
The Evolution of Ransomware, How Ransomware Gangs Work, And How You Can Prevent An Attack

Greg Edwards, the CEO of CryptoStopper, walks us through the history of ransomware, what accelerated the use of ransomware by cybercriminals, how Ransomware-as-a-Service and ransomware gangs work, and how you can protect yourself and your organization from an attack.

Ransomware attacks are only going to get worse, according to this episode's guest, Greg Edwards, CEO of CryptoStopper.

Greg, a serial entrepreneur who built and flies his own plane, witnessed first-hand the devastation and disruptions that ransomware attacks cause when he provided backup services with Axis Backup, a backup and disaster recovery company for the insurance industry he founded in 1998.

While he realizes that nobody can completely prevent ransomware attacks from happening, he's determined to stop them as quickly as possible, and that was what prompted him to found CryptoStopper in 2015 after Axis Backup was acquired by J2 Global.

Join our host, co-founder, and CEO of Horangi, Paul Hadjy, and Greg Edwards as they look at the history and future of ransomware, and what you can do to protect yourself and your organization from ransomware attacks. Along the way, they also talk about planes and flying, and how concepts in flying and cybersecurity are related.

Tune in to this episode of Ask A CISO to hear:

  • whether you should pay the ransom on ransomware
  • the history of ransomware and what major factor accelerated ransomware attacks
  • how Ransomware-as-a-Service and ransomware gangs operate
  • new developments in ransomware
  • what organizations need to do to protect themselves against ransomware attacks

About The Guest: Greg Edwards

Greg Edwards is the founder and CEO of CryptoStopper, a company offering ransomware detection software to stop actively running ransomware infections on Windows workstations and servers.

Greg has been a technology entrepreneur since 1998.  

Before Greg founded CryptoStopper, he started Axis Backup, a backup and disaster recovery company for the insurance industry. In 2015, Axis Backup was acquired by J2 Global, freeing Greg to create CryptoStopper and focus exclusively on cybersecurity.

Greg loves talking about cybersecurity, ransomware, airplanes and piloting, and entrepreneurialism.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Paul Hadjy

Alright, so, welcome to esteemed guest Greg Edwards. He's the founder and CEO of CryptoStopper, a company offering ransomware detection software to stop actively running ransomware infections on Windows workstations and servers.

Greg has been a technology entrepreneur since 1998.

Before Greg founded CryptoStopper, he started Axis Backup, a backup and disaster recovery company for the insurance industry. In 2015, Axis Backup was acquired by J2 Global, freeing Greg to create CryptoStopper and focus exclusively on cybersecurity.

Greg loves talking about cybersecurity, ransomware, airplanes, piloting, and entrepreneurialism. Interesting trivia: Greg built his own plane and also runs an MSP besides CryptoStopper.

So tell us more about this plane first, Greg. I also love planes.

Greg Edwards

Yeah, so thanks for having me, Paul.

So, the plane actually is a so it's a Lancair 360 which is a kit-built plane, single-engine. It's only two passengers so it's small but goes 230 miles an hour and has retractable gear and about a 700-mile range.

I live in the Midwest and can get to the East coast in one flight in less than four hours so it's better, way better than commercial, and I mean, it's a blast to fly!

Paul Hadjy

Yeah, I can imagine. I mean, I love planes as well, and I'm in love with the Honda jet. It's like a dream of mine. At some point in my lifetime, I want to own one of those or at least fly in one. I've done neither yet.

Greg Edwards

Yeah, well, let's keep growing our companies, and then we can both buy one.

Actually, the Cirrus jet is the one I would really love to have — single-engine jet that, about 330 knots and 29,000 feet can get you pretty much anywhere, at least in the U.S. and North America, South America.

Paul Hadjy

Is that the one with the detachable canopy?

