WEBVTT 1 00:00:00.120 --> 00:00:03.240 Have you ever stopped to think that ransomware, this thing 2 00:00:03.279 --> 00:00:08.279 that feels like a modern digital plague, isn't actually news 3 00:00:09.240 --> 00:00:13.759 a threat that's been quietly evolving for decades. What's really surprising, 4 00:00:13.759 --> 00:00:16.719 I think, is how it went from pretty simple beginnings 5 00:00:17.120 --> 00:00:20.559 to being this incredibly stealthy, sophisticated weapon we see today. 6 00:00:20.719 --> 00:00:22.399 Exactly, It's got quite a history. 7 00:00:22.600 --> 00:00:25.120 So today we're taking a deep dive into the world 8 00:00:25.199 --> 00:00:29.399 of ransomware. We're drawing insights straight from Revendrodos's book Ransomware 9 00:00:29.839 --> 00:00:33.880 Penetration Testing and Contingency Planning. Think of this as your 10 00:00:33.920 --> 00:00:37.119 shortcut to getting really well informed on well a super 11 00:00:37.159 --> 00:00:38.799 critical cybersecurity topic. 12 00:00:38.920 --> 00:00:39.880 It really is critical. 13 00:00:39.960 --> 00:00:43.719 We'll explore the well surprising timeline of how ransomware evolved, 14 00:00:43.799 --> 00:00:46.840 will dissect how big global events like the COVID nineteen 15 00:00:46.880 --> 00:00:50.200 pandemic totally reshape the threat landscape, and we'll unpack some 16 00:00:50.359 --> 00:00:52.159 infamous real world attacks. 17 00:00:51.799 --> 00:00:53.359 And crucially the defenses too. 18 00:00:53.719 --> 00:00:57.039 Right Most importantly, will uncover the practical strategies you really 19 00:00:57.079 --> 00:01:00.759 need to know for preventing and just as vital, recovering 20 00:01:00.759 --> 00:01:05.319 from these increasingly sophisticated threats. Expect some aha moments you 21 00:01:05.359 --> 00:01:07.840 know or covering everything from that agonizing question of whether 22 00:01:07.920 --> 00:01:10.359 to pay the ransom all the way to the strategic 23 00:01:10.400 --> 00:01:14.280 importance of things like penetration testing and solid contingency plans. 24 00:01:14.400 --> 00:01:17.319 Yeah, it's not just about understanding the problem exactly. 25 00:01:17.400 --> 00:01:19.640 It's about equipping you with the knowledge to mitigate the 26 00:01:19.760 --> 00:01:23.920 risks and actually fortify your digital world. Okay, so let's 27 00:01:23.920 --> 00:01:27.480 start by rewinding way back nineteen eighty nine. Can you 28 00:01:27.519 --> 00:01:31.680 believe the very first ransomware attack, the AIDS trojan, was launched. 29 00:01:31.680 --> 00:01:34.840 Then it seems like ancient history and tech terms, doesn't it. 30 00:01:34.840 --> 00:01:38.200 It really does. Joseph L. Pop, a biology professor, actually 31 00:01:38.239 --> 00:01:43.040 mailed out twenty thousand infected floppy discs floppy disks to 32 00:01:43.120 --> 00:01:45.200 attendees of a WHO conference. 33 00:01:45.359 --> 00:01:47.400 Wow physical media, right. 34 00:01:47.519 --> 00:01:50.280 The program encrypted their files and demanded a check, a 35 00:01:50.319 --> 00:01:52.879 physical check for one hundred and eighty nine dollars sent 36 00:01:52.920 --> 00:01:55.680 to an address in Panama. But interestingly, it was actually 37 00:01:55.680 --> 00:01:57.159 pretty easy to reverse engineer. 38 00:01:57.439 --> 00:02:00.920 Yeah, it wasn't exactly technically sophisticated, even for the time, 39 00:02:01.560 --> 00:02:03.000 but it established the concept. 40 00:02:03.280 --> 00:02:07.879 It did earned Pop the informal title father of ransomware. 41 00:02:08.240 --> 00:02:11.360 What's really fascinating, though, is what happened next, or rather 42 00:02:11.400 --> 00:02:15.360 what didn't happen after that Aid's trojan. Things went quiet 43 00:02:15.479 --> 00:02:19.080 for well almost fifteen years in the ransomware world. 44 00:02:19.240 --> 00:02:21.520 Fifteen years. That's a long gap, it is. 45 00:02:21.719 --> 00:02:24.400 But it wasn't total inactivity. It was more like the 46 00:02:24.479 --> 00:02:27.560 quiet before the storm, you know, as the whole dot 47 00:02:27.599 --> 00:02:31.280 com thing boomed, two new variants sort of crept onto 48 00:02:31.319 --> 00:02:35.919 the scene. There was GP codes spread through malicious links 49 00:02:35.919 --> 00:02:38.080 and phishing emails demanded like twenty. 