00:00:03 Sean Aylmer: Welcome to the Fear and Greed Daily Interview. I'm Sean Aylmer. I've talked a lot on this podcast about cyber security, but if you have ever wanted proof of just how big an issue it's becoming, here it is. New research from McGrathNicol shows 35%, three five, of Australian companies have suffered a ransomware attack. A staggering 83% of those businesses went on to pay a ransom to have their computer systems unlocked or their stolen data returned or deleted. Darren Hopkins and Shane Bell are cyber partners at McGrathNicol Advisory, which is a supporter of this podcast. Darren, Shane, welcome to Fear and Greed.

00:00:38 Shane Bell: Thanks, Sean.

00:00:39 Darren Hopkins: Thanks, Sean.

00:00:40 Sean Aylmer: Shane, when you did this survey, were you surprised by how many companies had actually been hit? I thought that number was incredible.

00:00:46 Shane Bell: A little, Sean. I think for us, there's always been official statistics and anecdotal statistics. We obviously spend a lot of time at the coalface on incidents. And so, we were pretty alert to the fact that these ransomware attacks are pretty common, and that's what's come through in the statistics a bit ahead of perhaps some of the official statistics. So I was a little surprised, but also not surprised, if that makes sense.

00:01:12 Sean Aylmer: Yeah. Okay. I suppose many of us outside the industry just aren't aware of how prevalent it is, Shane.

00:01:18 Shane Bell: That's true. I think for those in the industry, and particularly those like Darren and myself who spend a lot of time every single week for most of the year working with organizations that are suffering these types of events, we certainly know that they're a very common occurrence across the business landscape in Australia.

00:01:36 Sean Aylmer: Darren, what type of ransomware attacks were these companies experiencing? What were the attackers actually doing?

00:01:42 Darren Hopkins: That's a difficult one to actually quantify. When we're looking at ransomware, we often look at, we call it the threat actor group, the group responsible for it. And each of those groups has their own type of ransomware or software or kit that they use, and they also have their own methods of attack. And what we did see was a pretty even cross-section of most of the large groups being represented in the statistics that came through. Look, ultimately, what we are seeing, which is quite interesting, is that the attacks that the companies are experiencing are changing. We're seeing an evolution all the time of the attacker working out what worked and what didn't work and updating their actual processes themselves and adjusting the way they attack business to be more successful. And even in the last two months, we've now started to deal with ransomware attacks that we may have to change their name because there was actually no ransom software. There was no malware injected into the business. They just got into a business and they spent some time working out how to destroy all of their systems, and they leave a password-encrypted backup behind. It's very nontraditional in that you don't have a page saying, "You've got a countdown timer and you need to pay this ransom." The threat actor contacts you directly and says, "Hey, you need the password to restore. Let's have a conversation."

00:02:56 Sean Aylmer: It just seems that it's very difficult to get ahead of the curve on this one, Darren. There are plenty of people out there who are prepared to undertake this criminal activity, and we always seem to be chasing our tail a bit.

00:03:07 Darren Hopkins: Yeah, look, it's true. We get asked to help businesses put together a playbook. "Can you help us, guide us through a process when a ransomware occurs?" And it's really difficult, because there is no standard process. There are things that you need for sure. But every time we've done one, and we do a lot of ransomwares. I think we've got three on at the moment that our teams are working on at this point; all three are very different. All three have different requirements around how you respond, and all of the companies involved in these three have a very different path they're going down at the moment because of what's happened to them. It's very difficult.

00:03:38 Sean Aylmer: Shane, what's the average ransom that businesses pay?

00:03:42 Shane Bell: The stats on this get a little murky, Sean, but we can see from the research that we've just done that on average, the cost was about $1 million. So, I think we had one in four respondents say that they'd paid less than $500,000. We had one in five thereabouts that had paid between $500,000 and $1 million, and then one in three paid over $1 million. So, I think that average is over $1 million, which is quite high. I think some of the other stats that I'd seen through the industry were around that $600,000 to $800,000 mark. So, it's quite significant sums.

00:04:17 Sean Aylmer: Why do they pay it? Is it just because they can't operate unless they pay it?

00:04:21 Shane Bell: I think that was the line of thought that a lot of people were gravitating towards, although I'm inclined, in what's come through in the research, to think a little differently, and that is that ransomware has evolved to be an extortion play. And so, it's become less about the operability or the inoperability of systems and more about reputation and the risk of harm. So, reputation for an organization that's going through a ransomware event, they're very alert to that, and so that's one of the key motivating factors. But then equally the risk of harm to customers, employees, or to the business; that seems to be a pretty key motivational driver for organizations that are weighing up the "to pay or not to pay" equation.

