The Backup Wrap-Up

Phishing-resistant MFA could have stopped a Chinese state-sponsored threat actor from spending over a year inside North American academic and medical research networks — and we're going to tell you exactly how it happened and what you need to do about it.A group called UNC5608, tracked by Google's Threat Intelligence Group (GTIG), exploited a vulnerability unique to REDCap — a research data platform that allows multiple software versions to run simultaneously. They got in via stolen admin credentials, planted custom malware called Infinite.red directly into REDCap's upgrade process, harvested credentials for over a year, then used those credentials to log into Google Workspace as a domain admin and create fake compliance rules to silently forward sensitive research emails — military strategy, geostrategic policy, advanced tech, specific pathogens — straight to Gmail accounts they controlled. And nobody noticed for a very long time.Prasanna and I break down the full attack chain, then walk through every prevention layer that could have stopped it: inventory management, patching, password hygiene, SSO, phishing-resistant MFA, passkeys, DBSC, context-aware access, compliance rule monitoring, credential separation across security domains, and logging. We also get into what backups can and can't do for you in a long-dwell-time attack like this — and why infrastructure-as-code and truly immutable golden images matter more than you might think.If you're running any kind of research platform, academic institution, or medical network — or honestly any organization that uses Google Workspace — this one's for you.Chapters:00:00 — Intro: The attack that phishing-resistant MFA could have stopped01:03 — Show intro & woodworking banter03:26 — What is a living-off-the-land attack?04:02 — Who is UNC5608 and who did they target?05:08 — How REDCap's multi-version design was exploited06:11 — Infinite.red malware and credential harvesting09:01 — Google Workspace infiltration via fake compliance rules10:18 — The keywords they were stealing: pathogens, military strategy, and more11:50 — What could the victims have done differently?12:42 — Inventory management, patching, and legacy version removal14:00 — Why you can't trust application-level authentication alone — use SSO15:18 — Phishing-resistant MFA and why it matters16:00 — Passkeys, FIDO, and why there are zero known attacks against them17:57 — Device-bound session credentials (DBSC) and context-aware access19:38 — Monitor your compliance rules — have a compliance rule for the compliance rule20:40 — Credential separation across security domains23:00 — Get some logging — XDR, SIEM, and catching exfiltration in progress24:00 — What can backups actually do in a long-dwell-time attack?27:00 — Infrastructure-as-code and the right cyber recovery approach28:58 — Protecting your golden images with immutable storage31:59 — Wrap-up

Fileless malware is one of the most dangerous attack types out there — it never writes to your hard drive, lives entirely in RAM, and can steal your credentials before your antivirus has any idea it's there. In this episode, I bring in Dr. Mike Saylor — my co-author on Learning Ransomware Response & Recovery — to break down exactly how this attack works, why it's so hard to detect, and what you can actually do to protect yourself.Mike walks us through how fileless malware hides in memory, how bad guys maintain their foothold even after a reboot by modifying registry keys or rewriting the operating system itself, and why the ArcGIS attack is a perfect real-world example — attackers sitting undetected inside a network for two years. We also get into MFA, specifically why a lot of MFA setups are done wrong, why passkeys are the better answer, and when it's time to bring in an EDR or XDR tool.Fair warning: the action items here are a bit more advanced than our usual stuff. Think of this as the 401k conversation — don't have it before you've built your emergency fund. But this is stuff you absolutely need to know.00:01:26 - Welcome & intro00:04:43 - What is fileless malware?00:09:16 - How fileless malware achieves persistence (ArcGIS case study)00:15:02 - Can fileless malware spread beyond one machine?00:16:43 - Defending yourself: MFA done right00:20:38 - Why passkeys beat MFA00:23:00 - EDR and XDR explained00:28:03 - How modern EDR tools detect fileless malware00:30:01 - Wrap-up and action items

