Hello everyone. I hate to interrupt everyone who's having such a good time, but we have an exciting presentation. If everyone could just please come over here. First, I want to give a huge thank you to Dynalink for graciously hosting and sponsoring and making this event. Without them, this event wouldn't be. And an extra shout-out to Ari for making sure that everything is perfect, from arranging the entire hall and the parking, the valet parking, make sure that nothing is not taken care of. This is the eighth event that we have done. If anyone wants to get involved, sponsor, speak, please send me an email. We're building a community over here, and the help is much appreciated. The topic tonight is ransomware preparedness for MSP and IT teams, and we have a real expert on this topic, Michael Gorling. Michael has been presenting for very large audiences about this topic and is a very big expert. I'm sure everyone is going to enjoy and hear more. Michael? Okay, so a couple of words about myself. I was born in Russia. I migrated to Israel at eight years old. Around eight years ago I moved to US, Boston, and then around three years ago I moved to Jersey. I have three beautiful kids and even more beautiful wife, and I'm happy doing cybersecurity for 25 years, so it's quite a lot. I'm enjoying here to present to you guys and trying to give back to the community. I know that probably not everyone here are MSSPs, maybe not all of them are IT, so I'll try not to go too deep. I had a lot of very interesting world stories and engagements that will probably last for like three hours just talking about them. My goal is basically to share a bit of the latest experience with you, especially with the changes that are there with ransomware, with AI, a bit of mixing those two together, maybe sharing with you what can be done better. Morphosec is one of my companies that I founded 11 years ago, working from Ben-Gurion University with some of my fellow founders. We thought about an interesting way to fight ransomware and malware by using deception. We thought instead of chasing the attackers, let's basically cause them to chase after us. And while the attackers are looking to chase after something, we'll change it continuously. We'll basically create unpredictable attack surface. And it was very successful. Today we have around 7,000 customers. We have more than 9 million endpoints protected. It's a very successful business. Around a year ago, I also founded a boutique penetration testing incident response team company also here in New Jersey, and working on my next next endeavor, working on business email compromise stuff, just because I can, so why not? But yeah, we are talking about ransomware right now, so enough about myself. If you guys want any contacts, come to me after the lecture, I would love to share you any information you have. So we'll start a bit with some really statistics about the last year, what happens in this ransomware landscape. We'll continue with a couple of case studies of three customers that I selected in the past two, three months that are extremely interesting. They got hit, they were saved at different times, and then we'll talk about some of those, why do teams really fail in the first 30 minutes, what can be improved and what can be changed. So a bit of the statistics—ransomware is a business. There are a lot of criminal groups in Russia and China, and Korea that are extremely interested to get easy money. Ransomware as a Service is one thing. Ransom as a Service is definitely a business model that is like an emerging, let's say it like that. There are a lot of groups that are adopting Ransomware as a Service. Nevertheless, specifically groups that attack MSSPs are actually less Ransomware as a Service. I'll talk about SafePay, is one of those groups that actually doing everything. So what is a Ransomware as a Service? We'll cover in the next slide. But overall, it's a business. And even though during the past year there are less people that pay ransomware—they actually last by two percent to one percent, I don't remember exactly the statistics—but the payment themselves increased. It's businesses need to maintain themselves. And there are a couple of big big events. Mark and Spencer is a big big one. Ingram distributor is a big one, and there are many other big ones. I dealt with a small office of five or six people, law office, with very nice revenues, eventually paying $1.5 million for ransomware, so really significant. It's depending on how much you make. They look, they go over your documents that they exfiltrated, they learn about your revenues. They do not ask usually more than 10 percent or 15 percent. Today, the tier model really become advanced. At some point, let's say a couple of years ago, there was like encryption extra, then there was the double, the exfiltration, let's threaten our customers. Then they added services in which let's report to the SEC and the regulation entities about you. Today, the Ransom as a Service specifically like Killing for example, one of the groups—those are some of the dark web kind of advertisements that the Ransomware as a Service are doing, a lot of them in Russian, obviously. They are even doing law services. Basically, they go over your documents, they find out what are your customers, they call to your customers saying about the fact that you were infected. So they really pressure you from any possible way. And they even provide you a tier module in which you can pay for not exfiltrating. You can pay for us not entering again into your environment. You can pay us to tell you how we got into your environment, and there's really a lot of very interesting tiers for that process. The model is interesting at