50 00:02:37.759 --> 00:02:39.520 Bucks, twenty dollars, okay, yeah, and. 51 00:02:39.400 --> 00:02:41.439 Like the AIDS turgeon, it was pretty easily cracked. Then 52 00:02:41.439 --> 00:02:44.039 you had our achieves. Now this one actually tried using 53 00:02:44.080 --> 00:02:47.439 a much stronger encryption oneenty twenty four bit RSA. That 54 00:02:47.520 --> 00:02:48.840 was a big step up technically. 55 00:02:48.919 --> 00:02:51.680 Okay, so they were getting more ambitious definitely. 56 00:02:51.240 --> 00:02:54.560 But the attackers made a rookie mistake. They used weak passwords, 57 00:02:54.560 --> 00:02:57.879 so victims could still recover their data pretty easily. It 58 00:02:57.960 --> 00:03:01.719 shows this early kind of trial and error phase. Attackers 59 00:03:01.719 --> 00:03:04.960 were focused more on quantity getting it out there, not 60 00:03:05.080 --> 00:03:08.000 so much on sophistication. 61 00:03:07.400 --> 00:03:09.159 Yet setting the stage really. 62 00:03:09.120 --> 00:03:12.520 Exactly, it laid the groundwork for this relentless cat and 63 00:03:12.560 --> 00:03:15.719 mouse game we're still in today, every defense leads to 64 00:03:15.800 --> 00:03:17.159 a new attack method. 65 00:03:17.280 --> 00:03:21.319 Okay, Building on that, the twenty tens, this is where 66 00:03:21.360 --> 00:03:25.000 things got really serious, right. Ransomware strains became way more powerful, 67 00:03:25.000 --> 00:03:27.840 more in cities, a real turning point, absolutely. 68 00:03:27.840 --> 00:03:30.000 That's when we saw the locker variants pop up right. 69 00:03:30.120 --> 00:03:32.560 Rollmlock was the first one that actually locked users completely 70 00:03:32.599 --> 00:03:33.479 out of their devices. 71 00:03:33.599 --> 00:03:38.000 Yeah, total lockout. And then twenty twelve, Reveton arrived, and 72 00:03:38.000 --> 00:03:42.479 this was big because it introduced ransomware as a service race. 73 00:03:42.520 --> 00:03:45.560 So like cybercrime is a subscription model pretty. 74 00:03:45.319 --> 00:03:48.680 Much, allowing less skilled attackers to basically rent out attack 75 00:03:48.719 --> 00:03:51.400 capabilities on the dark web made it much more scalable. 76 00:03:51.719 --> 00:03:54.080 Reveton also did that thing where it accused victims of 77 00:03:54.080 --> 00:03:54.639 fake crimes. 78 00:03:54.800 --> 00:03:57.280 Oh yeah, I remember that, like a fake FBI. 79 00:03:57.000 --> 00:04:00.759 Warning exactly, And it was a first to demand and bitcoin. 80 00:04:01.000 --> 00:04:04.520 That shift to virtual currency was huge untraceable payments. 81 00:04:04.639 --> 00:04:07.000 But the real game changer, the one everyone remembers from 82 00:04:07.039 --> 00:04:09.280 that era was Crypto Locker, wasn't it. 83 00:04:09.319 --> 00:04:12.560 Oh definitely. Crypto Locker up the anti massively. It combined 84 00:04:12.599 --> 00:04:16.240 the locker idea with serious encryption. Crypto used a two 85 00:04:16.279 --> 00:04:18.600 thy forty eight bit RSA. 86 00:04:18.240 --> 00:04:20.519 Key which is really strong. 87 00:04:20.560 --> 00:04:24.480 Incredibly strong, made recovery basically impossible without paying for the key. 88 00:04:24.839 --> 00:04:28.800 It mostly spread through phishing attachments, you know, infected email attachments, 89 00:04:29.199 --> 00:04:32.720 and it was insanely profitable, pulled in nearly twenty seven 90 00:04:32.800 --> 00:04:34.839 million dollars in just two months. 91 00:04:34.879 --> 00:04:38.399 Twenty seven million. Wow. That kind of money definitely. 92 00:04:38.079 --> 00:04:40.920 Gets attention, It absolutely does, and that success naturally led 93 00:04:40.959 --> 00:04:43.639 attackers to think bigger, you know, expand their target. 94 00:04:43.519 --> 00:04:46.800 Right because up until around twenty fifteen, it was mostly 95 00:04:46.879 --> 00:04:48.639 Windows machines getting hit, wasn't. 96 00:04:48.480 --> 00:04:51.560 It Almost exclusively Windows? But then simple Locker showed up 97 00:04:51.600 --> 00:04:54.360 in twenty fifteen and it specifically went after Android phones, 98 00:04:54.680 --> 00:04:58.600 encrypting files on sd cars, documents, photos, videos, Mobile became 99 00:04:58.639 --> 00:05:03.279 a target yep, and another one locker Pin also hit Android. 