This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack the Podcast: Inside a Real LockBit Attack - Lessons From Fighting Ransomware with Zach Lewis

Drex DeFord: [00:00:00] Today on the UnHack channel with me Drex DeFord

Drex DeFord: I'm Drex Deford, president of Cybersecurity and Risk at this Week, health in the 2 29 Project. Our mission is healthcare transformation powered by community. Welcome to UnHack, where we navigate healthcare security challenges together because cyber safety is patient safety.

Let's get started.

Hey, welcome, dun. Hack the podcast. I'm Drex, and today a very special guest, the CIO and CSO at the University of Health, science and Pharmacy, UHSP in St. Louis, Zach Lewis. Hi Zach.

Zach Lewis: Hey, J, how's it going? Happy to be here. Thanks for having me,

Drex DeFord: I am really glad you're here. I want to talk about your new book Locked Up, which is a book about, I'll try to do my best to describe it.

Obviously I'm gonna, I'm gonna want you to talk about it, A book of hard knocks. It kind of ties to your real life experience with a ransomware security [00:01:00] incident there at UHSP. How do you describe the book to people when you talk about it?

Zach Lewis: Yeah. Yeah. I mean, you're right. It's a real world example, not an example, a real world case of what we deal dealt with when LockBit ransomware group attacked our university.

It details how it happened, what happened in the middle, how we made decisions, why we made certain decisions, all the way up to the end, buttoning everything up. And then some lessons learned to send you on your way. Just, very low level not in the weeds technically. I wanted to make something high level that anyone could read of any sort of role or position in a company and really understand what ransomware does to an organization when it strikes.

Drex DeFord: Yeah, I, one of the things I talk about in the podcast all the time, the try, the way I try to do the podcast, I talk about it, is mostly plain English, mostly non-technical, and you do a really great job of that. In the book, I feel like we're kindred spirits because as I read it, I mean, when I got to the end I was really just like, everybody needs to read this book, not just security people.

I know it's at least theoretically [00:02:00] aimed at security people. But everything that you talk about is like a problem at the universities. All those things are problems at healthcare delivery organization, exactly the same thing. Instead of saying one regulatory body, we say a different regulatory body, but otherwise I'm like, everything's exactly the same.

So I would say for CISOs and CIOs, this may be a little fanny here, but like every exec cabinet member, every board member should have this on their reading list. It's, like I said, it's easy to read, play by play, blow by blow. Does a great job sort of setting up how ransomware works and who the LockBit crew is, and then the incident, and then at the end, tons of amazing advice about how to hopefully create a situation where this doesn't happen to you.

So everybody needs to read this. Build a better program. Yeah. And hopefully they will.

Zach Lewis: I appreciate that. Thank you.

Drex DeFord: Of course. You get into everything from the history of ransomware to the evolution of the lock, but gang that you were fighting during the incident.

To the [00:03:00] chronic challenges with legacy servers and apps to overworked it and security teams and to the incredibly transparent challenges and successes you had during the actual ransomware event. So my first question is, how'd you get everybody in your org to sign off on this kind of transparency as a book?

Because people usually like to keep this stuff undercover.

Zach Lewis: it was a, it was definitely a journey through, through all that um, from, from the time of the ransomware event happened until we'll call present day. We've gone through a couple presidents. We've gone through various leadership changes and such.

So I started I started with a presentation and I got sign off just from like, sort of my supervisor, Hey, I'm gonna talk about this at a high level. You know, not too many details, but just talk that we had it. And I was doing that presentation a lot and I was getting lots of questions.

Mm-hmm. People coming up, just an asking ask, ask. And uh, and that happened two or three times at different conferences. And I was like, okay, so there's something here. So I was like, I might [00:04:00] wanna write this and turn this into a book. So I wrote a couple chapters without going to anyone. At first, I just wanted to see there was something there.

And then um, I, I talked to a couple publishers Wiley being the one that picked it up and they were like, this is great. There's nothing like this. We really want this to happen. Do you have sign off from everyone? So I got a contract from them and I took it to General Counsel and it was like, general counsel, Hey, I'm going.

I just book about our incident. Here's the contract, you know, here's the description of the book, here's what it is, you know, red line, this, tell me what am I missing? What's going on here? And and he went through it, didn't have any pressing questions up front, you know, like, I get it. We're here to, we're an education institution.