Greg Edwards

Yeah, well, so it's got a, what they call a CAPS system that's a ballistic parachute that shoots out the top and it also has an unassisted lander — it's called HOME and any passenger in the plane can just push a button and it'll take you to the nearest airport.

So the main reason for the ballistic parachute is because the pilot’s incapacitated, and so Garmin built this HOME system that will communicate with ATC and land the plane at the nearest safe airport.

Paul Hadjy

Amazing stuff! Yeah, I'm super fascinated about that stuff, and it's super interesting and we should have a separate conversation I think that…

Greg Edwards 

We could talk about that the whole time, so yeah, we need to start a pilot and plane podcast!

Paul Hadjy

Yeah, so question number one, and that's kind of get this out of the way: obviously, your company spends a lot of time with ransomware, but I think this is a common question in this space, but should organizations pay ransom on ransomware?

Greg Edwards

It's a complicated answer. The easy answer is no. They absolutely shouldn't pay, but sometimes they have to pay. A lot of the ransomware now will also wipe out the backups, especially if they're locally connected.

So many organizations still have, using the same admin username and password for their backups as they are for everything else, and so these attackers will destroy those local backups as well as the data, and in cases like that there's really no choice, and what else do you do, if especially if, you are a small to mid-sized business all your data's wiped out, all your backups of your data is wiped out.

I mean there's really no other choice than to pay and sometimes, so like in the Colonial Pipeline event they paid a five million dollar ransom even though they had good backups. They paid it just so they could get back up and running more quickly.

So, yeah, absolutely, easy answer is no, don't pay, but sometimes you have to.

Paul Hadjy

Yeah, I totally understand that. I think I’ve definitely seen situations where people had no other option but to pay and, you know, sometimes that works out okay but sometimes it doesn't.

I'm very curious about this too. Like, you know, the history of ransomware, like when did it start, what was the original ransomware, and kind of how has it evolved. Tell me a bit.

Greg Edwards

Yes, some of the very original ransomware, I wouldn’t consider these like modern ransomware but one of the very first ransomware, I believe it was 1993, that came out and was distributed via floppy disks. You might not even be old enough to remember those, Paul.

Paul Hadjy

I definitely remember the first games I played were on floppy disks, but it was early in my lifetime, yes, I'll say that, admit that.

Greg Edwards

So but really the modern ransomware started in around 2012, and really, once bitcoin became widely available and these attackers realized oh we can get paid completely anonymously so why not create as much pain as we possibly can for these companies and even individuals and then demand a ransom and that's really when modern ransomware kicked off. 

When you look at cybercrime in general and look at the number. If you just compare the number of malware and the number of cryptocurrency transactions, you'll see that they almost mirror each other exactly. 

I'm not saying that cryptocurrency is bad or that cryptocurrency was, you know, the root of all of this, but it's what allowed these attackers to get paid anonymously and really drove the cybercrime from the typical hacker in a hoodie that we always we still see, which I don't know why people use, but you know, you think of the hacker and a hoodie in his mom's basement. That's kind of what we thought of as hackers pre-2012 and 2010, and now it's become organized crime, and I mean it's an entire business for lots of people. I mean ransomware is their business.

Paul Hadjy

Yeah, and that's interesting you mentioned that too, and I think a lot of people just don't really understand the scale and function of some of this ransomware. I don't know if you call them companies or organizations, let's say, but I'm curious to hear your thoughts and any interesting statistics you have around that.

Greg Edwards

So I mean I think one of the most interesting things is that in Russia it is completely legal to run a ransomware organization whether you want to call it a company or organization, or whatever you call, it's completely legal as long as you're not attacking companies within Russia and so young entrepreneurs coming up that have a technology background, why wouldn't they do this? 

I mean it's not illegal. There's no moral dilemma. They're essentially taking funds from wealthy western countries and distributing it — it's almost like a Robin Hood effect where they're not doing anything illegal in their mind, they're not doing anything unethical in their mind so why not?