100 00:05:03.519 --> 00:05:06.079 It didn't just encrypt, it locked the device and changed 101 00:05:06.079 --> 00:05:09.399 the pin. And crucially, there was a version called Linux 102 00:05:09.439 --> 00:05:12.600 dot and coder dot one made just for Linux systems, so. 103 00:05:12.639 --> 00:05:14.600 Linux two nowhere was safe. 104 00:05:14.720 --> 00:05:17.839 Pretty much. It signaled that no os, no device type 105 00:05:17.879 --> 00:05:21.160 was off limits anymore. The attack surface just exploded and. 106 00:05:21.160 --> 00:05:23.920 The escalation just kept going. Twenty sixteen to twenty twenty, 107 00:05:24.279 --> 00:05:28.800 ransomware went truly global and got way deadlier, a huge 108 00:05:28.879 --> 00:05:31.720 leap in well destructive power, it really did. 109 00:05:31.759 --> 00:05:35.040 We saw ransom thirty two impacting JavaScript. But then these 110 00:05:35.079 --> 00:05:38.680 four new global variants emerged that just changed everything. Okay, 111 00:05:38.800 --> 00:05:40.839 like what, Well, First you had Petya. This was the 112 00:05:40.839 --> 00:05:43.600 first one to lock the master boot record. 113 00:05:43.360 --> 00:05:46.160 The NBR, so it stops the computer from even starting up. 114 00:05:46.160 --> 00:05:49.279 Exactly, renders the whole system unusable before Windows even loads. 115 00:05:49.399 --> 00:05:52.680 Then Zcryptor was the first to use worms self replicating malware. 116 00:05:52.839 --> 00:05:55.519 It could spread incredibly fast, turning into a ransom. 117 00:05:55.199 --> 00:05:57.639 Worm spreading on its own scary very. 118 00:05:57.560 --> 00:06:00.000 Then, of course want to Cry one of the deadliest evers, 119 00:06:00.040 --> 00:06:03.040 infected over one hundred thousand devices one hundred and fifty countries, 120 00:06:03.279 --> 00:06:07.079 spread like wildfire using that internal blue vulnerability. 121 00:06:06.639 --> 00:06:08.319 The leaked NSA exploit. 122 00:06:08.040 --> 00:06:11.639 Right, that's the one. Then GoldenEye came along, basically a 123 00:06:11.680 --> 00:06:16.480 mashup of Petia and WannaCry, but with even stronger encryption. 124 00:06:16.519 --> 00:06:17.600 Just getting worse and worse. 125 00:06:17.720 --> 00:06:21.399 And then not Petya. This one added a terrifying twist. 126 00:06:21.720 --> 00:06:23.920 It didn't just lock files, it could actually delete them 127 00:06:24.000 --> 00:06:26.480 if the ransom wasn't paid quickly enough, delete them. 128 00:06:26.560 --> 00:06:29.879 Yeah, Oh wow, that's a whole other level of pressure. 129 00:06:29.560 --> 00:06:33.879 Absolutely raising the stakes dramatically, which brings us closer to today. 130 00:06:34.160 --> 00:06:37.079 The twenty twenties marked another big shift, this time in 131 00:06:37.160 --> 00:06:38.199 attacker strategy. 132 00:06:38.319 --> 00:06:39.920 How So, we started. 133 00:06:39.600 --> 00:06:43.839 Seeing double extortion becoming really common. Attackers wouldn't just encrypt 134 00:06:43.839 --> 00:06:47.959 your files anymore. It also steal sensitive data like personally 135 00:06:48.000 --> 00:06:50.079 identifiable information PII. 136 00:06:50.439 --> 00:06:53.240 I'm threatened to leak it exactly. 137 00:06:52.720 --> 00:06:55.120 Leak it publicly or sell it on the dark web. 138 00:06:55.439 --> 00:06:57.360 Adds a whole new layer of pressure. You're not just 139 00:06:57.399 --> 00:07:00.079 worried about getting your systems back, You're worried about the 140 00:07:00.120 --> 00:07:02.120 massive data breach becoming public right. 141 00:07:02.120 --> 00:07:03.959 The reputational damage too huge. 142 00:07:04.319 --> 00:07:07.720 And alongside that we saw the rise of big game. 143 00:07:07.560 --> 00:07:09.959 Hunting, targeting the big fish precisely. 144 00:07:10.560 --> 00:07:14.800 Instead of spraying attacks widely, they started specifically targeting large 145 00:07:14.839 --> 00:07:20.000 corporations organizations they knew could afford massive ransoms. These attackers 146 00:07:20.040 --> 00:07:24.199 are patient, sophisticated. They might stock it systems for months 147 00:07:24.240 --> 00:07:28.639 looking for weaknesses, often exploiting things like Remote Desktop Protocol 148 00:07:29.040 --> 00:07:31.279 RDP or server flaws. 149 00:07:31.120 --> 00:07:33.040 Like that Revial attack in twenty twenty one. 150 00:07:33.079 --> 00:07:36.240 That's a prime example, affected over a million devices, through 151 00:07:36.279 --> 00:07:40.000 a supply chain attack demanding a staggering seventy million dollars 152 00:07:40.399 --> 00:07:44.040 shows just how targeted and potentially lucrative these operations became. 153 00:07:44.160 --> 00:07:46.759 Okay, before we move on, maybe we should quickly clarify something. 