The Backup Wrap-Up

What is an initial access broker — and why does it matter to your organization? In this episode, W. Curtis Preston and Prasanna Malaiyandi are joined by Dr. Mike Saylor of Black Swan Cybersecurity to break down the role of the initial access broker in today's ransomware attacks.
Most people picture ransomware as a single bad guy with a keyboard. The reality is way scarier. There's an entire criminal supply chain out there, and the initial access broker is the specialist at the front of it. These are the people who do nothing but break in — stealing credentials, exploiting vulnerabilities, hijacking sessions — and then sell that access to other criminals who do the dirty work. Dr. Mike Saylor walks us through a real case study from 2024 where an employee's personal Gmail account — with a Google Docs folder literally named "passwords" — became the entry point for a corporate ransomware attack months later. This stuff is real, it's happening constantly, and most organizations have no idea how exposed they are.
We cover what IABs target, how they package and sell access, what "coincidental passwords" are and why they're so dangerous, and what practical steps you can take today to make your organization a harder target.
Chapters:
00:00 - Intro: What Is an Initial Access Broker?
02:12 - Welcome, Introductions, and a Little Judging
03:33 - Defining the Initial Access Broker
04:31 - Real Case Study: How Bob's Gmail Became a Corporate Breach
07:16 - How IABs Package and Sell Access
10:32 - How Stolen Credentials Get Bundled and Priced
29:48 - RDP, VPN Vulnerabilities, and What IABs Are Hunting
32:54 - Web Shells Explained
35:08 - Session Hijacking and Man-in-the-Middle Attacks
36:16 - Would Eliminating IABs Stop Ransomware?
36:49 - How the Cybercriminal Ecosystem Evolved to Create IABs
39:51 - Practical Takeaways: What You Can Do Right Now
40:45 - The Numbers: 37 Billion Records and the ShinyHunters Breach

Ransomware as a service has turned cybercrime into a franchise business — and in this episode, Dr. Mike Saylor and I break down exactly how it works, who's buying, and why the buyer might end up as the patsy.
If you thought ransomware was just a lone hacker writing code in a basement, this episode is going to change how you think about it. Ransomware as a service means that today, literally anyone — no technical skills required — can pay someone to launch a ransomware attack on their behalf. You hand over the money, tell them what you want, and sit back and watch your crypto wallet. That's it. No portal. No dashboard. No login. Just a chat on the dark web through the TOR network and a prayer that they actually do what you paid for.
Dr. Mike Saylor walks us through the full criminal ecosystem — from the initial access brokers who collect and sell validated email addresses, to the botnet operators who rent out millions of compromised computers by the hour, to the affiliate programs that tie it all together. We cover the franchise model, the "no honor among thieves" reality of these transactions, and why the person who buys into ransomware as a service might just end up as law enforcement's fall guy.
This is one of those episodes where the more you learn, the more you realize how much the threat picture has changed — and why your backups are more important than ever.
Chapters:
00:00:00 - Episode Intro
00:01:17 - Introductions & Welcome
00:03:25 - Setting the Stage: CryptoLocker and the Birth of a Criminal Industry
00:07:17 - Defining Ransomware as a Service: The Franchise Model
00:10:36 - The Amazon/AWS Analogy and How Botnets Power the Attacks
00:17:10 - No Portal, No Dashboard: How Dark Web Transactions Actually Work
00:19:17 - Why Do RaaS Operators Offer the Service? The Lottery Ticket Theory
00:21:59 - The Affiliate Model: How the Criminal Ecosystem Specializes
00:26:33 - How Many RaaS Groups Exist — and Who's Buying?
00:29:36 - RaaS as Subterfuge: The Conti Group and the Costa Rica Attack
00:30:49 - Who Are These Criminals, Really?