00:05:04 Sean Aylmer: The public relations aspect of it is obviously increasingly important, I think that's what you are saying. When I read the report, what I found interesting was that, notwithstanding that so many people have been attacked by ransomware; if one of their suppliers, for example, were attacked by ransomware, there wasn't a lot of empathy with that, because the respondents to the survey actually said, "Yeah, we probably wouldn't trust our suppliers quite as much if they had been attacked by ransomware."

00:05:28 Shane Bell: It is a little ironic, isn't it, that we can have this scenario where it's, "Don't judge me too harshly, but I may judge others a little harshly." But what's become really apparent in this field of cyber security, and Darren and I've watched this grow over the span of our careers, some 20-plus years; it does play out much more publicly now. And there is a bit of victim shaming that goes on within the cybersecurity sphere, where the assumption made by people if you read about a ransomware attack in the paper is that they actually have poor security, which isn't always the case at all.

00:06:01 Sean Aylmer: It's really interesting. Stay with me, we'll be back in a minute. I'm talking to Darren Hopkins and Shane Bell, partners at McGrathNicol Advisory. Darren, what about insurance? Are many companies using ransomware insurance? Does it work? It must be expensive, I'd imagine.

00:06:19 Darren Hopkins: Look, it's a good question, Sean. Most of the work we're doing is actually on the back of someone being insured, where an insurance policy triggers and one of the things you get access to is expertise and support to help you. So on that bit, people who have got the ransomware coverage will generally get help in getting through the problem. As far as the actual ransom being covered, that's an interesting one; not always, is the answer. Some policies absolutely have quite clear coverage for you paying a ransom payment, and recovering that payment you've made is part of your policy. But there is certainly some fine print that people should be aware of. One thing we're seeing pop up all the time now is that there's some fine print on a lot of policies that says that they won't pay if the ransom was subject to a sanctioned entity. So, that means that the threat actor group that's done this is on a sanctions list somewhere. Now, that's difficult to determine. And often that does mean that in some countries, that threat actor group has effectively been considered a terrorist. Now, I know that some of the ransoms that we have seen paid, from the groups that have paid them, are absolutely on those lists, and a lot of businesses would not have even thought that they have to go off and work out who attacked them before they get that particular type of coverage.

00:07:32 Sean Aylmer: So, what's the normal timeline after the attack? How quickly does it go from initial incident to a payment being made? Is it hours or is it months?

00:07:41 Darren Hopkins: I think the stats in the survey indicated that 48 hours seems to be when a lot of these payments are being made. We've seen a lot of payments made for different reasons. And 48 hours seems to be about as fast as you could probably do this. By the time you've worked out what's happened, you've worked out who's doing it and the amount. And more so, the process is entered to determine, "Are they honestly able to give us what we want back?" Not just paying money for the sake of it with no guarantee. If you want to then talk to them and try to obviously shrink their payment, it can go into weeks. So, I've seen anywhere from 48 hours to three weeks being about the most before a payment is made.

00:08:18 Sean Aylmer: So Darren, you can actually negotiate the amount?

00:08:22 Darren Hopkins: You absolutely can. You can reduce the amount that you pay through a negotiation. You are actually talking to real people. The way this actually works is the ransom note that most people see on their desktop actually has a link, and that link goes to a location on the dark web somewhere, which is where the threat actor group has a... Let's call it their webpage. When you put in that code that comes with your ransom note, that connects you to a private page between your company and the threat actor, so that you can actually have a chat with them, and they've actually got a chat function. Like most of those websites; a shopping website, you pop up, a little box is down in the right-hand corner for you to chat with someone. That's available, and that is actually a real person you'll be talking to. When you're negotiating, there's a range of things that you are talking to them about. You're trying to get some proof of what they've taken. You want to try to understand, "Did they take my information?" and what information they took. They'll often give you a list of what they've taken to prove that. They'll send you screenshots of what they've taken. They'll want to give you confidence that they are honestly in a position to hold you to ransom, because they've got your material. During that time, you will also be able to determine whether or not they can undo the ransomware. So, can they unencrypt your data? And there's a process that you can talk to them about that. And then finally, of course, you can talk to them about price. There's a risk there though, and some of the statistics we've seen, and even on some of the matters we've worked on, there's an issue called re-extortion that can come up. And the real risk is that if you push too hard and you get too much of a discount, the chance of re-extortion goes up, and there's a whole lot of statistics that sit around, "Should I pay, and what's the chance of re-extorting, and are they going to be honest?"

00:09:58 Sean Aylmer: It's game theory.

00:09:59 Darren Hopkins: It is. And how honest are these criminals? It's such a ridiculous thought to have.