Paul Hadjy

Yeah, that's interesting. I didn't know that. Kind of like on the newer side of ransomware, what was the interesting and new sort of developments that you're seeing?

Greg Edwards

So, this isn't that new but, really, the exfiltration of data, so the multi-layered ways of extracting funds, so not only locking the data up on the local systems but then exfiltrating that data and then holding them for ransom with the threat of releasing that information. So, that's probably and that's been around now for 18-24 months so, not like it’s brand new.

One other thing that I think is really interesting that I'm seeing more and more of is written guarantees so if the company pays, these organizations will give them a written guarantee that they won't attack them for at least 365 days. Like, really?

Paul Hadjy

Only one year. That's the guarantee you're buying, I guess. 

Greg Edwards

Right, I mean, that'd be like you know if you were kidnapped and, oh, we promise we won't kidnap you again for a year. It's ridiculous but we're seeing it.

Paul Hadjy

That's quite interesting. I haven't heard of that one either. That was a new one for me — the written guarantee side of things. So what are the most common vectors from where the attacks come from, and of course, what’s the weakest link in most organizations?

Greg Edwards

Of course, the weakest link is still humans, but the most common attack vector still… 53 percent of attacks come through email, so email attachment which has always been the case. I mean that percentage actually has gone down and down over time, but email is still the most common and then we're seeing a lot of supply chain attacks so the Kaseya attack, the SolarWinds attacks, those where they're infecting known good software and coming in that way, and then the Log4j. I mean I've seen a ton of attacks happening because of Log4j, so it's ever-evolving but email and human mistakes are still the most common ways that ransomware is getting in.

Paul Hadjy

Yeah, and I mean on the Log4j stuff and I know it's at the top of every security person's mind, but how has that affected ransomware?

Greg Edwards

So what Log4j does is allows for remote code execution so what happens if an organization is vulnerable to Log4j, typically what happens is that the attackers will open a back door and a lot of times the way that these crime units are set up is that there will be organizations that specialize in breaking in and then they'll sell that access via the dark web to other organizations and then those other organizations now generally are ransomware gangs that will, then so imagine you've got a Log4j vulnerability within your organization.

You don't know it as the IT team. You have an attacker that opens up a back door into your system. They then sell that information on the dark web to a ransomware gang then they can do whatever they want and so that's, they're just looking for how can they make the most money the quickest, and utilizing the Log4j vulnerability, getting access in, and then perpetrating ransomware.

Paul Hadjy

You touched a bit on the ransomware gangs, but how do these gangs operate?

Greg Edwards

So the most common way now is through Ransomware-as-a-Service which is a whole other component to ransomware that most people don't understand. There are a few organizations that create, just like software as a service, right?

You've got the major companies that create Software-as-a-Service, whether there's the major organizations that create Ransomware-as-a-Service and then they sell it to their affiliates to then actually go and deploy and utilize it.

Paul Hadjy

Which one is more profitable for them? I guess the development?

Greg Edwards

Typically the affiliates, they're gonna make a small amount, you know, they're gonna make small amounts and, actually in the Colonial Pipeline attack that was exactly the case — an affiliate of REvil, so REvil is one of the biggest of the Ransomware-as-a-Service gangs. An affiliate perpetrated, got in, and launched the ransomware attack against Colonial Pipeline, got a five million dollar ransom, and then from what I've seen it's about a 40-60 take where the affiliate gets 60 percent and the ransomware service company gets 40 percent, so the ransomware service companies are the ones that are making all the money.

I mean the affiliates can have some good one-time and maybe several, maybe they'll have hundreds or even thousands of hits, but the Ransomware-as-a-Service is getting a big piece of every one of those.

Paul Hadjy

Yeah, so, it's like a channel partnership, almost.

Greg Edwards

Exactly, yeah.

Paul Hadjy

Yeah, very interesting. So tell us a bit more about CryptoStopper, like what do you guys do, and how does it work?

