The New Realities of Ransomware

Alan Shimel and Mike Rothman from Securosis and DisruptOps talk Colonial Pipeline, JBS and all things ransomware. The video is below followed by a transcript of the conversation.

Alan Shimel: Hey, everyone. Thanks for joining us on another segment for TechStrong TV. My guest in this segment is the one, the only Mike Rothman. I feel like we’re on wrestling. Mike, of course, is the cofounder of Securosis, and I think it’s president-cofounder, or at least cofounder of DisruptOps, cloud, DevSecOps, cloud security, Securosis, of course, a well-known security ‒

Mike Rothman: General ‒

[Crosstalk]

Alan Shimel: Well, security gadfly and general pain in the ass ‒

Mike Rothman: That’s right.

[Laughter]

Alan Shimel: ‒ Mike Rothman.

Mike Rothman: What’s going on, man?

Alan Shimel: Mike, it’s good to see you.

Mike Rothman: Welcome to the summer ‒

Alan Shimel: I know you’ve been traveling.

Mike Rothman: ‒ of ransomware. It is the summer of ransomware, so I think that’s what we’re going to talk ‒

Alan Shimel: Is it just the summer? I thought it was the spring of ransomware and the winter ‒

Mike Rothman: Well, it’s been ‒

Alan Shimel: ‒ of ransomware before.

Mike Rothman: ‒ the last two years of ransomware, but now it’s front page, like kind of ‒

Alan Shimel: Absolutely.

Mike Rothman: NBC Today Show front page news. People can’t get their gas. That’s a problem, right? People can’t get their pork. That’s a bigger problem, right? They’re probably both pretty similar levels of problem, meat and gas.

Alan Shimel: I don’t know if they’re connected, but I have a different scale. When my wife’s family calls me up to ask about things that are security-related, that’s when I know shit got real.

Mike Rothman: That’s right. No, that’s exactly right.

Alan Shimel: Yeah. When my sister-in-law, who you have met, calls me up and starts asking me about ransomware, I shudder because I know that this is ‒

Mike Rothman: That’s right.

Alan Shimel: ‒ _____ across the _____.

Mike Rothman: It’s kind of like when you’re in a cab and the cabbie is telling you about tech stocks, and you’re just like ‒

Alan Shimel: Right ‒

Mike Rothman: ‒ “All right, it’s time to sell.”

Alan Shimel: ‒ “The world is about to end.”

Mike Rothman: Sell, sell, sell.

Alan Shimel: All kidding aside, it’s real. Here is a bit of good news I’ll share with you and our audience. I don’t know if you saw it today. I saw a word that, what is their name, Resident Evil, Res Evil, whatever ‒

Mike Rothman: Yeah, it’s REvil, but yeah.

Alan Shimel: REvil, right. I’m sorry. I’m doing movie titles in my head, but REvil. Their sites were taken down off the dark web today, supposedly, which means that hopefully the good guys did that.

Mike Rothman: Right. I was doing a call with a client, who is in, I’ll roughly call it, the intel business, and we were kind of talking about, “Well, what is going to happen with all this stuff?” again, summer ransomware and all this, and I said, “At some point …” Again, the president and a number of other folks have been jawing enough about kind of intervening in these things, that at some point they’re going to do it, and they’re basically going to show people. It’s just like, “Okay, we’ve given you a lot of rope, and now that rope is done, and now you’re going to see exactly what we can do when we decide to set your city on fire.” If they set _____ on fire today, fantastic. I mean, I don’t care, but kind of the point is people have to be reminded. It’s like, “Yeah, we kind of don’t talk much about it, but I’m pretty sure the folks that are on the U.S. side from an offensive standpoint are, if not top, certainly top two or three in the world at doing this stuff, so they’re going to ‒

Alan Shimel: No doubt about it.

Mike Rothman: ‒ light it on fire and ‒

Alan Shimel: I think also, though, Mike, that the word to the countries where these folks are posted was, “If you don’t get your dogs in order, we will ‒

Mike Rothman: That’s right.

Alan Shimel: ‒ and don’t discount that that’s not what happened here.

