WEBVTT - How Does Ransomware Work?

0:00:01.920 --> 0:00:06.640
<v Speaker 1>Welcome to BrainStuff, a production of iHeartRadio. Hey, Brain

0:00:06.720 --> 0:00:11.840
<v Speaker 1>Stuff, Lauren Vogelbaum here. In March, Atlanta was hit

0:00:11.920 --> 0:00:15.160
<v Speaker 1>with a ransomware attack that infected nearly three thousand eight

0:00:15.200 --> 0:00:19.440
<v Speaker 1>hundred government computers belonging to the City of Atlanta, including servers.

0:00:20.120 --> 0:00:23.640
<v Speaker 1>After the virus was deployed, the ransomware essentially locked all

0:00:23.640 --> 0:00:28.200
<v Speaker 1>the infected computers, rendering them impossible to access. Atlanta's court

0:00:28.280 --> 0:00:31.560
<v Speaker 1>system went down. Police were unable to check license plates,

0:00:31.680 --> 0:00:36.360
<v Speaker 1>residents couldn't pay bills online. Just three weeks before Atlanta

0:00:36.440 --> 0:00:40.240
<v Speaker 1>was hit, the small city of Leeds, Alabama, also experienced

0:00:40.240 --> 0:00:44.479
<v Speaker 1>an identical cyber attack, and before Leeds, in January, it

0:00:44.560 --> 0:00:47.760
<v Speaker 1>was the Hancock Regional Hospital in the suburbs of Indianapolis.

0:00:49.240 --> 0:00:51.440
<v Speaker 1>What these three attacks have in common is that they

0:00:51.440 --> 0:00:55.600
<v Speaker 1>were all hit by SamSam ransomware. Each attack demanded

0:00:55.640 --> 0:00:59.000
<v Speaker 1>around the same amount, about fifty thou dollars in cryptocurrency.

0:00:59.720 --> 0:01:03.880
<v Speaker 1>Hancock Regional Hospital and Leeds, Alabama, paid the ransom. However,

0:01:04.000 --> 0:01:06.920
<v Speaker 1>the City of Atlanta did not. Instead, it chose to

0:01:06.959 --> 0:01:12.040
<v Speaker 1>pay millions to get its systems back online. Ransomware

0:01:12.200 --> 0:01:15.520
<v Speaker 1>is when a cybercriminal accesses a network of computers,

0:01:15.840 --> 0:01:18.680
<v Speaker 1>encrypts all of the data and extorts the company or

0:01:18.800 --> 0:01:23.920
<v Speaker 1>organization to unlock it, essentially holding the network hostage. For

0:01:23.959 --> 0:01:26.240
<v Speaker 1>the article this episode is based on, HowStuffWorks

0:01:26.240 --> 0:01:29.760
<v Speaker 1>spoke with John Hultquist, vice president of analysis at Mandiant

0:01:29.840 --> 0:01:34.240
<v Speaker 1>Threat Intelligence at FireEye, an intelligence-led security company.

0:01:34.520 --> 0:01:38.160
<v Speaker 1>He explained that these attacks are nothing new. However, in

0:01:38.200 --> 0:01:41.960
<v Speaker 1>the first half of the number of organizations impacted by

0:01:42.040 --> 0:01:45.200
<v Speaker 1>ransomware across the globe has more than doubled compared with

0:01:46.480 --> 0:01:50.000
<v Speaker 1>another report identified more than eight hundred extortion attempts that

0:01:50.200 --> 0:01:54.040
<v Speaker 1>likely had data stolen, and the targets are now becoming

0:01:54.200 --> 0:01:57.600
<v Speaker 1>much more high profile. In the US alone, since April,

0:01:57.880 --> 0:02:02.240
<v Speaker 1>prominent companies like Colonial Pipeline, JBS Foods, the NBA, and

0:02:02.400 --> 0:02:07.120
<v Speaker 1>Cox Media Group have all been hit. Hackers typically access

0:02:07.160 --> 0:02:10.680
<v Speaker 1>networks through phishing attacks, which are emails sent to employees

0:02:10.720 --> 0:02:13.680
<v Speaker 1>tricking them into giving up passwords or clicking on malicious

0:02:13.720 --> 0:02:16.640
<v Speaker 1>links that will download the malware onto the company network.

0:02:17.520 --> 0:02:20.640
<v Speaker 1>Ransomware also looks for other entries into company networks

0:02:20.720 --> 0:02:24.120
<v Speaker 1>via passwords that are easily cracked, like one two three

0:02:24.280 --> 0:02:29.360
<v Speaker 1>q w e, for instance. So why so many, and

0:02:29.400 --> 0:02:34.560
<v Speaker 1>why now? Hultquist explains it like this. Originally, ransomware

0:02:34.680 --> 0:02:38.400
<v Speaker 1>was mostly automated and targeted small systems with vulnerable passwords,

0:02:38.480 --> 0:02:42.320
<v Speaker 1>open networks, and easy entryways. He calls it spray and

0:02:42.360 --> 0:02:46.160
<v Speaker 1>pray. Quote: The ransomware would go out and hit whatever

0:02:46.160 --> 0:02:48.680
<v Speaker 1>system it could get. The attackers were known to be

0:02:48.840 --> 0:02:51.840
<v Speaker 1>quite friendly. They would unlock the data, even offer discounts

0:02:51.880 --> 0:02:55.760
<v Speaker 1>sometimes and then move on with their life. But then

0:02:56.000 --> 0:03:00.440
<v Speaker 1>things changed. Hultquist says criminals started making large directed

0:03:00.440 --> 0:03:04.720
<v Speaker 1>attacks on bigger companies with more money, and ransoms skyrocketed.

