
Ransomware Hits Hard
1/3/2022 | 26m 36s
FORUM 360 host Stephanie York talks to guests about ransomware.
FORUM 360 host Stephanie York talks with Michael Brian of the FBI's Cleveland Cyber Criminal Squad and Charles Mackey of Fortress Security Risk Management.
Forum 360 is a local public television program presented by WNEO

(upbeat music)
- Welcome to Forum 360.
I'm Stephanie York, your host today.
Thank you for joining us for a global outlook with a local view.
Today we're talking with Charles Mackey from Fortress Security Risk Management, a company dedicated to protecting people and organizations from cyber crime and Supervisory Special Agent Michael Brian for the FBI's Cleveland Cyber Criminal Squad.
We are delving into the criminal act of ransomware.
What we'll be discussing is what ransomware is, its prevalence, what you can do to protect against it, if anything, and more.
With their extensive backgrounds in combating cyber crimes, I'm looking forward to this conversation about ransomware.
Welcome Charles and Michael, and thank you for joining us today.
- Thank you, Stephanie.
- Thank you.
- Happy to be here.
- Yes, great.
So if you could just tell us a little bit about yourselves, your backgrounds and what you do now.
Let's start with you, Michael.
- Yes.
So, I'm currently the supervisory special agent of our cyber criminal squad.
In the Cleveland office, we have two full cyber squads.
I've been in the FBI for 22 years, and most of that time I have spent working cyber crime.
So we have a pretty good ability to combat that or to target that with resources we have in our office, but it's a growing problem.
And as you can see, what we'll be able to talk about today, it's very prevalent in today's society.
- Yep, and you?
- Yeah.
Stephanie, I'm a security principal for Fortress Security Risk Management.
I've been involved in cybersecurity for probably the last 20 years of a nearly 40-year career in IT.
I've spent all my time either in technology or process or people or areas within IT technology.
And to Michael's point, this is an area that is really, really taking up a lot of our attention.
- Yes, I know.
So there's cyber crime.
And as part of that, there's ransomware.
Can you explain, one of you explain, in its simplest terms, what is ransomware?
- Well, ransomware is simply that.
It's the act of holding your company, your data, your computing technology hostage.
You are unable because the data is encrypted to get to the things that are important to you as a business.
And most often the ransom involved is some financial payment.
Someone breaks in, they encrypt your data, you no longer have access to it, and so to unencrypt that data and to get that data back, you typically have to pay a ransom or some other mechanism hiring us to help with that, acting with the FBI.
That's about as simplest form as you can get it.
- That's pretty simple, but it's very devastating.
How prevalent is ransomware?
- It's very prevalent.
Locally here in the Cleveland office, we probably get on average maybe three to five reports per week from different companies.
And these again are just reports that we get.
I think I've heard some other statistics out there that there's an entity getting hit with ransomware, maybe every 11 or 12 seconds throughout the world.
So it's, obviously it's a growing problem and it's gotten worse over the last couple of years.
- Yeah.
So who's usually targeted?
Are they individuals, companies, nonprofits, what do you see or does it run the gamut?
- Yeah.
I mean, we're typically seeing an organization.
Early on, you might be a victim of ransomware just in your home computing environment, but more and more, the level of sophistication of the attackers of the bad actors are such that they're crime syndicates, they're nation-states, very well-organized, highly funded, very professional groups that are targeting industries of all kinds on a regular basis.
- Okay.
What are some things people or organizations can do to protect themselves?
Are there things they can do or are you just sitting back just waiting for it to happen?
- Yeah.
I mean, I think there's a lot of, and I think Chuck probably could talk more into that realm, but I think a lot of the things that we find out from working with victims is that they, maybe they didn't have enough focus on security, maybe they didn't have their backups correctly stored in an offline environment and they get hit with something and they think they're gonna be able to respond to it or recover from it, but they just didn't have everything in place or they didn't think about how they would recover from it until it happened.
It's kinda that like mentality of everything's fine until it's not, right?
So, and that's when they have to, then when they really realize, oh, we didn't really should've done all these other things.
And then that's where Chuck's organization would probably have more details on what they should have done ahead of time.
- Right.
Right.
So there are a number of things organizations can do to protect themselves.
From a process standpoint, they have to pay attention to what's going on in their environment on a regular basis.
From a technology standpoint, there are a myriad of tool sets that can help protect that.
