Welcome to Cyber Security Today. This is the Week In Review edition for Friday July 16th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
My guest commentator this week is Terry Cutler, head of Montreal’s Cyology Labs. We’ll be talking about how ransomware continues to be one of the biggest worries of cybersecurity teams. But first a brief look at major stories from the past seven days:
Speculation continues over why the REvil ransomware gang was knocked offline this week. The support, payment and data theft websites of the Russian-based ransomware-as-a-service operation suddenly became unavailable. Terry and I will discuss theories of whodunit.
Ransomware attacks continue. SonicWall issued an urgent bulletin Wednesday warning IT administrators of an imminent ransomware campaign targeting certain end-of-life and unpatched versions of its Secure Mobile Access and Secure Remote Access devices. These devices have to be patched or upgraded. This is particularly worrisome because devices like this help approved people access IT networks.
Global insurance company CNA Insurance finally figured out whose personal data was copied by hackers in a March ransomware attack. Last week the company began sending notices to victims.
In the last year, the average weekly number of ransomware attacks increased 93 percent, according to a new report from researchers at Check Point Software. As cyber attacks continue to rise, Check Point warns that ransomware attacks often don’t start with ransomware, so it’s important to take extra precautions to protect your organization.
Meanwhile the head of the international police co-operative known as Interpol warned ransomware attacks are increasing so fast ransomware will become a pandemic unless governments and cybersecurity companies work more closely.
Finally, some good news to report: Authorities in Spain arrested 16 people allegedly connected to two cybercrime groups there. However, security researchers at Kaspersky believe the creators of the malware they use are based in Brazil.
(The following is a condensed transcript of my conversation with Terry Cutler. To hear the full discussion, play the podcast.)
Howard: Once again the main topic of the week is ransomware. And that’s because of the mysterious disappearance of the REvil websites from the dark web. No government intelligence or law enforcement agency has taken credit — unlike in February, when authorities in the U.S., Canada, the U.K. and other countries proudly and loudly took credit for taking down the Emotet botnet. After the Colonial Pipeline attack, U.S. president Joe Biden warned Russia to stop allowing groups based there to launch cyber attacks. That warning was repeated last week after the Kaseya attack. So, Terry, did Russia quietly pass the word to REvil to disappear for a while?
Terry: It’s an interesting question. And the timing is actually very interesting, too, because REvil took control of Kaseya software and attacked 1,500 companies. And it just so happens that Biden had a meeting with Putin to try and stop this gang … I’m pretty sure that the Russian government had a word with these guys to shut them down, but at the same time, maybe this gang made too much money and it was going to shut down but rebrand at a later point … But, it’s still speculation: Was it that this group really shut itself down and it’s just going to rebrand once there’s less heat, or maybe reappear in smaller groups – you know, whatever it takes to make them less attractive.
Howard: Well, of course, it’s always possible that they took a look at their bank account and said, ‘You know what? We’ve made an awful lot of money. Why don’t we just retire?’
Terry: Yup. How would you like to make $90 million in three months? But I think the focus is going to be more on [making] supply chain attacks. I mean, think about it: The one-to-many ratio. You attack one company, wait for thousands of their customers to update their software and you can ransomware them all. So I think that’s what’s going to be a main focus [of ransomware groups] going forward …
I think the focus is also going to be for [victim] companies to be able to notify their customers in a more timely manner, and to ensure that companies do their [software security] updates. The patch management issue has always been a problem for many, many years. Maybe the IT guy is not aware of that vulnerability because he’s not trained in cybersecurity. So he would never have known to update some of these older firmwares, for example, like what’s happening with Sonicwall.
Howard: I’m glad you brought it up because, as I mentioned at the top of the podcast, Sonicwall warned administrators who use certain of its products that those products that are out of service and no longer supported, or certain products that have not been patched, may be vulnerable to a new ransomware campaign. And so I can’t emphasize enough to our listeners how important it is that in your organization you keep on top of patches that are issued by the manufacturers of all of your software and all of your hardware.
Terry: … I’ve seen a lot of cases – and I’ve had this happen to me, too – where we update the firmware of a firewall and it wiped out the whole configuration of the system. And now we need maybe the backups, and to restore the backup properly. And the restore is not functioning. We don’t have all those rules written down anywhere, or the former IT guy didn’t write them down. So it wipes out the config. Now they’re starting all over, or it actually renders the device useless because the firmware malfunctioned. So it’s a big deal when you’re updating the firmware.
Howard: And there’s also no excuse for an organization to run out-of-date software, or having out-of-date hardware … That’s just reckless.