The cryptolocker virus was the attack that turned ransomware from a nuisance into a full-blown criminal industry — and in this episode of The Backup Wrap-up, we break down exactly how that happened. W. Curtis Preston (Mr. Backup) sits down with co-host Prasanna Malaiyandi and cybersecurity expert Dr. Mike Saylor to trace the full evolution of ransomware and explain why CryptoLocker was the turning point.
If you've ever wondered how ransomware went from fake pop-up messages to billion-dollar criminal enterprises, this is the episode for you. We start with the earliest days — scareware attacks that did nothing more than frighten you into paying — and walk through the progression of encryption methods that made ransomware increasingly dangerous. Dr. Mike Saylor breaks down the difference between symmetric and asymmetric encryption in plain language, and explains why the move to public-private key pairs made it so much harder for victims to recover without paying up.
Then we get into the cryptolocker virus itself: how it spread through fake FedEx emails, why it kick-started phishing awareness training, what Operation Tovar did to shut it down, and — just as interesting — what the bad guys learned from its failures. We cover the role of the Zeus botnet, how Bitcoin became the payment method of choice, and why ransoms started out at just a few hundred bucks. We also talk about what happened next: the rise of data exfiltration, double extortion, and even triple extortion where attackers go after the victims of the victims.
Plus, we take a side trip into the LastPass breach and pour one out for the guy who lost his crypto fortune in a landfill.
Whether you're in IT, security, or just want to understand how ransomware works, this episode gives you the full picture.
Chapters:
00:00:00 — Intro
00:01:22 — Welcome and Introductions
00:04:11 — The Three Generations of Ransomware
00:05:01 — Scareware: Fake Attacks That Did Nothing
00:05:42 — Ciphers and Decoder Ring Encryption
00:06:38 — Symmetric Encryption Explained
00:09:25 — Asymmetric (Public-Private Key) Encryption
00:12:46 — Why Asymmetric Encryption Made Ransomware Stronger
00:15:44 — What Was the CryptoLocker Virus?
00:16:25 — Lessons CryptoLocker Taught Victims and Criminals
00:18:03 — Operation Tovar Takes Down CryptoLocker
00:19:54 — Bitcoin, Ransom Amounts, and Getting Paid
00:23:20 — Botnets Explained: Networks of Zombie Computers
00:26:22 — Recap: Three Phases of Ransomware
00:27:09 — Double Extortion and Data Exfiltration
00:28:01 — The LastPass Connection
00:28:47 — The Lost Crypto Hard Drive

A history of ransomware is more than just dates and names—it's the story of how criminals evolved from mailing infected floppy disks in 1989 to running billion-dollar enterprises that cripple entire organizations. On this episode of The Backup Wrap-up, I sit down with Dr. Mike Saylor, my co-author on "Learning Ransomware Response and Recovery," to trace this evolution from the AIDS Trojan to today's sophisticated double extortion attacks.
We talk about how ransomware went from requiring physical distribution to scaling globally through the internet, how cryptocurrency made anonymous payment possible, and why the shift from tape to disk backups created vulnerabilities that attackers now exploit first. You'll learn about the wild west days when IT focused on building systems without understanding how bad guys attack, the emergence of ransomware-as-a-service that democratized cybercrime, and why modern attacks target your backups before encrypting your production systems.
If you've ever wondered why backup immutability matters or how we got to a point where ransomware is inevitable rather than hypothetical, this episode connects those dots. Dr. Mike and I also discuss why having backups is still critical even with double extortion threats, and what you need to know about defending your backup systems in today's threat environment.
Chapter Markers:
00:00:00 - Introduction
00:01:19 - Welcome and Guest Introduction
00:02:19 - Curtis's First Ransomware Memory
00:03:40 - The AIDS Trojan: First Ransomware (1989)
00:04:42 - The Wild West Era: Late 1990s Security
00:08:05 - Y2K and Budget Shifts
00:11:26 - The Transition from Tape to Disk Backups
00:15:45 - How Disk Backups Created Vulnerabilities
00:19:30 - The Rise of Cryptolocker and Bitcoin
00:23:15 - Ransomware as a Service Emerges
00:27:40 - WannaCry and NotPetya
00:31:20 - Double Extortion: The Game Changer
00:35:10 - Why Backups Still Matter
00:37:55 - Should You Just Pay the Ransom?
00:40:01 - Defending Your Backup System

Understanding how ransomware works is critical for anyone responsible for protecting their organization's data. In this episode of The Backup Wrap-up, we examine the five core objectives that drive nearly every ransomware attack - from initial access through the final ransom note delivery.
I'm joined by my co-author Dr. Mike Saylor as we kick off what's going to be a comprehensive series on our new book, "Learning Ransomware Response and Recovery." We start at the beginning: how do these attackers even get in? Mike breaks down the role of initial access brokers (IABs) - the bad guys who specialize in harvesting and selling credentials. We talk about why email phishing remains the cheapest and most statistically reliable attack vector, even with all our defenses.
From there, we walk through lateral movement and reconnaissance. Once attackers are inside your network, they're not sitting idle. They're mapping your environment, identifying your crown jewels, and figuring out where your backups live. The "phone home" phase establishes command and control, letting attackers coordinate their activities and receive instructions.
We dig into data exfiltration and the rise of double extortion. It's not enough anymore to just encrypt your data - attackers are stealing it first, threatening to publish it even if you can restore from backups. Mike shares some fascinating details about how sophisticated ransomware can be, including variants that examine file headers rather than just extensions to find valuable targets.
The encryption phase itself is resource-intensive, and Mike explains why you might actually notice your computer acting weird if you're paying attention. Your mouse hesitates, typing lags, the network slows down - these are all potential warning signs.
Finally, we cover how ransom notes are delivered today. Spoiler: it's not the old-school desktop background takeover anymore. Modern ransomware drops text files in every folder it touches, making sure you can't miss the message.
This episode sets the foundation for understanding how ransomware works, which is the first step in defending against it and recovering when prevention fails.