
Attila: The IT guy does not have it covered.
Attila: Maybe we need a little bit more advice.
You're listening to the Cyber Secured Podcast, helping you become safer in every way.
Now, your hosts, Matt and Attila.
Matt: All right.
Matt: Welcome back to the Cyber Secured Podcast.
Matt: My name is Matt.
Attila: And I'm Attila.
Attila: We are cybersecurity people.
Matt: We are.
Attila: And that means that we get phone calls and emails.
Matt: And we get to hear stories and be on the front lines, boots on the ground, see what transpires on people's actual computers.
Attila: And now we get to share those stories with you.
Attila: And we have a new one.
Attila: And this one's about ransomware.
Attila: You may think that ransomware is old hat, but believe it or not, it's not.
Matt: Yeah, it's kind of been around for a while, and it's not the primary source of attack any longer, but it's still out there.
Matt: If the bad guys can get in, if they can get access to your system, you know, it's a good tried and true method to get you to pay up for your data, or if you have sensitive data, to ransomware you over the sensitivity of people's personal information, or some secrets you've been holding on to in your company, if you've got things that are copyrighted.
Attila: But what is ransomware, Matt?
Attila: Maybe everyone who's listening has not heard of such a thing.
Matt: So, ransomware is basically when your data on your computer gets scrambled.
Matt: The files are still there, but you no longer have access to it.
Matt: And in any effort in trying to open the ransomware or use your computer, you'll typically get a message stating that you've been ransomwared, and you will often get a message saying who it is, and sometimes even get technical support from them on how to pay them.
Matt: If you don't know what crypto is or you don't know how to get a crypto account, they'll walk you through setting that up and putting money into it so you can send the money to them.
Attila: So the silver lining is that you get technical support that will help you pay the ransom so that you can decrypt the files that they have encrypted across your network.
Attila: Interesting.
Attila: You know, I was reading a recent statistic about ransomware, and in 2024, so last year, ransomware revenues dropped by about a third.
Attila: And what they are attributing this to, and this is according to the FBI, is the fact that people have better cyber hygiene.
Attila: So they're not clicking on all those links on the emails.
Attila: They're giving access to their computers to the bad guys, but they're also having better backups.
Attila: So when we get a call about ransomware, there's a good chance that maybe this individual or this company might have had some poor cyber hygiene.
Attila: So we got a call from this pretty nice person.
Attila: He runs a food distribution service.
Matt: It was about two weeks ago.
Attila: About two weeks ago, yeah.
Attila: And this is a wholesaler of fruits and vegetables, foods that you'd find in your supermarket, in your restaurant.
Attila: And he said, you know, I've unfortunately been hit with ransomware.
Attila: And I have an IT guy, and I think he's got it covered.
Attila: I said, that's great.
Attila: A few days later, we got another phone call.
Attila: He said, you know what?
Attila: The IT guy does not have it covered.
Attila: Maybe we need a little bit more advice.
Attila: And so I wanted to share what he experienced and what his company looked like.
Attila: This is a fairly small company in terms of computer count.
Attila: So they have lots of trucks that deliver food and fruits and vegetables all throughout the state.
Attila: But he has only about 20 computers in his office, and a server and an in-house phone server.
Attila: So there's some sort of phone system there.
Attila: And ransomware made its way onto those computers, most likely because one of his staff members accidentally clicked on an email, opened up whatever attachment was in there, got into their system.
Attila: And because he wasn't running any sort of antivirus or EDR, it just spread like wildfire.
Matt: I want to back up on how that can happen.
Matt: There's a lot of different ways.
Matt: Quite often, when you receive an email that contains ransomware, it will have what looks like a PDF, and they'll even change the icon to look like it's a PDF.
Matt: And there's a thing on Windows most general users don't know about where the default for Windows, when you load it up, you go into the interface, it removes the extensions from the files.
Attila: Oh, that's right.
Matt: And for people like us, our general go-to is to configure the system up so we know what the extensions are, and we will change the view and the way things click, just to make it more user-friendly to us, because we're more advanced users.
Attila: I love file extensions.
Matt: Yeah, and I love file extensions too.
Matt: It actually has never really crossed my mind the fact that having that turned on and being able to see the extensions has actually been kind of a saving grace, because I have seen those files that show up as .pdf.exe.
Attila: Oh, right.
Matt: And what is .exe?
Attila: Executable.
Matt: Right.
Matt: Most people don't know that.
Matt: There's a couple different formats of executables in Windows.
Matt: There's .exe, there's .com, there's .bat, there's .pt, and .dll can actually execute as well.
