The Backup Wrap-Up

W. Curtis Preston (Mr. Backup)

Formerly known as "Restore it All," The Backup Wrap-up podcast turns unappreciated backup admins into cyber recovery heroes. After a brief analysis of backup-related news, each episode dives deep into one topic that you can use to better protect your organization from data loss, be it from accidents, disasters, or ransomware. The Backup Wrap-up is hosted by W. Curtis Preston (Mr. Backup) and his co-host Prasanna Malaiyandi. Curtis' passion for backups began over 30 years ago when his employer, a $35B bank, lost its purchasing database – and the backups he was in charge of were worthless. After miraculously not being fired, he resolved to learn everything he could about a topic most people try to get away from. His co-host, Prasanna, saw similar tragedies from the vendor side of the house and also wanted to do whatever he could to stop that from happening to others. A particular focus lately has been the scourge of ransomware that is plaguing IT organizations across the globe. That's why in addition to backup and disaster recovery, we also touch on information security techniques you can use to protect your backup systems from ransomware. If you'd like to go from being unappreciated to being a cyber recovery hero, this is the podcast for you.

  1. Claude Deletes a Company — But It's Not Really Claude's Fault

    20 HR AGO

    Claude deletes a company — and the internet immediately blamed the AI. But this story is really about backup design, credential management, and least privilege. An AI coding agent running Claude via Cursor deleted PocketOS's entire production database and all its backups in nine seconds. One bad design decision at a time, a startup built itself a disaster waiting to happen. Claude just happened to be the thing that set it off. Here's what you need to understand: the AI violated the principles it was given, and that's on Claude. But Claude never should have had access to do what it did. Credentials were sitting in a plain text YAML file. The production database and its backups lived on the same volume. No least privilege. No expiration on elevated permissions. And almost certainly, no backup recovery test — ever. In this episode, Curtis and Prasanna break down what actually went wrong with PocketOS, what Railway did to help recover the data, and what you need to do to make sure this never happens to you. Topics covered include backup isolation, the 3-2-1 rule, secrets management tools like AWS Secrets Manager and HashiCorp Vault, least privilege access, permission expiration, and credential scanning tools like TruffleHog.

    Chapters:
    0:00 — Intro: Meet the villain
    1:50 — Welcome and introducing "the French friend"
    3:48 — What Claude actually did to PocketOS
    7:20 — This is a backup story, not an AI story
    9:27 — The recovery: Railway, a weekend of chaos, and a lucky Twitter post
    12:31 — Your data is your responsibility — not your vendor's
    17:48 — Rule #1: Never store backups inside production
    20:37 — The real problem: credential management
    23:38 — Secrets management tools explained
    25:21 — Least privilege and why permissions need expiration dates
    34:59 — Finding exposed credentials with TruffleHog
    37:24 — Summary and takeaways

    40 min
  2. How Honeypots and Canary Files Catch Attackers Before They Strike

    11 MAY

    Honeypots and canary files are two of the most underused tools in cybersecurity — and in this episode, Dr. Mike Saylor and I break down exactly how they work and why you should be using them. The short version: they're tripwires. They tell you a bad guy is poking around your network before anything gets encrypted. Mike walks through his layered security analogy, explains the three different ways organizations use honeypots — learning attacker tactics, distraction, and testing — and then we get into canary files: what makes them different from a honeypot, how they beacon home when stolen, and why clock synchronization matters more than most people think if you ever want that evidence to hold up. We also cover how to stand one up without a big budget, what tools are available, and why something is absolutely better than nothing. Plus, Mike and I have news about our new O'Reilly book, Learning Ransomware Response and Recovery.

