Ryan Gore:

Welcome to the Briggs & Veselka podcast. My name is Ryan Gore with Briggs & Veselka. And today we have Mike Trpkosh or Cyber Mike, as he's known. Welcome to the podcast sir.

Mike Trpkosh:

Hey, thank you, Ryan.

Ryan Gore:

Mike is the director of cyber security at Pathway Forensics and has worked on countless projects, helping organizations build and organize their cyber security programs to defend against cyber attacks. So he's got a lot to say about many of the things that are coming out online and in the media. And Mike, there are a lot of stories floating around about new cyber attacks occurring. But before we get into that, can you give a brief overview of what ransomware is and how it works?

Mike Trpkosh:

Sure. Ransomware is a type of malware that is deployed onto a victim's machine. And what it does is it encrypts the files and folders on that machine, to where they're unusable by the victim, they'll receive a splash screen on their monitor that directs them to pay a ransom in generally a cryptocurrency like Bitcoin. And once they have paid the ransom, then they're provided with a decryption key or decryption tool that will unlock their files and make them usable again.

Ryan Gore:

So supposedly if you pay, correct? You're supposed to get your data back.

Mike Trpkosh:

Supposedly, yeah. The numbers actually, Ryan, have gone up, because if victims knew that once they paid, they still weren't going to get their decryption tools or the keys, then they'd quit paying. So the attackers are motivated to provide them with a key that works so that they can get paid and other people will continue to pay as well.

Ryan Gore:

It's almost like a brand imagery for the industry. Right?

Mike Trpkosh:

It is.

Ryan Gore:

Trying to keep your brand reputation up.

Mike Trpkosh:

That's right.

Ryan Gore:

Yeah. And I think that is kind of interesting. I think a lot of individuals and organizations see criminals as sort of lone wolves or lone actors, and there's really been a big transition where this is now a full-fledged business and economy, even with solutions like ransomware as a service. Can you talk about that transition?

Mike Trpkosh:

Yeah, sure. So ransomware as a service is generally run by a group, and then all other lines of business, or all other groups within that criminal organization, are considered associates. So you may have one group that finds vulnerabilities or finds victims. You'll have another group that does the actual exploitation. One group will actually handle negotiations. And another one is the group that handles payments. So they've turned it into basically a business. A lot of them even have customer service, where they'll walk you through it if you're having trouble decrypting your files. I mean, it's just like going to any e-commerce site really.

Ryan Gore:

Wow. And how has this come about? What has made it so attractive for criminals to pursue this so deeply today?

Mike Trpkosh:

Right. So you've really seen an explosion of the extortion type of malware due to cryptocurrency. Cryptocurrencies, like Ethereum, like Bitcoin, they're virtually untraceable. Now what you're seeing in the news today is there's been kind of a shift in the last little while. I'd say in the last couple of weeks, you've seen a big change with the Colonial Pipeline, where the FBI was able to get back some of the money, but the cryptocurrency generally was thought to be untraceable. And so criminals were able to move around in an anonymous way and move money around anonymously.

Ryan Gore:

Yes. And as far as the size of the market, that seems to have grown just exponentially as well.

Mike Trpkosh:

Sure. So it was once thought that they were only going to attack large organizations, but that isn't the case anymore. Some groups attack smaller targets, like individuals, and ransom their home computers for the pictures or their music or whatever they have on there, but they take a smaller amount, but there's more targets. Whereas other groups will only attack large corporations and they're looking for the home run, so to speak, whereas other ones are going to take singles all day long.

Ryan Gore:

Yeah. And in that moment, should victims be paying the ransom? What are some of the decision factors that people need to be considering there?

Mike Trpkosh:

And that's the main question. That's the big question. And every situation is different. Law enforcement is going to recommend that you never pay the ransom. And while that sounds good, your business still needs to operate. And so if you have not developed a business continuity plan, if you don't know how long your business can stay offline, or you do know, and you know that you cannot effectively rebuild your network in that timeframe, you have no choice but to pay the ransom or you'll be out of business. So it really comes down to a risk decision. Can you rebuild and still remain viable as an organization, or do you have to pay because you're not prepared?

Ryan Gore:

Yeah. And can you talk about what are some of the tactics criminals are using when companies don't pay? I mean, what are the risks there?

