The Backup Wrap-Up

Polymorphic malware is the kind of threat that changes its own code — its signature, its behavior, even the command-and-control server it reports to — specifically so your antivirus can't catch it. In this episode, Dr. Mike Saylor of Black Swan Cybersecurity joins Prasanna and me to break down exactly how this works, why signature-based detection keeps losing the race, and what defenders actually need to do differently.Mike walks us through ViraLock, one of the most well-known early examples of polymorphic malware, and explains the gap between infection and detection that attackers exploit. We also get into the difference between polymorphic and metamorphic malware — and metamorphic is a lot scarier. Then we cover waterhole attacks, a red team story that will make you rethink how fast attackers can own a network, and what behavioral detection looks like when it's actually working.If you thought keeping your antivirus updated was enough, this episode is going to change your mind.Chapters:00:00:00 – Intro01:35 – Meet the guests: Prasanna Malaiyandi and Dr. Mike Saylor02:58 – What is polymorphic malware? The ViraLock story05:52 – How polymorphic code changes its own signature10:04 – Disguised executables and the human factor12:23 – Polymorphic vs. static malware: what's the real difference?14:15 – Metamorphic malware: nation-state-level scary16:01 – The Frankenstein virus: a conceptual metamorphic example16:52 – Waterhole attacks: infecting the shared file everyone downloads18:32 – How polymorphic malware stays alive: the red team story21:28 – Behavioral detection and baselining: how you actually fight back26:57 – Risk-based defense: protect what matters most

A PyPI software supply chain attack hit LiteLLM — a library pulled into developer environments 97 million times a month — and if you use it, you may already be compromised. This wasn't a fake package or a typo-squatting trick. Attackers stole real credentials, published malicious code as the real thing, and walked out with SSH keys, cloud credentials, Kubernetes tokens, API keys, and more — all encrypted and sent home before anyone knew what happened.I'm doing something I've never done before: an emergency episode, recorded and published immediately because this is that serious. I brought in Dr. Mike Saylor, co-author of our book Learning Ransomware Response and Recovery, and my co-host Prasanna Malaiyandi to break down exactly what happened, how to find out if you were hit, and what you need to do to protect yourself going forward.We open with a story from 1982 that perfectly captures what this attack really is — getting poisoned by something you trusted completely. That framing matters. This wasn't a failure of the library. It was a failure of the supply chain. And it can happen again.Chapters:00:00:00 - Intro: Why this is an emergency episode00:01:35 - Meet the guests: Dr. Mike Saylor and Prasanna Malaiyandi00:02:31 - The Tylenol poisoning analogy and what it means for software supply chains00:05:51 - What LiteLLM is and what the malware actually did to your environment00:09:04 - Dependencies explained: why you're affected even if you didn't install LiteLLM directly00:12:24 - How to find out if you were hit: the first things to check right now00:14:23 - IOCs and TTPs: what to look for in your logs and on your systems00:19:07 - Network indicators: unusual traffic and what it tells you00:22:12 - How security teams can find out if developers installed it without telling anyone00:30:38 - Action items for the future: inventory, pinning, and hash verification00:36:55 - Sandboxing new downloads before they touch your environment00:37:59 - Immutable backups: why this attack makes the case for them00:40:33 - Modern authentication: MFA, its limits, and why passkeys matter00:46:53 - Where to get threat intel so you hear about attacks like this faster00:53:23 - Wrap-upIf you installed or upgraded LiteLLM on or after March 24, 2026 without a pinned version, stop what you're doing and listen to this episode first.The story:https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/ https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/ https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/ https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaignhttps://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/ https://www.upwind.io/feed/litellm-pypi-supply-chain-attack-malicious-release https://docs.litellm.ai/blog/security-update-march-2026 https://www.helpnetsecurity.com/2026/03/25/teampcp-supply-chain-attacks/ https://www.darktrace.com/resources/the-cisos-guide-to-cyber-aihttps://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/Resources:https://www.stopransomware.comhttps://www.cisa.govhttps://www.cve.org/

