Welcome to Cyber Security Today. This Week in Review for the week ending Friday, May 12, 2023. I’m Jim Love IT World Canada’s CIO, filling in for Howard this week. There’s usually a news roundup before we start the discussion but instead, David Shipley of New Brunswick’s Beauceron Security and I will just dive in.
 |
 |
 |
(The following is an edited transcript of part of the discussion. To hear the full talk play the podcast)
Last week the Ransomware Task Force had a second-anniversary webinar. It issued 48 recommendations for governments and technology and industry for the whole world to deter and disrupt the ransomware model. Howard’s story noted there are mixed signs of success. Is there progress, or is this just Groundhog Day?
David: This was progress. Let’s let’s rewind back to 2021. We had two of the most significant moments in IT cybersecurity history: The Colonial Pipeline [attack], which, just to refresh, carries a significant amount of the U.S. Northeast liquefied energy. For the better part of a week you had people panic buying gasoline in their cars with garbage bags — which by the way turns a sedan into an improvised explosive device. We had a massive massive risk on our society because of a reused [employee] password — but we’ll we’ll dive more into that. And then you had the near miss at JBS Meats, which produces a quarter-plus of the U.S. protein supply. So we almost couldn’t couldn’t drive our cars and there was almost no steaks in America. Those [ransomware attacks] were the tipping points. It wasn’t the hospitals. It wasn’t hacking government. It was, ‘Mess with gasoline and steak and you got the attention .. of the whole of government.’ All of a sudden the U.S. senior administration said, ‘Not one more inch. What are we going to do [is treat this] with the same seriousness that we treat terrorism.’ So all of a sudden they’re engaging civil society, they’re having these meetings they’re changing policy. They’re giving the kind of marching orders to the agencies like the FBI, U.S. Cyber Command and others that [ransomware’s] going to stop. And there were spectacular successes. There was the complete disruption of entire ransom gangs and the ending of their infrastructure.
Jim: How do how do you disrupt a ransomware gang?
David: Tons of fun to disrupt a ransomware gang. First, when they hit a victim there’s a trail to follow of the tooling the infrastructure, because remember ransomware-as-a-service is a thing. There’s still a backend to this, usually hosted in what we call a bulletproof country, a country that doesn’t have an extradition treaty et cetera. So you [the law enforcement or cybersecurity company] can see all this stuff. You trace their crummy little onion networks and you social engineer them: You scan for vulnerabilities, you hack the hackers and you know you gain access. [Sometimes] you can sit in there for three or six months. [U.S. authorities did that to dismantle the Hive ransomware infrastructure last year.] … And what’s really awesome is one of the key victories is if you can destroy the bonds of trust between these cybercriminal internal organizations. They don’t know who to trust and you wreck their affiliate network … You erode their entire business model.
Jim: REvil was one gang that was disrupted.
David: Exactly. But gangs are like little cockroaches. It’s hard to kill them. They just scatter about and then gather together and rebrand themselves as BlackCat 2.0 or whatever else. But when you smash their toys and force them to rebuild you’re changing the economics right now. This is a really good profitable business model. Hell, I have spent the last six years building a startup and ah you know we we’ve done a fraction of the business that Conti did. Conti was making $100 million before they imploded because of the Russia-Ukraine war. But now you [as countries] are raising the cost of it, making it harder to do. But until we change the fundamental aspect, money still flows into their pockets. The mixed results will remain until we blow up the business model [that relies on digital currency for ransomware payments].
…
There are two ways of looking at this There’s there’s a hard way: We make it illegal to pay ransoms. This is tricky. What If you banned a children’s hospital for paying the ransom but they’re gonna lose all their patient data on kids with cancer? Or this small business is done. There’s no way to recover their data. Are you willing to accept the casualty rate? I proposed to Canadian officials recently is make it mandatory that organizations have to [privately] register ransom payments with the federal government so we can start tracking the money-laundering, the money flows, with penalties if they don’t. That does two things: One, we get the visibility how much money this is actually costing? What’s the activity really like? And with significant finds they got to know that if they try and run under the radar the consequences are so significant it doesn’t make sense do it. Second, for those that feel it’s truly discretionary to pay, they’ll do the harder work and recover from the attack themselves.
