WEBVTT - The Scourge of Ransomware Attacks.  Allan Liska talks to Armstrong & Getty

0:00:27.720 --> 0:00:31.800
<v Speaker 1>So listen. If you heard about the recent

0:00:32.760 --> 0:00:35.879
<v Speaker 1>wave of ransomware attacks in some small towns in Texas,

0:00:36.159 --> 0:00:39.560
<v Speaker 1>it was hospitals a while ago, UM, and it's coming

0:00:39.600 --> 0:00:43.440
<v Speaker 1>to a business or town near you. Well, we've invited

0:00:43.440 --> 0:00:47.600
<v Speaker 1>on Allan Liska, a threat intelligence analyst, um, to

0:00:47.800 --> 0:00:52.080
<v Speaker 1>talk about UM ransomware attacks and how they work and

0:00:52.120 --> 0:00:54.720
<v Speaker 1>the rest of it. Allan works at Recorded Future. Allan,

0:00:54.720 --> 0:00:58.680
<v Speaker 1>how are you? Good. How are you guys doing today? Terrific. Hey,

0:00:58.880 --> 0:01:01.200
<v Speaker 1>for folks who are not to what's going on, could

0:01:01.240 --> 0:01:05.160
<v Speaker 1>you just explain how a ransomware attack unfolds? Say we're,

0:01:05.240 --> 0:01:11.160
<v Speaker 1>we're both working at the City of Pleasantville, Texas. What happens?

0:01:11.240 --> 0:01:13.440
<v Speaker 1>So there are a couple of different ways that it

0:01:13.520 --> 0:01:17.000
<v Speaker 1>generally works. The most common way that we see is

0:01:17.240 --> 0:01:20.400
<v Speaker 1>you click an email, uh you know, it'll look something

0:01:20.520 --> 0:01:23.800
<v Speaker 1>like a uh, do you have an overdue invoice? Click

0:01:23.840 --> 0:01:26.640
<v Speaker 1>on this invoice, or you have a package coming click

0:01:26.720 --> 0:01:30.760
<v Speaker 1>on the the this link to find out when it's arriving.

0:01:31.120 --> 0:01:34.319
<v Speaker 1>And it turns out, instead of being uh, you know,

0:01:34.360 --> 0:01:39.080
<v Speaker 1>an invoice, it's actually malware. It installs the ransomware on

0:01:39.200 --> 0:01:42.920
<v Speaker 1>your system, and then it jumps from your system to

0:01:43.000 --> 0:01:46.160
<v Speaker 1>the rest of the network that you're attached to. So

0:01:46.280 --> 0:01:48.400
<v Speaker 1>if it was just your system would be fairly easy.

0:01:48.480 --> 0:01:50.640
<v Speaker 1>They delete your computer and give you a new one.

0:01:51.000 --> 0:01:54.720
<v Speaker 1>But when it when these ransomware attacks hit hundreds of

0:01:54.800 --> 0:01:58.960
<v Speaker 1>systems in the same organization, then it becomes a crisis.

0:01:59.360 --> 0:02:01.760
<v Speaker 1>And then what what does it look like at that point?

0:02:01.760 --> 0:02:04.240
<v Speaker 1>Does your computer go blank? Do you get an email?

0:02:04.320 --> 0:02:05.840
<v Speaker 1>Or how do you how do you get the word

0:02:05.880 --> 0:02:10.000
<v Speaker 1>that you've been compromised and you owe somebody money? So your

0:02:10.040 --> 0:02:13.640
<v Speaker 1>operating system itself isn't affected. Instead, what it does is

0:02:13.680 --> 0:02:17.720
<v Speaker 1>it encrypts all of the relevant files on your system,

0:02:18.040 --> 0:02:23.080
<v Speaker 1>so your images, your, your, any Word documents or PowerPoint

0:02:23.160 --> 0:02:26.919
<v Speaker 1>documents or spreadsheets. Uh, if you've got databases on your system,

0:02:26.960 --> 0:02:29.560
<v Speaker 1>they all get encrypted, and then it pops up with

0:02:29.639 --> 0:02:33.640
<v Speaker 1>a message saying you've been hit by whatever the ransomware is.