    0:00 - Intro and book news
    1:09 - Meet the crew
    3:45 - Security is all about layers
    9:22 - What are honeypots and canary files?
    11:00 - Three ways honeypots work for you
    13:17 - Real-world examples: bait cars and glitter bombs
    15:20 - Making your honeypot convincing
    19:11 - Honeypot tools and options
    21:13 - Something is better than nothing
    24:10 - Monitoring and notifications
    25:05 - Canary files explained
    27:03 - How canary files beacon and track attackers
    28:03 - Don't forget to sync your clocks
    29:05 - Final thoughts

    34 min
  3. Network Segmentation to Prevent Ransomware: What the UCSF Attack Taught Us

    4 MAY

    Network segmentation to prevent ransomware isn't just a nice-to-have — the UCSF ransomware attack proves it's what separates a contained incident from a catastrophe. UCSF got hit. Their segmented network kept the damage from spreading across their entire operation. That's the difference we're talking about in this episode. Dr. Mike Saylor — my co-author on Learning Ransomware Response and Recovery — joins me and Prasanna to break down exactly how network segmentation works, why it matters for ransomware defense, and how to start doing it without breaking everything in the process. (Not that I've ever done that. Much.) We cover what segmentation actually is, how VLANs make it manageable, the "need to talk" principle, and where microsegmentation fits in — and when it becomes overkill. We also get into the complexity trap: more rules and more layers don't automatically mean more protection. Sometimes they mean nobody can troubleshoot anything when the house is on fire. If you're an IT admin trying to make the case for better network architecture, or you just want to understand what would actually stop ransomware from ripping through your environment, this is the episode.

    Chapters:
    00:00:00 — Intro
    00:01:40 — Welcome & Guest Introductions
    00:05:17 — Case Study: UCSF Ransomware Attack
    00:08:13 — What Is Network Segmentation?
    00:12:32 — VLANs Explained
    00:19:50 — The Need to Talk Principle
    00:30:54 — Complexity vs. Security
    00:31:09 — Microsegmentation
    00:38:55 — Action Items: Where to Start
    00:42:05 — Monitoring VLAN Traffic

    47 min
  4. Stop Using VSS as a Backup Before Ransomware Deletes Your Shadow Copies

    27 APR

    Ransomware deletes shadow copies using your own built-in Windows tools against you — and if VSS was your backup plan, you just found out the hard way that it wasn't. In this episode, W. Curtis Preston (Mr. Backup), Prasanna Malaiyandi, and Dr. Mike Saylor break down exactly what shadow copies are, why they don't qualify as a real backup, and how attackers are weaponizing vssadmin to wipe your recovery options before you even know you're under attack. If you've got Windows systems and you've been thinking "eh, we've got shadow copies," this episode is for you. We cover the history of VSS — what it was actually designed for, why it became a crutch, and why using it as your primary backup strategy is a bad idea on multiple levels. Performance, the 3-2-1 rule, and the fact that one attacker with admin rights can delete every single copy in seconds. We also get into the living off the land angle: how attackers do recon on your shadow copies, how they use them to scope out valuable data before going full ransomware, and what you can actually do to detect and respond to this behavior using EDR tools. The bottom line: VSS is a great tool. It was just never meant to be your backup. Get a real one.

    Chapters:
    0:00 — Intro
    1:39 — Welcome & Book Talk
    3:26 — What Are Shadow Copies and Why Do People Use Them as Backups?
    9:14 — Performance Problems with VSS as a Backup
    10:19 — Living Off the Land: How Ransomware Uses VSS Against You
    12:36 — Can You Monitor or Lock Down VSS Admin?
    14:26 — Why Shadow Copies Fail the 3-2-1 Rule (They're Not a Backup)
    18:01 — How to Protect Yourself: Configuring Your EDR
    21:31 — The Local Admin Problem and Security Culture
    27:00 — Virtualization, Snapshots, and Shadow Copies
    29:00 — Final Thoughts: Just Don't Do That

    37 min
  5. Ransomware Sanctions, OFAC, and the Lazarus Group: A Real Case Study

    20 APR

    Ransomware sanctions are something most companies never think about — until they're staring down a ransom demand from a group the US government has already put on a sanctions list. In this episode, Dr. Mike Saylor walks us through a real incident involving a construction company, hundreds of millions in active contracts, and the Lazarus Group — a North Korean state-sponsored threat actor. Before that company could pay a single dollar in ransom, they had to figure out whether doing so would trigger federal penalties that dwarfed the ransom itself. We're talking fines of 10x to 100x the payment amount, and in some jurisdictions, jail time. This is one of those episodes where the story alone is worth your time. Mike was in the room for this incident, negotiating directly with the Lazarus Group over a weekend — and yes, it turns out North Korean cybercriminals have a surprisingly functional help desk. But beyond the story, there's real actionable information here about OFAC (the Office of Foreign Asset Control), how the US Treasury tracks Bitcoin wallets to identify sanctioned actors, and what you actually need to do the moment ransomware hits your organization. We also get into why paying a ransom paints a target on your back — 70% of companies that pay get hit again within six months — and why immutable backups are the only thing that truly keeps you out of this situation.