154 00:07:47.000 --> 00:07:50.680 People often use malware and ransomware interchangeably, right, But there's 155 00:07:50.680 --> 00:07:51.079 a difference. 156 00:07:51.199 --> 00:07:53.439 Yeah, it's a good point. They're related, but not the same. 157 00:07:53.759 --> 00:08:00.000 Think of malware as the umbrella term for any malicious software, viruses, worms, spyware, adware, unise. 158 00:08:00.160 --> 00:08:03.720 It goal is usually to cause damage, disrupt systems. 159 00:08:03.360 --> 00:08:05.639 Or steal info, and ransomware is. 160 00:08:06.079 --> 00:08:10.360 Ransomware is a specific type of malware. Its primary defining 161 00:08:10.399 --> 00:08:13.879 purpose is extortion. It's designed specifically to lock you out 162 00:08:13.879 --> 00:08:16.519 of your device or encrypt your data and hold it 163 00:08:16.600 --> 00:08:20.279 hostage until you pay a ransom. It mainly spreads via phishing, 164 00:08:20.639 --> 00:08:23.600 and it's notoriously hard to remove without paying, which, as 165 00:08:23.600 --> 00:08:25.800 we'll discuss, is usually a bad idea. 166 00:08:25.920 --> 00:08:30.199 Whereas other malware can often be cleaned up by antivirus software. 167 00:08:29.839 --> 00:08:35.000 Often yes, standard antivirus or anti malware tools can frequently 168 00:08:35.039 --> 00:08:38.840 detect and remove many types of malware, Ransomware, especially the 169 00:08:38.919 --> 00:08:41.799 encrypting kind, is a much tougher beast once it's taken hold. 170 00:08:42.200 --> 00:08:44.159 The key difference is that extortion. 171 00:08:43.919 --> 00:08:47.639 Motive got it. Okay, so we've seen how the threats evolved. 172 00:08:47.919 --> 00:08:50.639 Now let's talk about how external events can just completely 173 00:08:50.720 --> 00:08:53.759 change the game. The COVID nineteen pandemic, I mean, it 174 00:08:53.799 --> 00:08:56.919 turned everything upside down almost overnight, didn't it force this 175 00:08:57.039 --> 00:08:59.159 massive rapid shift to remote work. 176 00:08:59.039 --> 00:09:01.720 Oh completely Suddenly you had what ninety nine percent of 177 00:09:01.759 --> 00:09:05.159 the workforce trying to connect remotely. That speed, that urgency 178 00:09:05.200 --> 00:09:08.960 to just get at working created huge cybersecurity vulnerabilities. 179 00:09:08.279 --> 00:09:11.000 Because security wasn't always the top priority in that scramble. 180 00:09:11.080 --> 00:09:15.320 Yeah, exactly, getting people connected was priority one. Security often 181 00:09:15.360 --> 00:09:18.840 came second, and that rapid shift created a whole new 182 00:09:18.960 --> 00:09:22.320 set of threats. You had home networks suddenly connecting directly 183 00:09:22.360 --> 00:09:26.159 to corporate networks, the lines totally creating backdoors that it 184 00:09:26.399 --> 00:09:29.200 security teams had a nightmare trying to patch and monitor. 185 00:09:29.519 --> 00:09:32.840 People were using personal devices, laptops, phones that often didn't 186 00:09:32.879 --> 00:09:38.120 have the same security standards as corporate equipment, easy entry points. 187 00:09:37.840 --> 00:09:39.480 And we saw things like zoom bombing too. 188 00:09:39.799 --> 00:09:43.320 Yeah, that became a real issue. Uninvited people crashing video calls, 189 00:09:43.519 --> 00:09:47.600 sharing malicious or offensive content. Zoom patched it, sure, but 190 00:09:47.759 --> 00:09:51.039 it highlighted the risks, and other platforms like Microsoft Teams 191 00:09:51.159 --> 00:09:54.639 saw huge growth partly because of those concerns. 192 00:09:54.399 --> 00:09:58.279 And the existing tech struggled, like VPNs oh massively. 193 00:09:58.600 --> 00:10:01.840 Traditional virtual private new networks VPNs were mostly designed for 194 00:10:01.919 --> 00:10:05.240 maybe twenty thirty percent of staff working remotely. Sometimes they 195 00:10:05.279 --> 00:10:07.879 just weren't built to handle nearly everyone connecting all at once. 196 00:10:08.200 --> 00:10:11.720 They buckled under the strain, became slow, unreliable, and left 197 00:10:11.759 --> 00:10:13.879 big security holes attackers could exploit. 198 00:10:14.080 --> 00:10:18.240 So with traditional defenses like VPNs clearly struggling, what stepped 199 00:10:18.279 --> 00:10:20.799 up to fill the gap? How did companies adapt well? 200 00:10:20.960 --> 00:10:24.679 In direct response to those VPN weaknesses and the much 201 00:10:24.720 --> 00:10:29.360 bigger attack surface, Something called the next generation firewall really 202 00:10:29.399 --> 00:10:32.320 came into its own. It emerged as a much more powerful, 203 00:10:32.519 --> 00:10:35.120 more comprehensive substitute. 