No Trust Podcast: Surviving Ransomware with Art Ocain
In this episode, hosts Jaye Tillson and John Spiegel welcome back Art Ocain for an in-depth discussion on ransomware threats, real-world attack vectors, response best practices, and building resilience so your business can survive and continue operating even under attack.
PODCAST
John Spiegel
8/15/2025


For the full episode - Ransomware with Art Ocain
Outline
1. Introduction
Welcome Art Ocain back to the show.
Topic focus: How to survive ransomware.
Approach: Q&A and real-world scenarios.
2. Current Ransomware Entry Points
VPN is the dominant attack vector.
Often no MFA configured.
Executive team sometimes exempt from MFA → whale phishing.
VPN configured as a trusted zone → access to entire network upon connection.
Past vectors: RDP, credential phishing, breached credential lists.
3. Impact Across Industries
All industries affected.
Small & mid-sized businesses hit hardest:
Less prepared than enterprises.
Down for a week+ on average.
Legal, compliance, reputational impacts are greater relative to size.
4. Why the Misconceptions Persist
Many think “It won’t happen to me” until it does.
Underestimating the scale of impact.
Belief in quick restores that often aren’t realistic.
5. High-Value Targets for Attackers
Hypervisors (VMware vCenter, Hyper-V):
Exploits against unpatched vCenter.
Encrypting entire data stores cripples operations.
Backup systems targeted (NetApp, EMC) to remove recovery options.
6. Risk Reduction Steps Before an Incident
Attack surface management: external risk assessment to think like an attacker.
Limit VPN access to essential users.
Identify and protect crown jewels (ERP, AD, Okta, OT systems).
Apply microsegmentation principles.
Keep at least one physical domain controller, so directory services survive if the hypervisor data stores are encrypted.
Maintain immutable cloud backups.
7. First 15 Minutes After Detection
Don’t: shut down affected machines (volatile forensic evidence is lost).
Do: disconnect WAN to stop exfiltration & remote control.
Quickly assess scope: backups intact? Which clusters/servers are affected?
Document all actions.
Activate IR plan: contact cyber legal, insurance, forensics, IR teams.
8. Balancing Recovery and Forensics
Executive pressure for uptime vs. forensic needs.
Recovery team and forensic team must operate in parallel.
Consider regulatory requirements (HIPAA, PCI, SEC).
Use quarantine VLAN for recovery to avoid reintroducing compromise.
9. Incident Command Structure
Involve:
IT/Security
Compliance
C-suite
HR (employee comms)
Legal (internal & external)
Avoid executive/technical silos—stay in the same war room.
Pre-plan communication methods outside compromised systems.
10. Paying the Ransom
Morally discouraged—funds further crime.
Reality: if no recovery path exists, some pay to survive.
Decryptors usually work, but some systems that were encrypted while running (live encryption) remain unrecoverable.
Always weigh ransom vs. total downtime/business loss.
11. Lessons Learned & Post-Incident Improvements
Improve identity hygiene (MFA, password policy, PAM).
Fix exploited vector (replace VPN with ZTNA or harden/limit VPN).
Reduce VPN trust and scope.
Enhance monitoring & segmentation.
Build resilience into backup and recovery processes.
12. Building Long-Term Resilience
Some companies disengage post-recovery; best to maintain partnership for:
DR/IR tabletop exercises.
Cloud migration of legacy workloads.
Continuous improvement.
Make security strategy an ongoing evolution with top-down buy-in.
13. Ransomware Trends
Not going away—attack patterns shift with tech changes.
Possible future: exfiltration/extortion targeting cloud services (MFA abuse, credential theft).
Law enforcement improving crypto tracking and clawbacks.
14. Final Advice to CISOs
Design for resiliency: be able to sustain an attack in one business unit while continuing to operate.
Invest in architectures, policies, and cultural shifts that reduce impact.
15. Personal Segment
Art’s recent favorite meal: pierogies with dill sour cream and steak.
St. Patrick’s Day plans: corned beef, family celebration.
Clean Transcript
(Speaker labels clarified, filler removed, conversational flow retained)
Jaye Tillson: Welcome back to another episode of No Trust. Today we have our friend of the show, Art Ocain, here to talk about how you can survive ransomware. We’ll do some Q&A and put Art on the spot.
Q: In today’s world, what are the most common ways attackers gain access?
Art Ocain: Recently—and for the past year—it’s been VPN. Before that, VPN and RDP. Many orgs close RDP externally, but assume VPN is safe. Attackers phish or buy stolen creds, socially engineer MFA, and walk in. Often no MFA on VPN, and VPN is configured as a trusted zone—full network access.
Q: Any industries hit more than others?
Art: It’s across the board, but small/medium businesses suffer most—less prepared, down longer, bigger relative compliance and reputational impacts.
Q: Why aren’t protections in place?
Art: Many think it won’t happen to them. Until it does, they underestimate downtime and impact. Think they’ll restore quickly—often not true.
Q: What assets do attackers target?
Art: Hypervisors, especially VMware vCenter—encrypt entire data stores, crippling everything: DCs, file servers, ERP. They also target backups to eliminate recovery options.
Q: First steps if you lack confidence in defending ransomware?
Art: Do external attack surface assessment. Limit VPN to essential users. Identify and protect crown jewels. Consider microsegmentation. Keep a physical DC. Maintain immutable cloud backups.
Q: First 15 minutes after detecting ransomware?
Art: Don’t shut down machines—lose forensic data. Disconnect WAN to stop C2 and spread. Assess impact. Document all actions. Then activate IR plan—contact legal, insurance, forensics.
Q: How to balance recovery vs. forensics?
Art: Have both efforts run in parallel. For regulated industries, keep forensic copies before restoring. Recovery into a quarantine VLAN until sure attacker is out.
Q: Who should be in the war room?
Art: IT/Sec, compliance, C-suite, HR, legal, external cyber legal. Avoid silos—everyone together. Pre-plan alternate comms; don’t use potentially compromised corporate systems.
Q: Should companies pay the ransom?
Art: Ethically no—it fuels the crime. But if no recovery path, some must to survive. Decryptors usually work but not always for live-encrypted systems.
Q: Lessons learned?
Art: Identity hygiene (MFA, PAM), fix the exploited vector (replace or harden VPN), reduce VPN trust scope, enhance segmentation. Build recovery resilience.
Q: Do companies engage for long-term strategy?
Art: Some disengage, but best practice is to keep evolving strategy—tabletops, cloud migration, reducing legacy footprint.
Q: Ransomware trends?
Art: It’s here to stay. Attacks will shift to cloud services. Law enforcement making progress in crypto tracking.
Q: Final advice to CISOs?
Art: Build for resiliency—keep operating during an attack. This may mean segmentation, ZTNA, legacy cleanup. Make it company-wide with exec buy-in.
Personal segment:
Favorite meal: pierogies with dill sour cream and steak.
St. Patrick’s Day: corned beef, family celebration.