Held for ransom: What should you know about ransomware attacks?


Transcription:

Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the corresponding audio for the authoritative record.

Patti Harman (00:04):

Welcome to the Dig In Podcast. I'm Patti Harman, editor in chief of Digital Insurance. Ransomware has the ability to instill fear in everyone from the smallest company to the largest corporation. It can affect operations on a global scale in minutes. And while companies are acutely aware of ransomware's risks, it reached a new high in the fourth quarter of 2024. According to a recent report from Travelers, this was due in part to bad actors focusing on repeatable methods to identify targets and access data. Today, ransomware still is very much a crime of opportunity. Joining me today to discuss ransomware attacks, how to mitigate their risks and how to respond if your business is targeted, is Dave Cunningham, senior case manager for Alvaka. Thank you so much for joining us today, Dave.

Dave Cunningham (01:03):

Yeah, thank you, Patti. It's an honor to be able to participate.

Patti Harman (01:07):

So I thought that we would start with just an overview of ransomware, and I want to know how has it evolved over the last few years, and do attackers tend to use previously successful methods to execute their attacks, or do they constantly change their approaches as their targets maybe get a little bit smarter?

Dave Cunningham (01:31):

Yeah, so what we're seeing is yes, they tend to use the same techniques over and over. They evolve over time, but it's unusual to have a kind of one-off technique that we haven't seen before. And I will say that up until about two or three years ago, about two and a half years ago, it really was the same playbook, same techniques that had been used successfully in the past, and they're continuing to use that. And then about two and a half years ago, there was a threat actor named BlackCat or ALPHV, and they tout themselves as being the most sophisticated ransomware threat actor. And they innovated a new technique at that time where they were able to evade EDR software, or endpoint detection response software, and they innovated this technique such that they could defeat the EDR and attack at the network level. And it was pretty devastating because people thought they had their security measures in place, and then they were getting attacked. And so this particular technique that they innovated is now copied by other threat actor groups. And so that's how we see this new technique quite a bit. And it's a network-level type of attack. And then there's tweaks over time as new techniques have been discovered, and then we'll see the threat actor groups use those.

Patti Harman (03:15):

Are there certain trends that you're seeing with ransomware? And I'm thinking particularly maybe certain industries or businesses that are being targeted, or specific approaches used like phishing or other types of attacks?

Dave Cunningham (03:33):

Yeah, well, so in terms of the industries and businesses, so the trend that I'm seeing is that generally speaking, it is the unregulated industries that are attacked where unregulated in that security is not mandated. So these are distributors, manufacturers, professional services like law firms and CPA firms, a lot of school districts as well as state local government offices. So those are the unregulated industries that we see being attacked. Now, the one exception is healthcare. Healthcare is a regulated industry, security is mandated, but yet they are still being regularly and successfully attacked. And the reason for that, and I can only speculate, but it's number one, they're a high-value target. Number two, I come to find out that especially with hospitals, hospitals have very low operating margins. And so it's a struggle for them to make the investments that they need to make even though the security is mandated.

(04:49):

So that's my speculation as to why the healthcare organizations are so frequently attacked. As far as specific approaches that we're seeing, phishing still as an initial attack method is declining. So three or four years ago, it was the vast majority of attacks started off with a phishing attack. And we see that declining because now threat actors have discovered and are using techniques where they can gain access into a network, into an environment due to no mistake or error on the part of an end user. So we're still seeing phishing attacks in about 50% of the cases, but then there are these new techniques where they can get in without any human error, at least on the part of the users. You could argue that it's human error on the part of the folks that are managing the security, but those are kind of the approaches that are being used.

Patti Harman (05:59):

When you were talking about the different entities that are attacked. I was remembering, I was at my local hospital maybe about two years ago, and they're like, oh, we're having trouble accessing records and strange things were happening, and my thought was they're having a cyberattack and I had to go home. And sure enough, later on, that's what I heard. And then another time I was on the phone with a friend who was a teacher and her school system was attacked and she said, oh, I'm having trouble getting into my computer. I said, it's a cyberattack. Turn off your computer and get offline right now just in case. And yeah, it's amazing just how quickly an attack can travel and what the impact can be. To follow up to what we were just talking about, are threat actors getting smarter? Do you find that they're adapting more quickly as companies improve their defenses?

