The Backup Wrap-Up

Password manager vulnerabilities aren't just about bad code — and a new research paper out of Zurich just proved it. Researchers analyzed three of the most popular password managers and found fundamental design flaws baked into the very architecture that's supposed to keep your credentials safe. Curtis and Prasanna break it all down and tell you what to do about it. If you've ever been that person who asks "but what if the password manager gets hacked?" — this episode is for you. And if you haven't been asking that question, you probably should start. A research team looked at LastPass, Bitwarden, and Dashlane — products with a combined 60 million users representing roughly 23% of the password manager market — and what they found wasn't sloppy programming. It was something harder to fix: architectural problems at the core of how encrypted vaults work. Curtis walks through how the zero-knowledge encryption model works, why the vault recovery process creates an inherent trust problem, and why the researchers were able to exploit that trust by impersonating the server during vault recovery. Prasanna adds another layer — the field-level encryption issues inside the vaults themselves, where there's no strong verification that data hasn't been manipulated. It's not theoretical. It's a real attack surface. The good news? Curtis still believes password managers are the right tool for today — better than sticky notes on a monitor (yes, he saw that in real life) and better than reusing passwords. But he's also clear that passkeys are the right direction for the future, even if the current implementation is still a little rough around the edges. https://eprint.iacr.org/2026/058.pdf https://www.theregister.com/2026/02/16/password_managers/ https://www.forbes.com/sites/daveywinder/2026/01/23/lastpass-issues-critical-warning-for-users---password-attacks-underway/

What is an initial access broker — and why does it matter to your organization? In this episode, W. Curtis Preston and Prasanna Malaiyandi are joined by Dr. Mike Saylor of Black Swan Cybersecurity to break down the role of the initial access broker in today's ransomware attacks. Most people picture ransomware as a single bad guy with a keyboard. The reality is way scarier. There's an entire criminal supply chain out there, and the initial access broker is the specialist at the front of it. These are the people who do nothing but break in — stealing credentials, exploiting vulnerabilities, hijacking sessions — and then sell that access to other criminals who do the dirty work. Dr. Mike Saylor walks us through a real case study from 2024 where an employee's personal Gmail account — with a Google Docs folder literally named "passwords" — became the entry point for a corporate ransomware attack months later. This stuff is real, it's happening constantly, and most organizations have no idea how exposed they are. We cover what IABs target, how they package and sell access, what "coincidental passwords" are and why they're so dangerous, and what practical steps you can take today to make your organization a harder target. Chapters: 00:00 - Intro: What Is an Initial Access Broker? 02:12 - Welcome, Introductions, and a Little Judging 03:33 - Defining the Initial Access Broker 04:31 - Real Case Study: How Bob's Gmail Became a Corporate Breach 07:16 - How IABs Package and Sell Access 10:32 - How Stolen Credentials Get Bundled and Priced 29:48 - RDP, VPN Vulnerabilities, and What IABs Are Hunting 32:54 - Web Shells Explained 35:08 - Session Hijacking and Man-in-the-Middle Attacks 36:16 - Would Eliminating IABs Stop Ransomware? 36:49 - How the Cybercriminal Ecosystem Evolved to Create IABs 39:51 - Practical Takeaways: What You Can Do Right Now 40:45 - The Numbers: 37 Billion Records and the ShinyHunters Breach

Ransomware as a service has turned cybercrime into a franchise business — and in this episode, Dr. Mike Saylor and I break down exactly how it works, who's buying, and why the buyer might end up as the patsy. If you thought ransomware was just a lone hacker writing code in a basement, this episode is going to change how you think about it. Ransomware as a service means that today, literally anyone — no technical skills required — can pay someone to launch a ransomware attack on their behalf. You hand over the money, tell them what you want, and sit back and watch your crypto wallet. That's it. No portal. No dashboard. No login. Just a chat on the dark web through the TOR network and a prayer that they actually do what you paid for. Dr. Mike Saylor walks us through the full criminal ecosystem — from the initial access brokers who collect and sell validated email addresses, to the botnet operators who rent out millions of compromised computers by the hour, to the affiliate programs that tie it all together. We cover the franchise model, the "no honor among thieves" reality of these transactions, and why the person who buys into ransomware as a service might just end up as law enforcement's fall guy. This is one of those episodes where the more you learn, the more you realize how much the threat picture has changed — and why your backups are more important than ever. Chapters: 00:00:00 - Episode Intro 00:01:17 - Introductions & Welcome 00:03:25 - Setting the Stage: CryptoLocker and the Birth of a Criminal Industry 00:07:17 - Defining Ransomware as a Service: The Franchise Model 00:10:36 - The Amazon/AWS Analogy and How Botnets Power the Attacks 00:17:10 - No Portal, No Dashboard: How Dark Web Transactions Actually Work 00:19:17 - Why Do RaaS Operators Offer the Service? The Lottery Ticket Theory 00:21:59 - The Affiliate Model: How the Criminal Ecosystem Specializes 00:26:33 - How Many RaaS Groups Exist — and Who's Buying? 00:29:36 - RaaS as Subterfuge: The Conti Group and the Costa Rica Attack 00:30:49 - Who Are These Criminals, Really?

