The Newest Cyber Threat That’s Crippling Your Business
Hi. There welcome to the CTO adviser virtual. Conference, my. Name is my collection agent. M coming, to you from 504. Battery drive, do. You guys know where that is that's. Men in black headquarters, and I'm, here with, Chris Khiladi, agency. We're. Gonna talk to you about something, that is really impacting. Companies. Enterprises. And really, people all over the globe ransomware. And how. We can be your first last, and only lion defense, against. It, but. Before we get into what. We're going to do and how we can help you maybe. We should kind of define what that means. Today. The, average payment. For a ransom or attack is over. 41, thousand. Dollars, that's. Going up six fold since 2018. Now. That, could be anything, from paying. For one machine, up. Through, trying, to get back in Christian, Keys for an entire, environment. Obviously. The, average only counts, for us once we know about and. When. You look at rants more it's, a small, portion of, the. Amount that it costs the global economy, for, cyber criminals. All. Over the place six. Trillion. Dollars. Annually. Just. By. 2021. And that. Is doubled, since 2015, the. Number of. Expenses. That are taken, from. Cyber criminals, to, the global economy is going. Through, the roof and. A. Big portion of that is for. Ransomware. The. Estimated. Cost for the. Impact, of ransomware attacks across. The globe is 11. And a half billion, dollars annually. Obviously. When we saw the other one go up like that this, is doing the same thing. And. It's. Not one. Space. But. The first place I'm gonna talk about is how. Much it's impacting. Government. Systems right now a, hundred. And seventy different government, systems, have, been impacted, since, 2013. Those. Are ones have been reported. 22. Of those in the first half of 2019. Everything. From. Pensacola. Florida. Having. A shutdown of all of their city services. The. City of Baltimore, in May, of 2019. Had. All of their systems under, a single ransomware, attack that they had to pay for. You. Get into April, and there were three major ones one. In Augusta, Maine where. There was a highly, targeted attack, that froze the entire city's. Network and, forced. That city center, to, a close. The. Same month hackers stole a half a million dollars, from the city of Tallahassee and, the. One that probably worries me the most is. Cleveland's. Airport. Suffered. A ransomware, attack, that. Bothers, me from flying into Cleveland. Then. There's ones like Atlanta. Or even. Jackson. County Georgia. Within. A year of each other there, was one major attack, and then. Jackson, County had, to pay 400 thousand, dollars. Just. To get their systems, back online. That. Talks about a lot around the u.s. but. This isn't just a US issue this. Is a global epidemic. That we're facing it's. Hitting the u.s., India. Indonesia. All, over. Europe in rows a quarter of this pie almost, covers, countries. Around Europe it. Reaches. Across the, globe from. One corner of the globe to the other. Cyber. Criminals, are attacking, our enterprises, and trying. To find ways to, make. Us pay, for. Them being criminals, and they're. Doing it at an alarming, pace. Right. Now a business. Falls victim to a ransomware, attack, every.
14. Seconds. It's. Coming down, expecting. It to be down by next year to, every 11, seconds, and. It's. Not just those government, entities, they're being impacted, no. Industry, is immune to this. Technology. Is getting, heavy hit. Heavy, professional. Services, heavy. Consumer. Goods when. You're looking at that new phone there's. Probably a chance they're trying to attack the company making it. Down. Into government and then health care unfortunately. Health care is on the rise on this one. Society, hasn't been great about it with all the issues going on and ransom. Or attackers are, attacking. Hospitals, and health care systems across. The globe right now. Now. We asked the survey, to find out how. Many companies, have. Any people have their company impacted. By ransomware. Two-thirds. Of you think that you didn't, now. That's interesting, because well. We're. Pretty sure that. A lot more of you did. Because. When you start looking at the ways people can get into your system, it's. A easy, easy, way, and people, don't change. So. Let's first look at it from, a technology standpoint. There's. Obviously, exploits. And vulnerabilities. Those. Are things were used to those. Are things that when you're running an IT shop you. Take the time to make sure that you've applied patches. You're. Locking down your firewall. Things, like that but. Things still get through. Now. The thing is that's. Not the only way it's. Not even the most prevalent way, right now, right. Now 91%. Of cyberattacks. Start. With a spear phishing, email. Normally. These are look. Urgent, look, really official. You. Look at this one it. Was coming from sterling, Savings, Bank. Appreciate. The gentleman. From the accounting, and billing team sending, us some information. Until. You dig deeper and you look at the email. Came. From a T - online dot de, email. Address, pretty. Sure sterling, savings a bank that's, not their email. Now. It's not just a simple. One like this, these. Are coordinated. Attacks there, are credentials, they're being stolen all over the place. 