But I think Stephanie, you know, the one basic thing that all organizations can do is to protect the integrity of their data via the way they transfer emails back and forth.
They have to have protection within emails because at the end of the day, what we're finding, even though there's some very sophisticated attacks that come in through other mechanisms, you really have to have the kind of web filtering and email protection against any kind of attack, but ransomware specifically, because this is where it often gets in, you don't recognize the email, but you still click on the link.
And in today's environments, they're able to spoof very, very accurately.
So you have to pay close attention and be diligent.
- Right.
So I get the emails from Amazon and AT&T, I mean, I'm saying companies' names, but they can come from anywhere.
And if you hover over the actual Amazon name, it shows a different email address, but some people don't hover over it.
I mean, long gone are the days where you know because there's so many spelling errors or there's not proper English and the email it's broken, that you know it's spoofed.
So, they're becoming more sophisticated even in that manner that you really have to do a little sleuthing before you click on the link.
I don't click on anything.
And even if it's from someone I know, I mean, I know to call them and say, hey, I didn't ask for this, did you send me this?
You know, because I'm so paranoid about it, thanks to my boss.
So, can you truly protect yourself though?
Like, even if you have everything in place, are you, 100%, you spend all the money and do everything, can you still get hit?
- Well, sure.
You know, it's like anything else.
I mean, in your personal life, you go out of your way to protect the integrity of your house, right?
You lock your doors, you lock your windows, you lock your garage.
You know, you leave your lights on, you might have a dog, you do all those things and you still get broken into.
And you know, some of it is just, if someone knows something about your organization and they want in, they'll try everything they can to get in.
So the idea is to frustrate them enough where they stop trying, right?
And that's where ideas of protection move into action, right?
So there's email filtering.
It used to be that there was antivirus.
Now those tools are pretty much out of date.
The new world is all based on behavior.
So you can begin to see what happens at an endpoint device.
So yes, can you fully protect yourself 100% all the time?
No.
But can you improve your chances?
Absolutely.
Do you want to have your chances improved on an ongoing basis?
Of course you do, right?
So you do the things to help protect yourself.
- So, what does something like that cost?
To protect yourself.
I mean, and is it worth the cost?
I mean, I know you say it is, but so I wanna know what the cost is upfront and then what the cost could be if you get attacked, right?
- Well, sure.
The cost fluctuates based on organization, executive leadership's decisions in terms of what they wanna do and, you know, that's entirely up to them, but of course it can cost hundreds of thousands of dollars to protect yourself, but it can also cost you millions of dollars to not be protected, right?
So there's not only the fact that you can be held ransom with ransomware, but there's also the fines that could be levied upon you based on the industry or the government regulation that you fall under.
There's also the loss of business.
I've not met a CEO in a company today that can't automatically calculate in his or her head, what the daily revenue loss would be if they had an outage of a substance, right?
So, when it takes anywhere from seven to 10 to 12 days to just kind of figure things out and get you up and running again, it can become a very costly proposition, much more costly than if you invest in the technology.
- Well, let's talk about that.
The seven to 10 to 12 days to get back up and running.
Is that what it usually is or is it--
- Yeah, I mean it can take that long or more depending on the circumstances.
And I think to Chuck's point, like, I think right now the average from what I've read I think it's about 220,000 is the average ransomware payment this year.
And that's changed probably like since last year, probably from the 170,000 and I think three or four years ago when ransomware was first starting, the average payment or average ransom was like $5,000.
But again, that's just the payment request to get your data back, that doesn't count hiring an outside company or having to, you know, all that downtime from your business, all the money you might've lost if your website, you know, if you were selling something or if you just have to have those resources, I mean, it can quickly spiral into really like millions of dollars, just like Chuck said.
- And that's if you pay the ransom, right?
- Correct.
- And get it back in seven days or so.
- So there's a, your viewers might be interested, Stephanie, in a web location called ransomwareclock.org spelled out that way.
And this is a, it's actually a tracker of known breaches and how much it costs.
And it clicks off the time in real time.
And you can see that if you go to it today, I think it's over $16 billion just for 2021 so far.
That's of known incidents, right?
And that's only about 10%.
So, extrapolate that out and you can see that the dollar figures roll up pretty, pretty quickly.
For any given organization, to Michael's point, $250,000, again, that's an average, you know?
What is the mean cluster, right?