    Chapters:
    0:00 Intro
    1:31 Meet the Guests: Curtis, Prasanna, and Dr. Mike Saylor
    4:10 Case Study: A Construction Company and the Lazarus Group
    6:34 Are These Bad Guys Sanctioned? Introducing OFAC
    8:05 Why Ransomware Funds Terrorism, Drug Trafficking, and Worse
    11:00 Sanctions Penalties: Fines That Can Put You Out of Business
    12:24 Colonial Pipeline and Exceptions for Critical Infrastructure
    13:26 How the Government Tracks Bitcoin Wallets
    16:27 Global Sanctions: UK and Australia Have Their Own Rules
    18:31 Pay Once, Pay Again: The 70% Re-Attack Rate
    20:43 Proof of Life: Don't Pay Without It
    23:38 What To Do When You Get Hit: The Right Order of Operations
    25:17 Immutable Backups: The Only Real Answer
    27:07 How the Construction Company's Backups Got Wiped
    33:07 Build Your Team Before the Bad Day: FBI InfraGard and More

    37 min
  6. The Real Cost of a Ransomware Attack: The Ransom Is the Least of Your Problems

    13 APR

    The cost of a ransomware attack goes way beyond the ransom itself — and most organizations don't find that out until it's too late. In this episode of The Backup Wrap-up, W. Curtis Preston (Mr. Backup) and co-host Prasanna Malaiyandi sit down with Dr. Mike Saylor of Black Swan Cybersecurity to walk through every category of cost that hits when ransomware strikes. The case that kicks everything off: UVM Health Network, October 2020. Over 1,300 servers encrypted, staff forced back to paper records, patient care disrupted for weeks. Total tab? Over $63 million — and they never paid the ransom. From there, we go category by category: people costs (overtime, third-party IR firms, emergency hardware), lost business revenue, regulatory fines, reputational damage that doesn't wash off, staff burnout and resignations, supply chain chaos, payment processor shutdowns, and cyber insurance fine print that can leave you holding the bag even when you think you're covered. We also cover what you should be doing right now — before any of this happens to you. Starting with a Business Impact Analysis, which Mike argues most small-to-medium businesses can knock out in one to three weeks. Knowing what a downed system costs you per hour is exactly the information that gets you budget from leadership and a plan that actually works when the feces hits the rotary oscillator.

    Chapters:
    00:01:44 - Intro & Welcome
    00:03:45 - Case Study: UVM Health Network ($63M, 1,300 Servers Down)
    00:07:12 - People Costs: Overtime, Staffing & Third-Party IR Firms
    00:10:01 - The Odds Are Damn Near 100% — Set Up Your IR Relationship Now
    00:13:00 - Hardware Costs & Emergency Spending
    00:14:05 - Lost Business Revenue (Current and Future)
    00:15:14 - The Stat That Should Scare You: Over 50% Don't Survive
    00:16:38 - Regulatory Fines (GDPR, California & More)
    00:19:32 - Reputational Damage: Your Customers Never Forget
    00:21:28 - Staff Burnout, Exhaustion & Resignations
    00:22:40 - Supply Chain Disruption & Credit Rating Impact
    00:24:07 - Payment Processor Shutdown (Real Case: Dental Practice)
    00:26:00 - Cyber Insurance: Fine Print, Claim Denials & Premium Spikes
    00:27:52 - Post-Attack Process Remediation Costs
    00:29:36 - Business Impact Analysis: Why You Need One Before It Happens
    00:35:00 - Action Items
    00:39:41 - Recovery Prioritization & Recovery Point Objectives
    00:44:43 - Wrap