Password manager vulnerabilities aren't just about bad code — and a new research paper out of Zurich just proved it. Researchers analyzed three of the most popular password managers and found fundamental design flaws baked into the very architecture that's supposed to keep your credentials safe. Curtis and Prasanna break it all down and tell you what to do about it.If you've ever been that person who asks "but what if the password manager gets hacked?" — this episode is for you. And if you haven't been asking that question, you probably should start. A research team looked at LastPass, Bitwarden, and Dashlane — products with a combined 60 million users representing roughly 23% of the password manager market — and what they found wasn't sloppy programming. It was something harder to fix: architectural problems at the core of how encrypted vaults work.Curtis walks through how the zero-knowledge encryption model works, why the vault recovery process creates an inherent trust problem, and why the researchers were able to exploit that trust by impersonating the server during vault recovery. Prasanna adds another layer — the field-level encryption issues inside the vaults themselves, where there's no strong verification that data hasn't been manipulated. It's not theoretical. It's a real attack surface.The good news? Curtis still believes password managers are the right tool for today — better than sticky notes on a monitor (yes, he saw that in real life) and better than reusing passwords. But he's also clear that passkeys are the right direction for the future, even if the current implementation is still a little rough around the edges.https://eprint.iacr.org/2026/058.pdfhttps://www.theregister.com/2026/02/16/password_managers/https://www.forbes.com/sites/daveywinder/2026/01/23/lastpass-issues-critical-warning-for-users---password-attacks-underway/

Ransomware as a service has turned cybercrime into a franchise business — and in this episode, Dr. Mike Saylor and I break down exactly how it works, who's buying, and why the buyer might end up as the patsy.If you thought ransomware was just a lone hacker writing code in a basement, this episode is going to change how you think about it. Ransomware as a service means that today, literally anyone — no technical skills required — can pay someone to launch a ransomware attack on their behalf. You hand over the money, tell them what you want, and sit back and watch your crypto wallet. That's it. No portal. No dashboard. No login. Just a chat on the dark web through the TOR network and a prayer that they actually do what you paid for.Dr. Mike Saylor walks us through the full criminal ecosystem — from the initial access brokers who collect and sell validated email addresses, to the botnet operators who rent out millions of compromised computers by the hour, to the affiliate programs that tie it all together. We cover the franchise model, the "no honor among thieves" reality of these transactions, and why the person who buys into ransomware as a service might just end up as law enforcement's fall guy.This is one of those episodes where the more you learn, the more you realize how much the threat picture has changed — and why your backups are more important than ever.Chapters:00:00:00 - Episode Intro00:01:17 - Introductions & Welcome00:03:25 - Setting the Stage: CryptoLocker and the Birth of a Criminal Industry00:07:17 - Defining Ransomware as a Service: The Franchise Model00:10:36 - The Amazon/AWS Analogy and How Botnets Power the Attacks00:17:10 - No Portal, No Dashboard: How Dark Web Transactions Actually Work00:19:17 - Why Do RaaS Operators Offer the Service? The Lottery Ticket Theory00:21:59 - The Affiliate Model: How the Criminal Ecosystem Specializes00:26:33 - How Many RaaS Groups Exist — and Who's Buying?00:29:36 - RaaS as Subterfuge: The Conti Group and the Costa Rica Attack00:30:49 - Who Are These Criminals, Really?

