The Backup Wrap-Up Podcast by W. Curtis Preston (Mr. Backup)

The Backup Wrap-Up

By: W. Curtis Preston (Mr. Backup)

Formerly known as "Restore it All," The Backup Wrap-up podcast turns unappreciated backup admins into cyber recovery heroes. After a brief analysis of backup-related news, each episode dives deep into one topic that you can use to better protect your organization from data loss, be it from accidents, disasters, or ransomware. The Backup Wrap-up is hosted by W. Curtis Preston (Mr. Backup) and his co-host Prasanna Malaiyandi. Curtis' passion for backups began over 30 years ago when his employer, a $35B bank, lost its purchasing database – and the backups he was in charge of were worthless. After miraculously not being fired, he resolved to learn everything he could about a topic most people try to get away from. His co-host, Prasanna, saw similar tragedies from the vendor side of the house and also wanted to do whatever he could to stop that from happening to others. A particular focus lately has been the scourge of ransomware that is plaguing IT organizations across the globe. That's why in addition to backup and disaster recovery, we also touch on information security techniques you can use to protect your backup systems from ransomware. If you'd like to go from being unappreciated to being a cyber recovery hero, this is the podcast for you.

All rights reserved
Episodes
  • The Real Cost of a Ransomware Attack: The Ransom Is the Least of Your Problems
    Apr 13 2026

    The cost of a ransomware attack goes way beyond the ransom itself — and most organizations don't find that out until it's too late. In this episode of The Backup Wrap-up, W. Curtis Preston (Mr. Backup) and co-host Prasanna Malaiyandi sit down with Dr. Mike Saylor of Black Swan Cybersecurity to walk through every category of cost that hits when ransomware strikes.

    The case that kicks everything off: UVM Health Network, October 2020. Over 1,300 servers encrypted, staff forced back to paper records, patient care disrupted for weeks. Total tab? Over $63 million — and they never paid the ransom.

    From there, we go category by category: people costs (overtime, third-party IR firms, emergency hardware), lost business revenue, regulatory fines, reputational damage that doesn't wash off, staff burnout and resignations, supply chain chaos, payment processor shutdowns, and cyber insurance fine print that can leave you holding the bag even when you think you're covered.

    We also cover what you should be doing right now — before any of this happens to you. Starting with a Business Impact Analysis, which Mike argues most small-to-medium businesses can knock out in one to three weeks. Knowing what a downed system costs you per hour is exactly the information that gets you budget from leadership and a plan that actually works when the feces hits the rotary oscillator.

    Chapters:

    00:01:44 - Intro & Welcome

    00:03:45 - Case Study: UVM Health Network ($63M, 1,300 Servers Down)

    00:07:12 - People Costs: Overtime, Staffing & Third-Party IR Firms

    00:10:01 - The Odds Are Damn Near 100% — Set Up Your IR Relationship Now

    00:13:00 - Hardware Costs & Emergency Spending

    00:14:05 - Lost Business Revenue (Current and Future)

    00:15:14 - The Stat That Should Scare You: Over 50% Don't Survive

    00:16:38 - Regulatory Fines (GDPR, California & More)

    00:19:32 - Reputational Damage: Your Customers Never Forget

    00:21:28 - Staff Burnout, Exhaustion & Resignations

    00:22:40 - Supply Chain Disruption & Credit Rating Impact

    00:24:07 - Payment Processor Shutdown (Real Case: Dental Practice)

    00:26:00 - Cyber Insurance: Fine Print, Claim Denials & Premium Spikes

    00:27:52 - Post-Attack Process Remediation Costs

    00:29:36 - Business Impact Analysis: Why You Need One Before It Happens

    00:35:00 - Action Items

    00:39:41 - Recovery Prioritization & Recovery Point Objectives

    00:44:43 - Wrap

    47 m
  • How Polymorphic Malware Evades Detection — And What to Do About It
    Apr 6 2026

    Polymorphic malware is the kind of threat that changes its own code — its signature, its behavior, even the command-and-control server it reports to — specifically so your antivirus can't catch it. In this episode, Dr. Mike Saylor of Black Swan Cybersecurity joins Prasanna and me to break down exactly how this works, why signature-based detection keeps losing the race, and what defenders actually need to do differently.