We wanna educate people on what's going on. So if someone can learn from our incident, all the better and. I'll preface that by saying I think it helped that our incident wasn't like catastrophic at in the end, right? Mm-hmm. Mm-hmm. So if we had lost, you know, 300 million files of, you know, PII or HIPAA related information, yeah, this might have been a very different story, but we came out relatively unscathed.

So when you have this like learning exercise that [00:05:00] essentially happens, like, yeah, we should tell people what went on. So kind of got that, kept writing. Presidents leave and go, new president comes in. Mm-hmm. He is aware I'm writing this book. Like we've talked about it. He's, you know, liking posts on LinkedIn.

We, we never thought too much of it. And then like right before we go to publish and they're like hey, has the president signed off on that? And I'm like. You know,

Drex DeFord: A president has signed off on this.

Zach Lewis: Yeah. Yeah. The new one has it. So, uh, went back to him. Not a, Not a big deal. He, he, He understood what we were doing.

He knew, but we just talked about it and he was like, yeah, we go forth. We'll kind of knock it out. So, and then we just did.

Drex DeFord: That's amazing. I wanna get into the book now. You. Kind of really start this whole book with the story about getting a call the middle of the night. There was an outage and your first thought was, well, you know, tech debt, legacy gear, we have plans to replace this stuff.

It's all gonna retire, but we're kind of, some of it's running kind of by the skin of its teeth. And there was nothing kind of initially that led you to [00:06:00] believe it was a security incident. So tell me more about that. The first couple of days of maybe. A little misdirection just because of the mindset that you had.

We have some old stuff and sometimes it's gonna break.

Zach Lewis: Yeah, I absolutely, and that's exactly what it was. We've dealt with issues with outages before we knew we had failing old, outdated technology. That was, it was getting ready to get replaced. So, I mean, to us, this was. Just that, like, let's come in.

We'll get it working again. We will port stuff over somewhere else. We'll switch out some hard drives. Like whatever we gotta do, we'll just get this just running again for, you know, another month and a half is about all we had left before our hardware arrived. And we're like in the closets where we're pulling stuff, where we're trying to reset factory reset, we're talking to the manufacturer.

Like some of the equipment we had was out of warranty. Like they didn't service it anymore, but we still had 'em on the phone. We're like, anything you can tell us about getting this back online? Like, like what can we do? And so really just running down that tech troubleshooting rabbit hole was all we did for the first couple of days.

We didn't have a ransom note [00:07:00] yet. No one's saying anything's encrypted. We haven't heard any alerts or messages or anything down. EDR is not saying anything. Mm-hmm. Sos not saying anything. So we, we all indicators were it problem?

Drex DeFord: Yeah. Well, I mean, before the ransomware attack happened on the security side, you'd kind of done, I mean all the right things as I go through the book, like encryption and endpoint detection and response you mentioned the.

Center for Internet Security Framework and MFA and like, you know it, it would appear that you had done all of the right things. You're briefing the board, you're connected to cisa, you're connected to the FBI. You have your insurance company rolled in on exercises, but then in the book you say something that's really insightful about how no plan survives first contact with the enemy.

Talk about that like. We had a great plan. And then I think Mike Tyson has this saying about everybody has a plan until they get punched in the face.

Zach Lewis: That's him.

Yeah. So with that, you know, I was doing board reporting and by [00:08:00] all measures from external attestation internal, we were, you know, a.

A, a minus, like really good scores looks Looks great. And that's well and good. And again that's a point in time. That's a just a, a number, it's just a data point, you know, it's not indicative of the entire environment. So for us though, we're thinking doing pretty good. We got all this stuff, well, the boxes are checked and it's funny how just a couple things have to line up at just the right time.

For the threat actors to come in and at any point, like I, I kind of talk about it in the book, but like if we had checked a config a little bit closer, if we had, you know, done this one thing with VPN and checked it a little bit closer, like we would've broken the kill chain, the whole thing would've fallen apart and we would've been fine, but.

In those few moments, you know, days where things were like linked up just right. They were able to find and exploit that. And it's just, it goes back to how we have to be right 100% of the time. And you miss one.

Drex DeFord: That's right.

Zach Lewis: And you're in this situation.

Drex DeFord: [00:09:00] That's right.

Zach Lewis: And it's pretty crazy.

Drex DeFord: So the bad guys are in your environment.

They've gotten into ESXI, which is the hypervisor that manages all your virtual machines. How'd you figure out it was ransomware? Tell me the story about you poking around in there.