their Ransomware as a Service: they take around between 10 to 20% of the ransom payment, while the other workers, let's say access brokers, initial access, those that are doing the lateral movement, those that got the credentials, etc., they're getting more than most of the payments. Some of the services, Ransomware as a Service, for example Pay2Key is Iranian, they actually do reduce their percentage if they find out that the victim supports Iranian regime or against Israel. So there are actually this kind of things even there. So they work 24/7, they provide support. There's a negotiation, really advanced stuff. I had around two weeks ago a customer that found out that he was ransomware, but he didn't have a single encryption. So it actually was notified by different people that his data was exfiltrated and he's on the wall of shame. There is an increasing trend of just exfiltrating information, not doing any impact on the environment, and you'll find out somewhere in six months or four months or five months that, "Hey, your environment was actually exfiltrated," which is very much damaging because you have no clue how they got in. You don't have the forensic evidence to find out how they. So it becomes extremely challenging, and therefore the need for continuously validating your security posture. This is a great example for one of my customers. This one had around, if I'm not mistaken, around $160 million in revenue. Annual revenue. So we're talking about an average ransom of $2 million if it would be succeeded. We prevented that early enough with our solution, but the interesting again point, how the attackers went into the environment. There's an increasing trend right now. A while ago there was a social engineering, people were sending in emails and trying to convince people to click on those. It still happens quite a lot, but right now there is an increasing trend to connect you through Teams. There's a lot of move to the Microsoft shop. A lot of people, organizations have Teams, have Microsoft for communication, and there's misconfigurations in which external people can communicate over Teams and connect with your employees. Yeah, application Teams, yeah, Microsoft application Teams, and it's become a very much significant vector for many of the ransomware groups today. This customer specifically, they had four employees contacted over Teams, and in this case the attacker impersonated IT help desk, basically saying, "You have an issue, we want to reset whatever, give us access." Now many of those environments have also the building Quick Assist. You are familiar with what is Quick Assist? Yeah, by the way, anyone here experienced ransomware? I know that there are some, okay, there is a high probability there's actually more than 50 percent people that experience it this way or that way. Some people maybe more, some people experience it twice in the same organization. So in this case there were four employees that were basically contacted by the adversary. Two didn't respond. One actually responded, decided not to enable the Quick Assist, and only one that eventually enabled Quick Assist, and this guy basically installed the ScreenConnect RMM. The ScreenConnect is popular use, but it's also popular use for the attackers as well. So obviously you want to know what your customers use: Are they using AnyDesk? Are they using ScreenConnect? Are they using anything like anything else? And this was a very interesting case in which the attackers basically implanted more than three backdoors. Now why? What is backdoor? What is essentially backdoor? When people think about Cobalt Strike or Metasploit as a backdoor, this is one way of a backdoor. This is still thing-in-memory backdoor. Whoever knows what is Cobalt Strike Metasploit, okay, it's quite advanced framework. But again, why do you need backdoors? Backdoors because, I mean, there are proactive IT teams that identify that there are some EDR events that notify you, and you do some isolation, you close some holes in the firewall, you disable some accounts, so you need a way to get in. And they are smart. They're not leaving one way in, they are leaving three ways in, so that they still can continue communicate while you are trying to disable them. And almost always, my experience fighting—and I'm doing it every week—is that you are in the environment while they are also in the same environment. So you're basically chasing who's first in a way, and there are a lot of issues there. How customers are trying to recover and renew. We'll talk about that, all the failures to do that the wrong way. This customer had those three backdoors, and one of the backdoors was ScreenConnect itself. Another was Node.js that basically the attacker could install Node.js somewhere in one of the servers as a package, including with vulnerable packages, so that it can connect even if the outbound will be closed, the inbound. And they still can leverage the vulnerability to get in. And there was also a portable Java, which I didn't see for a while because people are not using that anymore, at least attackers. But yeah, I found that it was just a couple of weeks ago. And all of them were trying to communicate through different proxies to the C2. That's interesting. How you find that? This is part of the incident response. How do you do this? Incident response, so you need a lot of forensic. You go over system logs, you go over profiles, you go where we build a timeline. You find authentication against the active directory. You take the remote, the remote connection terminal connection. You build a map. This is part of the incident response, because the attacker doesn't just work within his region of his endpoint, it communicates with