Mike Trpkosh:

Yeah, sure. So what they call those are extortion models. And what we have is the old original ransomware, where we lock your computer and you pay us to get the key. Well, then the victims started to wise up a bit and prepare better. And they started creating and taking backups more regularly, which allowed them to rebuild and not pay the ransom, and the criminals adapted. And what they're doing now is a double extortion model, where they go into your system and they're in there for anywhere from a week to several months, and they're snooping around and they're moving through your network and they're finding the crown jewels, so to speak, your confidential and sensitive data. And what they do is they will exfiltrate that data, sometimes gigabytes, 250, 300 gigabytes of data, maybe even a terabyte of data. And then, as an incentive or motivator to get you to pay the ransom, they threaten to release that data publicly.

Mike Trpkosh:

And a lot of times it's confidential, maybe product information. It could be regulatory data where, if they release that, you're going to be fined or have brand degradation or reputational damage that is going to be very uncomfortable for you. So that's another incentive for you to pay. The third model that they use is called triple extortion. We've only seen a couple of examples of it, but what they're doing is, for example, if they were to go to a police department or go to some type of... the case that I'm thinking of in particular was a psychiatric clinic. And they went to each of the victims and sent them a note and said, "If you'll pay this much, we won't release your information. If the clinic doesn't pay us, then we end up publishing everybody else's." And so that's a triple level extortion.

Ryan Gore:

So they're directly targeting even your end customers to put pressure on you to pay it.

Mike Trpkosh:

Exactly.

Ryan Gore:

Wow.

Mike Trpkosh:

Yeah.

Ryan Gore:

That's just wild. I think people typically think of people hacking into the system, quote unquote, as such a rapid occurrence, but you're saying that they're potentially hiding and waiting in your system for weeks at a time, even.

Mike Trpkosh:

Sure. I mean, there's examples out there where they've been in there for weeks, months, but just remember, the longer they're in there, the greater the opportunity that the organization will learn or determine that somebody's in their network. And so there's kind of a risk-reward equation for the attacker, where he has to think, the longer I stay in here, the more information I can gather and exfiltrate, but the longer I stay in here, I run the risk of getting outed, and then they lock me out and I can't get back in. So what you're starting to see is the criminals are going in there, and they have almost scripts, and they'll elevate their privileges very quickly. And then they know what they're looking for.

Mike Trpkosh:

They elevate to administrative privileges so that they can go anywhere and do anything they want. And they have certain areas that they're looking for, certain types of accounts or group policies, or folders and things. And they go right in there. Some of these larger ones, they were only in there for like four days and they found everything they needed and exfiltrated it. Whereas some of the earlier ones, they were in there for over a month. So you can see that they're evolving; they know what they're looking for and they know how to find it very quickly.

Ryan Gore:

Yeah. So let's talk about some of these bigger ones that have happened in 2021, some really huge names and just massive ransoms being paid, such as the Colonial Pipeline. What happened there?

Mike Trpkosh:

Colonial Pipeline was actually a vulnerability. It was a VPN or a remote access account that was dormant. It was not being actively used. The password was found to be in breach data that was already out on the dark web. And the attackers found that, and they were able to determine, probably with an email address, none of this is confirmed, but it's supposition from the group that did the forensic analysis of that. They feel like they found a password and they matched it with an email ID. And that email ID was of a person that had worked at Colonial. And so then they took a chance that the person used the same password in multiple locations throughout their digital ecosystem.

Mike Trpkosh:

And they tried it and it worked and they were in, and I think the forensics said they were in April 29th, and Colonial Pipeline detected that the ransomware was being detonated, the payload was actually being detonated, May 6th, about 5:00 AM. So they were in there for about a week, found what they wanted, maybe determined that the confidential data wasn't worth it. They just locked up everything because they knew that they'd kind of hit a major, major home run with this attack.

Ryan Gore:

And they did end up paying?

Mike Trpkosh:

There's a lot of backstories going on about that, but they actually paid before they even made the public announcement that they'd been breached. They paid the ransom very quickly. And that's kind of strange in and of itself, because this particular tool, the DarkSide tool, is known to be very slow and not work very well. And so they paid immediately knowing they were getting a tool that may not even work very well, and they paid it anyway. And there's some speculation that they paid based on a recommendation by law enforcement.

Ryan Gore:

And you mentioned DarkSide there. What is that exactly?

Mike Trpkosh:

A lot of folks refer to DarkSide, they're the attacker group that compromised Colonial Pipeline, a lot of people refer to them as a ransomware gang, but DarkSide is actually a ransomware as a service platform. Now it's used both ways, it's the platform, but people refer to that as the group. The group doesn't have a formal name, but they have several people that run the organization, and then they have their associates that handle the different functions of the attack.