Zach Lewis: Yeah, so we had restored our environment. Things were working. Again, we thought everything was up. We were almost 100% operational again after a few days of troubleshooting the IT side.

Uh, And then the environment goes down again. And this time we bring, we start doing the exact same troubleshooting procedures thinking, okay, really end of life, we gotta nurse this thing along, put it on life support. and we're, and we're And we're trying to stand it back up. And while doing it, the same process we just went through is not working.

Like, we're just not having success. We can't read files. We managed to get into the root of the hypervisor. The EXSI host. And and it's there, like looking at these files. I'm like, these, they look really weird. Those are some weird extensions. And then there's a Read me file, and as soon as I saw the read me file, I was like, oh, I know what's happened like that's not typically there.

And so I opened the Read Me file and it's the [00:10:00] ransom note from. From LockBit talking about what they did and how they encrypted all of our files and we're start looking at the files. Then I called my network director over who was working with me on this, and I'm like, it's not good, is it?

He's like, no that's not good.

Drex DeFord: Read this and double check me. This is what it is. Yeah, I think it is, right? Yeah. Oh

Zach Lewis: yeah. And then that's when we went down I talked to the COO and let him know, and he kind of marshaled the forces of the rest of the ULT or leadership team while I was gathering information and then we met and gave him the lowdown.

But that ransom note really was indicative of what was going on at that

Drex DeFord: point, and that also was a great. A learning lesson in the book from an observation perspective, you know, from my point standpoint, who was in charge? Did you had a plan you kind of followed the plan, but again, no plan survives first contact, but you had an org chart who was in charge through all of this?

Zach Lewis: there's different pieces. We had just ran a tabletop exercise around ransomware a few months prior to this event happening, so people were at least aware of what their roles would [00:11:00] be. We have an incident response plan, which we activated right away and has real high level stuff on who to contact, who's gonna be doing what and when.

And I think in the early stages, the first few hours, maybe in the first couple of days, super useful after that. You know, things, every incident's different. So things kind of just change and fall apart and you kind of run by the seat of your pants a little bit. But, you know, I, it's always been established that if I find it or my team finds it, they bring it to me.

I take it to, to the COO who is who I report to right now. And then um, he would get the leadership team involved and then I brief the leadership team we bring in and just. Just to be aware that hey, we're gonna be reaching out to our insurance company, we're gonna be reaching out to the FBI, we're gonna be reaching out to whoever just so they know and to prepare.

And that's a really gonna be a tight knit group. We kept that in single digits for quite a while just on what was going on. And once we brought in outside counsel, through insurance. He was able to lay the groundwork a little bit more on what we needed to do and when to do it. But from a, from a tech side, from a security side, I was sort of running point with the team.

Yeah. And then that information would [00:12:00] flow up to me and then I would take it to the board or leadership team almost every day for the first week. And then we got into a different cadence after that, but just. Keeping everyone up to date on what was going on.

Drex DeFord: I mean, it was pretty clear you had a good relationship with your fellow execs because at a couple of points in there, it was clear they were deferring to you, you know?

Mm-hmm. Like, what should we do here? What's our next step? So it's, it was kind of fun throughout the read to kind of see. Depending on what was happening in a particular part of the event, there were different people who were kind of leading and pulling the wagon. So the teamwork was pretty impressive to watch.

Zach Lewis: I appreciate that. Like I said, we'd work through the tabletop. Everyone kind of knew and like, I'm not gonna sit there and make calls on who we're gonna notify and win in terms of like external. Customer, students, alumni, stuff like that's marketing, like communications. Like this is your strength, guys.

Like, lean into it. What do you want to do? What's best practice here? I'll give you my feedback, I'll give you my 2 cents. But there are definitely [00:13:00] areas in there about do we pay, do we not pay? Who do we alert, when do we alert? You know, it's not in the realm of the CISO or even the CIO, like you gotta lean on your other peers for that.

Drex DeFord: You know, kind of looking back at the whole event, what's the biggest lesson you think that you'd share with folks who. Haven't read the book. Maybe it helps them drive them to read the book.

Zach Lewis: Yeah, I mean, I think the biggest lesson for us was just we need to take more time and review when we finish a project take a second to review everything.

Like did we do the project Right? We're really rushed a lot of the time in higher ed or, healthcare or something like that. Get a project done and move on to the next one. that goes back to budget's. Tight. People are tired. Lots of projects going on. You know, you're all working heavily.