300. Universities. Were. Attacked, by, a specific, group in 2018. Of. Those, three hundred a hundred and forty four were compromised. The, combined, loss, was. Over 31 terabytes, of data an IP. Worth, close to three, billion, dollars. Now. We. Issue. Whether. A friend. Had ever had their Facebook, hacked. Now. This one as expected. 80%. Of the people realized, yeah, my. Friend, probably. Had it I've seen this happen before. Now. When you get into it that's not surprising, because. There there, is malware that is spread, like. The Loki one they were spread through, facebook. Messenger, it, simply. Sent an SVG, file, that. Passed their messenger, and, redirected. You to. What looked. Like a YouTube, page. But. When you got there an issue to download a codec, to play the video what. Most people didn't realize was, that codec, was actually malware, before. You got to see any video from your friend. Now. That's not the only way. Now. We start, seeing things like, malvert, Iseman, now. A lot of people probably aren't real familiar malvert, Iseman but, we see these ads all the time and. It's, always interesting to see what people are doing to block ads especially. On, their home networks, and. On corporate networks where, it really does matter. For your enterprise. Essentially. When you're clicking on that ad it's. Not own the. Company that's providing the, ad the advertisement. Network to. Be able to check those URLs. They. Actually will put through whatever it is and it. Can be a malicious. Site that, it's just then redirecting. And installing, things on. Your, system. Definitely. Not, what you want to see. Now. I always enjoy this one we asked people what. Was the year of your first ransom, or attack. Now. A lot. Of people said 2001. It's. A little newer I think I, definitely would have thought older but, although it's pretty spread what, that says is people. Really aren't sure well I want. To give you that information now. 1989. So. Not quite as far back as 85, that was in the survey, but.
89. An. AIDS. Researcher. By, the name of Joseph pop actually. Sent, a. Survey. Out by, a floppy, disk to. AIDS researchers. Around the, globe hospitals. Researchers. Said. It was a risk, questionnaire. Source people filled out the information about. Their. Patients, they. Would get this information, and it was a survey, and a study. Except. That. It activated. After 90, reboots. After. Those 90, reboots, it. Would ask you for payment, of 189. Dollars and another, 378, for software release. Now. Back then these were all Windows boxes, they had to get rebooted a lot so. It wasn't uncommon. But. That's what it looked like then. Now. We. Get things like this that pop up on your screen when, you've been, infected, with ransomware, now. This does look pretty antiquated. And old until. You start digging in deeper this, looks like it could have been done in the 90s. But. There. Is some true Bitcoin, payment. They're giving you explicit. Countdown, timers, and when your data is not going to be available and. This. Is really locking down what. You're gonna see this. Is from one carpaccio, so. They. Do try to make it look very official. Other. Ones even try to make it look more official. Cryptolocker. Claimed. To be from the actual federal agency, in. Reality. No agency is going to send you this kind of message so. What I did was I took about. 22. Seconds, and I. Put, another logo on here and, then. I. Took. A little more time. About. Two minutes to. Find these other 15. Logos, that. Look official, in here as we. Click through and it clicks through and it ends. With. Our men in black logo. Now. In reality this is never, what a government, raid is, going. To look like, what. A government, aid really, looks like is this. Agents. From multiple, agencies, showing. Up guns. Drawn. Probably. Some black SUVs, coming, in to, take everything, in your environment. That's. What it, actually looks, like and, from. Here I want, to take it hand it over taejun. See and let. Him give you a real-world. Scenario. Of. A. Ransomware, case. Agency. Thank. You agent M my, name is Agency and. I'm here to tell you about a real-life ransomware, story, of a. Victim that we have from, the files of the men in black now. We've unlocked, this file to show, you what, really, happens, behind the scenes but. The names when the victims have been removed for, obvious reasons and we're. Going to tell you everything that happened and everything we're gonna go through, actually. Happen it's all 100%. True so. Let's start with how this actually got into the customers, environment, well. As Agent, M said it came in through a malicious, email the. User didn't, know anything, probably. Clicked the link to some cute. Puppies. Or kittens and, next, thing you know it. Starts, Auto installing. Well. It didn't just auto install, on their machine. It started, to propagate. Across, the network, and search. Out as many Windows servers, as it could find which.