Greg Edwards

Yeah, so CryptoStopper, so really at the heart of it is a file integrity monitoring system that we utilize bait files, so deception technology, that we deploy and then we're monitoring those bait files and then also monitoring for other indicators of file change activity that's ransomware related, so it's at the heart of it it's file integrity monitoring that's agent based on every endpoint and server that we manage.

Paul Hadjy

Okay, quite interesting, and what complements it and what kind of measures you recommend companies adopt alongside of it?

Greg Edwards

Yeah, so full layered security. I mean I don't ever say that CryptoStopper is the one silver bullet, like you still need next-gen AV, patch management, just good general cyber hygiene, and following the NIST framework.

So, yeah, I mean it's a full layered approach and CryptoStopper is just one of those layers, and really what I was seeing when I owned the off-site backup and disaster recovery company, I was seeing more and more attacks coming through that were causing full-on recoveries because of ransomware and utilizing that backup as last line of defense just was inefficient.

I mean it just took way too long even when we had a cloud-based backup and recovery system before the cloud was even the cloud but still, even taking two hours and then switching all the users over to a cloud-based system as opposed to an on-prem system, it was just too disruptive and so that's where CryptoStopper, being that last line of defense rather than relying on backup as the last line of defense, and so CryptoStopper is not preventative, it's damage control.

Paul Hadjy

I see. How you kind of come up with the idea to start this business? Obviously, you had a successful exit previously, but what kind of got you into this?

Greg Edwards

Yeah, so in 2016, I started a company called Watchpoint Data and it was a Managed Security Services practice and so we were using, at the time, best of breed cybersecurity and EDR tools and still not able to stop ransomware.

I mean ransomware would still come through even we would detect it, it would still take us a couple of hours to recognize, see the alerts, have the SOC team respond, and get it shut down.

And two hours, is, I mean, devastating, and so we built a very first version was a PowerShell script that would recognize, utilizing bait files, would just sit on a server and watch for that encryption activity and stop, and it took about, our average time to detection with that PowerShell as you can imagine wasn't very efficient but took about 9 seconds to detect and stop an attack, but it was automated and much better than two hours.

And so over, it actually took us about three years to develop the algorithm and turn it into an actual C# application and we have a fully managed portal and can manage the... it's not complete, we don't call it agentless yet but we're getting to the point where we'll just have a service that's running, and the portal control the entire system so, really, an evolution over time out of necessity.

Paul Hadjy

What's the biggest piece of advice that you would give to organizations that are trying to defend against ransomware?

Greg Edwards

So I mean the first thing is just taking it seriously and get leadership buy-in, like, that's the thing. Right now that I'm now finally, after screaming this for 10 years, finally seeing that CEOs and boards are taking cybersecurity seriously so that is absolutely the number one thing is that you've got to have, from an organizational level, you've got to have executive buy-in and then it's all about implementing the layered security, so there's not one individual thing that I would recommend. It's a layered approach and having that executive leadership buy-in.

Paul Hadjy

Yeah, I think that makes a lot of sense. Definitely, leadership and executive buy-in in terms of cyber as a whole. I think the world is changing, and a lot more companies are starting to think this way, but there's still a lot of companies that don't, especially in Asia actually. It's a learning thing and, I think, lots of, unfortunately, other people's bad experiences become like what kind of sets the tone for others.

Greg Edwards

Exactly. and I would say, I mean, it's U.S. too. I mean it's still shocking to me when I hear CEOs say well it's not going to happen to us why would they attack us and I just almost lose it at this point when I hear that but it's so, while I mean the U.S. may be at least appearing that we're taking it seriously, I think it's just starting from the standpoint of the Fortune 500 companies absolutely have taken it seriously but when you get below that thousand-employee-sized organization, which is the bulk of business in the U.S. and around the world, that's where they're still not taking it seriously enough and not setting appropriate budgets to handle it.