204 00:10:34.600 --> 00:10:38.039 Next generation firewall. What makes it next generation several things. 205 00:10:38.240 --> 00:10:42.080 First, it offers full network traffic visibility. It inspects every 206 00:10:42.159 --> 00:10:45.279 data packet, whether it's at the gateway, moving internally, externally, 207 00:10:45.399 --> 00:10:50.519 or even across cloud platforms. Total visibility, seeing everything right. Second, 208 00:10:50.600 --> 00:10:54.039 it uses AI and machine learning to stop threats immediately. 209 00:10:54.399 --> 00:10:58.840 Not just known viruses, but brand new threat vectors, specialized malware. 210 00:10:58.879 --> 00:10:59.679 It's never seen. 211 00:10:59.519 --> 00:11:01.480 Before proactive defense exactly. 212 00:11:02.000 --> 00:11:05.000 Third, it gives you really tight control over software as 213 00:11:05.000 --> 00:11:08.799 a service SAUCE applications. It monitors who's accessing what cloud apps, 214 00:11:08.840 --> 00:11:11.320 preventing rogue applications from causing trouble. 215 00:11:11.080 --> 00:11:13.879 Like controlling access to things like salesforce or office through 216 00:11:13.879 --> 00:11:15.200 sixty five precisely. 217 00:11:15.440 --> 00:11:18.519 And Fourth, and this is crucial, It automatically implements a 218 00:11:18.639 --> 00:11:19.960 zero trust framework. 219 00:11:20.360 --> 00:11:24.000 Zero trust that sounds important, What is it? 220 00:11:24.000 --> 00:11:28.759 It's a fundamental security principle, Never trust, always verify. It 221 00:11:28.799 --> 00:11:32.320 means you don't automatically trust anyone or anything trying to connect, 222 00:11:32.720 --> 00:11:36.240 even if they're already inside your network. It requires multiple 223 00:11:36.320 --> 00:11:40.919 layers of authentication for all employees, all devices, constantly verifying 224 00:11:40.960 --> 00:11:42.399 identity and permissions. 225 00:11:42.919 --> 00:11:45.840 No inherent trust makes sense anything else. 226 00:11:45.960 --> 00:11:48.879 Yeah, One more thing. It helps create secure access for 227 00:11:48.960 --> 00:11:52.960 third parties like suppliers or partners. Using a clientless SSL 228 00:11:53.039 --> 00:11:56.919 protocol makes those external connections basically invisible from the outside, 229 00:11:56.960 --> 00:11:59.080 harder for attackers to find and exploit. 230 00:11:59.240 --> 00:12:02.440 So comparing it to old school firewalls to big leap, 231 00:12:02.519 --> 00:12:03.320 isn't it huge? 232 00:12:03.480 --> 00:12:06.120 Traditional firewalls were like you know, digital bouncers. At the 233 00:12:06.120 --> 00:12:08.080 main gate, they checked who was coming in from the outside, 234 00:12:08.120 --> 00:12:09.639 but once you're inside, they didn't do much and they 235 00:12:09.679 --> 00:12:12.399 weren't designed for cloud stuff or sauce apps at all. 236 00:12:12.480 --> 00:12:14.720 So next gen firewalls protect the cloud. 237 00:12:14.360 --> 00:12:18.879 Too, yes, and sauce applications. They help mitigate identity theft 238 00:12:18.919 --> 00:12:22.840 because of things like zero trust. They fortify the internal network, 239 00:12:22.919 --> 00:12:26.200 not just the perimeter, and they allow for really granular 240 00:12:26.279 --> 00:12:29.840 access rules. You can set rules based on the specific employee, 241 00:12:29.879 --> 00:12:32.399 the device they're using, even the type of content they're 242 00:12:32.399 --> 00:12:33.120 trying to access. 243 00:12:33.240 --> 00:12:34.919 Much more specific control, much more. 244 00:12:35.039 --> 00:12:38.000 Traditional firewalls couldn't do anything like that. It's really a 245 00:12:38.039 --> 00:12:40.960 fundamental shift in how you approach defense, moving from just 246 00:12:41.000 --> 00:12:45.320 guarding the walls to constantly verifying everything happening inside and outside. 247 00:12:45.360 --> 00:12:48.320 Okay, that makes sense. Now let's shift focus a bit. 248 00:12:48.360 --> 00:12:51.960 How does ransomware actually, you know, get onto your system 249 00:12:51.960 --> 00:12:54.159 in the first place. What are the main ways it's deployed. 