Welcome to Cyber Security Today. This is the Week in Review edition for Friday May 28th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a minute Dinah Davis, Canadian-based vice-president of research and development for managed security provider Arctic Wolf, will join me in a discussion. But first a look at some highlights of the past seven days:
Walmart has apologized to people around the world after someone sent racist new registration emails that appeared to come from the company. According to the Bleeping Computer news service, Walmart said the attacker was able to do this by creating false Walmart accounts. The company is now updating the account sign-up process to ensure this doesn’t happen again.
Air India is trying to notify 4.5 million passengers around the world that their personal information was copied by cyber attackers. This is the result of the compromise revealed earlier this year of a company called SITA, which processes data for a number of airlines.
A Michigan man is awaiting sentencing after admitting he hacked the employee databases of the University of Pittsburgh Medical Center eight years ago and copied data on 65,000 staff members. Then he sold it to other crooks, who filed false tax returns to get hundreds of thousands of dollars in tax refunds. That money was converted into Amazon gift cards for buying merchandise. Separately, the accused stole and sold nearly 90,000 other sets of personally identifiable information in cyber attacks.
Finally, a Russian national has been sent to jail for two and a half years by an American judge for operating a website that hosted over 24,000 online stores for selling stolen personally identifiable information. He was arrested after flying to New York from Russia. The sentence includes the 15 months he has already served behind bars.
(The following is an edited transcript of my talk with Dinah Davis. To hear the full conversation, play the podcast.)
Howard: Today we’re going to talk about a controversial way of fighting ransomware: the practice by some cybersecurity companies of giving away free ransomware decryptor software to victim organizations. That way they don’t have to pay for data decryption keys. Now, not all ransomware strains have been cracked, so not all of them have decryptors. But it sounds like a generous strategy. Tell us why some experts object.
Dinah: I think it’s always good to start with an example and really take a look at the pros and cons of whether or not you should share the decryptors. If we look at a specific example, on January 11th of this year, a security company called Bitdefender said it was very happy to announce that they had a decryptor for the ransomware that the group known as Darkside was using to extort victims.
Remember, Darkside is the group that was responsible for the Colonial Pipeline attack just two weeks ago. So at first this [decryptor announcement] looks like a very nice and generous thing for the company to do, but what are the implications? They posted the decryptor on their website for victims to download, but guess who else can download it? Darkside. And within 24 hours they were able to reverse engineer the decryptor, find the bug in their system and then fix it. So any time they were now sending out ransoms, it used the new software and the decryptor didn’t work anymore. They even left a little note for Bitdefender on their dark web blog saying ‘Special thanks to Bitdefender for helping us fix our issues.’
A big question is, if Bitdefender had not posted that [decryptor], would Colonial Pipeline have been able to use the decryptor? Two researchers also had decryptors for Darkside. And instead of publishing it, they were quietly helping victims decrypt their data without paying the ransom. So there are two sides of the equation: Some experts say once a decryptor has been found, it should not be publicly shared, so that hackers can’t fix the bug. You should just quietly go help the victims. Bitdefender, in their defense, said they decided to publish the tool because most victims who fall for ransomware do not have the right connection with ransomware support groups and won’t know where to ask for help, unless they can learn about the existence of the tools from media reports or with a simple search.
So it’s a tough call.
Howard: And the reason why we’re discussing this is that last week there was a big article on the MIT (Massachusetts Institute of Technology) blog, where two researchers discussed this and came out rather critical of organizations that release decryptors. So what’s your position on this?
Dinah: This is a tough, tough call. Making the decryptor readily available by default for anyone is also making it available to hackers. That may not be the best approach. But the problem with keeping it completely quiet is non-tech people don’t always know how to reach out to the security researchers that might have it. I think what we must do as security professionals is think about the victims first in every single case. That might mean in some cases that we do make the decryptor available. And other times we keep it more close to the vest and still help as many people as possible. But who gets to decide when to share and when to keep it quiet? This might be an interesting place for governments to step in.
Dinah: You know, for example, if NIST (the U.S. National Institute of Standards and Technology) or the CSE (Canadian Security Establishment, Canada’s electronic spy agency) had a ransomware decryptor tool, maybe they could have a portal where you could get that. But you need to have strong authentication to download them, so they know who’s downloaded the decryptors. It’s not perfect because there are ways that hackers can still get it, but it’s harder.
Howard: It’s not only vendors who offer decryptors. There’s a site called ‘nomoreransom.org’, supported by the European Cyber Crime Centre, Kaspersky and McAfee, which offers decryption keys as well as advice on how to protect against ransomware. It has keys for about 100 strains of ransomware. There’s also a group of researchers called ID Ransomware, who run a site where victims can upload encrypted files and find out what strain they’ve been hit with. And it also lets them know if there’s a way to decrypt the files.