Like just take a minute and review your configs. Did things get set up right? Are they properly installed? Because that, would've like, saved us a lot of headache. Of course, this book wouldn't have come out, so maybe it's a blessing right now but like, I don't wanna go through another one.

So we take a little bit more time now. We bake it in to just [00:14:00] double check everything set up the way it's supposed to be before we move on. And I think that's real important. Just slow down in life, in projects. Slow down, take a breather and get back to it then.

Drex DeFord: Yeah. Yeah, go slow to go fast.

I, I, you know, I've talked to my teams about this in the past too, this idea that, when you go fast, sometimes you create the situation where you become the pyromaniac that's setting the fire. It just, you don't find it until later. And in your case, remind me, there was like I mean one of the things was, for example, I think like a firewall.

You copied a firewall configuration from one firewall to a new firewall, but something didn't bridge over and it didn't get checked. And that was part of the chain of holes that allowed the bad guys to get through.

Zach Lewis: Yeah, that, that was exactly it. We had, We had um, some tech debt with some outdated firewall stuff.

Um, We moved firewall to firewall to firewall. We had three firewalls that, that had confi copied, copy copied three sets of configurations. And one of those configurations that worked on the original got lost somewhere between the second and [00:15:00] third copying and wasn't there like, it looked like it was there.

But if you go down into the, like it was labeled. The way it always been labeled? Well, if you go into it the limitation on who could connect to VPN and how they connect was missing. It was blank. And that allowed anyone in our environment to VPNN instead of just a set of controlled people. So that was one of those falling controls that sort of failed and led to the attack.

Drex DeFord: Is it, is this one of those things that you or your guys go out and look at like every morning just to make sure that the configuration is done? I mean, I feel like I would be so paranoid about.

Zach Lewis: I'm not checking the configuration every morning. I do get a report every single morning about VPN access and who's on it and the traffic going out of it.

And I look at it every morning now, even on the weekends, ever since that incident I check it every single day because uh, you know, the threat actors came in, they came in through a compromised account. So while that account. May be legitimate. We have a very finite amount of people who can VPN now, so mm-hmm.

If I see one of them and then they're exfiltrating, you know, five or six gigs of [00:16:00] data at a time. My question that a little bit, so we have a few more controls around that now.

Drex DeFord: Hey, you didn't pay and there's a lot that went into that decision. You want to talk a little bit about the, how you came to the We're not gonna pay.

Zach Lewis: Yeah. The initial ransom was for 1.25 million. And they had said in the first ransomware note that we had gigs of our data, they had 75 gigs of our data. And with that it was kinda like, well. Where did that come from? You know, what file could that be? So we, we started looking around.

We, we managed to get some file listings from the threat actor that talked about, you know, file paths where things were, how, where they were located. And we were trying to track like. Is that sensitive? Is it not? Like, can you give us more?

Drex DeFord: Mm-hmm.

Your negotiator spent a lot of time talking to the LockBit gang.

About, I mean, and extending, asking for more time, show me more stuff, like you really dragged it out with them, which turned out to be a big [00:17:00] advantage.

Zach Lewis: The more time you can have in that the better and it gives you more time to figure out what's going on. So that, that 75 gigs ended up increasing a couple points during the negotiation to, we got to about 380 gigs or something like that, and that's how much they had.

And we were like, we have no idea where 380 gigs of data come from. Like, we just don't have that sitting anywhere. So as we got closer and closer to, to drop date of, of the data. They'd given us file listings. They sent us 5% of all the files they had. We looked through those. We were like, there might be some FERPA data in there, but probably nothing HIPAA related.

Nothing too sensitive on the PII side. I mean, I just don't feel like paying 1.25 million. It just doesn't seem, but it wasn't my call. So, you know, we talked in the book about the president and the CFO and outside counsel, general counsel we're all like discussing this, trying to figure out what we wanna do and we decided not to pay.

And we were gonna just, when the data drops, we were just gonna kind of see what happens. And I remember having conversations with general counsel being like, well, 300 gigs, 380 gigs drop, you know, are we gonna be able to go through that? I was like, I mean, it would take me years. Maybe [00:18:00] my whole career to go through 380 gigs of files.

Like we'll have to send it off. So we'll have to parse through it and just figure out what's in there. So they dropped the data. It ends up being two and a half gigs. They'd been bluffing the whole time. The file listings we had were all that they had, and and we kind of, we went through them that day, but hardly had any information in it at all.

