Formerly known as "Restore it All," The Backup Wrap-up podcast turns unappreciated backup admins into cyber recovery heroes. After a brief analysis of backup-related news, each episode dives deep into one topic that you can use to better protect your organization from data loss, be it from accidents, disasters, or ransomware. The Backup Wrap-up is hosted by W. Curtis Preston (Mr. Backup) and his co-host Prasanna Malaiyandi. Curtis' passion for backups began over 30 years ago when his employer, a $35B bank, lost its purchasing database – and the backups he was in charge of were worthless. After miraculously not being fired, he resolved to learn everything he could about a topic most people try to get away from. His co-host, Prasanna, saw similar tragedies from the vendor side of the house and also wanted to do whatever he could to stop that from happening to others. A particular focus lately has been the scourge of ransomware that is plaguing IT organizations across the globe. That's why in addition to backup and disaster recovery, we also touch on information security techniques you can use to protect your backup systems from ransomware. If you'd like to go from being unappreciated to being a cyber recovery hero, this is the podcast for you.
Listen to episodes
60 recent
June 15, 202635 min
California Election Fraud? (Pt 2)
California election fraud claims are flooding social media — and most of them fall apart under basic scrutiny. In this follow-up episode, longtime San Diego County poll worker W. Curtis Preston tackles the wave of viral fraud allegations head-on, with sources so you can check his work yourself.Topics covered: the LA mayoral race "statistically impossible" surge for Nithya Raman, the AP reporting error that got blamed on fraud, claims that Spencer Pratt voters were having ballots rejected for signatures, the "gym membership card" voter ID myth, the Skid Row "paid to vote" controversy, and yes — the one claim that turned out to be true (a woman who actually did register her dog to vote).If you've seen these claims and wondered whether there's anything to them, this episode walks through the actual data, the actual law, and the actual outcomes — no spin, just the facts from someone counting the votes.
June 8, 202624 min
California Election Counting Explained by an Actual Poll Worker
California election counting has confused — and frankly ticked off — a lot of people, and I get it. I'm W. Curtis Preston, I've worked every California election since the 2016 presidential primary, and I've managed the polls at multiple elections here in San Diego County. This episode, I'm going solo to explain exactly what's going on, why it takes so long, what the "red mirage" actually is, and why none of it is fraud. Sorry to disappoint some of you.If you've ever had a family member call you asking "what the hell is going on over there?" — this one's for you. I walk through the specific changes California made to election law, how our system compares to Florida's, why human nature is a big part of the problem, and what the chain of custody for every single ballot actually looks like from the inside. This isn't punditry. This is someone who has stood at those poll books, sealed those ballot cartons, and escorted those ballots to the DART team.Chapters:0:00 – Introduction: What the hell is going on in California?1:23 – Who I am and why I can speak to this2:12 – How California election law changed six years ago4:43 – The mail ballot window: postmark by 8 PM, received within 7 days5:09 – Vote centers vs. the old precinct model7:39 – California vs. Florida: why the laws produce such different results9:09 – Why California voters wait until the last minute14:12 – The red mirage explained: it's not fraud, it's math15:31 – Signature verification: 80,000–100,000 per day in San Diego alone16:35 – How computers count ballots — and the 1% manual audit that checks them19:11 – Chain of custody: two people, sealed cartons, tracked numbers20:17 – Debunking the "law enforcement can't observe" myth21:24 – Dead people voting? Let's talk about what's actually happening22:47 – Wrap-up
May 25, 202640 min
Stop 90% of Ransomware Attacks with Basic Cyber Hygiene