A history of ransomware is more than just dates and names—it's the story of how criminals evolved from mailing infected floppy disks in 1989 to running billion-dollar enterprises that cripple entire organizations. On this episode of The Backup Wrap-up, I sit down with Dr. Mike Saylor, my co-author on "Learning Ransomware Response and Recovery," to trace this evolution from the AIDS Trojan to today's sophisticated double extortion attacks.We talk about how ransomware went from requiring physical distribution to scaling globally through the internet, how cryptocurrency made anonymous payment possible, and why the shift from tape to disk backups created vulnerabilities that attackers now exploit first. You'll learn about the wild west days when IT focused on building systems without understanding how bad guys attack, the emergence of ransomware-as-a-service that democratized cybercrime, and why modern attacks target your backups before encrypting your production systems.If you've ever wondered why backup immutability matters or how we got to a point where ransomware is inevitable rather than hypothetical, this episode connects those dots. Dr. Mike and I also discuss why having backups is still critical even with double extortion threats, and what you need to know about defending your backup systems in today's threat environment.Chapter Markers:00:00:00 - Introduction00:01:19 - Welcome and Guest Introduction00:02:19 - Curtis's First Ransomware Memory00:03:40 - The AIDS Trojan: First Ransomware (1989)00:04:42 - The Wild West Era: Late 1990s Security00:08:05 - Y2K and Budget Shifts00:11:26 - The Transition from Tape to Disk Backups00:15:45 - How Disk Backups Created Vulnerabilities00:19:30 - The Rise of Cryptolocker and Bitcoin00:23:15 - Ransomware as a Service Emerges00:27:40 - WannaCry and NotPetya00:31:20 - Double Extortion: The Game Changer00:35:10 - Why Backups Still Matter00:37:55 - Should You Just Pay the Ransom?00:40:01 - Defending Your Backup System

Disk backup security is the weak link that ransomware attackers exploit every day—and most backup admins don't even realize it. In this episode, Curtis and Prasanna examine how the move from tape to disk-based backups created an unintended security gap that threat actors now target as their first priority.The transition to disk brought real benefits: deduplication made storage affordable, replication eliminated the "man in a van" for offsite copies, and backup verification became practical. But disk backup security wasn't part of the original architecture. When backups lived on tape, physical access was required to destroy them. Disk backups sitting in E:\backups can be wiped out with a single command.Threat actors figured this out fast. After gaining initial access, the first thing they do is identify and eliminate your backups. No backups means no recovery—which means you pay the ransom.Curtis and Prasanna discuss the history of how we got here, why backups are now the number one target, and practical solutions including obfuscation, getting backups out of user space, and implementing truly immutable storage. The standard is simple: if you can't delete the backups, they can't delete the backups.TIMESTAMPS:0:00 - Episode intro1:24 - Welcome & introductions4:04 - Tape explained for the modern audience9:07 - Why tape got faster (and problematic)10:54 - The shoe-shining problem12:27 - Deduplication changes everything15:35 - Benefits of disk-based backup20:29 - THE PROBLEM: RM -r / DEL .23:43 - Backups are the #1 ransomware target26:26 - Immutability as the solution27:32 - Book: Learning Ransomware Response & Recovery

What's your real backup TCO? Most organizations focus on software licenses, hardware, and cloud storage when budgeting for backup infrastructure. But those are just the visible costs. The true backup TCO includes something far more expensive: the humans managing it all.In this episode, Curtis and Prasanna break down the complete picture of backup costs. They explore why soft costs—the labor, the troubleshooting, the daily monitoring—often exceed what you're paying for technology. With studies showing over half of environments spend more than 10 hours weekly on backup management, those labor dollars add up fast.The discussion covers cloud storage pitfalls (especially with object lock and retention policies), why automation is your best friend, and whether SaaS-based backup might actually save you money. Curtis shares his infamous 1993 story about losing a production database – the origin story of Mr. Backup himself. If you're looking to get a handle on your backup TCO, this is the episode for you.

Building a cyber security team isn't optional anymore; it's the difference between recovering from ransomware and going out of business. In this episode, Curtis and Prasanna explain why hardening your backup infrastructure is only half the battle. You need professionals who know how to configure XDR systems without drowning you in false positives, blue teams to defend your environment, and red teams to test whether your defenses actually work. They cover the role of MSSPs, incident response planning, cyber insurance requirements, and why attempting ransomware response on your own is like those old TV warnings: "Don't try this at home." If you've been following their series on backup basics and system hardening, this episode ties it all together with the human element that makes or breaks your recovery plan.