Dave Cunningham (06:59):

Well, yes and no. So yes, they're adapting, but they don't need to adapt very quickly because it's hard for these organizations. You could say, well, just, obviously we need to improve cybersecurity measures. But the larger the company, the more difficult it is to just implement security measures very quickly. And it's like any IT project, it takes time. So these measures are being slowly, I mean, these environments are being slowly improved. And so the threat actors, they are adapting, but they don't have to adapt that quickly. So the technique, for example, the technique that I mentioned that Black Cat had pioneered, it's still, I mean, we saw that two years ago. It's still the main technique that we see, and then organizations are becoming aware of it and then they're making changes, but it takes time. So I say it's like a cat and mouse game, but the mouse is not very fast, so it's pretty easy for the cat to keep up to it.

(08:12):

As far as adaptations, what are those adaptations? The first one is that threat actors can now routinely defeat endpoint detection response software. So that's an adaptation. There's a smaller case. There are some methods for defeating multifactor authentication. Those are less common. The other adaptation that we're seeing is that the social engineering techniques are becoming more sophisticated in terms of just tricking a user or a service provider to a grant access. But getting back, okay, so why is it hard for these organizations to keep up with this? These competing environments are getting more complex over time. It used to be all that people are slowly moving to the cloud, they're in these hybrid environments, so now what we call the attack surface has grown. So that gives plenty of opportunities for threat actors to gain a foothold. And then the last thing I'd say is that the phishing emails with AI, they are becoming more realistic. More deceptive. They're better written. It's just not obvious when you read a phishing email that it's somebody that has English as a second language. And we're also seeing that these phishing emails are targeted. So citing specific information that a user would think that, well, this is not generally known. So those are the adaptations. But again, they're pretty slow.

Patti Harman (10:08):

As an editor, I get a lot of press releases all the time, and I get information from people that I may not know. And I have found that I've become much more cautious in terms of clicking on something or opening an attachment because if I don't know you and I can't verify this information, I just delete it because it's the safer course of action and I just can't assume that everything that comes in my inbox is what it purports to be. So we continually hear that humans are the weak link in defending against ransomware attacks. Are there common mistakes that they're making or areas where they leave their data or their companies vulnerable to attacks still?

Dave Cunningham (10:57):

Yes. So this is an area, and this topic is a topic where I have kind of a contrarian point of view, and I'm definitely in the minority when I say what I'm going to say, but there's kind of a conventional wisdom that says that our humans are our weak link or our strongest link, a strongest protection, and I just do not buy that at all. And so I'll give you an analogy. Let's see how tortured this is. So imagine we have an ocean liner and it's going to sail across the North Atlantic and we'll give it a random name like the Titanic. So it's going across the ocean. And yes, we can go to the passengers and make them aware and to give them training. OK, you need to know where the lifeboats are and make sure when you get in the lifeboats, you don't fall in the water, get hypothermia.

(12:01):

And by the way, keep an eye out for icebergs, right? But my contention is the guy that the people that need the iceberg awareness training is the captain and the crew. It is their responsibility, it's on their watch, and they are the people. And for the captain of the Titanic to blame the passengers for not telling 'em about the icebergs that they should have seen, I think is a dodge. And so bringing it into the world of IT and cybersecurity, the captain and the crew, that's the owner and the IT leadership, and it is primarily their responsibility to secure, to secure these environments. So that's what I have to say about that. Now, when we get into security awareness training, invariably we generally are talking about phishing. So then I'm going to give you my unpopular, uncommon opinion on phishing, is what I will say is phishing. The risk of a phishing attack is this is a risk that this is a problem that's solved. We've known how to effectively mitigate the risk of a phishing attack for at least 15 years.