The cryptolocker virus was the attack that turned ransomware from a nuisance into a full-blown criminal industry — and in this episode of The Backup Wrap-up, we break down exactly how that happened. W. Curtis Preston (Mr. Backup) sits down with co-host Prasanna Malaiyandi and cybersecurity expert Dr. Mike Saylor to trace the full evolution of ransomware and explain why CryptoLocker was the turning point. If you've ever wondered how ransomware went from fake pop-up messages to billion-dollar criminal enterprises, this is the episode for you. We start with the earliest days — scareware attacks that did nothing more than frighten you into paying — and walk through the progression of encryption methods that made ransomware increasingly dangerous. Dr. Mike Saylor breaks down the difference between symmetric and asymmetric encryption in plain language, and explains why the move to public-private key pairs made it so much harder for victims to recover without paying up. Then we get into the cryptolocker virus itself: how it spread through fake FedEx emails, why it kick-started phishing awareness training, what Operation Tovar did to shut it down, and — just as interesting — what the bad guys learned from its failures. We cover the role of the Zeus botnet, how Bitcoin became the payment method of choice, and why ransoms started out at just a few hundred bucks. We also talk about what happened next: the rise of data exfiltration, double extortion, and even triple extortion where attackers go after the victims of the victims. Plus, we take a side trip into the LastPass breach and pour one out for the guy who lost his crypto fortune in a landfill. Whether you're in IT, security, or just want to understand how ransomware works, this episode gives you the full picture. Chapters: 00:00:00 — Intro 00:01:22 — Welcome and Introductions 00:04:11 — The Three Generations of Ransomware 00:05:01 — Scareware: Fake Attacks That Did Nothing 00:05:42 — Ciphers and Decoder Ring Encryption 00:06:38 — Symmetric Encryption Explained 00:09:25 — Asymmetric (Public-Private Key) Encryption 00:12:46 — Why Asymmetric Encryption Made Ransomware Stronger 00:15:44 — What Was the CryptoLocker Virus? 00:16:25 — Lessons CryptoLocker Taught Victims and Criminals 00:18:03 — Operation Tovar Takes Down CryptoLocker 00:19:54 — Bitcoin, Ransom Amounts, and Getting Paid 00:23:20 — Botnets Explained: Networks of Zombie Computers 00:26:22 — Recap: Three Phases of Ransomware 00:27:09 — Double Extortion and Data Exfiltration 00:28:01 — The LastPass Connection 00:28:47 — The Lost Crypto Hard Drive

A history of ransomware is more than just dates and names—it's the story of how criminals evolved from mailing infected floppy disks in 1989 to running billion-dollar enterprises that cripple entire organizations. On this episode of The Backup Wrap-up, I sit down with Dr. Mike Saylor, my co-author on "Learning Ransomware Response and Recovery," to trace this evolution from the AIDS Trojan to today's sophisticated double extortion attacks. We talk about how ransomware went from requiring physical distribution to scaling globally through the internet, how cryptocurrency made anonymous payment possible, and why the shift from tape to disk backups created vulnerabilities that attackers now exploit first. You'll learn about the wild west days when IT focused on building systems without understanding how bad guys attack, the emergence of ransomware-as-a-service that democratized cybercrime, and why modern attacks target your backups before encrypting your production systems. If you've ever wondered why backup immutability matters or how we got to a point where ransomware is inevitable rather than hypothetical, this episode connects those dots. Dr. Mike and I also discuss why having backups is still critical even with double extortion threats, and what you need to know about defending your backup systems in today's threat environment. Chapter Markers: 00:00:00 - Introduction 00:01:19 - Welcome and Guest Introduction 00:02:19 - Curtis's First Ransomware Memory 00:03:40 - The AIDS Trojan: First Ransomware (1989) 00:04:42 - The Wild West Era: Late 1990s Security 00:08:05 - Y2K and Budget Shifts 00:11:26 - The Transition from Tape to Disk Backups 00:15:45 - How Disk Backups Created Vulnerabilities 00:19:30 - The Rise of Cryptolocker and Bitcoin 00:23:15 - Ransomware as a Service Emerges 00:27:40 - WannaCry and NotPetya 00:31:20 - Double Extortion: The Game Changer 00:35:10 - Why Backups Still Matter 00:37:55 - Should You Just Pay the Ransom? 00:40:01 - Defending Your Backup System