    Mike walks us through ViraLock, one of the most well-known early examples of polymorphic malware, and explains the gap between infection and detection that attackers exploit. We also get into the difference between polymorphic and metamorphic malware — and metamorphic is a lot scarier. Then we cover waterhole attacks, a red team story that will make you rethink how fast attackers can own a network, and what behavioral detection looks like when it's actually working.

    If you thought keeping your antivirus updated was enough, this episode is going to change your mind.

    Chapters:

    00:00:00 – Intro

    01:35 – Meet the guests: Prasanna Malaiyandi and Dr. Mike Saylor

    02:58 – What is polymorphic malware? The ViraLock story

    05:52 – How polymorphic code changes its own signature

    10:04 – Disguised executables and the human factor

    12:23 – Polymorphic vs. static malware: what's the real difference?

    14:15 – Metamorphic malware: nation-state-level scary

    16:01 – The Frankenstein virus: a conceptual metamorphic example

    16:52 – Waterhole attacks: infecting the shared file everyone downloads

    18:32 – How polymorphic malware stays alive: the red team story

    21:28 – Behavioral detection and baselining: how you actually fight back

    26:57 – Risk-based defense: protect what matters most

    30 m
  • Emergency Episode: The PyPI Software Supply Chain Attack You Need to Know About
    Mar 26 2026

    A PyPI software supply chain attack hit LiteLLM — a library pulled into developer environments 97 million times a month — and if you use it, you may already be compromised. This wasn't a fake package or a typo-squatting trick. Attackers stole real credentials, published malicious code as the real thing, and walked out with SSH keys, cloud credentials, Kubernetes tokens, API keys, and more — all encrypted and sent home before anyone knew what happened.

    I'm doing something I've never done before: an emergency episode, recorded and published immediately because this is that serious. I brought in Dr. Mike Saylor, co-author of our book Learning Ransomware Response and Recovery, and my co-host Prasanna Malaiyandi to break down exactly what happened, how to find out if you were hit, and what you need to do to protect yourself going forward.

    We open with a story from 1982 that perfectly captures what this attack really is — getting poisoned by something you trusted completely. That framing matters. This wasn't a failure of the library. It was a failure of the supply chain. And it can happen again.

    Chapters:

    00:00:00 - Intro: Why this is an emergency episode

    00:01:35 - Meet the guests: Dr. Mike Saylor and Prasanna Malaiyandi

    00:02:31 - The Tylenol poisoning analogy and what it means for software supply chains

    00:05:51 - What LiteLLM is and what the malware actually did to your environment

    00:09:04 - Dependencies explained: why you're affected even if you didn't install LiteLLM directly

    00:12:24 - How to find out if you were hit: the first things to check right now

    00:14:23 - IOCs and TTPs: what to look for in your logs and on your systems

    00:19:07 - Network indicators: unusual traffic and what it tells you

    00:22:12 - How security teams can find out if developers installed it without telling anyone

    00:30:38 - Action items for the future: inventory, pinning, and hash verification

    00:36:55 - Sandboxing new downloads before they touch your environment

    00:37:59 - Immutable backups: why this attack makes the case for them

    00:40:33 - Modern authentication: MFA, its limits, and why passkeys matter

    00:46:53 - Where to get threat intel so you hear about attacks like this faster

    00:53:23 - Wrap-up

    If you installed or upgraded LiteLLM on or after March 24, 2026 without a pinned version, stop what you're doing and listen to this episode first.

    The story:

    https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/

    https://securitylabs.datadoghq.com/articles/litellm-compromised-pypi-teampcp-supply-chain-campaign/

    https://snyk.io/articles/poisoned-security-scanner-backdooring-litellm/

    https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign

    https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/

    https://www.upwind.io/feed/litellm-pypi-supply-chain-attack-malicious-release

    https://docs.litellm.ai/blog/security-update-march-2026

    https://www.helpnetsecurity.com/2026/03/25/teampcp-supply-chain-attacks/

    https://www.darktrace.com/resources/the-cisos-guide-to-cyber-ai

    Resources:

    https://www.stopransomware.com

    https://www.cisa.gov

    https://www.cve.org/

    56 m