00:10:05 Sean Aylmer: So, I remember reading a story, I think it was the big pipeline down the East Coast of the U.S. last year. And the problem is once they actually paid their ransomware to get the pipeline flowing again, it took weeks and weeks. And in the end, they worked out a way around, I think the actual owner of the pipeline worked a way around it before it actually got operating again. How big is the issue that you can talk to the people who are extorting you and they say, "Well, this is what you need to do to clean your systems." How confident can you be that they're being honest in that?

00:10:37 Darren Hopkins: Interesting. During a negotiation, there are particular businesses whose whole job is to negotiate on your behalf, and they have statistics that go to each of the threat actors. For instance, I've been in a meeting where I was subject to a conversation about a threat actor where they said, "Look, 100% honest, these guys. In the 120-odd ransomwares we've seen of these guys, they have never gone back on their word. So therefore, we should consider them honest." You're still dealing with criminals.

00:11:05 Sean Aylmer: Honor among thieves, here.

00:11:06 Darren Hopkins: It is crazy. But, you've got to remember too that for these groups, one of the things that they want to do is they want people to think if they pay a ransom, they will get their data back, because the likelihood then of you paying is higher. And the last thing they want to do is just be seen to be dishonest, because then the decision to pay or not to pay is actually quite easy. It's, "Well, we can't trust them in any event. So, why would we ever pay?" Whereas at the moment, a lot of these groups have got themselves to the point where it's likely you'll get a tool to get your data back, it's likely they won't release your data to the dark web, and it's likely that you won't have a harm issue beyond what you've already got. And that's, I guess, what you're paying for: a higher chance of not making it worse.

00:11:48 Sean Aylmer: It's like having really high credit quality or something like that. I'm not quite sure. Shane, I'm interested in where these attacks are actually coming from.

00:11:59 Shane Bell: That's one of the million-dollar questions, Sean, I have to say. And as with anything where intelligence is an important part of combating the threat, cyber is no different in that world. Cyber intelligence is a really important aspect of understanding the landscape and the marketplace and the threat actors and tradecraft and all this terminology that I still get to use even though I'm no longer in the military. It's mostly Eastern bloc, Russian countries, affiliate programs. That's where, for the most part, you can see a lot of this activity coming from. Certainly the main ransomware operators seem to operate from those jurisdictions. Affiliates. So, think of it as like a franchisee-type arrangement where there's a group that owns the ransomware, and then there's people that sign up to use the ransomware. They're the little sub-gangs, if you like. The affiliates. That's, again, mostly out of those regions, but it's really based on the infrastructure that they're using to execute it. So, when you can see how that attack lands in a person's environment, it's an IP address that allows you to be able to understand where that's come from. I won't get into the technical specifics, but a lot of the IP addresses that we see seem to be coming from that part of the world now. There is a very small amount of commentary that is starting to contemplate whether there's something more sinister at play for highly sensitive information, whether there's things like nation-state threat actors that are subcontracting ransomware operators to be able to steal the IP, make some money out of it, then pass the IP off to the nation state. That is still early days in terms of how mainstream that type of intelligence is.

00:13:41 Sean Aylmer: Okay. And do they target businesses that are data rich, or do they target businesses that are rich, full stop?

00:13:48 Shane Bell: Yeah. I think there's a couple of different motivators behind that and therefore why an organization might get attacked. The most basic of that is that it's unsophisticated and that it's because you've got vulnerabilities in your environment. Your IT hygiene hasn't quite kept up to speed, the vulnerability exists and you're unlucky. That's a pretty common attack on an organization. So, that's indiscriminate of size or sector or anything like that. That's just whether you've got good IT or bad IT in place. There are obviously more sophisticated attacks that'll look to do big game hunting or whale hunting, they call it out there. I don't advocate for any of those things, game hunting or whale hunting, but that's the terminology that's used obviously, which is about a sophisticated attack on a large organization because the payday could be significant. So, those types of attacks occur as well, and they'll be organizations that are data rich, money rich. Or if it plays out publicly, has a bit of a hacktivism type of element to it.

00:14:49 Sean Aylmer: Yep. Yep. Yep. Okay. So, I mean, it sounds to me that you can never be 100% sure that you can prevent ransomware, but what should companies be doing, Shane, to prepare themselves?