0:02:34.400 --> 0:02:36.720
<v Speaker 1>If you want to get your files back, send me

0:02:36.800 --> 0:02:40.920
<v Speaker 1>bitcoin um. And they often have a little portal that

0:02:41.000 --> 0:02:44.200
<v Speaker 1>you go to. Uh. You give them your their big

0:02:44.200 --> 0:02:46.640
<v Speaker 1>your bitcoin, and then they give you a key so

0:02:46.760 --> 0:02:49.359
<v Speaker 1>you can unencrypt your files. Well, and from my

0:02:49.800 --> 0:02:52.160
<v Speaker 1>reading about this, the guys who do this are pretty

0:02:52.160 --> 0:02:55.880
<v Speaker 1>good in that they make the ransom amount significant, but

0:02:56.080 --> 0:03:01.240
<v Speaker 1>less than you'd probably spend on rebuilding everything. Right, So,

0:03:01.639 --> 0:03:05.160
<v Speaker 1>generally speaking, you're talking, uh you know, so ransoms in

0:03:05.200 --> 0:03:08.240
<v Speaker 1>general have gone up a few years ago. I mean,

0:03:08.280 --> 0:03:10.320
<v Speaker 1>just like anything else you have inflation, they have to

0:03:10.360 --> 0:03:17.000
<v Speaker 1>keep up with their costs. Uh. Uh So you have

0:03:17.120 --> 0:03:20.320
<v Speaker 1>kids in college or something. You don't know, right, college

0:03:20.360 --> 0:03:27.560
<v Speaker 1>is expensive even in Estonia. Um, anyway, go on, certain

0:03:28.560 --> 0:03:31.160
<v Speaker 1>that's okay. Um. So a couple of years ago they

0:03:31.160 --> 0:03:34.079
<v Speaker 1>generally were asking for a few thousand dollars, but now

0:03:34.120 --> 0:03:37.080
<v Speaker 1>the ransoms tend to be in the six figures um,

0:03:37.120 --> 0:03:39.960
<v Speaker 1>so somewhere between a hundred thousand and three hundred thousand

0:03:40.040 --> 0:03:43.360
<v Speaker 1>dollars generally what they're asking just real quick, can we

0:03:43.400 --> 0:03:45.720
<v Speaker 1>go back to the original email you shouldn't have clicked on.

0:03:46.320 --> 0:03:49.840
<v Speaker 1>Are the good ones able to like mimic? I don't know.

0:03:49.960 --> 0:03:52.600
<v Speaker 1>I might get an email from Jack saying, hey, you

0:03:52.680 --> 0:03:57.440
<v Speaker 1>gotta see this story. Are they that good? Yes. So, um,

0:03:58.520 --> 0:04:01.240
<v Speaker 1>if, if it's a targeted ransomware attack, so if

0:04:01.240 --> 0:04:04.280
<v Speaker 1>they're specifically coming after you, that's exactly the kind of

0:04:04.320 --> 0:04:07.200
<v Speaker 1>tactic that they'll use. We've seen that. We also have

0:04:07.320 --> 0:04:10.400
<v Speaker 1>seen you'll get an email from like the seat that

0:04:10.480 --> 0:04:13.640
<v Speaker 1>looks like it's coming from the CEO of iHeartRadio. Hey,

0:04:13.680 --> 0:04:16.440
<v Speaker 1>I need you to do this for me immediately. Um.

0:04:16.920 --> 0:04:20.080
<v Speaker 1>And of course if you're getting an email from the ceo, uh,

0:04:20.360 --> 0:04:23.480
<v Speaker 1>your, your, your first impulse is, yes, I better do this

0:04:23.600 --> 0:04:26.479
<v Speaker 1>right away without necessarily thinking, Wait, why is he sending

0:04:26.480 --> 0:04:30.320
<v Speaker 1>me an email from a Gmail account or a dot

0:04:30.360 --> 0:04:35.360
<v Speaker 1>ru email address type thing? So, do you have any

0:04:35.360 --> 0:04:38.200
<v Speaker 1>idea how many places this has happened around the country?