And we were like, whew, we lucked out on that one and didn't pay, you know, $1 million for essentially nothing. But I say, you know, another company could have done that and that could be two gigs of sensitive, you know, research information or government information or something like that. and You may pay that.

So it really depends on your sort of situation and your leadership team and what you think is in that, that data that makes it worth, you know, millions of dollars.

Drex DeFord: You probably knew this before, because. I know you're, you know, involved in a lot of research on cyber thugs, but this really kind of, this the book really kind of reaffirms that LockBit.

A lot of these ransomware, ransomwares of service [00:19:00] organizations are very much. Big business. They're hardcore big business tech companies with bug bounty programs and division of layer of Talk about that too, because I don't, I still think people think of these hackers as being like people with hoodies in the basement somewhere, but they're way more than that these days.

Zach Lewis: It It's very much a reminiscent of organized crime. So they have affiliates where they will sell products to, or people will make products for them and sell up to them. So Lockbit like for instance, will, I mean that's also the name of their, their ran their, their software their malware, for instance, that they, they they sell and they'll sell that to customers who want it.

Those customers will go encrypt, you know, a company that they want to target, and a portion of whatever ransom that they get will go back to the LockBit, you know, group. So, very affiliate marketing, very almost Ponzi scheme esque and how you sell stuff out and the money flows to the top. But they make a wild [00:20:00] wide range of tools and products that you can buy.

They have leadership, they have healthcare. There's been instances of malware, ransomware groups that actually operate out of a, an office building. And people literally come in and they clock in, they clock out. They have benefits like this is. Their livelihood, they have quotas of how many companies they need to attack in a month and different stuff.

So it's very organized, very structured. It's very hard to disrupt. The FBI came in and disrupted LockBit. They took down their site, they managed to see some infrastructure, but all this stuff is housed, you know, overseas in, in Russia and Ukraine and Iran and all these different places and it's hard to get ahold of that.

So they just disperse. There's no extradition. Rules. Mm-hmm. Uh, They're, they stay in the wind and we can indict 'em all we want, but unless they come into some area where we can nab 'em or we have a partnership with the country they kind of reper wherever they are. And then they break down and they regroup with a new bunch of affiliates and other people that have been disrupted and start a new ransomware group and.

We've actually seen LockBit doing that and actually creating a cartel of 3, 4, [00:21:00] 5 other ransomware groups that sort of disbanded and pulled back together. So it's very hard to keep 'em down for, for long term.

Drex DeFord: And they take the IP with them when they go? Yeah. So they have all the material to sort of start a new, company, I guess. Yeah, in just

Zach Lewis: farms, just buildings of servers and machines. 'Cause they can't really cloud host on the traditional, you know, Google and Microsoft environment. So they have just buildings filled with servers and farms that they, like. Different groups will house for the ransomware groups before the bad guys to use their infrastructure to launch attacks.

It's pretty crazy the underground. Infrastructure that they have created to, to do these things. But it's big business. You know, it's a billion dollar business.

Drex DeFord: It's all about the money.

Zach Lewis: Mm-hmm.

Drex DeFord: It's not about being worried about who they're hurting on the other side. Hey, one of the things too I loved about the book was that you at one point you talked about calling your wife.

Once you kind start to understand what's happening, like this isn't just another downtime, but it's a ransomware attack, and you kind of start to prepare her with this [00:22:00] idea that this might be a resume generating event. Talk about that conversation. Obviously you, that didn't happen. You're still there, but how, I mean, given everything else that's happening, you're also worried about that.

How'd you deal with that and how'd your family deal with that?

Zach Lewis: Yeah I make the joke. I made three phone calls that, that first night, and the first was to our cyber insurance provider. I said, Hey, we had a ransomware attack. I need some help. The second one was to FBI, Hey, we've had a ransomware attack.

I need some help. And then the third call was to my wife, Hey, we had a ransomware attack. This might be a resume generating a bit. Just maybe stop buying a bunch of stuff for a little while, while we figure out what's going on. And you know, I think she could tell like. This was serious.

It is like not a lot of joking going on. Like this was a real deal. And she knew, you know, through conversations with me what ransomware is and cyber attacks are. But I know I, I, there were multiple overnights during there when I was away and working and we have, you know, we had two kids at the time, but.