Matt: But if you have file extensions turned off, which most people do, and you get a file that is parading as a PDF, that executable can not only run a malicious command in the background, it will even possibly run the opening of a PDF.
Matt: So then it looks like you actually open something, and you're not suspicious of what happened.
Attila: Oh, like an executable that's parading as a PDF that opens up and looks like a PDF when you run it.
Attila: Interesting.
Matt: And most email programs will filter for this kind of stuff, but it's not 100%.
Matt: And especially with an older organization that has old servers, they might even be hosting their own email server, and it hasn't been updated in forever, so it might have actually gotten through.
Matt: I don't know personally what the case was and how they got in, but...
Attila: It wasn't necessarily clear how they got in, but he's thinking it was most likely suspicious email.
Attila: Only reason is, so many come through.
Attila: We all get a lot of junk mail.
Matt: Yeah, if you're a business, if you're a business and you're in the public and you make money, and it's obvious you make money, you're gonna get those emails.
Attila: Well, unfortunately, with this business, he also had some bad cyber hygiene.
Attila: So not only were they opening up emails, they didn't have the training program for their staff.
Attila: So the staff didn't know how to identify bad emails, right?
Attila: Especially if it came from someone who they trusted or they thought they trusted, and they all used the same password on all of their workstations.
Matt: And probably all the computers.
Attila: So why is that bad?
Attila: I mean, I get an email, I open up that attachment, I have the username and password on my computer, it's the same as my neighbors, how does it spread?
Matt: Well, if you get an attachment that has a malicious file, and it gets installed on there, that malicious file might give reverse access or remote access to the bad guy.
Matt: And so once they have that, they can sit there on that system and poke around your network.
Matt: Last week, we talked about how a firewall in an environment is almost like the structure of a house for you.
Matt: But one difference between that house and the firewall or the routing, the network is in a house, you have eyes.
Matt: You can look around and see things.
Matt: But generally, the user on the computer doesn't have that kind of visibility.
Matt: They can't actually look around the room and see other computers in the space.
Matt: They're there, and there's commands on the computer that you can run to tell you they're there, but you don't know that.
Matt: And if someone is in the network on a system doing stuff, you wouldn't necessarily see that either.
Matt: That's where there's a differentiating line between a commercial firewall and something you would buy at Costco, which it sounds like that's what this gentleman had at the business.
Attila: He did.
Attila: He had a Costco or Best Buy firewall that was inexpensive and had no monthly fee.
Matt: Yeah, a commercial firewall that has been properly configured would see that kind of stuff.
Matt: It wouldn't necessarily block it, but at least it would see it, and with the proper software in place, that software could also send out alerts and do things that would hopefully alert some kind of team to act fast and block things.
Attila: That's the problem, is that after the fact, it's really difficult to do much other than damage control.
Matt: Yeah.
Matt: Well, and then once one of those guys gets on those computers and they're looking around the network, looking at what's there, they're going to copy the password they see on the computer and try it on another computer.
Matt: And that's how they, in the world that we live in, we use a term called moving laterally.
Matt: That's how they would move laterally, move from one computer to another, another computer to another.
Matt: And even if they don't have the password for those other computers, if there is a server in that network, using a special type of communication with that server for getting files, the bad guy could actually see those packets, see that information, and they wouldn't necessarily need the password, but they could use the hash.
Matt: It's called passing the hash.
Matt: And then they could use that to get into other systems as well, including the file server, where all the work and data is that people use on a day-to-day basis for accounting or whatever they're doing for that business.
Attila: Well, luckily, this person does not have a business where he is handling sensitive data.
Attila: No one is really interested in the price of an eggplant versus your medical history or social security number.
Attila: So it makes sense that when he did contact the FBI, letting them know that this occurred, he did contact local law enforcement, not much really happened.
Attila: There wasn't a lot of assistance given to him because he's a relatively small company not dealing with critical infrastructure or anything that would be related to sensitive data.
Attila: Or even if he were unable to operate for a few days, it wouldn't really affect things.
Attila: But it would affect him personally.
Attila: And we started adding up these costs.
Attila: How much was this actually costing him in business, in terms of remediation costs?
Attila: Because he had to pay his IT guy thousands of dollars to be able to recover.
Attila: He had to go and buy new computers because the next day, when his employees were coming back to work, he needed something for them to work on.
Attila: We looked at an estimate of anywhere from $30,000 to $50,000 right off the bat.
Attila: And like we mentioned at the beginning of the podcast, this was a few weeks ago, weeks later, it's still costing him money.