other endpoints, it tries to be stilted. There are ways to find it out. When is it game over? When he already encrypted everything, tampered with the evidence, and this is bad. But usually during the event, if you catch it like in the middle, you have a lot of evidence, and you can hope that the customer has good enough security posture and he has big enough security log that doesn't override itself all the time. I find crazy stuff in the customer environments that think that they have the best security, but forget to audit and write down the events. Yeah, so here overall, if you are talking about an impact that was avoided, there was no encryption, we cut it in time. There was a little exfiltration through Azure Copy. And by the way, Azure Copy is the leading exfiltration today. There was a while ago, attackers were using Mega Upload as a way out. Obviously, a lot of organizations understood that it's not really legit. Let's find something more legit. So attackers are basically compromising, are using different credentials, basically creating their free Azure, whatever. They're creating those blobs. And then the exfiltration is done through a legitimate tool of Azure Copy. Now, this is a problem because a lot of organizations are using Azure Copy for backup and recovery, so it's really hard to identify exfiltration at this point. There are different techniques, but this is why they use it. There was a minimal exfiltration of a couple of users through Azure Copy. There was no impact of encryption or big exfiltration of PII. The biggest impact on ransomware is the business disruption. It's not the payment. The payment would be here $2 million, but if you count the revenue, annual revenue of a business, split it and see what is the five days of revenue that they lost, because this is the average time a business is not operable when the ransomware hits. There are cases like Mark and Spencer, they've been out two and a half months out, but really five days is normal. So you talk about like $4 million in this case or around $8 million with legislation, with additional impacts that are the hours of the IT, etc. It's normal for this size of organization. This one was a bit different case, we blocked it early enough, but again there was an impersonation from Teams again. Same case, this was just around two or three months ago, commercial or development company, a bit smaller in the revenue, around $60 million to $100 million, something like that. This is, for my sake, a relatively small company. We are working with companies of $1 billion, $2 billion revenues. This is a small company for me specifically. So this small company being attacked with a very very advanced vulnerable Notepad++ vulnerability. So there was a while ago, a couple of months ago, there were found a vulnerability in which you can run through Notepad and elevate the system, so they actually dropped this package to try and elevate the system, and then they dropped a novel Malware as a Service, it's called Matanbuchus 3. It's again, not Ransom as a Service, Malware as a Service, specifically Loader as a Service. Also very interesting business. We can talk about that for hours. But we worked with the FBI in this case, the Seattle agent that helped us basically to work with the customer and elevate some of the evidence forward. So, in this case, I would say the impact would be around $4 million if they would be fully exfiltrated and encrypted. This is a bigger company, one of the largest loan servicers. They do your loan outside of the house in in US, a Fortune 500 company, around $1.5 billion dollar revenue. Five days of loss operation will be at least $10 million dollars, I would suppose much more. In this case, we are talking about a full exfiltration, successful exfiltration of information, Wall of Shame. In this case, we prevented the encryption itself, so the business wasn't interrupted. There were only a couple of files encrypted, so the business was back to operation. But the exfiltration was impactful, brand reputation, legislation, PII. Years after, according to the law of US, you can be sued for PII. So you need to provide monitoring services to your customers for tracking their credit and additional things. So the impact was significant. There were a lot of work for the IT. We're talking about around $135,000 of just hours for the IT and then some response just to identify what was exfiltrated, to try and download it, to try and map that, to try and find out how the attackers went in. A lot of work has been done. And in average, we are talking about $150 per hour, more or less, for IT today. So if this is, we had an APAC companies as well, there's the cost is around $120 per hour. Bit cheaper. So cost of labor is quite expensive. So if it would be fully successful, the impact would be around $17 million. It's re-imaging all the workstations. The backup didn't work great. If it's a 6i compromise, in this case, there was a 6i compromise, then the damage is much more bigger. I tried to minimize the number of stories because I have many, and I wanted to talk a bit about the AI stuff. Okay, because, I mean, it's right now very trendy, it's very cool and everyone try to use the AI to increase productivity. It does increase productivity. I integrated AI in all my companies, and increased productivity by 30 percent in average. It increases productivity, it works great, but it is a huge attack surface because today the productivity goes first. Actually Microsoft started to sell Copilot before they developed security for Copilot, and only after that they invested around $30 billion dollars to try and secure Copilot, which kind of goes well right now after a while, but it's still not secure. I mean, there is