(13:33):

This is something that yes, we want to train people not to click on phishing links, but again, going back to my analogy, who's responsible for this? And I think that we have to have a different attitude about phishing emails. And so again, I'll give you another analogy and that is, so let's say you own a restaurant, fine dining, and what is the acceptable number of rats to be running across the dining room that the diners are going to see? And the answer is zero. We have a zero tolerance. If you own a restaurant for rats in the dining room and we don't say the diners, OK, look, I need to make you aware of how to deal with the rats. What we do is we have an attitude that's unacceptable to have rats in the dining room. Well, that should be our attitude about phishing emails because a phishing email in an organization is potentially far more destructive in terms of a rat in a dining room is not going to bankrupt the restaurant, but a phishing email can bankrupt a company. So I think that we should have a zero tolerance when it comes to phishing emails in an inbox. And so my company, and we don't spend a lot of money on phishing protections, but I probably get maybe one phishing email every three or four months. We have technical technology that has been readily available, and we can limit the phishing emails that anybody would even see.

(15:21):

So we've kind of got this zero tolerance, and if I do get a phishing email, I send it to the help desk and say, Hey, this one got through, can you please block it? So that's the first thing I would say. Then the next step is we've got the technical measures. So let's say a phishing email gets into your inbox. If you click on that phishing email, what should happen? What's going to happen? The answer is nothing should happen because the workstation can be configured such that you're not able to execute code.

(15:58):

And nothing really should happen. And then let's say it does execute well, then the endpoint detection and response software should catch it and block it. And let's say if that doesn't work and it gets beyond that, then the network monitoring should catch it and block it. So what I am saying to folks is that the attitude in IT, should we, it should not be, well, I hope somebody doesn't transfer, click on a phishing email. Rather as we, let's assume that there will be phishing emails, some of them will be clicked. Let's make that be a non-event, because any attitude where we're going to rely on humans not to make human errors, that's a bad strategy. So anyway, that's my rant on phishing. It's a solved problem. It's fairly straightforward to mitigate this risk.

Patti Harman (16:55):

I didn't realize that there were so many different opportunities to stop the impact along the way. That makes a huge difference. And you're right, it does remove the human aspect of it because there are so many other ways to anticipate it and stop it throughout the course of what could occur.

Dave Cunningham (17:14):

Yeah, the other human factor that we were always talking about phishing, there is one place where we do need to give better security awareness training, and it's around multifactor authentication because it's an extremely strong measure, but it does introduce friction into our workflows. And then there's oftentimes there's some pushback from the users on adopting this or the executives, they'll opt themselves out. It's like everybody else has to use it, but I'm going to keep myself make an exception for myself for convenience reasons. And so one of the things that we do need to educate folks on is just like you can stop a phishing email so many ways along the way, well, multifactor authentication stops a threat actor multiple steps through the whole attack chain.

Patti Harman (18:13):

Yeah, and it's interesting. I've noticed when I log into different places that have MFA, even the length of the code that I get from some, it used to be four numbers, now it can be eight or nine numbers. It's just really, really changed over the last year or two. Has the increased use and adoption of AI by companies affected the risk of a ransomware attack? Does it make it easier for them or does it make it harder for them to be attacked?

Dave Cunningham (18:50):

Well, I would say we have the use of AI by the company that's trying to protect themselves and then AI by the threat actors. So what I'm seeing is that the AI has allowed more better written phishing emails. But I will say that in the cases, because running anywhere between five and 10 cases at any given time over the last five years and I have yet to see an attack where AI was implicated, it is something that we talk about, we're concerned about it, but at least so far we've not seen AI being implicated. Same thing when it comes to using AI to protect yourself. So the security vendors are talking machine learning and AI and all of that, but I haven't seen the adoption yet. And I will say that the measures, we already have robust measures that are very effective, and those are working if people will have those in place.

Patti Harman (19:59):

Okay, that's really good to know. We're going to take a short break now and we'll be back in just a few minutes. Welcome back to the Dig In Podcast. We're chatting with Dave Cunningham, senior case manager for Alvaka. So we were talking about AI, and I want to ask you a follow-up, which is, can the adoption of AI provide companies with a better opportunity to maybe identify and preempt ransomware attacks? And you just touched on this a little bit, but I want to go a little bit deeper on that.