Brings Me to the first, question for this section which is how. Long did you all think that ransomware. Incubates, now, I thought it was interesting that so many people thought it was six months if. I saw one of those six month timers I'd be wondering if those guys really want their money or not I think. What we're seeing mostly, isn't that one to two week range it's. A short time period the whole idea of ransom. Is you, got to get something done quick, get, them paid or you're not getting your data back so. I'm not quite sure about six months I'd probably have to go ask some of those folks why they thought it was so long but that's an interesting answer. So. After this I started. To propagate, and, slowly. Go. Through the, environment over. The course of about two weeks. It. Then. Encrypted. All the drives of all the Windows servers that I could find now. What, it did was it waited. And it was patient and after. It's figured. It couldn't find anymore is when it kicked off and overnight. Did. The encryption, process so, as you can imagine the. Stat of the IT staff and, all the folks that had, alerts and pager duty and all these other things started. Going off in the middle of the night trying. To figure out what happened, and their, first inclination, was, well we'll just recover, from backup. Well. Brings. Me to my next question. Why. Not bring system and most your backup applications, run on well. It's good to see over 50 percent are using dedicated appliances. But, this customer, fell on that 32, percent their, backup, systems were, also running Windows, which, meant those were encrypted, as well. They. Had zero access. To any of their backup data on, any of their backup systems. Basically. They. Were up to proverbial, creek without a paddle. So. Next. Thing that started, to happen was, well bored and rolled around an, employee. Started, coming into work and, realized. They, can't access their systems, started. Calling the helpdesk. Customers. Started calling. Basically. The, IT team had already been there and they decided, well, we're. Met we're in a hole our. Data is being held for ransom send. Everybody home there's nothing we can do we can't help you know every individual, user right now. Well. This, is where it gets a little more interesting, probably. Wondering why we asked some of you if you have a Bitcoin account. Surprisingly. 40%. Don't. Well. This. Customer, decided to pay that ransom. Wasn't. That much, it was, $70,000, it was easy for them to deal with but. They. Finance, folks turned, everybody and said ok we got the money where, do we send it where do we write the check, well you can't write a check you got a Senate Bitcoin well. Who's got a Bitcoin account. Nobody. Nobody. At this organization had, a Bitcoin, account. Now. You. Think the, obvious, thing you would do would. Be to go to coin base or someplace. Like that and open up a Bitcoin account. Well. Instead, of doing that they. Actually wired, the money to. The to a friend, of, somebody. In the Information, Technology Group, who, had a Bitcoin, account so. This is gotta get, $70,000. Wired to him to go pay their ransom could. You imagine I can't even I can't even comprehend. Sending. That amount of money to somebody who's not even an employee, when. You could have just opened up an account, the. Point is, what. Peep in stressful situations is, not always the, smartest decisions, and. This proves it well. They. Got their keys back hey, guys luckily, they, got it paid the gentleman, paid their their ransom. They. Got a four hundred Keys, unmarked. In a text file. So. Begins, the. Mess. To ensue. Now. You. Got four hundred keys on a spreadsheet, or. In a text file what do you do you go to the first server you try the first key and then the second key then the third key then the fourth key you, get to the hundred or so key in you yell bingo because, that one worked you. Cross that one off the list and, you go to the next server now. Imagine trying to coordinate, this with multiple people. Because. As, somebody, yells bingo, you, might not have gotten to that key yet which is cool so you can cross that one off but. Tracking, who's. Got what keys and, who worked, and which ones didn't.