Paul Hadjy

Yeah, definitely agree. It still surprises me that people don't understand cyber and then sort of categorize it as an important business initiative for the business, because, I mean, frankly, in a lot of cases it's actually an advantage for many businesses when selling as well. If you can show that your company takes cybersecurity seriously, it's much easier to get through procurement with a lot of, especially larger businesses that do take it seriously and get to procurement which is painful.

Greg Edwards

Yeah absolutely, this will sound bad, but several years ago I wasn't a huge proponent of compliance because I felt like it really was you were just checking boxes, but you weren't actually making the organization more secure.

My opinion has flipped on that and I feel, like now, and the frameworks really have changed enough to, if you're following even SOC 2, so SOC 2 is probably the lightest of the, what I would consider real cybersecurity compliance frameworks, and even SOC 2 now, if an organization is following SOC 2 and is audited then they're going to be pretty secure.

Still, other things that they should be doing but those compliances now and, as you were saying through procurement, I think are going to become requirements where you just add, whether you're a software company or even a service organization, if you're not SOC 2, at least SOC 2 certified, you're going to get thrown out. I mean, I have in our organization, we don't entirely throw companies out if they're not SOC 2 certified, but that's a strong indicator to me of how seriously a company's taking their cybersecurity.

Paul Hadjy

Yeah for sure I mean Horangi just got our SOC 2 Type II certification quite recently and yeah I mean it [...]

Greg Edwards

Congratulations!

Paul Hadjy

Thank you! Yes, it's a lot of hard work from the team. I think it's good and I think ultimately [...]

Greg Edwards

Yeah, so when I started that discussion everything, oh this guy thinks compliance doesn't matter, like, we got to get him off here!

Paul Hadjy

No, I mean it definitely, like SOC 2, specifically, I think is one of the better ones because it actually monitors the specifics of what you're actually doing, instead of just like, hey it's just what I'm writing that I'm doing, they would literally monitor the controls which is important.

Greg Edwards

Yeah, absolutely, and that's why I think that that shift is what has made the compliance worthwhile. I mean it's always had some value, but now that they actually have teeth tied to it, that they're monitoring that you're actually doing the things. It's not just policy-based like you have to show evidence that it's actually done.

Paul Hadjy

Yeah, which I think is, you know, ultimately important, right? Anyone can write a policy or, you know, copy-paste it, right?

Greg Edwards

Yeah, and five years ago, you could get your compliance certification just off the policies.

Paul Hadjy

Yeah, seen organizations do that for sure.

Another question I have is: for 2021 for you all, how was it, and what's your plans for the Year of the Tiger 2022?

Greg Edwards

The Year of the Tiger. I like it! 

So 2021, we launched channel only and had just explosive growth so we went from 2,000 endpoints deployed to 14,000 endpoints deployed and the goal for 2022 is to 10 times that and get over 100,000 endpoints deployed and so I see 2022 as just massive growth for CryptoStopper.

Paul Hadjy

Nice. And you guys are investing mostly through channels on that front?

Greg Edwards

Yeah, so we go through Managed Service Providers primarily here in the U.S., but we do have partners around the world.

Paul Hadjy

Nice and one other question I have on the piloting and flying side of things is kind of like is there any correlation between piloting and cybersecurity?

Greg Edwards

Yeah, so I think that the biggest correlations are in the redundancies. 

So, in flying everything, every system has a backup, there's a checklist for everything and that, so it really is like a layered approach to your safety, and when you talk about risk management in a plane, you're talking about life and death. 

So following those checklists and having all of the right redundancies built in, and building that plane myself, you know, actually seeing the components going into it, seeing those redundancies, that really showed me the correlation between cybersecurity and owning a plane and being a pilot.

Paul Hadjy

I have never actually flown a plane by myself but one thing I've been reading about is, I get more into it is, like, the planning aspects, which is something I don't think most people think about. 

