already happening.

Mike Gruen:
Right.

Dan Lohrmann:
It's already happening. And there are people who say, and again, I don't want to quote numbers here, because I don't know which one's right, but I hear people say that even the numbers we have with ransomware are low, that the vast majority is never reported, and that there is stuff that never makes it to the paper, never makes it in the criminal, never gets reported to the FBI or local police or whatever, or other criminal justice organizations around the world.

Dan Lohrmann:
I'm there. It's a very complicated issue. I'm with you. While I agree with Joe, I'm not for paying the ransoms, but I also realize on a case by case basis, it's probably Pollyanna-ish to think you can just pass a law outlawing ransom paying. It's not going to work. And in individual situations with an individual company, who am I to tell that CEO, "Don't pay it?" I'm not-

Mike Gruen:
Actually, I think all you're going to do is create a new gray industry of consultants who you hire to negotiate this stuff. It's just going to create a new black market or whatever.

Mike Gruen:
I think back to some of the stuff that was happening in the drug cartels in South America and, oh, it's just the sort of cost of doing business down here. It's like, oh, yeah, well, my people might get kidnapped. That's cool. They're not going to get harmed. I'm just going to pay them off. I'll get my people back, or whatever it is. It just became sort of a cost of business, which is not the direction we want to see ransomware going.

Joseph Carson:
That's one thing, is the law has to be very, let's say, has to have some flexibilities. I remember, unless it's in a life or death situation, then there's no room for negotiation. That was always the case.

Joseph Carson:
And I remember a few years ago, there was a cancer research company, became the victim of ransomware. And that was a case where basically, five years of research was at risk of being completely lost. And you're looking at that situation. You're thinking, "Well, okay. There is a clause for creating exceptions of considering negotiation."

Joseph Carson:
And ultimately, from a negotiation perspective, the criminals realized the impact of this themselves and got some ethics and morals and were able to assist and reduce it down significantly. But that's not always the case.

Joseph Carson:
The law itself has to be flexible enough to look at certain situations, but it also should be in the situation where it doesn't create that gray area where people will go and find a criminal way of paying for it, because ultimately then, we have to make sure that then executives and boards are held accountable for that.

Joseph Carson:
We just looked at a case a few years ago with Uber that when they paid the attackers to destroy the data, they created a criminal act. And this is where the situation, you hold people accountable for those actions. And that's why you have to make sure that that's in place as well.

Joseph Carson:
It's not just a law that says yes or no. You can't pay ransom. It has to be very well thought through of a lot of different scenarios.

Dan Lohrmann:
Yeah. Guys, I know we're almost out of time. I want to just mention some resources for our listeners. I don't know. One of them is nomoreransom.org. It is a good resource. It's in multiple languages globally, wherever you're watching from today. Nomoreransom.org. You can read about it. In some cases, they can give you the de-encryption key. They actually can help you. They walk you through the process. They can get you in touch with law enforcement if you want to go that route, and it's got a lot of really good advice there.

Dan Lohrmann:
There's a number of other great websites out there. I would just encourage people, again, proactively for solutions. I could list a bunch, but Homeland Security, CISA. CISA's got a great website on this. FEMA, CSRC, Computer Security Resource Center, csrc.nist.gov. Another great one you can look at for tabletop exercises and planning. I love that library, by the way. Csrc.nist.gov for a lot of things, for a lot of topics we're not even talking about today. It's a great resource.

Dan Lohrmann:
But I encourage you, do your homework in advance, because don't just listen to all this and say, "Yeah, great," and then shut it down. You've got to take action in your organization and make steps and ask the good questions and plan in advance, because this is going to happen to an organization that you're a part of.

Joseph Carson:
Absolutely. I agree. We'll try and make sure that a lot of those resources are put in the footnotes of the show itself. Absolutely. Any final thoughts or any final mentions, Mike, as well?

Mike Gruen:
Yeah. No. I think Dan said it, and I think my final thought is really, at the very least, do incident response. Do the planning, disaster recovery. Do the tabletops, those types of things. They're things you can start doing today. They don't require a huge investment in technology. Just start working through it. Help identify where your problems are and where your blind spots are. It's the first step, if you're not doing that.

Joseph Carson:
Absolutely. And for me, having been involved in a lot of ransomware cases over the years, I can't emphasize enough the importance of having offline backups. You don't want to be in the situation where you're completely at loss of all the data and basically, your business has come to a halt, and you have to start thinking about paying the ransom. That should not be the situation.

Joseph Carson:
Solid offline backup strategy. That will provide you a lot of good bases to make sure that at least you can recover and you can get back to operations as soon as possible.

Joseph Carson:
Ultimately, ransomware, for me, is the biggest threat to organizations. It's the one that it doesn't curve by what business you're in. It's there for pure financial profitability, and it will take advantage of your business's connectivity and the systems that you have and the data that you're actually critical to.

Joseph Carson:
It's really critically important that you do take this serious. Ransomware is a serious threat. And that you need to take action. Just like Dan and Mike said, you really can't just sit back and think that, "Okay, I'll put this later. I'll do it in six months' time or three months' time or a year."

Joseph Carson:
This is not something that you can actually delay and put off. You must take action now. And a lot of the resources that Dan had mentioned, no ransomware, no more ransomware, that's critical. It's important to look at that and educate yourself.

Joseph Carson:
Hopefully, a lot of the topics, Dan has been great. Mike's input has been fantastic as well. And I think you really need to take action. Ransomware is a big threat, and once you listen to this, hopefully, you've learned something, and you'll be able to take value away and take immediate action.

Joseph Carson:
This is an important topic, and I'm pretty sure it won't be the last time we'll talk about it. I'm pretty sure I think myself and Mike mentioned that we'll actually even later talk about incident response, how to respond to not just ransomware but security incidents in general.

Joseph Carson:
Again, many thanks for tuning in. We're really excited about these podcasts. Every two weeks, 401 Access Denied. Listen in on your favorite, whether it be Spotify or on Apple Podcasts, wherever it may be. Join us every two weeks, and hopefully you get entertained. Again, thank you. Stay safe, and offline backups, one more time. All the best. Bye.

Mike Gruen:
So long.

Dan Lohrmann:
Bye.