a new attack vector: prompt injections and everything around prompt injection. But there's much more than prompt injection because when we are talking about the AI security, we're not just talking about how do you abuse the AI to get in, but also we are concerned that our employees will share the secrets of the company, your PII, will be shared, exposed. We all know that all the major companies, whether this is the OpenAI, the Google, and everyone else are sharing their info with the authorities, and if needed, your information will be exposed whether you want it or not. It means they save the information. This information is saved for forensic and audit. Which means that it can be compromised and utilized. But all this is nice and interesting. The bigger concern is at what stage will this AI be manipulated automatically by the malware, by the ransomware? Because attackers were using AI for the last two years to improve their delivery, their social engineering. The mails are almost without, you almost don't find errors. It's very trustworthy. People are falling those traps. The social engineering is easy, right? With the AI, there is video impersonation, image. You just go to ChatGPT, there's some African guy from Africa, and ask you, "Please provide me an email that sends whatever". A while ago, I don't know if you guys, some of you are relatively young, but if you guys analyze phishing emails seven years ago, it would have a lot of obvious mistakes. So you could even develop your email security to identify those mistakes. Today email security is having a huge problem, even with the integration of AI, they still cannot identify, because even normal emails right now utilize the AI the same way. So what is normal, what is not normal, it's a big problem. So the paradigm shift is serious because you cannot identify emails today, really real emails, if they are fished. So you need to look at the sources where it comes from, is it signed, is it not signed? How many of companies will start to use signing of emails, really like encryption, and there are solutions but no one uses them, unfortunately. Well, imagine you are sending an attachment through your email, it will be blocked automatically by any of the content disarming solutions, whether this is Checkpoint or any application firewalls, etc., right? You want your user to download it as if it comes from inbound, right, inside, better outbound, this is the right word. They click, they download, they want, right? Because, I mean, if you stop your users to download from HTTPS protocols then you have a disruption of your business, it's a serious issue. So they know that you are allowed to go over to HTTPS and HTTP to download stuff, so they cause the user to download those things. This was a while ago, this was a while ago, there is no like a good phishing doesn't go with low reputation URLs. They go from compromised URLs, they go from URLs that you trust, they go from AWS or Amazon SNS or all those services that you cannot block because your business uses them. So there are ways obviously today. What they send you some very popular right now is sending you a link which looks like a SharePoint but it's not really a SharePoint, it's really long link and you're used for long links because like authentication token that somehow is striving inside the URL, but really at the end it's some kind of executable or something that you download. Or for MFA, they call, do something in the middle, right, Man-in-the-Middle or Attack-in-the-Middle, so they listen. So you basically authenticate something like, let's say you have a DocuSign. There are a lot of similar services. They are open to send links, you cannot block that because you use it all the time. Attackers, they'll do the same. They send your links or that and that's it, right? Very popular. There are so many ways, really. Less and less popular. I'll tell you when one of my business email compromise that I analyzed just a couple of months ago, there was an email that was compromised by the CEO—not the CEO, sorry, this was a different business email compromise. This business email compromise, there was someone that approves vendor invoices, so his email was compromised. And the attack learned that this guy approves vendor invoices for Netflix and a couple of others. So they created cybersquatting like Net instead of Netflix, Net with one X or whatever, and they send to themselves the email to the guy that was compromised and approved it and went by changing the account. So now the BEC was successful because the company was paying to the right Netflix and the one that needed to validate that it's legit was compromised. Kind of stuff happens a lot, yes. This is something that is increasing in popularity right now. Very very challenging to differentiate. The 'a' and the 'i' is very similar, the 'r' and 'n' which becomes 'm' which is very very popular as well. There are very cool other stuff. But back to AI in malware, because this is the real risk. There are first indications, there are first reports by numbers of companies, Asset from East Europe, Anthropic, Google as well, that there's new indicators that the malware itself incorporates AI. Now it's not easy because really how do you incorporate AI inside the model? AI model really, AI model is around five gigabytes that you need to download with all the, it's heavy. But it goes downstream and slowly the model size reduces. There was a case in which there was a ransomware with the model of five gigabytes by Meta, Facebook model LLaMA it's called. They dropped in and the model said to the agent, the AI agent, "Go and encrypt the files but in unpredictable ways". Now if you look on all, most of the EDRs today, they look at