Mike Rothman: No, and listen. I think it would be fantastic if there was some intervention from higher powers that make this less of a problem, but that’s not really what I think we should talk about, right? I mean, that there are a whole bunch of companies, like every company that isn’t necessarily prepared to deal with this, and I get the same questions from all my friends and the kind of business that I get. Everybody knows that I do cybersecurity; therefore, I must be an expert on all this stuff, so, “What should I do in my business?” Sadly enough, it typically comes back to ‒

Alan Shimel: Time out. Mike, you make a living doing that, though. Who are you kidding?

Mike Rothman: But it doesn’t mean I want to do that for my friends and family.

Alan Shimel: All right.

Mike Rothman: I just want to be the guy drinking a beer and ‒

[Crosstalk]

Alan Shimel: I want it for the record on appeal. This is a guy who makes a living telling people about cybersecurity ‒

[Crosstalk]

Mike Rothman: ‒ and that’s the self-deprecating aspect of that ‒

Alan Shimel: All right, we’ll continue along. Go ahead.

Mike Rothman: ‒ and the fact that since I do this 60 hours a week, the last thing I want to do is talk ransomware ‒

Alan Shimel: _____ anyone else.

Mike Rothman: ‒ when I’m at a barbecue, right?

Alan Shimel: Exactly. Okay.

Mike Rothman: You know, so a lot of it gets back to the fact that we still suck at operational security. We’re not great at keeping things patched, we’re even worse at kind of fortifying the perimeter and what even does that mean now that we’ve got remote people everywhere? We’re not really good about managing our identities or our MFA to make sure that that happens all over the place. People constantly ask, “What should I be doing?” I’m like, “Do the stuff we’ve been talking about for the last 20 years.” Our pals at CISA, kind of the government entity, I mean they just published, again, it was a very good-looking infographic. It’s called Risk and Vulnerability Assessment, the RVA, mapped to the MITRE ATT&CK framework.

They have this thing, you can just Google that and find it, and it’s really fancy, and it says things like, “Mitigations for top techniques, application developer guidance.” Tell your developers not to do stupid stuff. Use your training. Tell your users not to do stupid stuff. Use your account management, privileged account management, password policies. All three of those identity-related, right? Network segmentation, network intrusion prevention, this is _____. We’ve been in this business ‒

Alan Shimel: Yeah, this is 101 stuff. I mean, here’s the bottom line, though. Let me take a contrarian position. Not unusual when I’m debating the great Mike Rothman. The thing that’s particularly insidious about the latest ransomware waves is that you can’t point to just one thing. It wasn’t that I sent you a phishing e-mail, and you clicked on it and BANG, I got you. Yes, that is one vector. The other vector is they’re getting in through your website. Another vector is they’re not necessarily encrypting your data, they’re taking down your web servers, they’re taking down your websites. It happened to us here at MediaOps two weeks ago, Security Boulevard and DevOps.com were both victims of a distributed denial-of-service attack. They were flooding the search bar, was what we eventually found out after a day or so, and it’s a pain in the ass. I mean, because it’s the Whac-A-Mole game. You put a WAF up, but they’re changing IPs on the fly, and ‒

Mike Rothman: Right, and then if you look at Kaseya, that was a zero-day against that tool, which then gave them the ‒

Alan Shimel: Ability to go in and do the ransom.

Mike Rothman: ‒ _____ and the foothold to go in and do the rest of the stuff.

Alan Shimel: There are so many vectors here.

Mike Rothman: There is, so even if you do, and this is where I was getting to, even if you do the fundamentals well, which you have to do, you’re ‒

[Crosstalk]

Alan Shimel: ‒ be a victim.

Mike Rothman: So, let’s talk about backups, because everybody, it’s controversial. “Should I pay these guys? I have to pay them because ‒

Alan Shimel: Absolutely don’t pay them.

Mike Rothman: ‒ it’s going to take me a month.” You know, “It’s going to take a month to go do that.” But, the point is, and here’s where it really gets insidious, they’re not pulling the trigger right when they compromise the environment. They’re looking ‒

Alan Shimel: They’re waiting.

Mike Rothman: ‒ at mapping the networks. They’re finding the backups, and they’re destroying them. That’s where we have to be like, “Okay, we’ve got to have ‒

Alan Shimel: Let me give you a better insidious.