250 00:12:54.399 --> 00:12:57.720 There are two primary methods attackers use. The first is 251 00:12:57.759 --> 00:13:03.039 what's called MOUSEPAM, basically malicious email phishing emails, yeah, exactly, 252 00:13:03.440 --> 00:13:08.159 emails with malicious attachments often disguised as invoices or important documents, 253 00:13:08.360 --> 00:13:11.519 maybe a dot ex file hid inside a ZIP or 254 00:13:11.519 --> 00:13:13.799 They have phony links that look legitimate but take you 255 00:13:13.840 --> 00:13:17.679 to a malicious site. They often use clever social engineering 256 00:13:17.720 --> 00:13:19.799 to trick you into clicking, making it look like it's 257 00:13:19.799 --> 00:13:22.480 from your bank or HR, creating a sense of. 258 00:13:22.600 --> 00:13:25.279 Urgency, preying on human psychology totally. 259 00:13:26.080 --> 00:13:30.200 The second main method is malvertizing malicious advertising. Right cyber 260 00:13:30.240 --> 00:13:33.799 attackers buy ad space on legitimate websites, but the ads 261 00:13:33.799 --> 00:13:37.679 themselves contain malicious code or link to malicious sites. You 262 00:13:37.759 --> 00:13:40.080 click on what looks like a normal ad, maybe even 263 00:13:40.120 --> 00:13:43.120 on a reputable news site, and you're infected. Well. Clicking 264 00:13:43.200 --> 00:13:45.440 the ad can trigger a couple of things. Sometimes it 265 00:13:45.480 --> 00:13:48.559 directly downloads malware. Other times it redirects you through a 266 00:13:48.600 --> 00:13:51.960 series of sites, often using hidden elements called iframes, which 267 00:13:51.960 --> 00:13:54.879 are like invisible web pages within the page you're seeing. 268 00:13:55.399 --> 00:13:59.080 These gather info about your computer location, browser type, vulnerabilities, 269 00:13:59.320 --> 00:14:01.879 and then deliver are the ransomware payload best suited to 270 00:14:01.960 --> 00:14:05.159 exploit your system. You might not even realize anything happen 271 00:14:05.279 --> 00:14:09.159 until the ransom note appears. Sneaky okay, so once it's deployed. 272 00:14:09.279 --> 00:14:12.120 Ransomware isn't just one thing, right, There are different types. 273 00:14:12.559 --> 00:14:14.919 Yeah, they generally fall into a few categories, kind of 274 00:14:15.039 --> 00:14:18.399 escalating in severity. First, you've got scareware. 275 00:14:18.639 --> 00:14:20.960 Scareware sounds like what it does pretty much. 276 00:14:21.000 --> 00:14:24.360 It's designed just to frighten you. You get annoying pop ups, 277 00:14:24.639 --> 00:14:28.240 maybe claiming your computers infected with hundreds of viruses, often 278 00:14:28.279 --> 00:14:32.200 mimicking real anti virus software warnings. They demand a small 279 00:14:32.240 --> 00:14:34.519 payment to fix the non existent problem. 280 00:14:34.720 --> 00:14:36.799 Annoying but maybe not devastating. 281 00:14:37.000 --> 00:14:41.480 Usually not installing real anti molware software generally gets rid 282 00:14:41.519 --> 00:14:43.759 of it. It's more of a nuisance designed to panning 283 00:14:43.840 --> 00:14:45.320 people into paying a small fee. 284 00:14:45.559 --> 00:14:46.279 Okay, what's next? 285 00:14:46.320 --> 00:14:49.240 Up the ladder screen lockers. These are more serious. They 286 00:14:49.320 --> 00:14:52.759 completely lock your computer screen. You can't access anything. Instead, 287 00:14:52.799 --> 00:14:55.000 you see a message, often claiming to be from law 288 00:14:55.080 --> 00:14:57.600 enforcement like the FBI or Secret Service. 289 00:14:57.639 --> 00:14:59.559 The fake FBI warning again. 290 00:14:59.519 --> 00:15:04.200 Exactly accusing you of some illicit activity like downloading illegal 291 00:15:04.240 --> 00:15:08.240 files or visiting prohibited websites, and demanding a hefty fine 292 00:15:08.360 --> 00:15:12.159 to unlock your computer. And people should know, real law 293 00:15:12.240 --> 00:15:13.600 enforcement doesn't operate. 294 00:15:13.360 --> 00:15:17.159 Like that, right, absolutely not. Everment agencies will never demand 295 00:15:17.159 --> 00:15:20.559 payment via pop up screen like that. With screen lockers, 296 00:15:20.639 --> 00:15:25.120 recovery often needs professional help. Sometimes, depending on the variant, 297 00:15:25.200 --> 00:15:27.440 the device might be effectively bricked. 298 00:15:27.799 --> 00:15:31.279 Ouch. Okay, So what's the worst time that would be? 299 00:15:31.480 --> 00:15:36.039 Encrypting ransomware This is the most common and damaging type today. 