Fileless malware is one of the most dangerous attack types out there — it never writes to your hard drive, lives entirely in RAM, and can steal your credentials before your antivirus has any idea it's there. In this episode, I bring in Dr. Mike Saylor — my co-author on Learning Ransomware Response & Recovery — to break down exactly how this attack works, why it's so hard to detect, and what you can actually do to protect yourself.Mike walks us through how fileless malware hides in memory, how bad guys maintain their foothold even after a reboot by modifying registry keys or rewriting the operating system itself, and why the ArcGIS attack is a perfect real-world example — attackers sitting undetected inside a network for two years. We also get into MFA, specifically why a lot of MFA setups are done wrong, why passkeys are the better answer, and when it's time to bring in an EDR or XDR tool.Fair warning: the action items here are a bit more advanced than our usual stuff. Think of this as the 401k conversation — don't have it before you've built your emergency fund. But this is stuff you absolutely need to know.00:01:26 - Welcome & intro00:04:43 - What is fileless malware?00:09:16 - How fileless malware achieves persistence (ArcGIS case study)00:15:02 - Can fileless malware spread beyond one machine?00:16:43 - Defending yourself: MFA done right00:20:38 - Why passkeys beat MFA00:23:00 - EDR and XDR explained00:28:03 - How modern EDR tools detect fileless malware00:30:01 - Wrap-up and action items

A living off the land attack is one of the sneakiest techniques in a ransomware operator's playbook — and in this episode, Dr. Mike Saylor breaks down exactly what it is, how it works, and what your organization can actually do about it.Instead of bringing their own tools into your environment (which might trip your alarms), attackers just use what's already there. PowerShell. WMI. RDP. The same tools your admins run every single day. To your monitoring systems, it looks completely normal. That's the whole point.Mike and Curtis cover why attackers prefer your tools over their own, how recon can quietly run for 30 to 90 days before the attack goes loud, and what defenders can actually do about it — removing admin privileges, system hardening, golden images, application whitelisting, and free tools like Nmap and Wireshark. There's also a match.com story involving organized crime and a wooden casket on someone's front porch that you really don't want to miss.0:00 - Intro1:21 - Welcome and Book Announcement3:28 - What Is a Living Off the Land Attack?5:38 - Real-World Example: Conti Ransomware and WMI8:12 - Why Attackers Use Your Tools Instead of Their Own13:05 - Admin Privileges: Best Practice vs. Reality17:31 - The Louvre Heist Analogy20:08 - Recon Phase: Low and Slow24:16 - What Defenders Can Do25:55 - RDP and Remote Access29:48 - The Recon Timeline: 30-90 Days30:48 - PowerShell and System Hardening34:10 - Network Discovery Tools (Nmap and Wireshark)37:37 - Application Whitelisting and Geo IP Blocking42:08 - Action Items and Wrap-Up

Password manager vulnerabilities aren't just about bad code — and a new research paper out of Zurich just proved it. Researchers analyzed three of the most popular password managers and found fundamental design flaws baked into the very architecture that's supposed to keep your credentials safe. Curtis and Prasanna break it all down and tell you what to do about it.If you've ever been that person who asks "but what if the password manager gets hacked?" — this episode is for you. And if you haven't been asking that question, you probably should start. A research team looked at LastPass, Bitwarden, and Dashlane — products with a combined 60 million users representing roughly 23% of the password manager market — and what they found wasn't sloppy programming. It was something harder to fix: architectural problems at the core of how encrypted vaults work.Curtis walks through how the zero-knowledge encryption model works, why the vault recovery process creates an inherent trust problem, and why the researchers were able to exploit that trust by impersonating the server during vault recovery. Prasanna adds another layer — the field-level encryption issues inside the vaults themselves, where there's no strong verification that data hasn't been manipulated. It's not theoretical. It's a real attack surface.The good news? Curtis still believes password managers are the right tool for today — better than sticky notes on a monitor (yes, he saw that in real life) and better than reusing passwords. But he's also clear that passkeys are the right direction for the future, even if the current implementation is still a little rough around the edges.https://eprint.iacr.org/2026/058.pdfhttps://www.theregister.com/2026/02/16/password_managers/https://www.forbes.com/sites/daveywinder/2026/01/23/lastpass-issues-critical-warning-for-users---password-attacks-underway/