Basic cyber hygiene — patch management, password management, and MFA — is responsible for stopping roughly 90% of the ransomware attacks that could hit your organization. This episode is the overview: what those three things are, why they matter, and what happens when you skip them.WannaCry infected over 200,000 systems worldwide. A patch existed. People just hadn't applied it. Rackspace lost an entire business line — not because the attack was sophisticated, but because a workaround gave them false confidence and they delayed a critical patch. These aren't edge cases. They're the rule.Dr. Mike Saylor (Black Swan Cybersecurity) and Prasanna Malaiyandi join me to walk through the three pillars of basic cyber hygiene. We cover patch management first — and before you can even patch, you have to know what you have. Inventory is the starting point. Then we get into passwords: why reusing them is a numbers game the bad guys always win, and why a password manager isn't optional anymore. Finally, MFA — what it is, which forms are actually worth using, and why "remember this device" is quietly defeating the whole point.This is an overview episode. We're going deeper on each pillar in three follow-up episodes. But if you're not doing these three things today, stop reading this and go do them. There's no point talking about EDR, XDR, or any other three-letter security product if you haven't nailed the basics first. It's like researching a Roth IRA when you don't have a savings account.Chapters:0:00 Intro0:59 Welcome & Introductions4:20 WannaCry: The Patch That Would Have Saved 200,000 Systems7:33 Rackspace: When a Workaround Isn't Enough12:12 Defining Basic Cyber Hygiene14:53 Why These Three Things Stop 90% of Ransomware17:54 Pillar 1: Patch Management23:55 Pillar 2: Password Management31:55 Pillar 3: MFA & Passkeys37:34 Wrap-Up & What's Next
May 18, 202640 min
Claude Deletes a Company — But It's Not Really Claude's Fault
Claude deletes a company — and the internet immediately blamed the AI. But this story is really about backup design, credential management, and least privilege. An AI coding agent running Claude via Cursor deleted PocketOS's entire production database and all its backups in nine seconds. One bad design decision at a time, a startup built itself a disaster waiting to happen. Claude just happened to be the thing that set it off.Here's what you need to understand: the AI violated the principles it was given, and that's on Claude. But Claude never should have had access to do what it did. Credentials were sitting in a plain text YAML file. The production database and its backups lived on the same volume. No least privilege. No expiration on elevated permissions. And almost certainly, no backup recovery test — ever.In this episode, Curtis and Prasanna break down what actually went wrong with PocketOS, what Railway did to help recover the data, and what you need to do to make sure this never happens to you. Topics covered include backup isolation, the 3-2-1 rule, secrets management tools like AWS Secrets Manager and HashiCorp Vault, least privilege access, permission expiration, and credential scanning tools like TruffleHog.Chapters:0:00 — Intro: Meet the villain1:50 — Welcome and introducing "the French friend"3:48 — What Claude actually did to PocketOS7:20 — This is a backup story, not an AI story9:27 — The recovery: Railway, a weekend of chaos, and a lucky Twitter post12:31 — Your data is your responsibility — not your vendor's17:48 — Rule #1: Never store backups inside production20:37 — The real problem: credential management23:38 — Secrets management tools explained25:21 — Least privilege and why permissions need expiration dates34:59 — Finding exposed credentials with TruffleHog37:24 — Summary and takeaways
May 11, 202633 min
How Honeypots and Canary Files Catch Attackers Before They Strike
Honeypots and canary files are two of the most underused tools in cybersecurity — and in this episode, Dr. Mike Saylor and I break down exactly how they work and why you should be using them. The short version: they're tripwires. They tell you a bad guy is poking around your network before anything gets encrypted.Mike walks through his layered security analogy, explains the three different ways organizations use honeypots — learning attacker tactics, distraction, and testing — and then we get into canary files: what makes them different from a honeypot, how they beacon home when stolen, and why clock synchronization matters more than most people think if you ever want that evidence to hold up.We also cover how to stand one up without a big budget, what tools are available, and why something is absolutely better than nothing. Plus, Mike and I have news about our new O'Reilly book, Learning Ransomware Response and Recovery.0:00 - Intro and book news1:09 - Meet the crew3:45 - Security is all about layers9:22 - What are honeypots and canary files?11:00 - Three ways honeypots work for you13:17 - Real-world examples: bait cars and glitter bombs15:20 - Making your honeypot convincing19:11 - Honeypot tools and options21:13 - Something is better than nothing24:10 - Monitoring and notifications25:05 - Canary files explained27:03 - How canary files beacon and track attackers28:03 - Don't forget to sync your clocks29:05 - Final thoughts
May 4, 202647 min
Network Segmentation to Prevent Ransomware: What the UCSF Attack Taught Us