300 00:15:36.080 --> 00:15:39.919 It doesn't just lock your screen. It gets into your files, documents, photos, databases, 301 00:15:40.000 --> 00:15:44.240 everything and encrypts them using complex algorithms. 302 00:15:43.679 --> 00:15:45.360 So you can see the files, which you can't open 303 00:15:45.399 --> 00:15:46.279 them exactly. 304 00:15:46.360 --> 00:15:50.840 They're scrambled useless without the unique decryption key. The attackers 305 00:15:50.879 --> 00:15:54.600 then demand a large ransom, usually in bitcoin or another cryptocurrency, 306 00:15:54.759 --> 00:15:55.879 in exchange for that key. 307 00:15:56.000 --> 00:15:57.919 And do they actually give you the key if you pay? 308 00:15:58.320 --> 00:16:02.320 That's the big gamble. Some times yes, but very often 309 00:16:02.399 --> 00:16:05.639 attackers just disappear after getting paid, or the key they 310 00:16:05.639 --> 00:16:09.120 provide doesn't work properly, and because they use virtual currency, 311 00:16:09.159 --> 00:16:12.679 the payments are practically impossible to trace or recover. It's 312 00:16:12.759 --> 00:16:15.639 devastating because your data is effectively gone forever if you 313 00:16:15.679 --> 00:16:17.120 don't have backups. 314 00:16:16.799 --> 00:16:20.320 Which leads to that awful dilemma if you get hit. 315 00:16:21.080 --> 00:16:25.320 It's especially with encrypting ransomware. Do you pay? It must 316 00:16:25.360 --> 00:16:27.399 be an agonizing decision. 317 00:16:27.159 --> 00:16:30.080 It really is. For individuals. For huge companies, it's a 318 00:16:30.159 --> 00:16:33.320 terrible choice. On the one hand, paying might be the 319 00:16:33.320 --> 00:16:34.960 only way to get your data back if you don't 320 00:16:34.960 --> 00:16:37.559 have good backups. It's a small mite, though. 321 00:16:37.320 --> 00:16:38.919 But the downsides are huge. 322 00:16:38.720 --> 00:16:42.279 Right, absolutely massive. First, there's zero guarantee you'll get a 323 00:16:42.279 --> 00:16:46.639 working key. You're dealing with criminals. Second, paying marks you 324 00:16:47.039 --> 00:16:50.679 or your organization as willing to pay. You become a 325 00:16:50.799 --> 00:16:54.440 prime target for future attacks, often with even higher demands. 326 00:16:54.480 --> 00:16:56.879 They know you're vulnerable and willing to cough up exactly. 327 00:16:57.200 --> 00:17:00.840 Third, the payments, usually bitcoin, are untraced. You won't get 328 00:17:00.840 --> 00:17:03.799 that money back. And fourth, this is a really serious one. 329 00:17:03.919 --> 00:17:06.400 Paying the ransom can actually be considered a crime in 330 00:17:06.440 --> 00:17:09.920 some circumstances, especially by the US federal government if the 331 00:17:09.960 --> 00:17:13.400 attackers are linked to sanctioned entities or state threat actors, 332 00:17:13.680 --> 00:17:15.680 paying could even be viewed as treason. 333 00:17:16.000 --> 00:17:17.119 Treason why yeah. 334 00:17:17.519 --> 00:17:20.680 And on top of all that, many cyber insurance policies 335 00:17:20.720 --> 00:17:23.279 may not cover losses if you choose to pay the ransom, 336 00:17:23.400 --> 00:17:26.839 although there have been high profile exceptions, like the Colonial 337 00:17:26.880 --> 00:17:30.279 pipeline case, where the impact on critical infrastructure complicated things 338 00:17:30.720 --> 00:17:32.920 but generally panning is strongly advised against. 339 00:17:33.160 --> 00:17:35.839 So the best approach is to avoid getting into that 340 00:17:35.880 --> 00:17:38.319 situation in the first place. How do you avoid having 341 00:17:38.359 --> 00:17:39.240 to make that choice? 342 00:17:39.599 --> 00:17:44.279 Proactive measures are absolutely everything. The number one thing backups, 343 00:17:44.480 --> 00:17:48.920 regular reliable backups. You should have daily backups, ideally following 344 00:17:48.920 --> 00:17:51.480 the three to one rule, at least three copies on 345 00:17:51.519 --> 00:17:54.559 two different types of media with one copy off site. 346 00:17:54.720 --> 00:17:57.480 Off site is key for things like fire or flood 347 00:17:57.880 --> 00:17:59.599 or even a really destructive attack. 348 00:18:00.640 --> 00:18:04.200 And beyond just off site storage, leveraging cloud infrastructure is 349 00:18:04.240 --> 00:18:07.400 a really smart move now platforms like Microsoft Azure or 350 00:18:07.680 --> 00:18:09.640 Amazon Web Services AWS. 351 00:18:09.839 --> 00:18:12.480 How does the cloud help specifically with ransomware? 