Dave Cunningham (20:33):

Yeah, I think that there will be those opportunities as AI is adapted and the security measures are enhanced to leverage AI. But I see it as a future thing, something in the near future because all the vendors seem to be working on this. But kind of like I said before, it's one of those things where we have adequate security measures today to really mitigate the risk. And I would follow up and say any client or insured, as they're filling out their insurance applications for underwriting, there's a number of controls that the carriers will ask for. And frankly, if somebody's able to say yes to pretty much most of those controls, then they're in a very good posture to be able to block an attack.

Patti Harman (21:33):

What kind of steps can companies take then to lessen their risk of a ransomware attack?

Dave Cunningham (21:40):

So this is another one where I tend to rant if I'm not careful because I think in cybersecurity, we do our clients in the community a disservice when we overwhelm people with all of these things that we're going to tell them that they ought to do. Because if you tell somebody that there's 15 different things that they need to do, well, if everything is important, nothing is important, and that becomes, creates paralysis, and it really prevents people from putting in place effective measures. So my attitude is that we have to understand that not all cybersecurity measures are created equal. There are 20% of the measures and the controls that will give you 80% of the risk reduction, the results. So my recommendation is people understand what the most effective measures are and do those first before they do anything else. Do the most effective measures first, and this is a chat that I have with clients every time we have a case that I always get the question, which is how do we not do this again?

(22:52):

And so this is what I say to them about implementing the most effective measures. And in my opinion, there are four measures to do that are super effective. And I've, in hundreds of cases, I've never seen an organization that was attacked successfully if they had these four measures in place. So the first measure is we got to prevent the attack. The most effective measure to prevent the attack is multifactor authentication because it prevents initial access and it prevents the threat actor from progressing through the attack chain. The next thing we need to be able to do is detect an attack in progress and block it because we're not going to have perfect security. So we have to understand that even with all the measures we have, we may have an attack. So we have to have the ability to detect and block that attack. And the way that that is done is by monitoring the environment with, well with XDR, extended detection and response, and I can get into why that is, but having XDR in place and monitored 24/7 by a third party SOC, it's difficult for an organization that's smaller than a large enterprise to have a security operations team to be able to work 24/7 and all this.

(24:23):

So you detect and block. The third is to have the ability to recover. So let's say you didn't prevent it, we didn't block it. Now that the attack proceeded and all the way through, now we've got encrypted encryption in the environment, we need to be able to recover from that. Now what that means is having a backup system that actually can recover because backup systems, we always run into these cases where the bad guys have gotten in, they destroy the backups, and the reason why they destroyed the backups is the backups were never designed not to be destroyed by threat actors.

(25:06):

So the word we use is the backups need to have immutability, meaning it is virtually impossible to delete that data. So that has to be hard. Then to take that one step further, not only do we need immutability, we need it locally because a lot of folks will say, well, we've got backups in the cloud and they're immutable. The problem with that is the time of recovery is so long. If somebody has a hundred terabytes of data up in the cloud, it takes days or weeks to get that data back down and rehydrated into the environment. So it's important that the backups are immutable, they're local, we still need a backup copy in the cloud, and then they're tested. So that's the third measure. And then the fourth measure is people are saying, well, what do we need to do in what order and all that.

(26:07):

And so the recommendation is to have a security risk assessment performed by a professional because when you do a security risk assessment, you figure out what your actual risks are and then you rank them from in priority, critical, high, medium, and you essentially now that becomes the basis for a roadmap for improvement. So now we're working on the most important things because otherwise people, they're not sure what they need to do, what first? And then that leads to the paralysis that I was talking about. So doing those four things, I've never seen an organization that is doing what I'm just mentioning and then still got fully attacked.