Massive. Massive manual. Effort I can't, even imagine I just wouldn't want to deal with it I'd probably have my hat on the wall and leave, well. It, goes from bad to worse, and we'll get to that in a second. We. Also asked, all you you, know what's your tolerance. For, paying a potential, ransom, since this number was thrown out of here at $70,000. Well. We. Always have the joke answer whichever bill likes take advantage, of that we don't want to negotiate with terrorists, but, I'm willing to bet that if you took those 77. People and that question wasn't there most, of them would fall smack. On that 100k, or 1 million because it's an even split of 11%. So. This. Tells me that most. People understand, the gravity of the problem and they're willing to pay to. Get their stuff back. Well. Let's get back to that customer, story. So. They start finding systems, they start unlocking, systems, and then, systems start crashing, and they try to figure out why are the system's crashing, well. Come. To find out if the, system was over 50% full. The. Way the decryption, process were. Is it didn't just decrypt, the data in place it. Made a duplicate, copy in a decrypted. Fashion, so. If you were already over 50% utilized. On a on, a virtual, disk and it. Doubled. The size the, system crashed so now they got to stop everything, come to a complete. Halt. Go. Identify. The systems, that are over 50% full, first, before they even touch them start. Shuffling data, around, so. That when they get to it and they get the right key it won't crash and they can fully unencrypted. The, information. This. Is an unknown that, they would not, have even. Thought of the. First get in the unmarked Keys this problem a then. Having, the. D encryption, has double the amount of data problem. B then they go have to shuffle data around problem C I mean, this is why it's called the snowball, effect it, just goes from bad to worse. Well. At the end of the day what. Actually, happened, to this customer, was they. Told employees to, return after, a three-day. Outage, and I actually think for this amount of mess, three. Days it's. Pretty, darn good I give. Them a lot of credit I don't, think there's a lot of lot, of victims. Out there that could do it in three days now mind, you is probably three days straight 24, hours a day. None. Of us want to have any part of that. So. Finally. We. Wanted to explain. What happened, from business impact, well there's obvious. Lost employee productivity lost, revenue, they. Missed the actual contracts. They had SLA, is for Justin's just-in-time. Supply, operation, they broke contract, and had to pay out on the SLA, most. Importantly, was their own reputation with, their with their own employees their. Business partners and your customers, all asking how could you let this happen you. Seem like a really big company. Finally. Three-day. Losses, totaled, 12 million dollars so. Even though the ransom, was seventy thousand it, costs, the company 12, million in, the. Most important, which should actually be the last one on the slide is it, exposed, the IT teams, lack of preparation tools to deal with an attack like this they. Simply, were not ready, how. Many of us think we would be ready well. We asked that question and, surprisingly. 43%. Of you are right there in the middle so. I don't know if that means you think you already you, think you're not ready or you're. Just waiting to see what happens because. That's an awful, lot of people right. There in the center, but. It's something to think about how, would you deal with this if it came around on your front doorstep. Now. I'm gonna kick it back to H&M, to, talk a little bit more about how this isn't just an individual, problem but how it causes global, economic, disruption, around the world agent M.
Thanks. AJ we. Were. Looking at something. That really has impacted. Globally. On it thing. Called not petia, now, not petia really. Defines where cyber warfare has. No nation wide boundaries. Now. Not pattu was known to be a state, sanctioned, attack on the Ukraine, by. Russia in. 2017. Now. I've utilized a couple patches, there. Are a couple of vulnerabilities, I should say that became patches, and they, were patched there. Was in March of 2017, and, then. Even. Before the, may 2017. Attack these were patched. The. Systems, just weren't they. Actually utilized, a piece of software called enemy, Docs as the. Entry point M adopts, is very similar to QuickBooks. Now. It started, in the Ukraine so. Let's look at the Ukrainian impact, first. 90%. Domestic, companies, use, this Emma dock software. Almost. A half a million customers, at that point now. When it got impacted, it took down some very large segments. Now. The one that really jumps out to me on this one is the, fact that the radiation, monitoring, at the. Well nuclear, plant went, down that. Worries me, not. Just a little but a lot on that one and. It. Wasn't a slow thing either. Oxshott. Bank that second, largest bank in the Ukraine. Within. 45. Minutes, 90%, of their systems were infected. But. It didn't just impact. The Ukraine it, had a global, impact. Multinational. Companies were impacted. From, FedEx, -. The company that makes Cadbury. Eggs -. One. That makes lice all 10, trillion, dollars. Worth of impact. Now. I'm going to show you just one of these the, 300 million dollars it says that it costs maersk to, do this. Now. If you're, not familiar masks, their. Shipping line out of Denmark, about. 