Understanding how ransomware works is critical for anyone responsible for protecting their organization's data. In this episode of The Backup Wrap-up, we examine the five core objectives that drive nearly every ransomware attack - from initial access through the final ransom note delivery. I'm joined by my co-author Dr. Mike Saylor as we kick off what's going to be a comprehensive series on our new book, "Learning Ransomware Response and Recovery." We start at the beginning: how do these attackers even get in? Mike breaks down the role of initial access brokers (IABs) - the bad guys who specialize in harvesting and selling credentials. We talk about why email phishing remains the cheapest and most statistically reliable attack vector, even with all our defenses. From there, we walk through lateral movement and reconnaissance. Once attackers are inside your network, they're not sitting idle. They're mapping your environment, identifying your crown jewels, and figuring out where your backups live. The "phone home" phase establishes command and control, letting attackers coordinate their activities and receive instructions. We dig into data exfiltration and the rise of double extortion. It's not enough anymore to just encrypt your data - attackers are stealing it first, threatening to publish it even if you can restore from backups. Mike shares some fascinating details about how sophisticated ransomware can be, including variants that examine file headers rather than just extensions to find valuable targets. The encryption phase itself is resource-intensive, and Mike explains why you might actually notice your computer acting weird if you're paying attention. Your mouse hesitates, typing lags, the network slows down - these are all potential warning signs. Finally, we cover how ransom notes are delivered today. Spoiler: it's not the old-school desktop background takeover anymore. Modern ransomware drops text files in every folder it touches, making sure you can't miss the message. This episode sets the foundation for understanding how ransomware works, which is the first step in defending against it and recovering when prevention fails.

Disk backup security is the weak link that ransomware attackers exploit every day—and most backup admins don't even realize it. In this episode, Curtis and Prasanna examine how the move from tape to disk-based backups created an unintended security gap that threat actors now target as their first priority. The transition to disk brought real benefits: deduplication made storage affordable, replication eliminated the "man in a van" for offsite copies, and backup verification became practical. But disk backup security wasn't part of the original architecture. When backups lived on tape, physical access was required to destroy them. Disk backups sitting in E:\backups can be wiped out with a single command. Threat actors figured this out fast. After gaining initial access, the first thing they do is identify and eliminate your backups. No backups means no recovery—which means you pay the ransom. Curtis and Prasanna discuss the history of how we got here, why backups are now the number one target, and practical solutions including obfuscation, getting backups out of user space, and implementing truly immutable storage. The standard is simple: if you can't delete the backups, they can't delete the backups. TIMESTAMPS: 0:00 - Episode intro 1:24 - Welcome & introductions 4:04 - Tape explained for the modern audience 9:07 - Why tape got faster (and problematic) 10:54 - The shoe-shining problem 12:27 - Deduplication changes everything 15:35 - Benefits of disk-based backup 20:29 - THE PROBLEM: RM -r / DEL . 23:43 - Backups are the #1 ransomware target 26:26 - Immutability as the solution 27:32 - Book: Learning Ransomware Response & Recovery

What is ransomware, and why does it remain the number one threat to businesses of all sizes? In this episode of The Backup Wrap-up, W. Curtis Preston and Prasanna Malaiyandi break down the fundamentals of ransomware attacks and explain why the question "what is ransomware" still gets searched tens of thousands of times each month. We cover the two main types of ransomware attacks: traditional encryption-based attacks where hackers lock your data and demand payment, and the newer double extortion model where attackers steal your sensitive information before encrypting it—then threaten to publish everything if you don't pay. Our hosts share real-world examples including the Sony hack, the Costa Rica government attack, and the massive Jaguar Land Rover breach that cost over $2.5 billion. Whether you're a Fortune 500 company or a small dental office, this episode explains what is ransomware, why you're a target, and why preparation is your best defense.