We're probably up at a higher number and it can get unwieldy pretty quickly, pretty fastly.
- So how does an organization first learn it's been hacked like this?
What do you see?
- Typically like the reports that we will get.
You know, it's like, we came in this morning and tried to log into our computers and our system's locked, or there's a message up there with the ransom note that basically says, your information has been encrypted, contact us with the following information.
To get your data back, make us a payment in certain amount in Bitcoin.
- Wow.
Wow.
So, you get this message and most people are thinking, oh my gosh, we're shut down.
You know, how long has that criminal actually been in your computer in your system before you see that message?
Do you have an idea about that?
- Yeah.
I mean, it's months.
And it can even be years, right?
They can lay in wait for a long time.
They can monitor your behavior.
They can see what's going on.
They can begin to mimic different executives and individuals within the company to see how they correspond within and outside the company.
And then, so they're very patient, right?
Now, keep in mind that they have hundreds, if not thousands of different organizations that they're trying to penetrate.
So patience is, for them, just part of the job, right?
But it can take a while for them to actually exercise what they're going to do.
And with a ransomware, the first thing you're gonna do is they're gonna exfiltrate your data.
They're gonna take it out of the organization, and then they're gonna say, hey, we're gonna encrypt your data and then you could get it back if you pay a ransom, right?
So you really want to be as cautious as possible with how you're working with your suppliers and your vendors on the kind of data you have and how important that data is to you, because chances are whether you pay the ransom or not, it's gonna be out on the dark web somewhere.
- Wow, wow.
That's just, it's scary, right?
Can you detect unusual activity like that in those prior months, do you think?
- Well, again, it's like everything else, Stephanie, it gets to the level of sophistication and intent that the organization has.
For those organizations that are what I would call cybersecurity conscious, they understand that even though they're a boring company themselves, the data itself has a life of its own and that they need to structure themselves in a proactive way, they're going to have policies in place.
They're gonna have an incident response plan in place where it says, look in the case of some type of a material breach, here's what we need to do.
Here's how we need to communicate it.
Who does what within the organization?
So, the better prepared you are, the more specific you can respond to it and the better you can reduce the time of being out of business, right?
So, it all depends on what the organization structure is, and that comes from leadership.
- Right.
I'd like to remind our viewers and those who may have joined late, that we're here with Charles Mackey and FBI agent Michael Brian, and we're talking about ransomware, who is a target, how to protect yourself and what you should and shouldn't do if your system is breached.
Now, I'd like to ask you a question, Michael.
So our company has been hit with ransomware.
Should we call the FBI?
- Absolutely.
And I'll just highlight a couple of reasons why, and I think there's, sometimes there's a little bit of hesitancy to actually having to reaching out to law enforcement for various reasons.
A couple of things that just to kind of highlight what things we can't do, you know, we're not set up, we can't come up, we're not gonna be able to come out and rebuild systems and mitigate the actual response to that event that's happened.
But what we can do, the FBI has started looking at these from a national level, like no longer do we just open up a case, every little ransomware case in every office.
So, what we've tried to do is put together subject matter experts.
So an office like Cleveland might get assigned like a new ransomware variant that just is out there.
We're gonna be the ones that are gonna look at all the ransomware events throughout the US that are reported on that.
And the reason for that is that way we can start to build a profile of the actors, we can try to figure out how they operate, maybe how they get in, you know, the things that they might do, what they're gonna do with the information.
So, some of the value we hope to be able to give to a victim from that is maybe based on past experiences with other victims, we might be able to help them maybe move along a little faster and mitigate a little quicker 'cause we might have a little bit of information about how it operates.
But we can't build that sort of expertise if we don't have people giving us, you know, calling us with information about the incident that's occurring and the new variants that are out there.
- So, if I call you to come in, we have this incident, are you gonna tell me not to pay the ransomware?
'Cause I think that's what a lot of people are afraid of.
You know, the FBI is coming in, don't pay the criminals.
And the company is really at a detriment.
They don't have their information.
So tell me how you typically advise on that.
- Of course.
Obviously the government's I think everybody's knows what the answer's gonna be.
We do not advocate the actual payment of the ransom, but of course we understand that based on every circumstance is different, every situation is different and it's a business decision on, sometimes it just from a business standpoint, it makes sense to pay the ransom in order to get your data back so that you can actually get your business up and running and have a less downtime.