predictability: How do you encrypt files one by one, folder by folder, subfolder, and at some point they identify that too many folders are encrypted, done. But when you use AI, it becomes unpredictable because you don't need to maintain the same predictability, right? It crashed exactly, exactly, no connection outside. So some people say it's a real stuff, some people say that it's someone that plays with it. But we basically downloaded a reversal and it's real. Is it really run on a real customer? We don't know, but it real, it works. It really works. So it works to the point in which I decided I create one of my own and it works as well, just for fun. You don't have to download the model. You can work with an external model, but then you can be blocked and you are dependent on the internet connection, all kind of additional things like API which you need to pay, and then you can get back to you and cetera. Don't want to get into that, but it's really scary because there are articles that says that a model can get to 28 megabytes, and that's it. Now, five gigabytes is not a big deal. I saw a bypass in which they tried to bypass my solution and they dropped a VirtualBox which was around three gigabytes with Windows 7, and basically they encrypted the files by basically sharing into the VirtualBox the files and encrypting them from within. So they are doing this kind of stuff. There are a lot of very interesting things and the motivated attacker will succeed eventually. So it's all about time, how much time do you buy yourself, right? Do you have the right processes? Do you have people? We have the right solutions. Those are the three things: right tools, people, processes. I talked about Ransomware as a Service. I just wanted to mention very quickly this one is one of those groups that really likes MSSPs. How many of you are MSSPs, really? We have some, very few, very few. Okay, but it's fine. The biggest money distributor, Ingram Micro, but a lot of them use IT outsource. SafePay is there. The leading groups right now is Akira, Killing, and I think Club. I talked about initial access as an impersonation. Their initial access is impersonation. Someone calling you and saying, "I'm an IT help desk," and their initial access by someone calling the IT help desk impersonating an employee and basically convincing them to set up your credentials, what lapses, right? So we're talking about the MGM, the big exploitations. This is exactly that. This is actually the group. They do that. They basically target the IT help desks, those that lead, and they impersonate the regular employee and ask to reset the MFA, to reset the password, to reset whatever it is. And then they get that entry into the environment. And this works well for them. They also work with insiders. It's also happened. I don't know how much you know about insiders, but there are a lot of dark web posts for insiders that the attackers are sharing profits with them. And there are a lot of insiders in US unfortunately. There were around a month ago there were two known penetration testers that were found as insiders that were doing activity on their customers and were sharing the credentials to the attackers, and the attackers were coming in into those networks with the same credentials and encrypting those networks. And they were arrested just a couple of weeks ago, fortunately. But they are not alone. Thankfully, it's not me. But, yeah, this is a problem. It's a challenging problem, right? Because who else can you trust, right? You don't have the inner expertise most of the time. You want those really expert guys, but can you trust them? It's all about trust. Again, we're talking about the full, this is not the Ransom as a Service that they've done exactly like an MGM, in Ingram Micro, they went in, they implanted, they used FileZilla and Rclone to exfiltrate and done the full encryption. They used DragonForce, was also one of the Ransomware as a Service. I will probably not tell you a lot, but still. Okay, let's talk, let's see how much time do I have. I have a couple of minutes. So, why teams crash in the first 30 minutes? Most of ransomware attacks that I investigated usually happened on the weekends. You know why? Right, so response time slow. They have enough time to operate. Today there are different reports that say that they can laterally move from initial access to crown jewels within 18 minutes. I don't know how much is it true. I've done it a couple of times because some of the customers had vulnerabilities. I just shared with one of the guys, I've done penetration testing a week ago, and the guy had a certificate template vulnerabilities. I don't know if you know how do you manage certificates in your organization? You have a certificate authority, and people don't know how to deploy it correctly. So if you know the vulnerability you can impersonate a domain administrator and gather its credentials by basically because of this certificate authority vulnerability, and it took me two minutes to do that. But in average, I don't think that 18 minutes is really normal, but a day is definitely enough. A day or two days is enough to compromise the whole organization. One of the things that I find a lot is that the organization have a great security posture, have great tools, have great processes, and have a lousy SOC. The SOC communicates with the customer a week after saying, "Hey, you have a risk," but it's already a done deal, right? No one listens to the guardrails, to the EDRs that say something. I dealt with an incident just a time ago, an Israeli company fully popped out, popped in through SonicWall. They had a cloud backup on, exposed, the management was a console was exposed to everyone else and still