Network segmentation to prevent ransomware isn't just a nice-to-have — the UCSF ransomware attack proves it's what separates a contained incident from a catastrophe. UCSF got hit. Their segmented network kept the damage from spreading across their entire operation. That's the difference we're talking about in this episode.Dr. Mike Saylor — my co-author on Learning Ransomware Response and Recovery — joins me and Prasanna to break down exactly how network segmentation works, why it matters for ransomware defense, and how to start doing it without breaking everything in the process. (Not that I've ever done that. Much.)We cover what segmentation actually is, how VLANs make it manageable, the "need to talk" principle, and where microsegmentation fits in — and when it becomes overkill. We also get into the complexity trap: more rules and more layers don't automatically mean more protection. Sometimes they mean nobody can troubleshoot anything when the house is on fire.If you're an IT admin trying to make the case for better network architecture, or you just want to understand what would actually stop ransomware from ripping through your environment, this is the episode.Chapters:00:00:00 — Intro00:01:40 — Welcome & Guest Introductions00:05:17 — Case Study: UCSF Ransomware Attack00:08:13 — What Is Network Segmentation?00:12:32 — VLANs Explained00:19:50 — The Need to Talk Principle00:30:54 — Complexity vs. Security00:31:09 — Microsegmentation00:38:55 — Action Items: Where to Start00:42:05 — Monitoring VLAN Traffic
April 27, 202636 min
Stop Using VSS as a Backup Before Ransomware Deletes Your Shadow Copies
Stop Using VSS as a Backup Before Ransomware Deletes Your Shadow CopiesRansomware deletes shadow copies using your own built-in Windows tools against you — and if VSS was your backup plan, you just found out the hard way that it wasn't. In this episode, W. Curtis Preston (Mr. Backup), Prasanna Malaiyandi, and Dr. Mike Saylor break down exactly what shadow copies are, why they don't qualify as a real backup, and how attackers are weaponizing vssadmin to wipe your recovery options before you even know you're under attack.If you've got Windows systems and you've been thinking "eh, we've got shadow copies," this episode is for you. We cover the history of VSS — what it was actually designed for, why it became a crutch, and why using it as your primary backup strategy is a bad idea on multiple levels. Performance, the 3-2-1 rule, and the fact that one attacker with admin rights can delete every single copy in seconds. We also get into the living off the land angle: how attackers do recon on your shadow copies, how they use them to scope out valuable data before going full ransomware, and what you can actually do to detect and respond to this behavior using EDR tools.The bottom line: VSS is a great tool. It was just never meant to be your backup. Get a real one.Chapters:0:00 — Intro1:39 — Welcome & Book Talk3:26 — What Are Shadow Copies and Why Do People Use Them as Backups?9:14 — Performance Problems with VSS as a Backup10:19 — Living Off the Land: How Ransomware Uses VSS Against You12:36 — Can You Monitor or Lock Down VSS Admin?14:26 — Why Shadow Copies Fail the 3-2-1 Rule (They're Not a Backup)18:01 — How to Protect Yourself: Configuring Your EDR21:31 — The Local Admin Problem and Security Culture27:00 — Virtualization, Snapshots, and Shadow Copies29:00 — Final Thoughts: Just Don't Do That
April 20, 202636 min
Ransomware Sanctions, OFAC, and the Lazarus Group: A Real Case Study
Ransomware sanctions are something most companies never think about — until they're staring down a ransom demand from a group the US government has already put on a sanctions list. In this episode, Dr. Mike Saylor walks us through a real incident involving a construction company, hundreds of millions in active contracts, and the Lazarus Group — a North Korean state-sponsored threat actor. Before that company could pay a single dollar in ransom, they had to figure out whether doing so would trigger federal penalties that dwarfed the ransom itself. We're talking fines of 10x to 100x the payment amount, and in some jurisdictions, jail time.This is one of those episodes where the story alone is worth your time. Mike was in the room for this incident, negotiating directly with the Lazarus Group over a weekend — and yes, it turns out North Korean cybercriminals have a surprisingly functional help desk. But beyond the story, there's real actionable information here about OFAC (the Office of Foreign Asset Control), how the US Treasury tracks Bitcoin wallets to identify sanctioned actors, and what you actually need to do the moment ransomware hits your organization.We also get into why paying a ransom paints a target on your back — 70% of companies that pay get hit again within six months — and why immutable backups are the only thing that truly keeps you out of this situation.Chapters:0:00 Intro1:31 Meet the Guests: Curtis, Prasanna, and Dr. Mike Saylor4:10 Case Study: A Construction Company and the Lazarus Group6:34 Are These Bad Guys Sanctioned? Introducing OFAC8:05 Why Ransomware Funds Terrorism, Drug Trafficking, and Worse11:00 Sanctions Penalties: Fines That Can Put You Out of Business12:24 Colonial Pipeline and Exceptions for Critical Infrastructure13:26 How the Government Tracks Bitcoin Wallets16:27 Global Sanctions: UK and Australia Have Their Own Rules18:31 Pay Once, Pay Again: The 70% Re-Attack Rate20:43 Proof of Life: Don't Pay Without It23:38 What To Do When You Get Hit: The Right Order of Operations25:17 Immutable Backups: The Only Real Answer27:07 How the Construction Company's Backups Got Wiped33:07 Build Your Team Before the Bad Day: FBI InfraGard and More