Patti Harman (26:51):

That's interesting. And I've never heard anybody lay those four factors out before. That just makes so much sense. So let's say in the event that somebody does suffer a ransomware attack, what should they do? And I'm thinking what their immediate response is is going to be different to what their long-term response should be. And I think a lot of times it's just like, what do we do? Where do we start? And they're totally overwhelmed.

Dave Cunningham (27:17):

Absolutely. That's the way that we see it. Now, my smart alec answer, the first thing that they should do is they should pull out their hard copy incident response plan and start at the top and follow all the steps. That's what folks should do. And by the way, carriers, I think every carrier provides as a resource sample IR plans, but we rarely see those in place. And I could go on as well, if they've got an IR plan, they're probably doing some other things right as well and they're not getting hit. But anyway, so let's say somebody doesn't have an IR plan in place. So you have the technical measures that you have to take, and then you have the non-technical. Who do we contact and talk first? So I'll start with the technical measures. First thing is disconnect from the internet. Just go ahead and just that basically cuts the threat actor off.

(28:21):

The next step is to walk over to the backup system. We don't know if it's destroyed yet, and isolate it, take it offline, disconnect it from the network. Next one is to leave the systems on running. People say, well, should I shut down? And the answer is, we don't want to shut down in the middle of an event, corrupt the data, potentially make it unrecoverable. Another thing that it can be done at that point is we want to prevent the systems from being able to communicate with each other so that you have a lateral movement. So the easiest way to prevent that is you power off the network switches the core network, so just pull the plug. You don't even have to disconnect cables and you can do that. And then the last thing is to have the network engineer go and capture the firewall logs because sometimes those will roll off the edge of the earth if they're not being logged somewhere. So capture, that's going to be really important information to have. So those are kind of the first immediate within the first hour to do.

(29:27):

Now, who are you going to contact? So first step is open an insurance claim, call the carrier, open a claim. Now carriers, if you've got cyber liability insurance, if the carrier has a team that they're going to bring in, and they're very experienced at running cases and recoveries with the idea of minimizing the cost and risk of the whole event now, but when time is of the essence, sometimes carriers, depending on the carriers, they're very responsive and even 24/7, they will go ahead and get engaged. But time can go by and if your systems are down and you have an active threat actor in the environment, we can't really afford to wait 24 hours or over a weekend. The first professional that every insurance carrier is going to bring in is going to be a breach counsel attorney that's arguably is the most important professional to engage. My recommendation is you open the case with a carrier or do whatever you need, but really you've got to get a breach counsel attorney engaged. The people that are in this space, they are, it's a 24/7 type of operation, kind of like an emergency operating room.

(31:00):

And then the breach counsel attorney can then bring in the other firms professionals, data forensics firms, restoration firms like us, or probably 30% of our cases. I'm the one that gets the first call because people know me and then they say, Hey, we're having an event, and then I will go ahead and engage or bring in an attorney and help 'em open up their claim and all of that. So that's kind of the technical and non-technical. Now, there's some things to not do, mistakes that you want to avoid making. One is if there's ransom notes and the threat actor saying, Hey, you got to call us. And so our suggestion is don't reach out to the threat actor to figure out how big is the ransom and all that that can be handled in due time. There's no urgency to reach out to that guy. Another thing is don't attempt to clean the ransomware.

(32:11):

So people will get on, they'll put on Malwarebytes or something like this. They'll try to, this is not a problem that's fixed with Malwarebytes. And by making changes in the system, then you risk damaging, damaging data, encrypted data, making it unrecoverable. So we don't want to try to clean this ransomware. Another thing that is a big mistake is people, they get hit and then they realize, okay, we've got good backups. So it's like we got to get back in business. They start recovering their backups. So we still have a threat actor in the environment. If the threat actor sees he's watching what you're doing. And so he is going to intercept that process. He may destroy, he may have a key logger, he is able to capture the backup system, the password of the backup system. And now we have seen a number of cases where somebody started their backup process and then bad guys are watching what's happening, and then they go in and destroy the backups. Then I would say the last thing to not do, people in IT, is to not communicate to the market that we have had a ransomware attack. I think people want to be transparent, they want to tell people what's going on, but there's so much legal liability at stake here that we do not want to prematurely disclose what's going on. We want to limit those communications to the outside world and the messaging is really, we're having a system. We're having some kind of an IT problem. We'll get back to you once we have it resolved.