Like she's at home with both of them. I'm nowhere to be seen. Like I could get, I could very [00:23:00] well be fired. This is a thing that happens. I don't know what leadership in the board's talking about when I'm not there. Like maybe they are, they, maybe they used me to get through and then I did a bad job and we, I'm let go.

And we've seen that happen with companies in the past. It's not become. It's not as common as it used to be. It's definitely trended down. People are seeing that having battle tested CISOs and CIOs are a good thing to have on board and attacks are gonna happen. So if you have someone who understands your infrastructure and your environment, like why get rid of 'em.

Like keep 'em here and work through the problem with 'em. So, fortunately the university saw that as well. But you know, at the time it's in my mind that this could happen. I might need to look for a job, but also like. You gotta stay focused on task at hand. Like they, they're still bad guys, you know, in the system, bad guys doing things.

They have data. Like, we have to get through this at all before we figure out, you know, what's going on there. So it's personal and per professional, like combating over what your focus wants to be on so you're, you don't sleep.

Drex DeFord: Yeah, I definitely got that vibe from the book too. You and a bunch of others didn't sleep.

Zach Lewis: Yeah, for [00:24:00] sure.

Drex DeFord: Okay. So you obviously got through this, you came out the other side. One of the main lessons I'd like to get your insight on is your assertion that the recovery wasn't just about restoring lost data and getting everything back online, but it was, the whole attack was kind of this test that put you in a position.

The team in a position to be stronger on the other side of the event. How's that? How's that happened and how have you sustained that reality?

Zach Lewis: I mean, I like to think we have definitely gotten stronger. We we remediated the problem. We know where the threat actors came in, so we closed that.

So, you know, you wanna be sure that they're not gonna come in the exact same way. Right. Twice. Like, you might have two, two incidents um, at a company, but you don't want 'em to come in the same way twice. Right? So we definitely wanted to bolster that, but we found out where our weak points were during the incident, right?

Like, we didn't know what data they had, you know, what is in that data. We couldn't make. You know, definitive answers on what that was so. [00:25:00] We really wanted to get down and understand our data at a deeper level. So we kicked off a very big data governance project. We've been on that path for a few years now.

Just classifying, documenting, tracking. We have a couple new tools some data security, posture management stuff that looks at it and tells you like, Hey, these files have HIPAA data. These files have credit card deferred, whatever and that's all labeled and tracked and managed now. So if anyone was to grab some of that, we would know very definitively what was in it, which is great.

Little bit more reassurance. With that. Also, we wanted to harden the environment where our data was. So how do people access things? We are very SaaS first university. We have all our data out in the cloud. Um, You know, how are people accessing that? Well, mostly they're going through the browser, so we look at some enterprise browser stuff, some security around that.

So we bolstered that layer and made it a lot harder to get in if you're not. Kind of already in the know we've, you know, we definitively made sure that my, and that multifactor authentication is on everything. Mm-hmm. Trying to go [00:26:00] passwordless if we can have biometrics have, you know, as, as secure as we can around the identity, around the browser, around the data.

And that's kind of the key pillars we're looking at to really secure how the most likely revenue avenues that ransomware groups and threat actor groups are gonna take to get after what we have.

Drex DeFord: the end of the book. So the last, you know, several sort of sections of the book.

You kind of talk about all of the, this stuff that you've done and it kind of blows me away. You kind of go through the list, it's like, wow this is this is really amazing. Do you have a copy of the book in front of you?

Zach Lewis: Yeah,

Drex DeFord: because here's what happened for me. I wound up buying I bought the book on Kindle and then I started reading the book and I kept getting interrupted.

And then, so then the Audible version just came out. Yeah. So I got the audible version and I kind of plowed through the audible version because I'm, that's how I learn. So wave the book around so people can see it. Higher. Higher. Higher. There it is. [00:27:00] Oh man. I really appreciate you being with me today.

Zach Lewis from UHSP. Man, it was great talking to you.

Zach Lewis: Yeah, no thanks Rick. I appreciate it. I love being here. I love talking about the book. I hope it uh, hope the story helps some people out there. And I don't know, let 'em understand what's, what's going on with the ransomware environment. They're probably gonna run into an attack some point in their life and their, the professional journey.

So, uh. get a little forewarning, get a little heads up and be ready.

Drex DeFord: Thanks for joining on UnHack. Remember, we're not alone in this. Every healthcare leader needs a community to lean on and learn from. Join our community at this week, health.com/subscribe and share this not only with your security crew, but with your entire leadership team and staff.

Together we are stronger.