    46 min
  7. How Polymorphic Malware Evades Detection — And What to Do About It

    6 APR

    Polymorphic malware is the kind of threat that changes its own code — its signature, its behavior, even the command-and-control server it reports to — specifically so your antivirus can't catch it. In this episode, Dr. Mike Saylor of Black Swan Cybersecurity joins Prasanna and me to break down exactly how this works, why signature-based detection keeps losing the race, and what defenders actually need to do differently. Mike walks us through ViraLock, one of the most well-known early examples of polymorphic malware, and explains the gap between infection and detection that attackers exploit. We also get into the difference between polymorphic and metamorphic malware — and metamorphic is a lot scarier. Then we cover waterhole attacks, a red team story that will make you rethink how fast attackers can own a network, and what behavioral detection looks like when it's actually working. If you thought keeping your antivirus updated was enough, this episode is going to change your mind.

    Chapters:
    00:00:00 – Intro
    01:35 – Meet the guests: Prasanna Malaiyandi and Dr. Mike Saylor
    02:58 – What is polymorphic malware? The ViraLock story
    05:52 – How polymorphic code changes its own signature
    10:04 – Disguised executables and the human factor
    12:23 – Polymorphic vs. static malware: what's the real difference?
    14:15 – Metamorphic malware: nation-state-level scary
    16:01 – The Frankenstein virus: a conceptual metamorphic example
    16:52 – Waterhole attacks: infecting the shared file everyone downloads
    18:32 – How polymorphic malware stays alive: the red team story
    21:28 – Behavioral detection and baselining: how you actually fight back
    26:57 – Risk-based defense: protect what matters most

    29 min
  8. Emergency Episode: The PyPI Software Supply Chain Attack You Need to Know About

    26 MAR

    A PyPI software supply chain attack hit LiteLLM — a library pulled into developer environments 97 million times a month — and if you use it, you may already be compromised. This wasn't a fake package or a typo-squatting trick. Attackers stole real credentials, published malicious code as the real thing, and walked out with SSH keys, cloud credentials, Kubernetes tokens, API keys, and more — all encrypted and sent home before anyone knew what happened. I'm doing something I've never done before: an emergency episode, recorded and published immediately because this is that serious. I brought in Dr. Mike Saylor, co-author of our book Learning Ransomware Response and Recovery, and my co-host Prasanna Malaiyandi to break down exactly what happened, how to find out if you were hit, and what you need to do to protect yourself going forward. We open with a story from 1982 that perfectly captures what this attack really is — getting poisoned by something you trusted completely. That framing matters. This wasn't a failure of the library. It was a failure of the supply chain. And it can happen again.

    Chapters:
    00:00:00 - Intro: Why this is an emergency episode
    00:01:35 - Meet the guests: Dr. Mike Saylor and Prasanna Malaiyandi
    00:02:31 - The Tylenol poisoning analogy and what it means for software supply chains
    00:05:51 - What LiteLLM is and what the malware actually did to your environment
    00:09:04 - Dependencies explained: why you're affected even if you didn't install LiteLLM directly
    00:12:24 - How to find out if you were hit: the first things to check right now
    00:14:23 - IOCs and TTPs: what to look for in your logs and on your systems
    00:19:07 - Network indicators: unusual traffic and what it tells you
    00:22:12 - How security teams can find out if developers installed it without telling anyone
    00:30:38 - Action items for the future: inventory, pinning, and hash verification
    00:36:55 - Sandboxing new downloads before they touch your environment
    00:37:59 - Immutable backups: why this attack makes the case for them
    00:40:33 - Modern authentication: MFA, its limits, and why passkeys matter
    00:46:53 - Where to get threat intel so you hear about attacks like this faster
    00:53:23 - Wrap-up

    If you installed or upgraded LiteLLM on or after March 24, 2026 without a pinned version, stop what you're doing and listen to this episode first.

    The story:
    https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/
    https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/
    https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/
    https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
    https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/
    https://www.upwind.io/feed/litellm-pypi-supply-chain-attack-malicious-release
    https://docs.litellm.ai/blog/security-update-march-2026
    https://www.helpnetsecurity.com/2026/03/25/teampcp-supply-chain-attacks/
    https://www.darktrace.com/resources/the-cisos-guide-to-cyber-ai

    Resources:
    https://www.stopransomware.com
    https://www.cisa.gov
    https://www.cve.org/

    56 min