What is an initial access broker — and why does it matter to your organization? In this episode, W. Curtis Preston and Prasanna Malaiyandi are joined by Dr. Mike Saylor of Black Swan Cybersecurity to break down the role of the initial access broker in today's ransomware attacks.Most people picture ransomware as a single bad guy with a keyboard. The reality is way scarier. There's an entire criminal supply chain out there, and the initial access broker is the specialist at the front of it. These are the people who do nothing but break in — stealing credentials, exploiting vulnerabilities, hijacking sessions — and then sell that access to other criminals who do the dirty work. Dr. Mike Saylor walks us through a real case study from 2024 where an employee's personal Gmail account — with a Google Docs folder literally named "passwords" — became the entry point for a corporate ransomware attack months later. This stuff is real, it's happening constantly, and most organizations have no idea how exposed they are.We cover what IABs target, how they package and sell access, what "coincidental passwords" are and why they're so dangerous, and what practical steps you can take today to make your organization a harder target.Chapters:00:00 - Intro: What Is an Initial Access Broker?02:12 - Welcome, Introductions, and a Little Judging03:33 - Defining the Initial Access Broker04:31 - Real Case Study: How Bob's Gmail Became a Corporate Breach07:16 - How IABs Package and Sell Access10:32 - How Stolen Credentials Get Bundled and Priced29:48 - RDP, VPN Vulnerabilities, and What IABs Are Hunting32:54 - Web Shells Explained35:08 - Session Hijacking and Man-in-the-Middle Attacks36:16 - Would Eliminating IABs Stop Ransomware?36:49 - How the Cybercriminal Ecosystem Evolved to Create IABs39:51 - Practical Takeaways: What You Can Do Right Now40:45 - The Numbers: 37 Billion Records and the ShinyHunters Breach

Ransomware as a service has turned cybercrime into a franchise business — and in this episode, Dr. Mike Saylor and I break down exactly how it works, who's buying, and why the buyer might end up as the patsy.If you thought ransomware was just a lone hacker writing code in a basement, this episode is going to change how you think about it. Ransomware as a service means that today, literally anyone — no technical skills required — can pay someone to launch a ransomware attack on their behalf. You hand over the money, tell them what you want, and sit back and watch your crypto wallet. That's it. No portal. No dashboard. No login. Just a chat on the dark web through the TOR network and a prayer that they actually do what you paid for.Dr. Mike Saylor walks us through the full criminal ecosystem — from the initial access brokers who collect and sell validated email addresses, to the botnet operators who rent out millions of compromised computers by the hour, to the affiliate programs that tie it all together. We cover the franchise model, the "no honor among thieves" reality of these transactions, and why the person who buys into ransomware as a service might just end up as law enforcement's fall guy.This is one of those episodes where the more you learn, the more you realize how much the threat picture has changed — and why your backups are more important than ever.Chapters:00:00:00 - Episode Intro00:01:17 - Introductions & Welcome00:03:25 - Setting the Stage: CryptoLocker and the Birth of a Criminal Industry00:07:17 - Defining Ransomware as a Service: The Franchise Model00:10:36 - The Amazon/AWS Analogy and How Botnets Power the Attacks00:17:10 - No Portal, No Dashboard: How Dark Web Transactions Actually Work00:19:17 - Why Do RaaS Operators Offer the Service? The Lottery Ticket Theory00:21:59 - The Affiliate Model: How the Criminal Ecosystem Specializes00:26:33 - How Many RaaS Groups Exist — and Who's Buying?00:29:36 - RaaS as Subterfuge: The Conti Group and the Costa Rica Attack00:30:49 - Who Are These Criminals, Really?