vulnerable, by the way, it didn't it doesn't have a patch. So if you do not isolate your management for the backup of SonicWall, then you are vulnerable. And they went in and basically went to the NAS itself that used for the backups, the network storage, and encrypted all the endpoints from the NAS backward, and they had SentinelOne, a lot of alerts, a lot of notifications, zero prevention, because all the encryption was remote, not on the endpoints themselves. So the organization was done, they needed to recover everything. Had plenty of notifications, a lot of alerts that you cannot do anything with them, right? This is just one of those examples. Now, I had other organizations that had a month before some kind of notification on Azure Copy, and then a week before additional notification on something. They didn't do anything, and then comes the weekend, you have full encryption. So really how do you handle your events is serious. I did want to mention improper containment. I see that all the time for organizations, whether it's MSP or not. People that suffer from ransomware the first time, they don't know what to do. Most of them didn't do a proper tabletop exercises. How many of you know what is tabletop exercise? Not a lot, not a lot. Tabletop exercise is when you basically practice this event of a ransomware. You understand whom do you call, who answers what, who is doing what? This is a tabletop exercise. And I'm sure that you know there are much more beyond that, but really you need to be ready for this event. And what happens time after time, the customer gets into panic, he had some kind of encryption. He shut down everything. As soon as they shut down these machines, people don't understand because they are not forensic experts, you lose all the forensic evidence. You shut down the machine, all the temporary forensic evidence goes away. You need to isolate the machine, yes, you don't need to shut down the machines. And some of those things that when you learn how to handle ransomware you learn how not to shut down machines. And the difference is that I'm as an incident response I get into the picture, I try to help you. You shut down your machines, it will take you much more time. It will take you much more time to recover from the incident. You want to recover fast and this is critical. You need to be ready. Are you using the same channel of communication, your Teams, when your Microsoft is popped? No, you need to have a back channel communication. You need to know how do you communicate with your employees. No, don't. So you are like, "Okay, I'm encrypted, I cannot use my Teams. What do I use?" Are my guys know what to use? They don't know. We didn't agree on something, on anything, right? So this kind of agreements are important, because I mean those are just some of the things that you will experience when you have a ransomware. So all those miscommunications, who decides if it's an incident or not? You had some of those events coming from your EDR. Your SOC notified you that there's a problem on your server. Do you right now start a full incident mode? Do you call your guys, your employees to start working 24/7? Who decides on that? Do you have some decision making? Those are important things to have. You need to have an incident response plan, disaster recovery plan in place. Obviously, if not, you are not a dentist's office for five employees. But, hey, it could be much worse. Tools underutilization. I find that a lot. Companies and obviously I love companies that buy my tool, please buy it. Companies buy a lot of tools and they trust that those tools will save them. As a result, what I find is most of the tools are underutilized. They have those tools and they don't do the stuff that they can do with those tools. They do not configure proper SIEM to proper work playbooks to do something if something happens, right? They do not operate on the agents, like for example if there isn't a case, let's do blocking mode. That's maybe it's an audit. Okay, so I have notification. A lot of really crazy stuff. And I'll finish. This is my view of a proper security tool stack. I think you have to have perimeter security, platform security. You have to have some SIEM information, monitoring of your audit events. Endpoint security is important. Most of the U.S. industry already adopted EDRs. It's especially important when there is an incident. And you want to respond to the incident, you want to understand what kind of events happened within your environment, what was exfiltrated. And you have to have anti-ransomware solution. And here I'm selling kind of my son—I'm not trying to sell you, I'm joking—but this is what I do, right? This is anti-ransomware and this is exactly what they do. That's about it. I'm exactly at time. Hope you enjoyed it. Please come, happy to have a discussion with the show on a few. Thank you very much, Michael. Chris has a small presentation that I'm sure you'll enjoy. All right. Hello. This is who we are. We are Dynalink Communications, the only phone company you'll ever need. You'll see that, you'll get used to it. This is who we are. So who are we? Anybody know who we are? Who knows who we are? Anybody? You do? Who are we? There you go, the only phone company you'll ever need. See, he already learns things. All right, so who are we? We're a switchless reseller who provide top-tier customer service and support. We are now celebrating 20 years in business. That's a long time. Isn't that awesome? 