0:03:05.320 --> 0:03:09.080
<v Speaker 1>in Companies paid more than four hundred and six million

0:03:09.120 --> 0:03:13.320
<v Speaker 1>dollars in cryptocurrency and ransom to attackers. Hultquist said,

0:03:13.800 --> 0:03:16.680
<v Speaker 1>these new targets have to pay out because often they

0:03:16.720 --> 0:03:21.160
<v Speaker 1>are critical infrastructure; they have to get back online. Consumers

0:03:21.200 --> 0:03:24.000
<v Speaker 1>are actually a factor because they are forcing these companies

0:03:24.000 --> 0:03:28.080
<v Speaker 1>to make hasty decisions as far as paying. That was

0:03:28.120 --> 0:03:31.079
<v Speaker 1>the case in the Colonial Pipeline attack. The hack took

0:03:31.120 --> 0:03:33.680
<v Speaker 1>down the largest fuel pipeline in the United States on

0:03:33.720 --> 0:03:37.720
<v Speaker 1>April and prompted mass fuel hoarding across the East Coast.

0:03:38.360 --> 0:03:41.240
<v Speaker 1>CEO Joseph Blount told The Wall Street Journal that the

0:03:41.280 --> 0:03:44.240
<v Speaker 1>company paid the ransom, four point four million dollars in

0:03:44.240 --> 0:03:48.360
<v Speaker 1>bitcoin, to bring the pipeline back online, but the decryption

0:03:48.440 --> 0:03:52.000
<v Speaker 1>key that the adversaries provided didn't immediately restore all of

0:03:52.040 --> 0:03:56.320
<v Speaker 1>the pipeline systems. The good news for Colonial is that

0:03:56.360 --> 0:03:59.040
<v Speaker 1>the US Department of Justice announced on June seven that

0:03:59.080 --> 0:04:02.200
<v Speaker 1>it recovered sixty-three point seven bitcoins, valued at about

0:04:02.200 --> 0:04:04.920
<v Speaker 1>two point three million dollars, that Colonial had paid to

0:04:04.960 --> 0:04:09.320
<v Speaker 1>its hackers. Of course, not paying the ransom can be

0:04:09.360 --> 0:04:13.120
<v Speaker 1>just as problematic. Hultquist said, some of these companies

0:04:13.160 --> 0:04:15.640
<v Speaker 1>don't want to pay, so they forced them to pay

0:04:15.720 --> 0:04:18.960
<v Speaker 1>by leaking their data publicly. That's a proposition that a

0:04:19.000 --> 0:04:22.560
<v Speaker 1>lot of organizations do not want a part of. Leaked

0:04:22.560 --> 0:04:25.440
<v Speaker 1>emails and other proprietary information, he says, can be far

0:04:25.520 --> 0:04:28.840
<v Speaker 1>more damaging to some companies than simply paying up, and can

0:04:28.880 --> 0:04:31.120
<v Speaker 1>open them up to legal trouble or end up hurting

0:04:31.120 --> 0:04:36.760
<v Speaker 1>their brand. Other hackers simply demand payment without even installing ransomware.

0:04:37.440 --> 0:04:40.000
<v Speaker 1>That's what happened during the attack on the Houston Rockets

0:04:40.000 --> 0:04:43.839
<v Speaker 1>in April. No ransomware was installed on the NBA team's network,

0:04:44.160 --> 0:04:47.320
<v Speaker 1>but the hacking group threatened to publish contracts and nondisclosure

0:04:47.360 --> 0:04:49.800
<v Speaker 1>agreements that it claims it stole from the team's system

0:04:50.000 --> 0:04:54.320
<v Speaker 1>if they didn't pay up. There are several new initiatives

0:04:54.400 --> 0:04:56.760
<v Speaker 1>laid out by the Biden administration in response to the

0:04:56.800 --> 0:05:00.840
<v Speaker 1>surge in ransomware attacks. On May twelve, President Biden signed an

0:05:00.839 --> 0:05:03.760
<v Speaker 1>executive order designed to improve the cybersecurity of the

0:05:03.839 --> 0:05:08.040
<v Speaker 1>federal government networks. Among its executive actions, it will establish a

0:05:08.040 --> 0:05:12.960
<v Speaker 1>Cybersecurity Safety Review Board modeled after the National Transportation Safety Board.

0:05:13.560 --> 0:05:17.000
<v Speaker 1>The panel will likely include public and private experts who

0:05:17.000 --> 0:05:21.279
<v Speaker 1>will examine cyber incidents, similar to how the NTSB investigates accidents.