The cryptolocker virus was the attack that turned ransomware from a nuisance into a full-blown criminal industry — and in this episode of The Backup Wrap-up, we break down exactly how that happened. W. Curtis Preston (Mr. Backup) sits down with co-host Prasanna Malaiyandi and cybersecurity expert Dr. Mike Saylor to trace the full evolution of ransomware and explain why CryptoLocker was the turning point.If you've ever wondered how ransomware went from fake pop-up messages to billion-dollar criminal enterprises, this is the episode for you. We start with the earliest days — scareware attacks that did nothing more than frighten you into paying — and walk through the progression of encryption methods that made ransomware increasingly dangerous. Dr. Mike Saylor breaks down the difference between symmetric and asymmetric encryption in plain language, and explains why the move to public-private key pairs made it so much harder for victims to recover without paying up.Then we get into the cryptolocker virus itself: how it spread through fake FedEx emails, why it kick-started phishing awareness training, what Operation Tovar did to shut it down, and — just as interesting — what the bad guys learned from its failures. We cover the role of the Zeus botnet, how Bitcoin became the payment method of choice, and why ransoms started out at just a few hundred bucks. We also talk about what happened next: the rise of data exfiltration, double extortion, and even triple extortion where attackers go after the victims of the victims.Plus, we take a side trip into the LastPass breach and pour one out for the guy who lost his crypto fortune in a landfill.Whether you're in IT, security, or just want to understand how ransomware works, this episode gives you the full picture.Chapters:00:00:00 — Intro00:01:22 — Welcome and Introductions00:04:11 — The Three Generations of Ransomware00:05:01 — Scareware: Fake Attacks That Did Nothing00:05:42 — Ciphers and Decoder Ring Encryption00:06:38 — Symmetric Encryption Explained00:09:25 — Asymmetric (Public-Private Key) Encryption00:12:46 — Why Asymmetric Encryption Made Ransomware Stronger00:15:44 — What Was the CryptoLocker Virus?00:16:25 — Lessons CryptoLocker Taught Victims and Criminals00:18:03 — Operation Tovar Takes Down CryptoLocker00:19:54 — Bitcoin, Ransom Amounts, and Getting Paid00:23:20 — Botnets Explained: Networks of Zombie Computers00:26:22 — Recap: Three Phases of Ransomware00:27:09 — Double Extortion and Data Exfiltration00:28:01 — The LastPass Connection00:28:47 — The Lost Crypto Hard Drive

A history of ransomware is more than just dates and names—it's the story of how criminals evolved from mailing infected floppy disks in 1989 to running billion-dollar enterprises that cripple entire organizations. On this episode of The Backup Wrap-up, I sit down with Dr. Mike Saylor, my co-author on "Learning Ransomware Response and Recovery," to trace this evolution from the AIDS Trojan to today's sophisticated double extortion attacks.We talk about how ransomware went from requiring physical distribution to scaling globally through the internet, how cryptocurrency made anonymous payment possible, and why the shift from tape to disk backups created vulnerabilities that attackers now exploit first. You'll learn about the wild west days when IT focused on building systems without understanding how bad guys attack, the emergence of ransomware-as-a-service that democratized cybercrime, and why modern attacks target your backups before encrypting your production systems.If you've ever wondered why backup immutability matters or how we got to a point where ransomware is inevitable rather than hypothetical, this episode connects those dots. Dr. Mike and I also discuss why having backups is still critical even with double extortion threats, and what you need to know about defending your backup systems in today's threat environment.Chapter Markers:00:00:00 - Introduction00:01:19 - Welcome and Guest Introduction00:02:19 - Curtis's First Ransomware Memory00:03:40 - The AIDS Trojan: First Ransomware (1989)00:04:42 - The Wild West Era: Late 1990s Security00:08:05 - Y2K and Budget Shifts00:11:26 - The Transition from Tape to Disk Backups00:15:45 - How Disk Backups Created Vulnerabilities00:19:30 - The Rise of Cryptolocker and Bitcoin00:23:15 - Ransomware as a Service Emerges00:27:40 - WannaCry and NotPetya00:31:20 - Double Extortion: The Game Changer00:35:10 - Why Backups Still Matter00:37:55 - Should You Just Pay the Ransom?00:40:01 - Defending Your Backup System