What's your real backup TCO? Most organizations focus on software licenses, hardware, and cloud storage when budgeting for backup infrastructure. But those are just the visible costs. The true backup TCO includes something far more expensive: the humans managing it all. In this episode, Curtis and Prasanna break down the complete picture of backup costs. They explore why soft costs—the labor, the troubleshooting, the daily monitoring—often exceed what you're paying for technology. With studies showing over half of environments spend more than 10 hours weekly on backup management, those labor dollars add up fast. The discussion covers cloud storage pitfalls (especially with object lock and retention policies), why automation is your best friend, and whether SaaS-based backup might actually save you money. Curtis shares his infamous 1993 story about losing a production database – the origin story of Mr. Backup himself. If you're looking to get a handle on your backup TCO, this is the episode for you.

Ransomware attacks on backups have reached epidemic levels, with 96% of attacks now targeting backup infrastructure. In this episode of The Backup Wrap-up, Curtis Preston and Prasanna Malaiyandi break down the alarming statistics and explain why cybercriminals have made your recovery systems their primary target. The math is simple: if attackers destroy your backups, you're far more likely to pay the ransom. And with only 25% of organizations feeling prepared for ransomware attacks on backups, the gap between threat and readiness is massive. Curtis and Prasanna discuss two studies revealing these numbers, explore why less than 7% of companies recover within a day, and outline practical defenses including true immutability, separate identity management systems, and MFA. If you're not protecting your backup infrastructure from ransomware attacks on backups, you're leaving yourself wide open.

Building a cyber security team isn't optional anymore; it's the difference between recovering from ransomware and going out of business. In this episode, Curtis and Prasanna explain why hardening your backup infrastructure is only half the battle. You need professionals who know how to configure XDR systems without drowning you in false positives, blue teams to defend your environment, and red teams to test whether your defenses actually work. They cover the role of MSSPs, incident response planning, cyber insurance requirements, and why attempting ransomware response on your own is like those old TV warnings: "Don't try this at home." If you've been following their series on backup basics and system hardening, this episode ties it all together with the human element that makes or breaks your recovery plan.

Want to know how to build an immutable backup system protected from ransomware attacks? In this episode, Curtis and Prasanna go beyond the basics to discuss four critical security features every modern backup system needs. Building on feedback from their previous episode about backup fundamentals, they cover multi-factor authentication (and why SMS doesn't cut it anymore), secure remote access methods, role-based access control, and when to bring in managed security service providers. The hosts explain why the person with full backup system access is literally the most powerful person in your company from a data destruction standpoint. If ransomware is your number one recovery scenario—and it is—then these security hardening techniques aren't optional. They're survival skills for your backup infrastructure.

Every backup system needs certain design elements to actually work when disaster strikes. In this episode of The Backup Wrap-up, W. Curtis Preston (Mr. Backup) and Prasanna Malaiyandi break down the 10 non-negotiable components your backup system must have. They cover the 3-2-1 rule, automated scheduling, recovery testing, defined RTOs and RPOs, backup security, SaaS protection, documentation, retention policies, monitoring, and endpoint backup. If your backup system is missing any of these elements, you're taking risks you can't afford. Curtis and Prasanna share war stories from real disasters and explain why no one cares if you can back up - they only care if you can restore. This fast-paced episode gives you the checklist every IT professional needs to evaluate their current backup approach.

The 3-2-1 rule is dead. Long live 3-2-1-1-0. For decades, the 3-2-1 rule has been the gold standard for backup strategies - three copies of your data, on two different media, with one copy somewhere else. But ransomware killed it. Not because the fundamentals were wrong, but because threat actors learned to target backups specifically. In this episode, Curtis and Prasanna explain why the traditional 3-2-1 rule isn't enough anymore and what the evolution to 3-2-1-1-0 means for your backup strategy. The extra "1" stands for one immutable, air-gapped copy that attackers can't delete or encrypt. The "0" means zero failures - your backups must actually work when you need them. You'll learn why SaaS platforms don't meet the 3-2-1 rule, how to think about immutability in the cloud era, and why this upgrade isn't optional if you want to survive a ransomware attack. Our interview with Peter Krogh, the one who coined the term: https://www.backupwrapup.com/peter-krogh-who-coined-the-3-2-1-rule-on-our-podcast/