Ryan Gore:

Gotcha. And the FBI recovered money on this for Colonial Pipeline?

Mike Trpkosh:

Yeah. So I kind of hinted at that just a minute ago. So they actually recovered almost, well, over half. And depending on the conversion rates when Colonial Pipeline paid the ransom, they paid 75 Bitcoins, but the price dropped significantly. They recovered, I think, 64 and change. And the equivalent wasn't the same as what they paid, but it had more to do with the conversion than it did with the FBI not finding all the Bitcoins.

Ryan Gore:

Are these attackers basically able to just cash out immediately as soon as they receive that Bitcoin, or is there a typical laundering process?

Mike Trpkosh:

Yeah. So they're going to move that money around. And what they're doing is they're moving it from... Bitcoin utilizes an electronic wallet, and they have what they call a private key. And the folks listening to this need to think of a private key like a password. It's a big, long number or string. And so what happened is, Bitcoin utilizes a public ledger. Anybody can go out and follow a transaction. Now it gets very complicated. It moves all over the place. And it's almost impossible at times to follow, but obviously law enforcement has a way to do it. They were able to follow it.

Mike Trpkosh:

What nobody could figure out was how they got that private key, or that password, to the Bitcoin wallet where that Bitcoin was stored. And so the race was before they cashed out of Bitcoin and turned that into currency. And you have to be careful doing that as a criminal, because it's going to send off red flags everywhere if you cash out $4 million of Bitcoin; that's going to be very noticeable. So they generally will parse it out in little pieces and move it around to different wallets, so it isn't all coming from one place. But before they had a chance to do that, the FBI was able to capture that wallet. They had the key, and they were able then to get that Bitcoin back.

Ryan Gore:

Wow. Wow. That's interesting.

Mike Trpkosh:

It's actually amazing.

Ryan Gore:

Yeah.

Mike Trpkosh:

I don't know of it ever happening before this.

Ryan Gore:

Yeah. That doesn't sound very typical at all for these types of stories. And what were some others? I think JBS Holdings had issues as well.

Mike Trpkosh:

So JBS USA is an organization, a global organization out of Brazil, that is probably one of, if not the largest, food processors. In the USA, they're meat processors, and JBS USA was attacked. And they were compromised. And what ended up happening there was they also paid the ransom immediately, and they came out publicly and said, we paid the ransom. They asked for 22 million, we gave them 11. And they gave them the ransom knowing that the key didn't work. And so there's tons of speculation out there as to why they did it. There's thoughts that maybe the FBI told them to do that. But I think, from what I've read and from different sources, it almost sounds like they had confidential data that they said, "Look, we're going to have to rebuild our own network. Your key is not going to work, but we'll pay you so you don't release this data," because it was actually half of what they asked for.

Mike Trpkosh:

So it was almost like that double extortion model. First model, the key didn't work. Second one was, don't release this data. And what'll happen is they'll say, how do we know that we can trust you to delete that data? And most of these groups will tell you, we're not deleting it. We're going to tell you where it's at. And you can go out there to this remote server and you delete it yourself. And you just trust us that we don't have copies of it. And so far it hasn't been shown that they're breaking their promise, so to speak. Now, one of the other things, I've read several negotiation transcripts between the attackers and the victims.

Mike Trpkosh:

And one of the things that they pay for, that you're also paying for, is for them not to attack you again, because one of the facts or one of the pieces of information that companies are always asking for is, "How did you get in?" And most of these attacker groups say, if you pay the ransom, we will, one, not come after you again; two, we'll tell you how we got in so you can fix the hole; and then three, we won't publicly disclose the data. So that's what a lot of these organizations are paying for, as well as just getting their data back or having their data not publicly disclosed.

Ryan Gore:

It's such an interesting duality: they're clearly criminals, but at the same time, part of their business is built on good faith and giving you the tools to defend yourself in the future, which is such an odd thing that I don't think we've ever seen before.

Mike Trpkosh:

Well, even this DarkSide group, there's talk they'd been around since 2019, but really the first time that people had seen them and they became known to security researchers was, I think, in August of 2020, and they had a published code of conduct. We will not go after schools. We will not go after healthcare organizations, and we will not go after, I think one was funeral homes. And I don't understand that, but there's targets that they say they won't go after. They also have tried to make donations to charitable organizations, and reporters have followed up. And once they've told the charity that this donation came from a ransomware group, the donations were sent back.