20 years. And when I started, I had a lot more of this, and not everything was as gray. And I was thank Hirsch for pointing that out when I first saw him. He goes, "Wow, you got white." Yeah, that's what I should have done. I should have got a yarmulke. I should convert. I think I'm going to convert. All right, so here's something cool: most of our employees, one of the things that separates us from a lot of companies, most of our employees have been with us 10 to 15 years. Where's the little guy? Little guy's right there. He's been with us for 18 years. I don't know why, but we keep him anyway. Okay. Wouldn't it be really cool to talk to the same person every single year? How many times you get a company and you're like, "Hi, I'm with this company," and then the next year you're with somebody else? Right? So you know that. All right. Customer service. Every customer gets an escalation list from the manager all the way up to COO and a dedicated account team. Our retention rates are 90% for all of our services. One thing too, I'm going to go very fast. They gave me 15 minutes. I don't want to keep you guys too long. So if you have any questions, just yell them out. Our people are the reason why your customers are going to stay with Dynalink. What do we offer? Oops, hold it, hold it, hold it. Went too fast, hit too many buttons. I am just too fast on this. There we go. Okay, this is everything we offer. Mobility, wireless service, POTS over wireless, IoT, data services, hosted, UCaaS or VoIP, whatever flavor you want to call it, and SIP, which is lowest pricing in the industry. See how pretty that is? All right, our SIP services. When I said lowest prices, this is dirt cheap. $149 SIP PRIs, $12 trunk. Fast installation. If you need something, you need to convert it into a PRI, you need to convert it into an analog. We have Grandstream, we have Adtran, okay? Great product, works fast. We can get them installed very, very quickly. UCaaS. Who knows what UCaaS is? Everybody knows what UCaaS is? No, that's hosted phone systems. That is a phone system over the internet. You can also put it on your phone, which is even cool too. Our UCaaS product is fully staffed 365. Everything is customizable. One thing you'll constantly hear from Dynalink, which is why we're the only phone company you'll ever need—see, you know that, you heard the line—it's because everything is customized for your customers, for your folks, for your people's needs. You want to this, this is what you want to have, because not everything fits in the same mold. All of our features are included in the basic plans: call recording, Microsoft integration, the whole gamut. And you get a mindset of installation. The best thing is Mendel has it. Where's Mendel? Mendel loves to talk on his phone constantly, and he takes it, he takes his UCaaS with him, so you can take it right on here through an app. Everybody loves apps, right? You like apps, we all have apps. Mendel has my integration linked right up, right? Perfect. It's perfectly synced. You like that? See, that's customer service. So this is our call center callback. So here's how, this is a really cool feature. You're on the phone, somebody, everybody's experienced this when they call customer service, right? The call drops, whether it's they've dropped you, you drop them, wherever the case may be, and you call back and what do you got to do? You got to explain to the exact same person the exact same thing. It happens all the time. Well, now announcing Dynacall. What's cool is when you call back that same customer service number, it goes right to the same person. How cool is that? Right now you don't explain anymore, because we are Dynalink, right? We're the only phone company you'll ever need. You know that because it's a simple feature, it's a simple programming thing, and these are one of the things that separate us from our company. That you will hold them so that they can't take another call, so they always have a down period, whether it be a minute, two minutes, three minutes, or we can have it specifically routed to that person, send it and say, "Hey, there's another call coming through," and then he can hand it off or they can sit on hold. And here's the beauty about it: It's customizable. Everything's customizable. The caller bypasses the main menu and goes right to the representative, okay? How is that for customer service? Sounds cool, right? Also, we got something even better, call transcripts. So, let's say you're a company and you want to find a specific call, you need something specific, you don't want to go through 100 calls. Let's say you got a customer service rep that's had 200 calls. What's cool is now you can use a search engine, find it, and listen to that specific call, right? How many times do you need it for security purposes? If somebody did something, you use it for training purposes. Or maybe somebody screwed up. You're like, "Hey, you screwed up. Let's go fix that." You can find the call. And here's what's cool: You can search keywords to improve customer service or sentiment analysis, which means for emotional tones. So when that person yells and screams at you, then you can say, "Oh, that's a bad call." And we can use that. You can all search the end of day for positive or negative tones, and you can use this for beating people up. Anybody want to beat people up? Look at Isaac, little guy. He's our muscle, okay? This feature will improve your customer service throughout coaching, trend spotting, and it's coming soon in quarter three. But it's actually here now, and this, you know, this is the first time I'm seeing this slide, so sorry about that. All right, White Label UCaaS, did you see that? It's right there. We absolutely use like Yealink. You know why we use them? Because we love Yealink, and we also have Grandstream. We do offer some other ones, but we primarily go with Yealink. I would trust them with my life. Yes, we trust Yealink. We've actually been using