Understanding how ransomware works is critical for anyone responsible for protecting their organization's data. In this episode of The Backup Wrap-up, we examine the five core objectives that drive nearly every ransomware attack - from initial access through the final ransom note delivery.I'm joined by my co-author Dr. Mike Saylor as we kick off what's going to be a comprehensive series on our new book, "Learning Ransomware Response and Recovery." We start at the beginning: how do these attackers even get in? Mike breaks down the role of initial access brokers (IABs) - the bad guys who specialize in harvesting and selling credentials. We talk about why email phishing remains the cheapest and most statistically reliable attack vector, even with all our defenses.From there, we walk through lateral movement and reconnaissance. Once attackers are inside your network, they're not sitting idle. They're mapping your environment, identifying your crown jewels, and figuring out where your backups live. The "phone home" phase establishes command and control, letting attackers coordinate their activities and receive instructions.We dig into data exfiltration and the rise of double extortion. It's not enough anymore to just encrypt your data - attackers are stealing it first, threatening to publish it even if you can restore from backups. Mike shares some fascinating details about how sophisticated ransomware can be, including variants that examine file headers rather than just extensions to find valuable targets.The encryption phase itself is resource-intensive, and Mike explains why you might actually notice your computer acting weird if you're paying attention. Your mouse hesitates, typing lags, the network slows down - these are all potential warning signs.Finally, we cover how ransom notes are delivered today. Spoiler: it's not the old-school desktop background takeover anymore. Modern ransomware drops text files in every folder it touches, making sure you can't miss the message.This episode sets the foundation for understanding how ransomware works, which is the first step in defending against it and recovering when prevention fails.

Disk backup security is the weak link that ransomware attackers exploit every day—and most backup admins don't even realize it. In this episode, Curtis and Prasanna examine how the move from tape to disk-based backups created an unintended security gap that threat actors now target as their first priority.The transition to disk brought real benefits: deduplication made storage affordable, replication eliminated the "man in a van" for offsite copies, and backup verification became practical. But disk backup security wasn't part of the original architecture. When backups lived on tape, physical access was required to destroy them. Disk backups sitting in E:\backups can be wiped out with a single command.Threat actors figured this out fast. After gaining initial access, the first thing they do is identify and eliminate your backups. No backups means no recovery—which means you pay the ransom.Curtis and Prasanna discuss the history of how we got here, why backups are now the number one target, and practical solutions including obfuscation, getting backups out of user space, and implementing truly immutable storage. The standard is simple: if you can't delete the backups, they can't delete the backups.TIMESTAMPS:0:00 - Episode intro1:24 - Welcome & introductions4:04 - Tape explained for the modern audience9:07 - Why tape got faster (and problematic)10:54 - The shoe-shining problem12:27 - Deduplication changes everything15:35 - Benefits of disk-based backup20:29 - THE PROBLEM: RM -r / DEL .23:43 - Backups are the #1 ransomware target26:26 - Immutability as the solution27:32 - Book: Learning Ransomware Response & Recovery

What is ransomware, and why does it remain the number one threat to businesses of all sizes? In this episode of The Backup Wrap-up, W. Curtis Preston and Prasanna Malaiyandi break down the fundamentals of ransomware attacks and explain why the question "what is ransomware" still gets searched tens of thousands of times each month.We cover the two main types of ransomware attacks: traditional encryption-based attacks where hackers lock your data and demand payment, and the newer double extortion model where attackers steal your sensitive information before encrypting it—then threaten to publish everything if you don't pay.Our hosts share real-world examples including the Sony hack, the Costa Rica government attack, and the massive Jaguar Land Rover breach that cost over $2.5 billion. Whether you're a Fortune 500 company or a small dental office, this episode explains what is ransomware, why you're a target, and why preparation is your best defense.