(33:56):

So that's kind of the do's and the don'ts.

Patti Harman (33:58):

That is a great list of do's. And I know when I hear in the news that something's happened, my initial thought is, oh, that's a ransomware attacker. That's a cyber attack. And you just know based on what they are saying or even what they're not saying. What has transpired, and it was interesting you were talking about this sort of being almost like a medical emergency. I know a number of people at different carriers who work in the cybersecurity departments, and you're right, they're on call 24/7. They can be out, they can be at a concert or wherever it is, and all of a sudden if something happens, they're right there in the thick of it. So what factors affect how long a company will be down or unable to function due to a ransomware? And I realize that there are a number of factors involved here.

Dave Cunningham (34:50):

So I'll give you the factors and then I'll give you some kind of average restoration times. So one of the biggest factors is just the extent of the compromise because not all ransomware attacks are fully successful. Where they get through, hopefully we've interrupted the attack in the middle.

(35:09):

And so the attack has been blocked. They maybe got in and they started to do some damage. They started to exfiltrate data, but the attack was interrupted before it went to the end and they encrypted the ransomware. So it's the extent of the compromise that affects how long it's going to take. It may just be a few days in that situation. The other thing that affects it is the size and the complexity of the environment. So if we have a single office and they've got a handful of servers and some workstations and it's a single site, that's one thing. If we have a larger organization, they've got multiple offices, they've got workloads in the cloud, they've got all these remote users, but they also have workstations at all the different offices, and let's say some of those are compromised, well, that's going to be a lengthier recovery. And I'll just interject to say, well, we're talking about how long does it take before from the initial attack until we have the critical applications up and running, we're essentially back and able to conduct business. And we may not be at a hundred percent, but at least we're ... limping along. Another thing that affects the time is the viability of the backups. Are they restorable? They've not been to, I always say every time you do a test backups, the first test will always fail. And if your first test is a ransomware attack, then chances are you're not going to be able to recover.

(36:42):

Another thing is just the availability of the resources because there's a whole bunch of work that needs to be done. I always joke, it's like we got six months of work to do in six days, and people are thin on their IT departments, and so do they have the resources to work in a full-court press 24 hours a day for the next two weeks? And most organizations don't have the staff available. So here are the industry averages, and I think I've got this from carriers, is that if there's been a full compromise and the backups are not viable, so a ransom pay has to be paid to purchase a decryption key on average, that's a 19-day restoration period. So the business interruption losses are crazy in these situations. And if it turns out that actually the backups were not destroyed, but it's a full compromise, then the industry averages 12 days because there's a lot of work to do to contain the threat and get these systems back up and running. We feel really good. The key apps to get back in are usually the ERP. We've got to be able to make payroll, we've got to be able to process accounting, manufacturing systems. When we're able to get that under five days,

(38:17):

We feel really good about that. And then our fastest, actually, we had some special circumstances, full compromise. We still had 'em up in the day, within a day. So that was cool because they had some technology in place, essentially immutable snapshots. So that's kind of the way that works.

Patti Harman (38:39):

It's interesting that there's such a range of time, and it really does depend on what people have done. Are there usually warning signs before a company suffers a ransomware attack, something that somebody might notice the system running slower or just weird popups or something like that?