Terry: Sometimes they have no choice … Maybe that manufacturer went out of business, so there’s no update to it. So they’re stuck with this legacy technology.
Howard: But they’re not stuck. They’ve got to buy replacement technology … Security is a cost of doing business.
I also recall recently some chatter on some Russian-based criminal forums that ransomware attacks are attracting too much heat. In fact there was a report an alleged REvil member was quoted as saying the group was trying to restrict the number of organizations that it would allow affiliates to attack. The implication is it would only go after what it thought were low-profile targets, and then, hopefully, American law enforcement groups wouldn’t go after them. Now, of course, that may be misinformation. I’m not sure that ransomware groups are holding off.
Terry: That could be a plausible idea, because imagine there’s a law enforcement group that’s [going after] the gang via an affiliate program. So they [the ransomware gang] want to limit affiliates to friends only … but at the same time they want to make money.
Howard: I remember that after the Colonial Pipeline attack [in the U.S.] all of the attention the Darkside group got from the U.S. government, and suddenly Darkside lost access to part of its infrastructure, and the funds from its payment server had disappeared. No one has taken credit for that attack. There has been speculation that the Darkside gang has disbanded. Other researchers say it’s still going.
Terry: I think what’s happened here is that when these high profile attacks are happening, that’s when the U. S. government and the military and all these guys get involved because they have access to [court] warrants. They’ve got relationships in foreign countries. So they’re going to leverage all of this to shut the gang down as quickly as possible.
Howard: There was an analysis by Positive Technologies of first-quarter cyber attacks this week. And it found that ransomware was the malware most often used by attackers during this period. It also noticed that there are several new strains of ransomware being distributed. Perhaps that’s a sign that some groups really aren’t afraid of attracting the attention of police.
Terry: It’s so easy to become a cybercriminal today. I can just go and get myself a ransomware kit. It’ll cost me three grand. And it comes with 24 by 7, 365 [day] tech support by the cybercriminals – and even provides me a list of targets. And I just pay 75 per cent of the royalties to affiliates [to do the hacking]. I’m up and running in a short period of time.
Howard: And of course, the thing about ransomware is what the crook gets is cash. If you steal lists of credit cards, you steal lists of people’s dates of birth or their passport numbers you still have to monetize that.
Terry: And that’s why there are companies that say, ‘Oh, I’m too small. I’m not going to be a target.’ They don’t understand that data is equal to money to these guys. If you’ve got personal data, they want it. And they’re going to charge you for it.
Howard: You were a guest today on a webinar on cybersecurity. Can you tell us a bit about it?
Terry: It was on ransomware and should you pay. … A lot of companies are going to be stuck in a situation where they don’t want to pay, but if they don’t pay the business will go bankrupt because they don’t have access to their data. But [in the U.S.] with sanctions [forbidding companies from dealing with terrorist-related groups] incident response firms can’t necessarily help pay them. The OFAC [the U.S. Treasury Department’s Office of Foreign Assets Control] is starting to crack down on firms for helping companies negotiate and pay the ransom.
Howard: Insurance companies are getting increasingly concerned about the amount of money that they’re having to pay [for cyber attack damages], and especially the amount of money that they have to pay for ransomware attacks. And there’s sort of two sides of this thing: One is insurance companies have expertise in negotiating with ransomware groups, and the ransomware groups will often negotiate the payment. The other difficulty is ransomware groups know this, they like insurance companies to get involved, and it ends up being that, perhaps inadvertently, insurance companies are encouraging ransomware attacks.
Terry: What we’re going to see now is who will be insured. For example, if you’re not using multi-factor authentication, or you’re not using endpoint detection and response technology in your environment, they’re probably not even going to insure you because you’re too much of a high risk. And sometimes they won’t even re-insure you after a data breach, because it’s just so expensive for these guys to pay out the amounts.
What we’re seeing now is [threat groups] are going after sometimes an individual [or] employee saying, ‘Hey. I have access to your medical records. Here’s proof. I’m going to leak it unless you help convince your employer to pay that little tiny invoice that we sent them … for like 40 million bucks.’ They’re going after the end users now to pressure the employer to pay the bill.
Howard: Increasingly cyber insurers are taking this seriously. Last month they formed a company called CyberAcuView that they can each have a share in and participate in, dedicated to enhancing cyber risk mitigation efforts so they can share best practices and intelligence, and hopefully get their customers to improve cybersecurity. That lowers the risk. If the risk is lowered, they can lower the premiums.