80,000. Employees across. 130, countries, now. They have some, vessels, of their own but. Really, they're supporting. 18,000. Vessels around the globe in, the waters at any. Given time. Big. Annual revenue. Handles. The fifth of the world shipping capacity, and they're. Running or not a huge environment, for thousand servers and about. 45,000. Pcs out, of the UK. Now. They got impacted, because of a single, system that was sitting at the, port of Odessa Ukraine, that, was running the ME docks. When. It got impacted. Had. A 20%. Reduction in operations. Globally for, them and what. That meant was. 17. Of their 76. Main ports were impacted, just. One example was, the one in Elizabeth, New Jersey that. Had almost a 20 mile backup of. Trucks. That couldn't get into the port because. They couldn't track containers. Couldn't. Track bookings, they. Couldn't get to anything on it so. What did they have to do to try to recover, well. The first thing they did was they handed Deloitte a blank cheque. Brought. In 200 different Deloitte, employees, there. Are 400, IT employees. And they. Realized they had backups, for most of their servers. But. We talked about having, Windows boxes, and. All. Of their domain controllers, were. Obviously Windows boxes, and a lot of those don't get backed up because. Why would you back them up they're, replicating. All over the place well. They all got wiped at one time. Except. For one. That. One happened. To be in Ghana and was. Only up because they had a power outage. Once. They finally reached someone they found out that, no one from Ghana had, access, to fly into, the UK to. Get the hard drive to them so, they had to drive the hard drive from Manor to, Nigeria. Fly. It up to the UK. Then. They could start recovery. Now. The recovery took a while and after about three days port, started, coming back online, but. All their employees were not even allowed to touch their systems. About. A week later two weeks later, staff. Started, getting their systems back so that they could start going back to work now a. Lot of this I know we talk about different things whether, it is, all. Local for them or whether things were cloud-based and, in. A hybrid. Cloud environment. Like what. We're looking at for a lot of things in the conference, today. It. Didn't matter it wouldn't. Matter, but. We, do have ways to help with that and we. Have things that can be that. Defense. For you but. Before we go into the exact defense let's, talk about what that means, so. Agency, you want to give them a rundown of some. Defense-in-depth. And take, a look at how, we might be able to help with this. Defense. In depth sounds. A little bit like a throwback doesn't, it we. Used to use this term learners, phrase a lot back in the day but. It actually applies even. To this problem, and I'm going to talk a little bit about how that is the case and how we can address it. Well. Some, for most the first layer of protection, is training, we, got to train our people we got to train, them to understand. That that, email might not look correct, if you're in sales and you're getting an email from a bank wanting. Money or, telling. You to go look at an invoice it's, probably, not right it's probably not for you send.
That Over to the IT team, so we can take a look at it proper training can stop more attacks, than any software, out there. Second. Is, stopping, it at the edge so, let's say that email does get through and user, a clicks, on it well when they click on that link it's, gonna try to go to a website well. There's a lot of tools out there like Open DNS and, next DNS and piehole and umbrella and all these things that can actually capture it at that moment they click it before it exits, the company, and brings that information, in edge. Solutions, are all around us and many. Of them are Enterprise ready. Third. Come. On client. Ain't a virus, we've been talking about this since I was a little boy but. It's been around forever gotta. You gotta have a V running you got to have your scans up today you got to have your your, libraries. Up to date but. There's plenty of them out there we all know that this is a key component in a key layer of protecting, ourselves. Fourth. OS. Patches, I'm gonna pull, something out of one of the folks from the community but patch your stuff I mean, really it's not that hard just patch your stuff because. If you do unlike. The example that agent M gave they, would have been protected, because the patches, were, already out for, that particular, malware. If. You don't patch your stuff well. All bets are probably gonna be off v, is our backups, well. If. You have your backups on a system, that is potentially. Gonna be infected, by, malware. Like, a Windows machine you might, want to rethink your solution, you. Might want to figure out how, you can have something that won't be affected, and won't be attacked at the same time as everything else, and. Finally. If all else fails you're gonna have to recover, so how do you do that right, how do you do dr testing, how can you do an instant mass restore, how can you have the capability. To ultimately, go, back in time and fix, the problem, when. Training fails it's, not caught at the edge. Antivirus. Misses it and your stuff isn't patched, you're. Only left with your backups, and your ability to recover and that. Brings us to where cohesive, is your first last, and only line of defense against, us were scum of the universe known, as ransomware, so.