This debate has got me wondering: is publicly offering a decryptor any different from security vendors offering indicators of compromise for malware?
Dinah: I think it’s slightly different, because the indicators of compromise are how those pieces of malware get into the system. So if we’re sharing those indicators of compromise, that means if [a hacker] is going in that way, then [after fixing the IoC] they have to do a lot of work to find another way in. Sharing the decryptor is basically just showing the hackers where a bug in their own code is, which is always going to be a lot easier to fix than figuring out another way into a system.
Howard: A Canadian official that I talked to from Check Point Software on this pro- and anti-decryptor debate made a couple of points. For some organizations, like hospitals and health service providers, decryptors are literally life and death. Encrypted data means medical personnel can’t see patient records and lab work. His other point, though, was, if you release decryptors and you’re forcing ransomware gangs to constantly look for the problems in their code, that increases the cost of this malware to the bad guys, and they have to spend time and money to keep fixing their software — which, one way of looking at it, is a good thing.
Dinah: Yeah, but how long did it take Darkside to do it? A day? In some cases that might really make them work at it, and in other cases they patch it in a day and keep on going.
Howard: I also talked to a threat researcher at Emsisoft who said there may be an argument that some decryptors should be made public, for example if a particular strain of ransomware is spreading wildly and causing lots of harm, while it might be better to keep word about other decryptors limited to incident response firms and law enforcement. On the other hand, the disadvantage is not all victim companies are going to be asking for help.
Dinah: This is where I go back to what’s the best thing for the victim. So let’s say we have another worldwide attack like we had with WannaCry or NotPetya. In those cases, you know, the ransomware was propagating from computer to computer without the help of the attackers. So a decryptor would continue to work for many, many, many victims. In those cases where it’s happening really, really quickly and a vast amount of people are affected, I think releasing decryptors right away is absolutely the thing you should do.
Howard: To put some perspective on this, a recent report from Check Point Software said that since the beginning of April its researchers have seen an average of over 1,000 organizations being impacted by ransomware every week. I take it ‘impacted’ means there’s either a successful or unsuccessful attempt.
By far, the biggest sector hit is healthcare followed by utilities, the insurance industry, law firms, software companies, manufacturing firms, and internet and managed service providers.
Dinah: Hackers are always going to go after the victim who will feel the most pressure to pay. And so healthcare, utilities, insurance, and law, they all have time-critical services for their customers that can result in very serious damage for their customers. So they’re always going to be really motivated to find a solution as quickly as possible. And the other thing to note here, though, is, you know, while we think corporations are the only victims, many individuals are also ransomed. In fact, a friend recently reached out to me asking for help because her father had all of his digital pictures encrypted. I pointed them to some of the decryptor sites but nothing ended up working for him. He actually paid the ransom and got the decryptor … about $200.
Howard: There’s a perfect example – he didn’t have a good backup. It sounds like the backup was [always] connected to his computer, so he could back up live. So the lesson, not only for businesses but also for individuals, is you need a disconnected backup that is separate from your computer. So if somebody hits you with ransomware, they don’t automatically get the connected backup.
One other thing that a lot of experts who I talked to say is many ransomware attacks can be prevented if chief executives and IT leaders invest in training of employees and technology, and they buy or use technology like multifactor authentication, anti-phishing software linked to the corporate email system and anti-ransomware solutions.
Dinah: Those things are all really important, but as always, security training is something that every single company should be doing right now, along with other security practices. When you buy or build a security awareness program, the number one thing you need to make sure of is that you have current content. We know that annual training quickly becomes obsolete because the security world is just constantly changing. Companies must keep their employees’ knowledge sharp through ongoing education. You don’t want to just have it once a year, because within a few weeks people usually forget things.
Second, make sure you have low administrative overhead. If you’re choosing an [awareness training] system and you don’t have a lot of time to manage it, you might want to look at something that’s fully managed. If you have the time and the people, then you could totally roll your own. And then this one is key to me: You want to focus on employee engagement. There are several common issues with employee engagement in security awareness training: One is low employee participation — employees lose interest in the training because it’s boring. And they also just forget what they’ve learned. It’s always difficult to achieve that hundred per cent employee participation, but it doesn’t help that many security awareness solutions seem almost designed to discourage participation. Make sure it’s easy to access the lessons. Don’t ask employees to sit through the same session they sat through six months ago as a refresher, because now they’re really gonna just tune out entirely. Microlearning has really been shown to be something that works well. Break content up into small, frequent, engaging lessons.
And make sure you’re measuring the right things … Security awareness efforts should be judged on the measurable reductions in intrusions and breaches and damage, not how compliant you are with your SOC 2 or your other IMS controls. Only when programs become result-oriented do organizations develop a culture of actual security.