April 13, 202646 min
The Real Cost of a Ransomware Attack: The Ransom Is the Least of Your Problems
The cost of a ransomware attack goes way beyond the ransom itself — and most organizations don't find that out until it's too late. In this episode of The Backup Wrap-up, W. Curtis Preston (Mr. Backup) and co-host Prasanna Malaiyandi sit down with Dr. Mike Saylor of Black Swan Cybersecurity to walk through every category of cost that hits when ransomware strikes.The case that kicks everything off: UVM Health Network, October 2020. Over 1,300 servers encrypted, staff forced back to paper records, patient care disrupted for weeks. Total tab? Over $63 million — and they never paid the ransom.From there, we go category by category: people costs (overtime, third-party IR firms, emergency hardware), lost business revenue, regulatory fines, reputational damage that doesn't wash off, staff burnout and resignations, supply chain chaos, payment processor shutdowns, and cyber insurance fine print that can leave you holding the bag even when you think you're covered.We also cover what you should be doing right now — before any of this happens to you. Starting with a Business Impact Analysis, which Mike argues most small-to-medium businesses can knock out in one to three weeks. Knowing what a downed system costs you per hour is exactly the information that gets you budget from leadership and a plan that actually works when the feces hits the rotary oscillator.Chapters:00:01:44 - Intro & Welcome00:03:45 - Case Study: UVM Health Network ($63M, 1,300 Servers Down)00:07:12 - People Costs: Overtime, Staffing & Third-Party IR Firms00:10:01 - The Odds Are Damn Near 100% — Set Up Your IR Relationship Now00:13:00 - Hardware Costs & Emergency Spending00:14:05 - Lost Business Revenue (Current and Future)00:15:14 - The Stat That Should Scare You: Over 50% Don't Survive00:16:38 - Regulatory Fines (GDPR, California & More)00:19:32 - Reputational Damage: Your Customers Never Forget00:21:28 - Staff Burnout, Exhaustion & Resignations00:22:40 - Supply Chain Disruption & Credit Rating Impact00:24:07 - Payment Processor Shutdown (Real Case: Dental Practice)00:26:00 - Cyber Insurance: Fine Print, Claim Denials & Premium Spikes00:27:52 - Post-Attack Process Remediation Costs00:29:36 - Business Impact Analysis: Why You Need One Before It Happens00:35:00 - Action Items00:39:41 - Recovery Prioritization & Recovery Point Objectives00:44:43 - Wrap
April 6, 202629 min
How Polymorphic Malware Evades Detection — And What to Do About It
Polymorphic malware is the kind of threat that changes its own code — its signature, its behavior, even the command-and-control server it reports to — specifically so your antivirus can't catch it. In this episode, Dr. Mike Saylor of Black Swan Cybersecurity joins Prasanna and me to break down exactly how this works, why signature-based detection keeps losing the race, and what defenders actually need to do differently.Mike walks us through ViraLock, one of the most well-known early examples of polymorphic malware, and explains the gap between infection and detection that attackers exploit. We also get into the difference between polymorphic and metamorphic malware — and metamorphic is a lot scarier. Then we cover waterhole attacks, a red team story that will make you rethink how fast attackers can own a network, and what behavioral detection looks like when it's actually working.If you thought keeping your antivirus updated was enough, this episode is going to change your mind.Chapters:00:00:00 – Intro01:35 – Meet the guests: Prasanna Malaiyandi and Dr. Mike Saylor02:58 – What is polymorphic malware? The ViraLock story05:52 – How polymorphic code changes its own signature10:04 – Disguised executables and the human factor12:23 – Polymorphic vs. static malware: what's the real difference?14:15 – Metamorphic malware: nation-state-level scary16:01 – The Frankenstein virus: a conceptual metamorphic example16:52 – Waterhole attacks: infecting the shared file everyone downloads18:32 – How polymorphic malware stays alive: the red team story21:28 – Behavioral detection and baselining: how you actually fight back26:57 – Risk-based defense: protect what matters most
Is this your show?
Claim this listing to keep it up to date, reach guests who want to pitch you, and manage bookings with Guestify.