Want to know how much data you're really willing to lose? We're breaking down recovery point objective RPO - the agreement about how much data loss you can accept, measured in time. Most organizations have RPOs that are pure fantasy, claiming they can only lose an hour of data when they're backing up once a day. Curtis and Prasanna discuss why RPO matters, how ransomware scenarios can force you to accept more data loss than planned, and the difference between your stated RPO and your actual backup frequency. Learn practical strategies for rightsizing your backup schedule, using database transaction logs to minimize data loss, leveraging snapshot-based backup technologies, and protecting your SaaS applications like Microsoft 365 and Salesforce. From incremental backups to continuous data protection, discover how modern backup technology can help you meet your recovery point objective RPO targets without overwhelming your infrastructure.

Most IT teams can't meet their recovery time objective—and they don't even know it. In this episode of The Backup Wrap-up, Curtis and Prasanna explain why your RTO is probably fantasy, who should actually be setting it (hint: not you), and what recovery time actual really means. We cover the critical difference between objectives and reality, why testing is non-negotiable, and how to have honest conversations with business leadership about what's achievable. Learn about DR drills, chaos engineering, tabletop exercises, and why measuring your actual recovery times is the only way to close the gap. Stop feeling like a failure and start building realistic, tested recovery plans that actually work when disaster strikes.

Many organizations believe that Microsoft 365 backup is handled by Microsoft. That's a dangerous misconception. In this episode, W. Curtis Preston (Mr. Backup) and Microsoft 365 expert Vanessa Toves explain why you own your data and are responsible for protecting it—not Microsoft. They discuss the limitations of the recycle bin, why retention policies aren't backups, and what can go wrong when organizations assume SaaS means hands-off data protection. Whether you're running a Fortune 500 company or a small business, if you're using Microsoft 365, you need a proper backup solution. Learn why the shared responsibility model means you're on the hook for your data, and what you can do to protect it. This conversation will change how you think about cloud data protection.

Ransomware detection is more complex than most organizations realize. In this episode, cybersecurity expert Mike Saylor breaks down the real-world signs of ransomware attacks—from users complaining about slow computers to smart devices acting strangely. We explore polymorphic malware that changes based on its target, the risks posed by managed service providers using shared credentials, and why milliseconds matter in ransomware detection and response. Mike explains the difference between EDR, XDR, SIEM, and SOAR tools, helping you understand which security solutions you actually need. We also discuss why 24/7 monitoring is non-negotiable and how even small businesses can afford proper ransomware detection capabilities. If you're trying to protect your organization without breaking the bank, this episode offers practical guidance on building your security stack and knowing when to call in expert help.

This episode examines a sophisticated ArcGIS hack that remained undetected for 12 months. The threat group Flax Typhoon compromised an ArcGIS server by exploiting weak credentials and deploying a malicious Java extension that functioned as a web shell. The attack highlights critical failures in traditional security approaches: the malware was backed up along with legitimate data, signature-based detection tools completely missed the custom code, and the lack of multi-factor authentication made the initial breach possible. Curtis and Prasanna discuss why behavioral detection is now mandatory, how password length trumps complexity, and the importance of cyber hygiene practices like regular system audits and extension management. They also cover ReliaQuest's recommendations for preventing similar attacks, including automated response playbooks and monitoring for anomalous behavior. If you're running public-facing applications or managing any IT infrastructure, this episode provides actionable lessons you can't afford to ignore. https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise

Deepfake attacks are exploding, and your company is probably not ready. In this episode of The Backup Wrap-up, we dive into how cybercriminals are using AI to clone voices and create fake videos to authorize fraudulent wire transfers and reset credentials. With nearly 50% of businesses already experiencing deepfake attacks, this isn't a future problem – it's happening right now. We break down the two main attack vectors: authorization fraud (where fake CEOs trick employees into wiring money) and credential theft (where attackers reset passwords and MFA tokens). More importantly, we give you actionable defense strategies: multi-channel verification protocols, callback procedures for sensitive transactions, employee training programs, and break-glass scenarios. You'll learn what not to rely on (spoiler: caller ID is worthless) and why policy and procedure matter more than technology alone. This is a must-listen for anyone responsible for security or financial controls.