Dave Cunningham (38:57):

Yes. Well, and keep in mind that these threat actors are trying to be stealthy. So they're trying to get in there and trying to exfiltrate as much data as they can. So I have a recent client, they're a law firm, larger law firm, and the bad guys were in there for four months undetected, and they were able to exfiltrate all of the sensitive client information. It was pretty devastating. And they were undetected because they didn't really have any warning signs. And once they finally started to get some warning signs, it was because they were right at the end of the attack chain and they were going to start to encrypt the data. And that's when the client, but even then they were unable to block the encryption of that. But some of the things that people will see is the most obvious is a user. They get an email, it's a phishing email. They click on the link and they'll realize, oh, wait a minute, this is a phishing email. And they call it, it's like, I just clicked on this phishing email. So that's a ... sign something. They'll do it and it's like I clicked on it and nothing really happened, but then three days later, they're fully attacked. Another one is, like you were saying, alerts that are coming out of the EDR and the DR systems. These are great because we love in those cases to be able to intercede and prevent it from proceeding fully. IT guy or people will go in, they'll try to get into their accounts, they're locked out. It's like, well, why am I locked out of my account? And the IT people will see, oh, wait a minute, we've got some new accounts that have been set up in the environment. It's like, okay, well those are the accounts that the bad guys set up for operations. They'll see that, oh, wait a minute, we have this remote access tool that's loaded. There's new software that's been loaded. Where did that come from? 
And then just generally, it does seem like right before, as the attack is coming to a conclusion, users don't notice the performance is slowing down. They can't get into programs. So they've got gremlins in the environment and no, they got worse than gremlins. You got threat actors in the environment.

Patti Harman (41:25):

Are there any risks you're watching or factors that companies should be monitoring, let's just say in the next six to 12 months because it changes so quickly?

Dave Cunningham (41:36):

Yeah, so I was thinking about this. So there is a new technique. It's been out for a couple of months, and this is something that people do need to be, your audience needs to be aware of because it's a social engineering attack that affects end users, and I think we call it email bombing. What happens is the bad guys will collect a number of email addresses for the users at a company. Then they'll go out and they'll subscribe all these users to receive subscriptions and bulk mail and advertisements and all this. So then they come in on Monday and you're looking at your inbox and I got a thousand subscriptions and advertisement. It's not a phishing email because it doesn't have any malicious code. It's bulk commercial email and newsletters. And so then what'll happen is, and then they go to their spam filter that's all clogged up. They can't even work. So then the phone rings and it's like, oh, I'm calling from the IT department and it's the bad guys are impersonating social engineering.

Dave Cunningham (42:56):

They say, Hey, we're working on this email problem. Everybody's getting too, and we're going to need to get into your system remotely and clean this up. And the reason why this is so crafty is they'll use the same method that the normal IT department uses for remote access, like it's called Microsoft remote support. So they're used to dealing with IT people using this support method, and a guy calls up and says, I'm from IT, we're going to use that. And then from there they get in. So that is something to be watching out for. So if you find that you've got a whole bunch of email in your inbox, then it's a call to the IT department. This is really weird. Don't take incoming calls.

Patti Harman (43:39):

Okay. That's very good to know. Thank you.

Dave Cunningham (43:43):

And I will say this is over half of the new attacks that we've seen recently.

Patti Harman (43:47):

Interesting. Okay.

Dave Cunningham (43:49):

Yeah,

Patti Harman (43:51):

We've covered a lot over the last few minutes. Is there anything I haven't asked you that you think our audience should know about ransomware risks?

Dave Cunningham (44:00):

Well, what I would say is I don't want it to be gloom and doom and fear or FUD, fear, uncertainty, and doubt. This is a risk that can be mitigated through proper controls, by having cyber liability insurance and having security measures in place. Also, understand that not all attacks are full compromises. For every attack that you hear about, there are many more that are not reported, but also many attacks that are stopped in their tracks and don't successfully conclude for the threat actor. So all is not lost. The other thing I would say is that insurance carriers are really a wealth of resources for people that are trying to figure out what to do. So the carriers can provide best practice recommendations to follow, and then they can provide those incident response templates.

Patti Harman (45:01):

Very true. Well, thank you so much, Dave, for sharing your insights with our audience. Thank you for listening to the Dig In podcast. I produced this episode with audio production by WenWyst Jeanmary. Special thanks this week to Dave Cunningham of Alvaka for joining us. Please rate us, review us, and subscribe to our content at www.dig-in.com/subscribe. For Digital Insurance, I'm Patti Harman, and thank you for listening.