But what we would ask for that is if that is the decision that is made, that we can at least get some sharing of the information, at least from the payment of that, because that does help us following the money, following the Bitcoin transactions, that kind of stuff.
If we can have that information as part of our investigation, it can be helpful to try and to figure out who it is that's doing that and seeing if there's something we can do to kind of stem the tide on their operations.
- So, the don't negotiate with terrorists thing doesn't always apply here and you know that sometimes companies will negotiate with the terrorists and you will still help them.
- Absolutely.
Just because they've paid doesn't mean, okay, well we're done with you.
That's just, we understand that it's just the situation that they're in.
- Are there advantages?
Do you see, as an outside company to calling in the FBI or disadvantages, what do you see?
- Well, we always encourage organizations to reach out to law enforcement and specifically the FBI for all the reasons that Michael just mentioned.
And we ourselves, we don't advocate one way or another if an organization should pay or not, the decision is left up to executive leadership.
And more than likely, if that organization has the discipline to understand what's going on in our organization, they have a communication plan.
They are talking with their attorneys, their legal counsel, their outside attorneys, their insurance company, you know, maybe they have cyber insurance and they're talking to their insurance agent as well.
So, we don't make a recommendation one way or another, and we absolutely encourage them to work with the FBI.
It's important to be able to understand as much as we can about what's taking place.
It's the only way we, as a company that works in this business has a good idea of what's taking place.
And to Michael's point about aggregating support around the country, we absolutely like that idea.
It makes everybody's life a lot easier and frankly gets a better probability of getting either your money back or exfiltrating the bad actor from your environment.
- Sure.
So, I'm a company, I've been hacked.
I call the FBI, I call your company Fortress to come in, the wheels are going, I pay the ransom.
I decide, you know what?
I can't be down a month or more.
I need to be back up in a week.
I pay the ransom.
How do I know I'm gonna get that information back?
How often, I mean, do people get their information back when they pay?
- Absolutely they do.
Is it a guarantee?
I would say nothing is ever guaranteed when you're dealing with the type of criminal element.
Certainly it is successful.
I think it's highly successful.
It doesn't, and also, isn't also a guarantee of future, of you pay the ransom, once you got your data back, now you're off and running, it is never gonna happen to you again.
I think there's a high rate of ability to be reinfected either from the same group or another group, depending on what you may do and things you may follow based on maybe an entity like Chuck's group coming in to help out.
- Yeah.
Well, it's like this, the criminal enterprise is in fact an enterprise.
And I hesitate to use the word professional because it seems like an oxymoron in this case.
But the fact is these are businesses and they have customer service representatives that will help you bring your data back.
So, it's a little different environment where you're actually working with the villain, but this is the nature of what's going on in the world today.
So the key is, look, if you're going to pay the ransom and you feel you have legitimate reasons to do so, absolutely go ahead and do that.
We'll still continue to work with you and we'll help you in any way we can, but know that by and large, the fact of the matter is, your data has already been stolen from you and it's likely gonna show up on the dark web or someplace, and you need to continue to monitor.
So, when a company like ours comes in and helps you through that process and presents you with a remediation plan, please stick to the plan because you have to fix what's broken and you need to continue to track what's taking place out there to eliminate the potential for re-exposure.
- So something you said just astounds me.
You said they were professionals, which I get, but they have customer service reps.
So if I pay the ransom and I'm having trouble getting my information back, I can call the terrorists and they'll send me to a customer service rep that will walk me through the process to get my information back, is that true?
- So it's not as glamorous as that, but they do have people that will help you really through the process.
Now, again, using the word professional might be a stretch, but the fact is they are an enterprise, right?
And their objective is to accrue funds.
And their objective is to be able to leverage those funds for whatever activities they want.
If it helps them get the funds easier, they're probably gonna help you through that, yeah.
And not every organization that's out there doing ransomware certainly does that.
Some are just down and out criminals, right?
So, that's never gonna change, but it's just the nature of the world today.
- And I suppose you get your information back pretty reliably, because if you didn't people wouldn't pay the ransom.
So, they see that if they pay the ransom, you get your information back, the next person will pay the ransom to get their information back.
It's this vicious cycle.
- Yeah, I'm not sure there's a five-star rating out there for that, but--
- So, how often or I mean, so this person comes in or this entity and they hack you and you get your information back, you go through all the right things.
How do I know they're not lying in wait to do it again?
I mean, you kind of touched on that.
