The Backup Wrap-Up

Network segmentation to prevent ransomware isn't just a nice-to-have — the UCSF ransomware attack proves it's what separates a contained incident from a catastrophe. UCSF got hit. Their segmented network kept the damage from spreading across their entire operation. That's the difference we're talking about in this episode.
Dr. Mike Saylor — my co-author on Learning Ransomware Response and Recovery — joins me and Prasanna to break down exactly how network segmentation works, why it matters for ransomware defense, and how to start doing it without breaking everything in the process. (Not that I've ever done that. Much.)
We cover what segmentation actually is, how VLANs make it manageable, the "need to talk" principle, and where microsegmentation fits in — and when it becomes overkill. We also get into the complexity trap: more rules and more layers don't automatically mean more protection. Sometimes they mean nobody can troubleshoot anything when the house is on fire.
If you're an IT admin trying to make the case for better network architecture, or you just want to understand what would actually stop ransomware from ripping through your environment, this is the episode.
Chapters:
00:00:00 — Intro
00:01:40 — Welcome & Guest Introductions
00:05:17 — Case Study: UCSF Ransomware Attack
00:08:13 — What Is Network Segmentation?
00:12:32 — VLANs Explained
00:19:50 — The Need to Talk Principle
00:30:54 — Complexity vs. Security
00:31:09 — Microsegmentation
00:38:55 — Action Items: Where to Start
00:42:05 — Monitoring VLAN Traffic

Stop Using VSS as a Backup Before Ransomware Deletes Your Shadow Copies
Ransomware deletes shadow copies using your own built-in Windows tools against you — and if VSS was your backup plan, you just found out the hard way that it wasn't. In this episode, W. Curtis Preston (Mr. Backup), Prasanna Malaiyandi, and Dr. Mike Saylor break down exactly what shadow copies are, why they don't qualify as a real backup, and how attackers are weaponizing vssadmin to wipe your recovery options before you even know you're under attack.
If you've got Windows systems and you've been thinking "eh, we've got shadow copies," this episode is for you. We cover the history of VSS — what it was actually designed for, why it became a crutch, and why using it as your primary backup strategy is a bad idea on multiple levels. Performance, the 3-2-1 rule, and the fact that one attacker with admin rights can delete every single copy in seconds. We also get into the living off the land angle: how attackers do recon on your shadow copies, how they use them to scope out valuable data before going full ransomware, and what you can actually do to detect and respond to this behavior using EDR tools.
The bottom line: VSS is a great tool. It was just never meant to be your backup. Get a real one.
Chapters:
0:00 — Intro
1:39 — Welcome & Book Talk
3:26 — What Are Shadow Copies and Why Do People Use Them as Backups?
9:14 — Performance Problems with VSS as a Backup
10:19 — Living Off the Land: How Ransomware Uses VSS Against You
12:36 — Can You Monitor or Lock Down VSS Admin?
14:26 — Why Shadow Copies Fail the 3-2-1 Rule (They're Not a Backup)
18:01 — How to Protect Yourself: Configuring Your EDR
21:31 — The Local Admin Problem and Security Culture
27:00 — Virtualization, Snapshots, and Shadow Copies
29:00 — Final Thoughts: Just Don't Do That

Ransomware sanctions are something most companies never think about — until they're staring down a ransom demand from a group the US government has already put on a sanctions list. In this episode, Dr. Mike Saylor walks us through a real incident involving a construction company, hundreds of millions in active contracts, and the Lazarus Group — a North Korean state-sponsored threat actor. Before that company could pay a single dollar in ransom, they had to figure out whether doing so would trigger federal penalties that dwarfed the ransom itself. We're talking fines of 10x to 100x the payment amount, and in some jurisdictions, jail time.
This is one of those episodes where the story alone is worth your time. Mike was in the room for this incident, negotiating directly with the Lazarus Group over a weekend — and yes, it turns out North Korean cybercriminals have a surprisingly functional help desk. But beyond the story, there's real actionable information here about OFAC (the Office of Foreign Asset Control), how the US Treasury tracks Bitcoin wallets to identify sanctioned actors, and what you actually need to do the moment ransomware hits your organization.
We also get into why paying a ransom paints a target on your back — 70% of companies that pay get hit again within six months — and why immutable backups are the only thing that truly keeps you out of this situation.
Chapters:
0:00 Intro
1:31 Meet the Guests: Curtis, Prasanna, and Dr. Mike Saylor
4:10 Case Study: A Construction Company and the Lazarus Group
6:34 Are These Bad Guys Sanctioned? Introducing OFAC
8:05 Why Ransomware Funds Terrorism, Drug Trafficking, and Worse
11:00 Sanctions Penalties: Fines That Can Put You Out of Business
12:24 Colonial Pipeline and Exceptions for Critical Infrastructure
13:26 How the Government Tracks Bitcoin Wallets
16:27 Global Sanctions: UK and Australia Have Their Own Rules
18:31 Pay Once, Pay Again: The 70% Re-Attack Rate
20:43 Proof of Life: Don't Pay Without It
23:38 What To Do When You Get Hit: The Right Order of Operations
25:17 Immutable Backups: The Only Real Answer
27:07 How the Construction Company's Backups Got Wiped
33:07 Build Your Team Before the Bad Day: FBI InfraGard and More