Mike Trpkosh:

Now on one hand, they're trying to tell you, we're not bad guys. We're strictly commercial. All we want is money. We don't subscribe to any hacktivism. We don't subscribe to geopolitics. It's purely a money thing for us. So they almost are trying to create this image of Robin Hood, but they could have immediately, when they realized that they were taking down Colonial Pipeline and the impact it had on the Eastern United States, they could have immediately said, "Whoa, we didn't realize that's the extent of this. We're backing off." But they didn't. So on one hand, you've got to wonder if it's a PR trick just to make people sympathize with them a little bit, but you never know.

Ryan Gore:

Yeah. And I've read we've even had an attack in our own backyard, with the Houston Rockets.

Mike Trpkosh:

Correct. Yeah. So they were hit with a ransomware attack, and right now the negotiations are still ongoing. So there's been an undisclosed demand, but what it's rumored to be is they have 500 gigabytes of data from the Rockets organization. Now, if you look at the high-profile athletes that are on that team, I can imagine that there's things in there about their health, and you would not want that stuff out.

Ryan Gore:

Well, I think that kind of brings all of this to a good point. Many firms and organizations out there see cyber crime as a problem, like you mentioned, just for these larger companies, and something that couldn't happen to me. But that's just really not true, and firms of all sizes are falling victim to this. We just hear about these big ones. If someone is listening to this and does not have any sort of cyber program in place, what are those first two things that they really need to focus on right out of the gate?

Mike Trpkosh:

So you definitely want to have multi-factor authentication. I mean, that's just table stakes if you really think about it, because what multi-factor authentication does is it requires you to have your password as well as your user ID. And then you have to have that third token. And a lot of these accounts, especially these remote access accounts, if you're using remote access, which the majority of us are now that we're a year into the pandemic, with most people working remotely, that remote access should require that third factor of authentication, or that token, and that would not have allowed these attackers to get into Colonial Pipeline. And in a lot of attacks they couldn't have gotten in. The other thing would be security awareness.

Mike Trpkosh:

I mean, you've got to have good backups as well as security awareness, where you want everyone in the organization to understand that they could have a 10 out of 10 in their security posture, but if somebody clicks the wrong link, it doesn't matter. And so you want to have backups that are offsite and offline. You want to have multi-factor authentication, and you want to make security awareness a priority: let your people know you're an important part of the team, and everybody is part of the cyber security team. You have to understand the risk that you pose to the organization as a user. And you also have to understand that you're a valuable asset to the organization and you can help prevent some of this stuff.

Ryan Gore:

And building on that too, let's say a firm has a working cyber program in place. They feel they've been successful with that. What are two more things that you would recommend they check immediately to make sure that they have in place, outside of multi-factor authentication and that extra education for users?

Mike Trpkosh:

Yeah. So you want to make sure to keep all of your software and your operating systems up to date, make sure your patches are up to date, make sure software is up to date. You want to keep your antivirus software up to date and then keep everything where it needs to be. And one of the main things is restrict users' abilities and their permission levels. If you have a system admin, he should have an admin account, and he should only be using that account when he's doing admin work.

Mike Trpkosh:

Otherwise, he should be using a user account. That keeps privileges and permissions low, and that makes the attacker work hard. He may still get that elevated privilege, but he's going to have to work a lot harder to get it. If he's able to compromise an admin's account, he's off and running the minute he gets in the door. And don't click on links if you don't know where the link is going. Like I tell people all the time in our organization, nobody cares about dancing bears, and you shouldn't be clicking on anything that is a link to it or anything like that. It doesn't have anything to do with what you're doing, so just leave it alone.

Ryan Gore:

Gotcha. Well, Mike, thank you so much for your time today. Anyone listening, if you would like to get in touch with Mike, please feel free to contact us; there'll be links below. And Mike, yeah, thanks so much for joining us.

Mike Trpkosh:

Hey, thanks for having me, Ryan.

Ryan Gore:

Thank you for listening to the Briggs & Veselka podcast. That's it for this episode. If you'd like to listen to past and upcoming episodes, go to our website at bvccpa.com. Thank you.

On episode 2 of the Briggs & Veselka podcast, we are joined by Mike Trpkosh, Director of Cybersecurity at Pathway Forensics, as he discusses the evolution of cybercrime and the newly formed economy cyber criminals pursue.