Let's Dig in a little bit not. Too much on how kec solves, this and sort of a five-step, approach. Well. First it's. About a reduced attack surface, we, give you the ability to protect control, and even leverage, your data over time we. Can consolidate backups. Do, global deduplication. And most importantly, manage all your operations globally. In a single UI and. A product called helios. Second. We, have tools such as cyber scan that can help you assess your security, posture we. Can actually scan a virtual, machine and tell you if it has potential, vulnerabilities. And do, you actually want to take the chance of rejecting, those vulnerabilities, during, a recovery, we. May know about, it because, it's, on our system, and we've scanned it and we may warn you to not use that a backup copy and use a different one. Third. Is our ability to defend, against, becoming an actual target, how, do we do this we do this by being an immutable filesystem. Multi-factor, authentication. Worm, capability. We, basically, lock ourselves down, to, not be a victim, should. Have buttons that say don't be a victim with cohesin, you on it because it would be kind of cool because this is a key, component of what we do. Forth. Is we actually have machine, driven anomaly, detection so. If we take a backup over time and we see what, we consider to be anomalies, for example, size. Of the backup set changes. Dramatically. Overnight, or between, backups, or over the course of some backups, or, better yet when, we go to index, that virtual machine and one, day we can index 400 files and next day we can only index two because they're all encrypted well. Guess what we're gonna throw you an anomaly, detection and, tell, you we, think you have a problem we can't tell you what the problem is we can just show you as this graph indicates. That. At this point in time something. Went amiss between. This back up in this back up we see a problem, we'll, even identify, the. First known, good, snapshot, for you to recover back to instantly. Which, brings me to our ability to recover we. Call an instant master store let, me walk you through how we actually do this but, you definitely want to get a demo of this the. First thing we do is we take your first backup and we set that aside and that's usually a full backup when. We take your next incremental, we'll. Take a zero. Cost clone of the first backup we'll, take the incremental, and we'll apply it to that clone this. Gives us two fully hydrated, images, with sub five-minute rpoS, we. Rinse and repeat this process so, every time you do the next incremental, we take another clone and. We apply that incremental, to it now I've got three fully hydrated, images, what, this results, in is a catalog.
Of Always, ready images, we. Call it snap, tree and something, you want to take a look at. Finally. When, we want to do an instant recovery, with near-zero, RTOS, we, have almost, no limit to the number of virtual machines we can do we, can do thousands, of these we do demos, of it with with hundreds, and you know 200 VMs, all at the same time, when. We do this process, what what's interesting about it is we actually will present. The data store to the, hosts we'll mount your recovered, VM run. It on the cohesive, data platform, while it's being. Restored. Which, brings it online within seconds, and that, will initiate a storage V motion to put it back on its primary storage or its its, SSD, tier or, wherever you want it to go or even a whole different, storage array for example you. Just a lot of options and this is something that you want to take a look at. So. In summary how. We become, the last line of defense for predictable, recovery, is first by having a reduced a reduced, attack, surface, as a single, global platform. Products. Like cyber scan that can assess your security, posture and your vulnerabilities. Defending. Against, becoming a victim ourselves. By having a mutable file system, and Worm capabilities. Being. Able to detect, a ransomware attack, on the backup copies. With. Helios, in machine driven anomaly, detection and finally, our ability, to respond, and respond, quickly to, a ransom attack ransomware. Attack with, global search and instant mass restore to bring your systems back online. With. That I'd like to thank everybody for listening to this presentation today. You, can visit us at the virtual booth and by, all means get. In touch with an se or somebody, to give, you a demo of some of these capabilities we've, talked about today and, keep yourselves protected, from ransomware. Definitely. Well and I think now, we. Can let people go, check. It out hopefully, they stay healthy and, we promise not to flash them with. The little stick that's done yeah. We don't want you to forget.