Mike Rothman: ‒ a different idea.”

Alan Shimel: I saw a number today, Mike, 31 percent of small-medium businesses that are hit by ransomware wind up going out of business, out of business. That’s penalty. Yeah, that’s insidious. That’s terrible.

Mike Rothman: Right, so how do we recover? The magic is, and a lot of what we do, obviously, is cloud-centric now, so a lot of folks have backed up and said, “Oh, we back up things to the cloud.” It’s like, “Okay, that’s great. It’s great that you have stuff in, let’s say, an S3 bucket, or Azure Blob or wherever it is. That’s great, but, again, if they’re persistent in your environment, they’re looking and they’re seeing that network connection, they’re seeing the data go up there. They go up and they get rid of that data, so what do I do?” Well, AWS has this thing, it’s called S3 Glacier, and what you can do is you can move your data, your backup to Glacier, and you can lock Glacier down where you can’t change it. It becomes immutable data. That’s one of the things that we have to start getting better at, and that’s an advanced notion, right? Joey Bag o’ Donuts, or Bob’s Dental Service, you know, kind of, “Cavities are us,” they’re not going to get there. But, for those companies that are targeting and trying to protect terabytes, maybe even petabytes of data, you can move this stuff, and Glacier is cheap, right? Glacier is cheap, so you ‒

Alan Shimel: Very cheap.

Mike Rothman: ‒ pay for Glacier a little bit, you do it once a week, and you know what? Maybe you lose a week of data; you don’t go out of business, and that’s the point. We have to start thinking not just about doing the basics of security better, we have to start thinking about how do we protect that data? How do we make it immutable so that even if somebody does come in and they blow away my S3 bucket, I still have something sort of recent in Glacier. I want to use PaaS services. My ransomware is not getting at my data that’s in DynamoDB, or Azure SQL, so my data has got to be, and so we have to start thinking about kind of these data protection strategies because we’re probably not going to get there from protecting our devices and our networks from these things. I’ll get off the soapbox now.

Alan Shimel: Never underestimate Joey Bag o’ Donuts’ security chops.

Mike Rothman: I will tip my hat to a guy I used to work with, a former colleague called Jack Hembrough, and he was old-school. I mean, at Application Security, Inc. and Raptor back in the day, and ‒

Alan Shimel: Oh yeah, I remember those.

Mike Rothman: ‒ just a really fantastic guy. Joey Bag o’ Donuts was his kind of example company, the example small company, basically stuff you would never want to build a security product for because they have no idea what they’re doing.

Alan Shimel: Yeah. No, I knew people named Joey Bag o’ Donuts. They live near the airport. But, anyway ‒

Mike Rothman: Yeah, that’s right, in New Jersey.

Alan Shimel: Yeah.

Mike Rothman: They were in the sanitation business.

[Laughter]

Alan Shimel: Yeah, _____ sanitation. But, anyway, you’re right, Mike, there is a thing. You mentioned before, though, the whole issue of do you pay the ransom or not. I used to be of the opinion if it made sense and it expedited getting your data, in some cases maybe it made sense. I’ve now come the other way, where I think you don’t negotiate with terrorists. Fuck them. Don’t give them the money. I’m curious, what is your thought on that?

Mike Rothman: I’m more in your former bucket, but mostly just because there are some organizations that can’t recover, so if my choice is pay or go out of business, I’m probably going to pay. Hopefully, you don’t pay twice, because you’re just opening it up, so if you’re not protecting yourself at that point, shame on you. Again, I mean, if anything, summer ransomware really should be a wakeup call to everybody to say, “Get your act together, because it’s coming for you. It’s statistical. It’s not that you’re better at security, it’s not that you’re lucky, it’s that they just haven’t gotten around to it yet, and they’re going to get you. When they do, you’ve got to be ready.” Obviously, if you’re ready and you can recover within a reasonable amount of time, then no you don’t pay, and I think that everybody’s goal should be to ensure that they can recover within a reasonable amount of time. I don’t think that’s outlandish. That’s not an unreasonable goal. It doesn’t have to be in real time, but it can’t be three months, either.