0:05:22.560 --> 0:05:25.359
<v Speaker 1>Biden's team also released an open letter on June two,

0:05:25.640 --> 0:05:29.839
<v Speaker 1>addressed to corporate executives and business leaders, which emphasized that

0:05:29.880 --> 0:05:33.159
<v Speaker 1>the private sector has a responsibility to protect against cyber

0:05:33.200 --> 0:05:37.520
<v Speaker 1>threats and that organizations, quote, must recognize that no company

0:05:37.560 --> 0:05:40.720
<v Speaker 1>is safe from being targeted by ransomware, regardless of size

0:05:40.760 --> 0:05:44.400
<v Speaker 1>or location. We urge you to take ransomware crimes seriously

0:05:44.720 --> 0:05:49.039
<v Speaker 1>and ensure your corporate cyber defenses match the threat. So

0:05:49.080 --> 0:05:51.360
<v Speaker 1>what can you do to ensure that your network is safe?

0:05:52.040 --> 0:05:55.359
<v Speaker 1>In May, the Cybersecurity and Information Security Agency and the

0:05:55.440 --> 0:06:00.000
<v Speaker 1>FBI released best practices for preventing business disruption from ransomware attacks.

0:06:00.680 --> 0:06:03.479
<v Speaker 1>In it, they list six mitigations that companies can do

0:06:03.600 --> 0:06:08.120
<v Speaker 1>now to reduce the risk of being compromised by ransomware. First,

0:06:08.320 --> 0:06:12.720
<v Speaker 1>require multi-factor authentication for remote access to operational technology

0:06:12.880 --> 0:06:17.120
<v Speaker 1>and IT networks. Second, enable strong spam filters to

0:06:17.120 --> 0:06:21.800
<v Speaker 1>prevent phishing emails, especially emails containing executable files, from reaching

0:06:21.880 --> 0:06:26.359
<v Speaker 1>end users. Third, implement a user training program and

0:06:26.440 --> 0:06:30.159
<v Speaker 1>simulated attacks for spear phishing to discourage users from visiting

0:06:30.200 --> 0:06:35.320
<v Speaker 1>malicious websites or opening malicious attachments. Fourth, filter network traffic

0:06:35.360 --> 0:06:39.800
<v Speaker 1>to prohibit communications with known malicious IP addresses. Prevent users

0:06:39.839 --> 0:06:43.440
<v Speaker 1>from accessing malicious websites by implementing URL block lists and

0:06:43.600 --> 0:06:49.440
<v Speaker 1>or allow lists. Fifth, update software, including operating systems, applications,

0:06:49.440 --> 0:06:52.600
<v Speaker 1>and firmware on IT network assets in a timely manner.

0:06:53.080 --> 0:06:58.359
<v Speaker 1>Consider using a centralized patch management system. And sixth, limit

0:06:58.400 --> 0:07:02.479
<v Speaker 1>access to resources over the network, especially by restricting remote desktop

0:07:02.520 --> 0:07:07.520
<v Speaker 1>protocol and requiring multi-factor authentication. Hultquist says that

0:07:07.560 --> 0:07:09.920
<v Speaker 1>the entire purpose of the game now is to hit

0:07:10.040 --> 0:07:13.000
<v Speaker 1>a huge target who's likely to pay and one that

0:07:13.120 --> 0:07:17.040
<v Speaker 1>has to pay, and taking critical infrastructure offline is not

0:07:17.120 --> 0:07:20.320
<v Speaker 1>out of the question, which he says the US is

0:07:20.400 --> 0:07:24.800
<v Speaker 1>not prepared for. He said, our sophistication is our Achilles

0:07:24.880 --> 0:07:28.240
<v Speaker 1>heel in this space. It makes us more vulnerable to incidents.

0:07:28.720 --> 0:07:30.520
<v Speaker 1>One of the lessons we should be taking from all

0:07:30.560 --> 0:07:32.960
<v Speaker 1>of this is we are not prepared for cyber war,

0:07:33.600 --> 0:07:36.200
<v Speaker 1>but we do know that they've targeted healthcare and other

0:07:36.240 --> 0:07:45.720
<v Speaker 1>critical capabilities. Everybody is learning from this. Today's episode is

0:07:45.720 --> 0:07:49.080
<v Speaker 1>based on the article "Surge in Ransomware Attacks Exposes US

0:07:49.120 --> 0:07:52.440
<v Speaker 1>Cyber Vulnerabilities" on HowStuffWorks.com, written by

0:07:52.440 --> 0:07:55.600
<v Speaker 1>Sarah Gleim. BrainStuff is a production of iHeartRadio in

0:07:55.640 --> 0:07:57.760
<v Speaker 1>partnership with HowStuffWorks.com, and it's produced

0:07:57.760 --> 0:08:01.040
<v Speaker 1>by Tyler Klang. For more podcasts from iHeartRadio, visit

0:08:01.080 --> 0:08:03.600
<v Speaker 1>the iHeartRadio app, Apple Podcasts, or wherever you

0:08:03.640 --> 0:08:16.080
<v Speaker 1>listen to your favorite shows.