Attila: And it's much slower for him to deliver the products.
Attila: And you gotta remember these are fresh products, so if there's any delays, there's also perishables that he has to throw away.
Attila: And so it did affect his business.
Attila: It did disrupt his business.
Matt: It sounds like he's kind of fortunate, though, that he's able to continue business.
Matt: Because didn't you have another business that got ransomwared and they basically put them out of business?
Attila: It happens all the time.
Attila: We've had about three or four cases where these are accounting firms.
Attila: Right.
Matt: Reputational damage.
Attila: The reputation is very difficult to recover from, especially when you're handling other companies' private data.
Attila: And when you start to dig into it, much of it has to do with behaviors.
Attila: The behaviors and habits of the employees are what's going to make or break the company.
Attila: And in this case, when we're talking about these accounting firms, they had bad habits of emailing company records back and forth.
Attila: That's a big no-no.
Attila: In this case, with this wholesale of fruits and vegetables, they did not have great habits about their email.
Attila: So they were opening up email messages, and they just didn't have great habits about setting up the network in the first place.
Attila: Having local administrator accounts, having a server on-premise, having a phone system on-premise, these are risky behaviors.
Matt: Well, and ideally, you would separate all that stuff out into things called VLANs, separate networks within networks that can't necessarily talk to each other, or they talk to each other in what we call a zero trust style, only communicating what they need at those specific moments.
Attila: I do see different network configurations in different size companies, though.
Attila: So the VLANs that you describe, those are really handy in larger networks, or networks where you're dealing with a lot of sensitive information.
Attila: But let's face it, most organizations have less than 50 employees, probably one network, maybe two, one to two sites.
Attila: They're on a much smaller scale.
Attila: So for them, using the cloud makes more sense.
Attila: You don't need a file server if you can put a lot of this stuff into Google Drive.
Attila: And outfits like Drive, Dropbox, box.com, they all have even compliance storage that can meet compliance requirements.
Attila: And all you have to do is put the stuff there.
Matt: I gotta say though, it doesn't necessarily mean that you're safe.
Matt: It doesn't necessarily mean that your problems are solved because all of that very easily gets undone by poor setup and poor employee behavior.
Matt: I just listened to a story about this gentleman that had gotten into a lot of the music industry files for EDM artists.
Matt: And it's crazy, like, you know, this is an industry with millions and millions and millions and millions of dollars.
Matt: And they're pumping out music and product and doing all kinds of work behind the scenes.
Matt: And of course, they have to trade a lot of data between the artist, graphic design work, marketing, and then the producers that are actually listening to the work.
Matt: So what this guy...
Matt: A lot of file sharing.
Matt: And so what this guy and a few others in his sphere discovered, this isn't a hacker, this isn't a sophisticated guy that knows hacking tools.
Matt: But what he discovered was when he went and found leaked passwords and things tied to some of these individuals for these companies, he was able to do what we call OSINT, Open Source Intelligence, looking up the individuals for these companies.
Matt: He was able to match them up with Dropbox.
Matt: I forget what's in the other ones that he mentioned, but they're definitely compliance-related services.
Matt: And he discovered that most of the users were all using the same login.
Matt: They didn't have individual logins.
Matt: It was like the same login for everything, because it was the easiest thing to do.
Attila: I see.
Attila: So the easiest, and there's no accountability that way.
Matt: And there's no accountability.
Matt: They don't know who's doing what, and they felt safe using the service because it was probably marketed as being safer than having a local file share.
Matt: And he didn't do anything malicious like encrypting files and holding them ransom, but what did happen was some of those early releases, things that hadn't actually made it to the world yet, the things that the artists were producing, got leaked.
Matt: And that's how a lot of these leaks with music happens.
Matt: It's not someone actually in the studio or the artists themselves.
Matt: It's these guys just poking around and using files or passwords that they find on the internet.
Matt: To get in, and yeah, it's mostly because of behavior that we're vulnerable now.
Attila: So to recap, the attack surface is moving from an on-premise, on-network type of environment.
Attila: Because a lot of small businesses are moving their resources to the cloud, the cloud is now the attack surface.
Attila: However, the cloud is still just as vulnerable, if not more so, if the employees that are using the services don't have good cyber hygiene.
Matt: Yeah, and in fact, it's much easier now to go after organizations' online presence than hacking into their local network, because hacking into a local network requires a huge skill level, tools, and knowing how to use those tools, and often kind of exposing yourself as you're doing that attack, whereas going after online credentials, going after those accounts online, someone that has some very basic coding skills could use AI to generate an application to pull credentials down and just barrage services with trying to get into accounts, and they just step away and let it do its thing until they get a ping.