Alan Shimel: Mike, another thing I wanted to mention about the ransomware, though, as I mentioned before, it’s not just the encryption of assets, the denial of service. There are multiple ways of kind of bringing these organizations to their knees and extracting money out of it. What I find interesting is we were dealing with sort of state-sponsored, like last winter, the supply chain attacks, the other stuff, we saw a lot of state-sponsored stuff. Ransomware seems just like good old fashioned financial pilfering, right?

Mike Rothman: Yeah, that’s right. That’s right, smash and grab.

Alan Shimel: Yeah.

Mike Rothman: Smash and grab.

Alan Shimel: No, don’t kid yourself. There are countries, like in North Korea, that’s how they get their foreign currency _____.

Mike Rothman: Yeah. No, that’s right, but I also think that it is wink-wink, nod-nod with a bunch of these state environments who they don’t lock down, even though they know exactly who the actors are. In a lot of cases, they’re using either discarded or old attacks kind of that the nation state had come up with, so there is definitely collusion between your nation state and your bigger malware networks. I think that’s what kind of CISA and Biden and a bunch of these guys have been talking about it, is you’ve got to step into this or else we’re going to. I think we’re starting to see kind of some of that already, which would be great.

Alan Shimel: Let me try to bring a little closure to this. Where do we go? Does it just become part of the woodwork, like COVID is always going to be around and we live with it, or does something fundamentally change? Don’t tell me humans are going to change about ‒

Mike Rothman: No, humans are not going to change. Phishing has become part of the landscape, and you just kind of deal with it. I think ransomware and what it’s done is it’s changed the math, because when it was phishing, “Okay, we had some data loss and maybe we’ve got to tell our customers. They’re pissed off, and maybe our stock takes a hit for three days, and then we move on.” You’re out of business for X amount of days, like you’re a meatpacker or you’re Colonial Pipeline or some of these people, I mean the consequences are more severe. The economic impact is much different in this scenario, so I think that’s going to drive another wave of investment in security products because now we have to. Again, hopefully it helps in terms of helping us do the easy stuff better.

Hopefully, as we move towards SaaS and re-architect our applications and do our DevOps type things that you spend the other half of your time, or 60 percent of your time kind of doing and focusing on, hopefully that gives us better reliability, better kind of survivability, better resilience on these infrastructure components. But, we’re not going to have a choice, and the problem is right now you have a lot of really cool tech on the security side, whether it’s analytics, or whether ‒ if it doesn’t directly relate back to ransomware right now, it’s hard. It’s hard to get a hearing with customers now because if it ain’t ransomware, it ain’t, you know, and so ‒

[Crosstalk]

Alan Shimel: ‒ job one.

Mike Rothman: ‒ killing it, the network security guys are killing it now with old-school technology. Again, we’ve just underinvested for a long time, and I think that’s something that’s changing.

Alan Shimel: I hope it is. Again, I don’t know if I’m as optimistic as you.

Mike Rothman: I didn’t say it was going to have a big impact. I just said a bunch of security companies are going to get richer.

Alan Shimel: Yeah, they’ve been getting richer. They’ve been getting richer. You look at ‒

Mike Rothman: It is strange to know billionaires well, and you do, too, right? I mean, we know billionaires, and that’s a kind of strange thing. That was always kind of those other people. It’s like, “No, it’s that dude. I’ve had beers with him many times, and we chat on the ‒

Alan Shimel: He ain’t that smart.

[Laughter]

Mike Rothman: The guys I know that are billionaires are pretty smart. They may not be great people, but they’re very smart.

Alan Shimel: Okay, I’ll go with that.

Mike Rothman: Don’t touch that one.

Alan Shimel: I don’t want to name names here. Adam 12, Adam 12, One Adam 12. The names have been changed. Anyway, Mike, it’s a pleasure as always having you on talking security with our friends from Securosis and DisruptOps. Come back and talk soon.

Mike Rothman: I will. I always do.

Alan Shimel: All right. Say hello to your family, say hello to your business partner, the redhead there. Tell him we miss him. One of these days bring him around with you.

Mike Rothman: Yeah, we could do that.

Alan Shimel: All right. Mike Rothman, Securosis and DisruptOps here on TechStrong TV. We’re going to take a break. We’ll be right back.

[End of Audio]

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