0:04:38.240 --> 0:04:41.679
<v Speaker 1>And what the how many how many towns, counties, whatever

0:04:41.720 --> 0:04:44.479
<v Speaker 1>are paying the ransom versus saying screw you, I'm not paying

0:04:44.480 --> 0:04:49.480
<v Speaker 1>it, we'll start over? Right. So when we did our research, uh,

0:04:49.720 --> 0:04:53.280
<v Speaker 1>we we found um and we don't know, we don't

0:04:53.320 --> 0:04:55.080
<v Speaker 1>think this is all of them in fact, we know

0:04:55.200 --> 0:04:56.760
<v Speaker 1>it's not all of them because a lot of them

0:04:56.800 --> 0:04:59.839
<v Speaker 1>aren't publicly reported, but since two thousand and thirteen,

0:05:00.080 --> 0:05:05.119
<v Speaker 1>found two hundred and fourteen publicly reported attacks against state

0:05:05.160 --> 0:05:08.000
<v Speaker 1>and local governments. But I don't know if that's ten

0:05:08.040 --> 0:05:11.800
<v Speaker 1>percent or of the total number. That's already a lot

0:05:11.880 --> 0:05:13.719
<v Speaker 1>more than I think most people would have guessed that

0:05:13.760 --> 0:05:16.000
<v Speaker 1>this has happened across the country. Wow, And I can

0:05:16.080 --> 0:05:19.000
<v Speaker 1>understand why people people keep it quiet because you don't

0:05:19.000 --> 0:05:23.200
<v Speaker 1>want to encourage you, right exactly. So one of the

0:05:23.240 --> 0:05:25.600
<v Speaker 1>things that we've seen in our research, first answer your

0:05:25.600 --> 0:05:29.280
<v Speaker 1>previous question, state and local governments are actually better than

0:05:29.360 --> 0:05:32.760
<v Speaker 1>most organizations of paying the ransom and not paying the ransom,

0:05:32.760 --> 0:05:36.680
<v Speaker 1>I should say so. We found report based on public reporting,

0:05:36.680 --> 0:05:39.840
<v Speaker 1>we found about seventeen percent of state and local governments

0:05:39.839 --> 0:05:46.000
<v Speaker 1>pay the ransom versus about of overall ransomware victims. So

0:05:46.000 --> 0:05:49.480
<v Speaker 1>they're actually significantly less likely. And we think that's because

0:05:49.520 --> 0:05:52.440
<v Speaker 1>it's much harder to pay the ransom when you're paying

0:05:52.440 --> 0:05:54.520
<v Speaker 1>it with taxpayer money. So like if you're a

0:05:54.600 --> 0:05:57.359
<v Speaker 1>bank or you're a hospital that gets hit, that's your

0:05:57.440 --> 0:05:59.919
<v Speaker 1>money that you're paying with. It's much harder to go

0:06:00.040 --> 0:06:02.400
<v Speaker 1>to the taxpayers and say, hey, we just gave a hundred

0:06:02.400 --> 0:06:06.080
<v Speaker 1>thousand dollars to some guys in Russia, um to get

0:06:06.080 --> 0:06:09.480
<v Speaker 1>our files back. That that's a much more difficult conversation

0:06:09.560 --> 0:06:12.760
<v Speaker 1>to have. Allan Liska has a company called Recorded Future.

0:06:12.800 --> 0:06:16.000
<v Speaker 1>He's written a couple of books on network security and

0:06:16.040 --> 0:06:18.120
<v Speaker 1>that sort of thing that are more and more important

0:06:18.160 --> 0:06:22.000
<v Speaker 1>these days. Hey, real quick, Uh, if if my town

0:06:22.120 --> 0:06:25.760
<v Speaker 1>gets hit with ransomware, and I don't know, say there's

0:06:25.839 --> 0:06:27.719
<v Speaker 1>like three weeks a month that they're trying to figure

0:06:27.720 --> 0:06:30.000
<v Speaker 1>out what to do or whatever, how does that affect

0:06:30.360 --> 0:06:34.400
<v Speaker 1>taxpayers and citizens? What sort of things get messed up? Well?