I mean, I would feel that that person is like, okay, but he's just, he puts something in your computer to go back to, to do it again.
- Exactly.
Like that's the way these guys operate in the cyber world.
Like they get onto networks and they're always good.
They just, they wanna have like persistence on that network.
So they're gonna put in back doors and other things in place.
So, can you 100% guarantee that your system's clean and you're not gonna get a compromise again?
I think that's the problem back to like what Chuck was saying before.
If the criminal element wants to get in, if they wanna break in your house, they're gonna break in your house if there's something that they want.
They're gonna try to stay on if they find a network that has good information on it, like a larger corporation, that's already paid, has some good information out there.
You know, they have motivation to stay on there because there's a potential that they can reinfect or do another ransom attack and make money again, because there's already a history of being able to be successful previously.
- So recently the FBI recovered some money that was paid.
I mean, I read about it, so, I know it's not super secret.
Can you tell me a little bit about that?
'Cause I thought that was really interesting.
- Yeah.
I mean, I can't get into too many details on it 'cause it wasn't our case.
Like I said, we're not the experts on it, but the Colonial Pipeline was an example of that, where the East Coast where the pipeline centers were hit with ransomware and there was the panic buying of all the gasoline and stuff, there was a high dollar ransom that was paid off.
I think it was over $4 million.
Due to some circumstances best part of that investigation of having access to some information and being able to do some things, DOJ and FBI was able to retrieve, I think it was about 2.3 million of that.
So, it is a possibility.
Does it happen a lot?
I will say no.
It's not like, 'cause you don't wanna get people's hopes up like, hey, if we pay it, we're gonna be able to recover it.
But there are things that we can try to do.
And certain circumstances that is the goal to try to mitigate this to some respect.
- But I would imagine the more people report, the more information you get, the more sophisticated you get and information and intel to be able to retrieve at some point maybe.
I mean, it's just how much information you're getting is what's limiting you.
A lot of people don't report.
- Correct.
Yeah.
That is the goal to try to have as much reporting and constant feedback back and forth between the victims and law enforcement and other entities.
- And it does work.
I mean, most recently there have been examples of where through the intervention of firms like ours and the FBI, funds have been recovered.
Criminals have actually been arrested.
On a global basis, there are high levels of attention being placed on ransomware and crime, not only here in the United States, but our partners in countries as well.
So it does work.
- Are ransoms always paid in Bitcoin?
Is that the choice?
- I think Bitcoins, you probably know more, Bitcoin's predominant, but some type of cryptocurrency is typically the method.
- And that's because, it means to my understanding, it's not traceable to any one person, it's just like a number or something?
- Yeah, it makes a lot harder.
In fact, you'll see the US Treasury just recently put sanctions on a cryptocurrency exchange because it was determined that that was, you know, most of what was happening in that cryptocurrency exchange was fraudulent.
- So you said there's a resource ransomclock.org?
- Ransomware, ransomwareclock.org.
- Ransomware, Ransomwareclock.org.
- Right.
It's an available resource that anybody can look up on the internet.
And it not only shows you the calculations of how much is been involved in ransomware payments this far, this year, but the total cost of what it might take is it's kind of aggregated and there are multiple sources available on there that can help you with sources like from the FBI and other locations to learn how to protect yourself, do the kinds of things that create diligence in your environment.
And it's a great free resource for any company or individual out there.
- That's great.
And do you have a resource that people can go to on your site, the FBI site?
- Yes, Internet Crime Complaint Center or IC3.gov is a conduit to report cyber crimes in particular ransomware, but any type of cyber crime can be reported to that portal and that information gets put into a system and that we can analyze that and it gets pushed out to offices that are working those.
- Great, IC3.gov.
- Correct.
- Great.
So, there is no question that cyber criminals are out there and ready to attack.
We learned today that it can happen to anyone in any organization and it could hit you personally.
I'm so grateful that we were able to discuss specific actions you can take to protect against and respond to ransomware attacks.
Thank you, Charles and Michael for joining me today.
I'm Stephanie York.
Thank you for joining us today on Forum 360, a global outlook with a local view.
- [Announcer] Forum 360 is brought to you by John S. and James L. Knight Foundation, the Akron Community Foundation, Hudson Community Television, the Rubber City Radio Group, Shaw Jewish Community Center of Akron, Blue Green, Electric Impulse Communications and Forum 360 supporters.