00:15:00 Shane Bell: Well, we talk to businesses of all shapes and sizes, and I like it that the Australian cyber security community isn't just focusing on the publicly listed companies and providing advice there, and is focusing on small-medium enterprise and businesses of that size. It's about having good IT hygiene. That's a term I mentioned before. You need to be able to do the basics really well and very regularly. It's no set-and-forget with cybersecurity. So we often talk about patching systems. It's easy to fall out of a routine on patching vulnerabilities on systems. How many people get the alert on their iPhone that says Apple's released an update and you go, "Oh, I'll do it later. I'll do it later"? You need to not get into that habit with some of the basics, and then you build into a cybersecurity program where your focus is on resilience. One of the core components of resilience that's becoming increasingly important in a ransomware type of event is your ability to respond and recover. So, you need to be able to withstand what's happening, but get out the other side. And so, this is where I use some of my military experience to talk to my clients about the fact that I navigated ships for a lot of years in the military, and there was no chance that I was ever allowed to start that ship off a wharf alongside in Sydney without extensive planning, months of planning, knowing what you needed to do, and people need to think about cybersecurity that way. Lots of planning, lots of training, lots of rehearsing. You need to get out the other side. So, it's not if but when, and you need to put a lot of effort into your training.

00:16:30 Sean Aylmer: Okay. And one final one, Darren. Does paying a ransom make a company more susceptible to being targeted again, because the infiltrators know that they'll pay?

00:16:39 Darren Hopkins: Well, look, it really depends on where the company landed. One thing is if they've paid a ransom; these honest criminals that we were talking about, they're less likely to want to come back and have another go at you. It's obviously part of their reputation they're preserving. But quite clearly, if you've been found to pay a ransom, other groups will see you as a target because they know that you are willing to actually make that payment. What's really important, and to Shane's point, we're talking about what should businesses do; it's what you do after the ransomware event that's going to really be the important factor that will reduce the risk. So, most businesses will exit a ransomware event with systems back up and running to some degree. They may have paid, they may not have, and they should have a program of work around remediation. So, "How do we stop this from happening again? What do we need to do? And did we actually find out how they got in?" The expectation is you spend a lot of time making sure that you remove yourself as being a target. I would say 90% of the ransomwares we've dealt with could have been quite easily prevented with some basic changes to their systems. Or, as Shane said, some good hygiene in the way that they look after them.
That's 350 00:17:44,480 --> 00:17:46,900 Darren Hopkins: the majority of those attacks could have been defeated quite 351 00:17:46,900 --> 00:17:50,300 Darren Hopkins: quickly, and that's the real key piece there. But I 352 00:17:50,300 --> 00:17:52,470 Darren Hopkins: have actually seen some clients who didn't go down that 353 00:17:52,470 --> 00:17:55,810 Darren Hopkins: path and have been hit three times. And we often 354 00:17:55,810 --> 00:17:58,730 Darren Hopkins: talk to clients, and I had one in particular, and 355 00:17:58,730 --> 00:18:01,350 Darren Hopkins: this is a worst case scenario for a ransomware event; the 356 00:18:01,350 --> 00:18:03,619 Darren Hopkins: business ended up in an insolvency event. They had lost 357 00:18:03,619 --> 00:18:07,760 Darren Hopkins: everything and they were unable to rebuild their systems and 358 00:18:07,820 --> 00:18:09,980 Darren Hopkins: they weren't able to pay the ransom because their IT 359 00:18:10,300 --> 00:18:14,350 Darren Hopkins: person had decided to delete the notes. For that particular group, that 360 00:18:14,350 --> 00:18:17,869 Darren Hopkins: was it. There was nowhere to go and they were unable to 361 00:18:17,869 --> 00:18:18,730 Darren Hopkins: recover at all. 362 00:18:19,100 --> 00:18:21,150 Sean Aylmer: I don't think we're ending this in a high note, but it's been 363 00:18:21,150 --> 00:18:24,690 Sean Aylmer: a fascinating conversation, nonetheless, and I've learned a lot. Darren, 364 00:18:24,690 --> 00:18:26,221 Sean Aylmer: Shane, thank you for talking to fear and greed. 365 00:18:26,221 --> 00:18:26,561 Shane Bell: Thanks, Sean. 366 00:18:26,920 --> 00:18:27,470 Darren Hopkins: Thanks, Sean. 367 00:18:28,410 --> 00:18:31,070 Sean Aylmer: That was Darren Hopkins and Shane Bell, cyber partners at 368 00:18:31,070 --> 00:18:34,760 Sean Aylmer: McGrathNicol Advisory, and supporters of this podcast. This is the 369 00:18:34,760 --> 00:18:37,090 Sean Aylmer: Fear and Greed Daily Interview. 
Join me every morning for 370 00:18:37,090 --> 00:18:39,340 Sean Aylmer: the full Fear and Greed podcast with all the business 371 00:18:39,340 --> 00:18:42,170 Sean Aylmer: news you need to know. I'm Sean Aylmer, enjoy your day.