S6E11: "Ransom? Where?"

Posted 2021-07-18 23:59
Modified 2021-07-18 03:59
Comments 0

We talk about the increased (reporting) of ransomware attacks.

Goin’ down to the dickotheque.

• Just the Tip
• Notes
• 15 Clams
• Errata
• Music

Just the Tip

• Paden wasn’t able to join us this episode, so instead we talk about iterating in bash.
  • Specifically, Jthan wanted to iterate over a list of files. Rather than putting them into an array, I suggested that he use xargs (which he had no idea existed before).
  • You can find examples here.

Notes

Starts at 27m33s.

I was drinking Shiner Bock. Jthan was drinking an old-fashioned (with the same bourbon as last episode).

• Ransomware prevention (and a bit of mitigation)
  • Jthan read in a Slashdot article (which reports that paying ransoms for ransomware may now be tax-deductible) that a very significant percentage of businesses hit by ransomware still pay…
    • Because they have “cyber insurance”. Real thing, if you didn’t know.
    • Cyber insurers need to stop paying out for ransomware attacks. This will never get better if not.
    • Ransomware will end if companies stop paying the ransoms. It will get worse if they do. Stop paying the ransoms.
  • Backups are the key to making ransomware attacks irrelevant.
    • Ideally, backups should be append-only. Clients should NOT be able to prune its own backups.
    • Keep a cold-spare ready, already imaged/prepped with your most recent backup, but keep it airgapped or off until needed. In the event of a compromise/ransomware attack/etc., replace the hot with that spare and reimage the hot with the known-good backup. The old hot then becomes the new cold spare or, alternatively, the cold spare can be used to provide services while you are preparing to restore your hot.
  • Educating users about phishing and having a “disposable OS install” (via config management, iPXE/PXE, and backups) approach will go MILES in preventing and recovering from a ransomware attack (attempt).

15 Clams

In this segment, Jthan shares with you a little slice of life. The title is a reference to this video. (2m16s in)

Starts at 1h05m44s.

Audacity was bought a while back by Muse Group. They changed some privacy notices (likely to conform to GDPR requirements), and now people are calling Audacity “spyware”.

But don’t worry, that’s not really what’s going on.

Errata

• I didn’t out Jthan’s original quote in the shownotes! He (Jthan) originally (I want to say somewhere in season 3?) claimed he was “young, dumb, and full of cum”.
• I may have been thinking of something else, because Allagash does not have wine. (Their beer is fantastic, though.)
• I try to point out to Jthan that most ransomware attacks don’t occur as a result of 0days, but rather dumb everyday shit like phishing emails and downloading and running nasty shit. Ransomware infections are primarily due to user/staff error, not a targeted attack.
• Jthan, the scammers do not give a shit about emotionally manipulating you to scam you. You must not shy away from these in your training/testing phish campaigns.
• Jthan, the seed can still be generated locally and uniquely across multiple devices and allow for multiple simultaneous devices. Typically, the user is not interactively/manually creating the seed so unless that client software is opensourced and you’ve read through the code, you don’t know where that seed is being actually generated; the entire point is it’s transparent to the user whether local or remote.

Music

Author r00t^2
Categories Season Six