Matt: Hey, I got into an account.
Matt: Oh, wow.
Matt: Okay, cool.
Matt: And they're in.
Attila: So, spray and pray your passwords that you've obtained for a company you're trying to infiltrate, instead of having to write custom software and trick people into installing it on to their computers.
Matt: Yeah.
Matt: A lot of this just all comes down to good behavior.
Matt: And we mentioned it last week, or maybe it was a week before, using a password manager.
Attila: Password manager.
Matt: That makes a huge difference.
Matt: Like, personally, I don't know the passwords to really any of my online stuff because it's all in my password manager.
Matt: I just know the password to it.
Attila: So, password is just one half of the puzzle.
Attila: The first one is the email address, and there are some email masking services now.
Attila: Some are inexpensive, but DuckDuckGo, for example, is free, and allows you to create an email forwarder.
Attila: So, instead of giving out your Gmail username, and then only focusing on your password, you can have a unique combination of an email address and a password to doubly obscure your identity with a specific provider.
Matt: Right.
Matt: Actually, you want to hear something really cool that I started using recently.
Matt: I forgot what the service is called exactly.
Matt: It's something like email sub or email forwarder.
Matt: I can't remember what the title is exactly, but we will put in the description.
Matt: We'll put in the description.
Matt: So, yes, what Attila is talking about is very useful.
Matt: Apple has a similar feature where it can give you a completely new email that forwards to your thing.
Matt: I personally don't really care for it because I want my email somehow tied to the service.
Matt: But what I saw was actually advertised by NetworkChuck, but a lot of people have talked about this online.
Matt: Gmail, Microsoft, and a few other services have this.
Matt: Not every email provider has this.
Matt: But you can do your name plus, the plus symbol icon, and then whatever you want at youremailprovider.com.
Matt: So, if I'm matt at gmail.com and I sign up for...
Attila: eBay.
Matt: eBay, right.
Matt: I could do matt plus ebay account, whatever I want, just in there, at gmail.com.
Matt: And that will go to my matt at gmail.com account.
Matt: And where that's helpful, what Attila's talking about is now, people can't try matt at gmail.com as an account on eBay, because they don't know that I used matt plus, whatever I put in there.
Attila: Double safety.
Matt: Yeah, I like it.
Matt: You just have to remember that's what you used or have that saved in your password manager.
Attila: Which they are free.
Attila: They even have a free version, most of these providers.
Attila: So I know you like Bitwarden.
Attila: We also use Keeper.
Attila: We are not endorsed by either of those products.
Attila: We just want to spread the word that they are good and decent today.
Matt: Yeah, I have friends that use other ones.
Matt: I think 1Password is one of them.
Matt: Just a couple other ones.
Matt: And they like their password managers as well.
Attila: It doesn't matter.
Attila: Just use something.
Attila: Yeah.
Attila: And the reason I wanted to talk about this particular company as our little story for today is to kind of illustrate what we see out there.
Attila: The big boys, you know, the T-Mobile hacks, they, you know, and the local utility company.
Attila: Those companies and those outfits have a lot of resources.
Attila: They get a lot of press.
Attila: But the small guys, those that are less than 50 employees, doing good in the community, serving local businesses as their clients.
Attila: They're the ones that are getting hit and suffering.
Attila: And it's a much bigger deal for a small company to be hit with a $50,000 recovery bill than, you know, another Verizon or T-Mobile or other big company that has more resources.
Attila: So wanted to let you guys know, if you are a small business and this has happened to you, we hear you.
Attila: You have been heard.
Matt: You have been heard.
Attila: Well, that's the end of our show.
Attila: Perfect.
Attila: We did a great episode.
Attila: I think so.
Matt: I think so too.
Matt: Yeah.
Matt: Ransomware is still a thing that's going on out there.
Matt: The tech service has moved to the cloud.
Matt: So, you know, no matter what, no matter what kind of setup you have, just be safe out there.
Matt: Do your due diligence.
Matt: Use a password manager.
Matt: Use good practices.
Matt: And if you don't know what they are, look it up online.
Matt: You know, the world is your oyster.
Matt: That information is there.
Attila: You can do it.
Attila: I'm Attila.
Matt: I'm Matt.
Attila: Stay safe out there.
This episode was brought to you by Cypac.
To learn more about keeping your business safe from threat, crime, and disaster, visit Cypac.com.