You have to like file flight plans and like all these things that are part of the process that are necessary, also with security, to be successful right which I think is interesting.

Greg Edwards

Right, yeah, so I would highly recommend: go get your pilot's license. It is much easier in the U.S., I don't know in Singapore, you know, how and in Southeast Asia, how easy it is and how accessible it is, but in the U.S., I mean it's not inexpensive, but it is comparatively very easy to get your pilot's license compared to other places in the world.

Paul Hadjy

Yeah, actually, I was looking about in Singapore randomly and you can do a simulator for certain parts but then they actually send most people to the U.S. to do the practical stuff because it's just easier, because Singapore is an island and you can fly in circles but that's pretty much it.

Greg Edwards

Right, oh it's crazy. 

I mean you can fly, and one great thing about being a private pilot owning your own plane I mean you can fly into small cities so I have family that lives in South Dakota and you can fly from here which, I live in the Midwest, so fly from here to there and land in these tiny little towns and you don't have to worry, like, you know with a commercial flight you have to go multiple hops to get to these smaller cities. 

Paul Hadjy

Yeah, they're often not great airports either so it's like, yeah, it must be much better on your private plane.

Greg Edwards

Cool, and I definitely recommend it and there are places so there's several flight schools, especially in Florida and Arizona, where you come for two weeks and get your pilot's license.

Paul Hadjy

I'll have to check that out. My family's in Florida too.

So what are kind of some predictions from you and CryptoStopper for 2022, like ransomware?

Greg Edwards

So ransomware's gonna get worse. That's an easy one, right?

Paul Hadjy

I would agree, yeah.

Greg Edwards

So, really the biggest thing is the supply chain attack, so I do see as companies are getting better and better about cybersecurity that, then the attackers are just going to keep moving to harder and harder detection methods, and the best way to do that is through supply chain attacks.

So, if you embed your ransomware, and I'm not giving away anything here that they don't already know, so any of the attackers that are listening, they already know this. 

When they embed that ransomware into known good software and it's executing through that system then the traditional antivirus is not going to stop it, and so I see that continuing to rise. We've seen file-less malware and file-less ransomware rising over and over the years and it's just gonna continue to rise too.

Paul Hadjy

Okay so to kind of close this off, what's one last piece of advice you have for the listeners and anyone interested in ransomware?

Greg Edwards

Yeah, so, I mean go get CryptoStopper, but I mean take it seriously and take the threat of ransomware seriously and if you're in IT, assume mostly IT professionals listening, that you've got to learn how to sell this to the executive management and the company and the way to do that is through risk management and risk mitigation, and we're seeing in the U.S. that cyber liability insurance, the applications are finally reflecting the necessity for good cybersecurity and so that's driving a lot of discussions and that's a great opportunity when you have that next cyber liability renewal to take that to the executive leadership team and say, see all these things that I've been screaming for that we need? Now we're being required, so let's get it done.

Paul Hadjy

Yeah, I agree. I think one of the most important skill sets in a good, especially a security manager, a security person, is really the ability to sell to IT executives because, ultimately, if they don't believe in whatever you're investing in then it doesn't matter right?

Greg Edwards

Right, and that's unfortunate that that's the case and most of us as security geeks, we're not great at sales, right? That's why we went into security so we didn't ever have to talk to other people and go sell, but it is, I mean you have to sell it up the chain. 

Paul Hadjy

Yeah, yeah, it's important to make sure that the executives understand the risk and ultimately security is just business risk it's very important, especially in our industry.

Greg Edwards

Absolutely.

Paul Hadjy

Alright, Greg, well, thanks so much for the time, and really appreciate you hanging out with us for 30 minutes.

Greg Edwards

Absolutely. Thanks for having me.

Paul Hadjy

Paul is a technology visionary working across the US, Middle East, Singapore, Korea, and New Zealand to build business in both the private and public sectors. Paul spent over 6 years at Palantir and was the Head of Information Security at Grab.