The cost of a ransomware attack goes way beyond the ransom itself — and most organizations don't find that out until it's too late. In this episode of The Backup Wrap-up, W. Curtis Preston (Mr. Backup) and co-host Prasanna Malaiyandi sit down with Dr. Mike Saylor of Black Swan Cybersecurity to walk through every category of cost that hits when ransomware strikes.
The case that kicks everything off: UVM Health Network, October 2020. Over 1,300 servers encrypted, staff forced back to paper records, patient care disrupted for weeks. Total tab? Over $63 million — and they never paid the ransom.
From there, we go category by category: people costs (overtime, third-party IR firms, emergency hardware), lost business revenue, regulatory fines, reputational damage that doesn't wash off, staff burnout and resignations, supply chain chaos, payment processor shutdowns, and cyber insurance fine print that can leave you holding the bag even when you think you're covered.
We also cover what you should be doing right now — before any of this happens to you. Starting with a Business Impact Analysis, which Mike argues most small-to-medium businesses can knock out in one to three weeks. Knowing what a downed system costs you per hour is exactly the information that gets you budget from leadership and a plan that actually works when the feces hits the rotary oscillator.
Chapters:
00:01:44 - Intro & Welcome
00:03:45 - Case Study: UVM Health Network ($63M, 1,300 Servers Down)
00:07:12 - People Costs: Overtime, Staffing & Third-Party IR Firms
00:10:01 - The Odds Are Damn Near 100% — Set Up Your IR Relationship Now
00:13:00 - Hardware Costs & Emergency Spending
00:14:05 - Lost Business Revenue (Current and Future)
00:15:14 - The Stat That Should Scare You: Over 50% Don't Survive
00:16:38 - Regulatory Fines (GDPR, California & More)
00:19:32 - Reputational Damage: Your Customers Never Forget
00:21:28 - Staff Burnout, Exhaustion & Resignations
00:22:40 - Supply Chain Disruption & Credit Rating Impact
00:24:07 - Payment Processor Shutdown (Real Case: Dental Practice)
00:26:00 - Cyber Insurance: Fine Print, Claim Denials & Premium Spikes
00:27:52 - Post-Attack Process Remediation Costs
00:29:36 - Business Impact Analysis: Why You Need One Before It Happens
00:35:00 - Action Items
00:39:41 - Recovery Prioritization & Recovery Point Objectives
00:44:43 - Wrap

Polymorphic malware is the kind of threat that changes its own code — its signature, its behavior, even the command-and-control server it reports to — specifically so your antivirus can't catch it. In this episode, Dr. Mike Saylor of Black Swan Cybersecurity joins Prasanna and me to break down exactly how this works, why signature-based detection keeps losing the race, and what defenders actually need to do differently.
Mike walks us through ViraLock, one of the most well-known early examples of polymorphic malware, and explains the gap between infection and detection that attackers exploit. We also get into the difference between polymorphic and metamorphic malware — and metamorphic is a lot scarier. Then we cover waterhole attacks, a red team story that will make you rethink how fast attackers can own a network, and what behavioral detection looks like when it's actually working.
If you thought keeping your antivirus updated was enough, this episode is going to change your mind.
Chapters:
00:00:00 – Intro
01:35 – Meet the guests: Prasanna Malaiyandi and Dr. Mike Saylor
02:58 – What is polymorphic malware? The ViraLock story
05:52 – How polymorphic code changes its own signature
10:04 – Disguised executables and the human factor
12:23 – Polymorphic vs. static malware: what's the real difference?
14:15 – Metamorphic malware: nation-state-level scary
16:01 – The Frankenstein virus: a conceptual metamorphic example
16:52 – Waterhole attacks: infecting the shared file everyone downloads
18:32 – How polymorphic malware stays alive: the red team story
21:28 – Behavioral detection and baselining: how you actually fight back
26:57 – Risk-based defense: protect what matters most