them for probably about 10 years. Yealink, if you look at it for people who have a lot of hair, you know, less hair like me, is that Yealink would be like Inter-Tel back about 20 years ago, where they were competing with Nortel and they were competing with Avaya. They had all the cool features, but they didn't have the name recognition. Now, Yealink has gotten that name recognition. So, why let carriers have all the fun with your White Label UCaaS? You could be your own carrier. How cool is that? So, you can utilize Dynacash. You can offer your own customer service, or you can have us do it for you. That means that you can be your own boss. You can set up your own system. You can set up your own company, and we can do everything for you, or you can do it yourself. You can send out your own bills, or let us send out the bills for you. Again, this is a true White Label experience. So, you have the Dynacash on it. They'll say your company name. Let's say your name is Bob's Telecom. Our customer service rep will answer the phone, "Hi, this is Bob's Telecom," and they'll service your customers for you. Or you can do it yourself. You tell us what you need, and we'll customize it for you. See, the customization kind of keeps coming back. Again, there's a million carriers out there, but there's only one Dynalink. Because, again, we're the only phone company you'll ever need. See, I know you said that. So you do it like that, and prices are starting as little as $5 a seat. So you can take this, and you can mark it up not just once, two, three, four times. Now, what are some of the benefits of actually doing this? The beauty of it is if you start selling White Label UCaaS, right away you start selling, you can achieve margins of 70, 80%. Again, if you need assistance, the beauty of it is you're not left in the dark. Our customer service is there 24/7. And if you really need help, we can send Mendel. He likes to travel. We'll just send him money in an Uber. But again, we're not going to leave you in alert. If you need something, our customer service is there 24/7. We can streamline every step of the billing cycle from quotes to invoices to payments. Everything is a fully automated system and accelerates the flow and increases overhead. Also, you offer our Dynacast service and receive residual every single month. That's the biggest thing is that you're selling the product for making 80%, and that to you is residual every single month. That's not even selling Dynalink products. This is making you your own company. Be your own boss. We also have mobility, which is cool too. That's this thing. Everybody knows about these. Why would I sell it? Simple. Your average customer spends two times more on their cell phones than their TDM costs. Wireless services have been dumped on the IT department because nobody wants to do it, right? You're in IT. You see that. Who wants to do a wireless? Nobody wants to do a wireless. It's a pain. No trouble tickets. The beauty of it is, it's your cell phone. Who calls it? Anybody call AT&T? Who called AT&T or Verizon? Oh, this is awesome. We can talk afterwards. But see, the beauty about this is that you never have, if you have a problem with the phone, what are you doing? You're calling Apple. You're not calling AT&T. Cell phone has turned into the most important means of communication. And you know what it is, there's only two companies. There's AT&T and Verizon. That's it. Really think about it. T-Mobile's trying to crack into it, but it's still AT&T and Verizon. So your competition with everything, with everything you do, IT, anything you have, think about it. Your competitors, there's only two of them. And they're the worst companies in the world. The service works, but ever call their customer service? It's horrible. Again, personalized attention. Each customer is assigned a representative to handle their needs. Also too, if you have customers that are not using this, wireless backup is phenomenal. You can use our router, you can buy your own router. Since a lot of you guys are IT people, sell your own router, we'll just send you the SIM. You have multiple locations, our plan starts at $10. I don't want to sell one $10 location, but it's got 10, 15 locations, we'll do it for $10. Excuse me? No, no, no, for the wireless backup, you'd use a router. You guys can sell the router for the company, oh yeah, absolutely. Yep, absolutely fixed wireless. We sell Verizon and AT&T. AT&T is $85, Verizon's the Verizon is $95, okay? That's the only difference between the two. Full selection of 5G routers. All right. Anybody who has POTS lines, you know they're going away. Copper's going bye-bye. Guess what? We have a POTS over wireless product. Starts as low as $38 bucks. That's dirt cheap. In New York, it's not as convenient, because in New York it's probably about $35, but there's no BS surcharge attached to it, and you get off copper, because you know if copper breaks, it's done. So why would you want to sell us? Fast and easy pricing, comes back in hours, not days. We'll generate a proposal for you. 95% of our business partners are partners from the direct side. Never have it in carry to deal with. It means you never have to pick up the phone and actually talk to AT&T or Verizon. And we also do cool events like this, right? So here are the ones that I recommend. Here are hot products: SIP, Mobility, Backup Wireless, and POTS over Wireless. These are the hot ones, these are the ones where your competition is the least. That's the beauty about it. Why deal with carriers that don't value relationships with customers? We're going to deal with a carrier that does. Welcome to Dynalink Communications, the only phone company you'll ever need. And that would be me.