0:06:34.560 --> 0:06:37.080
<v Speaker 1>So and and that's been a real problem, and that's

0:06:37.080 --> 0:06:40.200
<v Speaker 1>one of the reasons why attackers are starting to focus

0:06:40.240 --> 0:06:45.000
<v Speaker 1>in on cities and towns because it becomes a big

0:06:45.000 --> 0:06:48.360
<v Speaker 1>deal in the press when this happens. Because constituent services

0:06:48.400 --> 0:06:51.920
<v Speaker 1>are interrupted, so you can't pay your water bill, for example,

0:06:51.960 --> 0:06:55.560
<v Speaker 1>because all of that's digitized. You can't buy a house

0:06:55.680 --> 0:06:58.640
<v Speaker 1>because they can't do title transfers. Uh, if you have

0:06:58.680 --> 0:07:00.640
<v Speaker 1>a court case pending, you may not be able to

0:07:00.640 --> 0:07:04.320
<v Speaker 1>go to that because court dockets get encrypted. When Atlanta

0:07:04.440 --> 0:07:07.800
<v Speaker 1>was hit last year, Hartsfield-Jackson had to shut down

0:07:07.839 --> 0:07:10.280
<v Speaker 1>their WiFi for a couple of hours because they were

0:07:10.280 --> 0:07:14.119
<v Speaker 1>afraid the ransomware that was spreading was going to jump

0:07:14.160 --> 0:07:17.160
<v Speaker 1>from the city to their WiFi network and then potentially

0:07:17.160 --> 0:07:22.239
<v Speaker 1>to people in the airports. Allan Liska is a threat

0:07:22.280 --> 0:07:26.480
<v Speaker 1>intelligence analyst. Company is Recorded Future. Um, if you need

0:07:26.720 --> 0:07:30.080
<v Speaker 1>this sort of help, we'll have a link, Allan, so

0:07:30.120 --> 0:07:33.200
<v Speaker 1>that folks can find you and Recorded Future really easily.

0:07:33.440 --> 0:07:38.680
<v Speaker 1>But great stuff. Enjoyed the chat. Thanks, thank you very much. Yeah,

0:07:38.720 --> 0:07:40.880
<v Speaker 1>I tell you what man that is. Oh, that's got

0:07:40.880 --> 0:07:43.360
<v Speaker 1>to be a bad feeling. Hey, your files are encrypted.

0:07:43.400 --> 0:07:46.240
<v Speaker 1>Send us a hundred thousand dollars. I think I'm anti

0:07:46.320 --> 0:07:48.960
<v Speaker 1>paying these people. But there was I think it was

0:07:49.000 --> 0:07:52.600
<v Speaker 1>in Pennsylvania. There was a city that instead of paying

0:07:53.360 --> 0:07:57.440
<v Speaker 1>the seventy thousand dollars, they spent several million dollars, right,

0:07:57.560 --> 0:07:59.800
<v Speaker 1>And Allan was talking about going to the taxpayers for that.

0:08:00.000 --> 0:08:01.600
<v Speaker 1>Seventy thousand? Well, how do you go to them

0:08:01.640 --> 0:08:04.560
<v Speaker 1>for the several million? Well you don't. It just gets

0:08:04.560 --> 0:08:09.360
<v Speaker 1>built into the money they regularly spend. Yeah, because taxpayers

0:08:09.400 --> 0:08:12.040
<v Speaker 1>are generally I hate to say stupid, but we don't.

0:08:12.080 --> 0:08:14.480
<v Speaker 1>We don't pay enough attention. Yeah, fair enough to where

0:08:14.480 --> 0:08:19.360
<v Speaker 1>our money is spent. Back to paper, man, index cards, file cabinets.

0:08:19.720 --> 0:08:23.480
<v Speaker 1>They were able to do it before carbon copy. Carbon

0:08:23.600 --> 0:08:30.200
<v Speaker 1>copies exactly, mimeograph machines, by the telegraph.