352 00:18:12.519 --> 00:18:15.240 Well, if you're using virtual machines or vms in the 353 00:18:15.240 --> 00:18:18.480 cloud and one gets infected with ransomware, you can often 354 00:18:18.559 --> 00:18:21.079 just delete the infected VM and spin up a brand new, 355 00:18:21.200 --> 00:18:24.240 clean one from a backup image in minutes minutes. 356 00:18:24.720 --> 00:18:28.839 That's incredibly fast recovery compared to trying to decrypt exactly. 357 00:18:29.039 --> 00:18:32.920 It dramatically reduces downtime and pretty much eliminates the incentive 358 00:18:32.960 --> 00:18:36.200 to pay the ransom you just restore from your clean backup. 359 00:18:36.400 --> 00:18:40.240 Okay, backups are critical. What about protecting things inside the network, 360 00:18:40.680 --> 00:18:43.519 preventing the ransomware from spreading or gaining access in the 361 00:18:43.519 --> 00:18:44.079 first place. 362 00:18:44.599 --> 00:18:48.279 That's where identity and Access management or IAM comes in. 363 00:18:48.680 --> 00:18:52.720 IM solutions are crucial. They cover the three a's identification, 364 00:18:52.880 --> 00:18:57.720 who are you, authentication, prove it and authorization? What do 365 00:18:57.759 --> 00:18:58.319 you allowed to do? 366 00:18:58.559 --> 00:19:00.359 Like the digital gatekeeper inside the system? 367 00:19:00.400 --> 00:19:04.400 Precisely? Good IM involves things like automated logs tracking who 368 00:19:04.480 --> 00:19:09.200 accessed what when, tools for managing employee permissions efficiently, comprehensive 369 00:19:09.279 --> 00:19:12.079 databases of log in credentials securely stored. 370 00:19:12.240 --> 00:19:14.400 And there are specific guidelines within IM. 371 00:19:14.720 --> 00:19:19.480 Yes some key principles. First, role based access controls or RBAC. 372 00:19:19.920 --> 00:19:23.039 This means assigning permissions based strictly on someone's job function, 373 00:19:23.400 --> 00:19:26.119 give them only the minimum access they absolutely need to 374 00:19:26.160 --> 00:19:29.079 do their job. The principle of least privilege, so if an. 375 00:19:28.960 --> 00:19:32.240 Account gets compromised, the damage is limited. 376 00:19:31.920 --> 00:19:35.200 Exactly the attacker can only access what that specific user 377 00:19:35.200 --> 00:19:40.960 could access. Second, multi factor authentication MFA. Don't rely on 378 00:19:41.079 --> 00:19:44.000 just a password. Deploy at least three unique ways to 379 00:19:44.160 --> 00:19:45.799 verify identity. 380 00:19:45.440 --> 00:19:48.720 Like password plus a code from your phone plus maybe 381 00:19:48.720 --> 00:19:49.359 a fingerprint. 382 00:19:49.480 --> 00:19:52.680 Perfect example, password something you know a token or phone app, 383 00:19:52.720 --> 00:19:55.559 something you have, biometrics, something you are makes it much 384 00:19:55.559 --> 00:19:58.160 harder for attackers to gain access, even if they steal 385 00:19:58.200 --> 00:20:01.680 a password. In the third one, work segmentation. This is 386 00:20:01.799 --> 00:20:06.039 huge break down your IT infrastructure your network into smaller 387 00:20:06.200 --> 00:20:10.039 isolated segments or subnets. Each subnet should have its own 388 00:20:10.079 --> 00:20:14.480 security controls, maybe even its own MFA to move between segments. 389 00:20:14.039 --> 00:20:16.839 So if attackers get into one part, they can't easily 390 00:20:16.839 --> 00:20:18.680 move sideways to other parts of the network. 391 00:20:18.720 --> 00:20:21.720 That's the goal. It contains the breach, limits the attackers 392 00:20:21.799 --> 00:20:24.920 lateral movement and buys your security team time to respond. 393 00:20:25.039 --> 00:20:29.920 Okay, so backups, IAM, MFA, segmentation. These are all vital defenses. 394 00:20:30.359 --> 00:20:32.440 How do you pull this all together into a coherent 395 00:20:32.480 --> 00:20:33.960 plan before an attack happens. 396 00:20:34.200 --> 00:20:37.599 You need a comprehensive written ransomware plan and it needs 397 00:20:37.640 --> 00:20:41.640 several key ingredients. First, you need a designated response team. 398 00:20:41.759 --> 00:20:44.799 This has to be cross departmental IT security obviously, but 399 00:20:44.880 --> 00:20:49.519 also legal, HR, maybe finance and accounting. Everyone needs clearly 400 00:20:49.559 --> 00:20:51.759 assigned roles and responsibilities so. 401 00:20:51.759 --> 00:20:54.240