Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, April 19th, 2024. I’m Howard Solomon.
In a few minutes Jen Ellis, a member of the Ransomware Task Force, will be here to talk about the group’s recent report on what governments need to do before banning ransom payments. But first a look at some of the headlines from the past seven days:
Sophisticated cyber attacks aren’t new. But old-fashioned brute force credential attacks are still being used by threat actors. Researchers at Cisco Systems’ Talos threat intelligence service say brute force attacks have increased since March. The targets are wide and include virtual private network services, web application authentication interfaces and SSH services. IT leaders should make sure this type of attack is made difficult by having all employees use multifactor authentication and other defensive tactics to block brute-force logins.
Russia’s Sandworm cyber group has been upgraded to an advanced persistent threat actor by researchers at Mandiant. An arm of the Russian military, Sandworm is linked to the NotPetya data wiper that was aimed at Ukraine but escaped around the world, as well as cyber attacks in 2015 and 2016 on Ukraine’s energy grid. But Mandiant also warns this group has tools for collecting intelligence, spreading disinformation and sabotaging IT networks in any country to support Russia’s political aims.
Separately, Microsoft warned in a report that Russia has increased its anti-Ukraine disinformation messages to Americans online in the run-up to this year’s U.S. elections. This includes video commentary spread by websites that are covertly managed by Russia. The report also says China is in the game, using artificial intelligence applications to create videos and manipulated images.
At the same time the U.S. Director of National Intelligence issued an eight-page report on the latest tactics by Russia, China and Iran to undermine confidence in the upcoming U.S. elections through fake online personas on social media.
Organizations using SAP’s business applications continue to be targeted by threat actors. That’s according to researchers at Onapsis and Flashpoint. No doubt it’s because some of the biggest companies in the world use SAP software. How valuable is it to an attacker? The prices hackers are paying to buy a remote exploit for SAP applications increased 400 per cent in the past four years. What’s of concern is that many victims have SAP installations without the latest patches. IT staff in charge of patch management have been warned.
UnitedHealth, the American parent company of Change Healthcare, said in a regulatory filing that the first quarter cost of handling February’s ransomware attack came to US$872 million. The news service The Register notes that’s on top of perhaps as much as US$6 billion in advanced funding and interest-free loans UnitedHealth had to give many care providers using its services.
An arm of the United Nations has admitted being hit recently by ransomware. The UN Development Programme told the cybersecurity news service The Record that data on current and past employees was stolen from a server. The 8Base ransomware gang has taken credit for the attack. The same gang is taking credit for a ransomware attack on the Atlantic States Marine Fisheries Commission.
A cyber attack on New York state has disrupted work printing legislation and the upcoming budget.
A Michigan health care provider is notifying over 184,000 people their data was stolen last December. Cherry Street Services, which provides primary, dental, vision and other services, says data stolen included names, dates of birth, Social Security numbers, diagnosis and treatment information, health insurance information and more.
And the Roman Catholic Diocese of Phoenix, Arizona is notifying over 23,000 people, including those in the diocese’s employee benefits plan, that their data was stolen. In the incident, discovered in January, people’s names, addresses, dates of birth and Social Security numbers were copied.
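The brute-force item above ends with a recommendation to block brute-force logins. The following is an added example, not part of the podcast or of the Cisco Talos research it cites: a small detector that reads OpenSSH authentication log lines and flags any source address that exceeds a threshold of failed logins inside a sliding time window, the same logic a tool such as fail2ban applies before it blocks an address. The log lines are constructed for this example (RFC 5737 documentation addresses, made-up hostnames and process IDs), and the threshold of 5 failures in 60 seconds is an assumed starting point, not a recommendation from the report.

```python
"""Added example (not from the podcast): flag SSH brute-force sources from auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure lines as written by sshd via syslog: syslog timestamp (no year),
# hostname, "sshd[pid]:", then "Failed password for [invalid user] NAME from IP port N ssh2".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one fast spray from 203.0.113.7, one legitimate typo by
# alice followed by a successful key login, and one slow "low and slow" run
# from 192.0.2.55 spaced 90 seconds apart.
SAMPLE_LOG = """\
Apr 16 03:12:01 vpn-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 16 03:12:03 vpn-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Apr 16 03:12:04 vpn-gw sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr 16 03:12:06 vpn-gw sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51031 ssh2
Apr 16 03:12:07 vpn-gw sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51033 ssh2
Apr 16 03:12:09 vpn-gw sshd[2216]: Failed password for invalid user git from 203.0.113.7 port 51040 ssh2
Apr 16 03:15:44 vpn-gw sshd[2240]: Failed password for alice from 198.51.100.23 port 40112 ssh2
Apr 16 03:15:52 vpn-gw sshd[2241]: Accepted publickey for alice from 198.51.100.23 port 40114 ssh2
Apr 16 04:40:00 vpn-gw sshd[2300]: Failed password for root from 192.0.2.55 port 33001 ssh2
Apr 16 04:41:30 vpn-gw sshd[2301]: Failed password for root from 192.0.2.55 port 33002 ssh2
Apr 16 04:43:00 vpn-gw sshd[2302]: Failed password for root from 192.0.2.55 port 33003 ssh2
Apr 16 04:44:30 vpn-gw sshd[2303]: Failed password for root from 192.0.2.55 port 33004 ssh2
Apr 16 04:46:00 vpn-gw sshd[2304]: Failed password for root from 192.0.2.55 port 33005 ssh2
"""


def parse_failures(lines, year=2024):
    """Yield (timestamp, user, ip) for each failed-password line; ignore everything else.

    Syslog timestamps carry no year, so one is supplied (assumed 2024 here).
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_brute_force(lines, threshold=5, window_seconds=60):
    """Return {ip: {"peak": n, "users": [...]}} for every source that reached
    `threshold` failed logins within any `window_seconds` sliding window.

    `peak` is the largest number of failures seen inside one window, `users`
    the distinct account names that source tried (a spread of names is the
    classic password-spraying signature).
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> account names attempted
    flagged = {}
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop failures that fell out of the window relative to this event.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(ip, {"peak": 0})
            flagged[ip] = {"peak": max(prev["peak"], len(q)), "users": sorted(users[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['peak']} failures in window, accounts tried: {', '.join(info['users'])}")
```

With the default 5-in-60-seconds rule only 203.0.113.7 is flagged: alice's single typo never reaches the threshold, and the 192.0.2.55 run is paced at 90 seconds so no 60-second window ever holds five failures. Widening the window to ten minutes catches the slow attacker too, which is the trade-off any threshold-based blocker has to make: short windows limit false positives, long windows catch patient attackers. Either way, blocking by source address only raises the attacker's cost; the multifactor requirement the news item recommends is what makes a guessed or phished password insufficient on its own.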
(This transcript is an edited version of the conversation. To hear the full discussion play the podcast)
Howard: Joining me now from Cambridge, England to talk about fighting ransomware is Jen Ellis, a co-chair of the Ransomware Task Force and host of the Distilling Cyber Policy podcast.
I’ve asked you to be on the show because last week the Task Force, which is an international group of experts, issued its third report since 2021. A Roadmap to the Potential Prohibition of Ransomware Payments, outlines a roughly two-year plan for what ought to be done if governments want to institute a ban on ransomware payments. We’ll talk about that report in a minute. First tell us about yourself.
Jen Ellis: As you can probably tell [from my accent] I’m British, but I started doing policy engagement when I lived in the U.S., which I did for many years. I worked very, very closely with security researchers for a long time and started to understand that the legal environment in the U.S. was chilling research and hurting both the security industry, but also much more importantly, society as a whole by holding back security information from society. So I started to get involved in policy. It expanded really quickly from there into looking at all sorts of different areas around policy connected to cybersecurity, and also looking at how we could bridge the gap between the policy community and the technical community so that as the policy community is looking at policy around technical topics, we’re plugging in people who are actually working on the front lines who have the real technical knowledge and they understand what’s coming.
I think that bridge is super important. So fast forward to 2020 when we started looking at this ransomware issue, in the RTF [Ransomware Task Force] and pulled that together. These days I work with non-profits and with governments to, one, bridge that gap and, two, help sort of assist with developing policy positions around cyber.
Howard: It seems that because the number of reported successful ransomware attacks continues to increase that little progress is being made. The Task Force’s recent report says “the majority of organizations globally are still under-prepared to defend against or recover from a ransomware attack.” Why?
Jen: I wish there was a really simple answer. If I wanted to be flippant, the simple answer is life: Because there are so many layers of complexity around competing demands on resources, on time and on attention, and a lack of true understanding about what’s going on, there’s an inability for organizations to respond appropriately.
There’s so much noise out there, and so little of it helps organizations really understand what to do. Incentives work in the wrong direction, in many cases — for example, the incentives around companies that make technology to constantly be building really quickly and moving on to the next thing. It’s not taking your time doing it right, making sure you’ve tested for everything, going back and acknowledging vulnerabilities in your technology. All of the incentives work in the wrong direction for security to work. And so we have an ecosystem where the vast majority of companies can’t afford, haven’t invested, don’t have the capacity to have good preparedness or resilience. We have opportunities for attackers abounding both in terms of opportunities in the technology itself — vulnerabilities — or just the fact that it’s really easy for them to manipulate human behaviour. So there’s a lot of different factors at play.
That means it [cybersecurity] is really hard, which is why when the [first] report came out it had 48 recommendations. We would have loved to come up with one, if we could have all agreed that this one thing would do it.
But the problem is, as we always say in security, there are no silver bullets. What we were looking at are incremental things you can do, and if you do them all together will hopefully create an impact. And while there has been progress on a number of those things, often it isn’t just about pulling the lever. It’s about maintaining focus and maintaining investment and commitment over time, which actually often is much harder than taking that first step. So we haven’t had long enough yet to see this stuff come to fruition.
I don’t know what the percentage is in the U.S., but in the U.K. our economy is 98 per cent small to medium businesses. Most of them are well below the cybersecurity poverty line. They have not invested to the degree that they need to. Meanwhile, the attackers are making big money. They’re able to invest every day if they want to. So those are some of the challenges at play.
Howard: If you’re an IT leader in a company, or in a county or municipality, are there three, five things that you really should do that that will make a real impact?
Jen: There are plenty of documents out there that will provide guidance. The RTF created one in partnership with CIS [the Center for Internet Security] aimed specifically at small to medium businesses called the Blueprint for Ransomware Defence which tries to make it more bite-sized for small to medium businesses.
I’m going to tell you five things. When we rattle them off as a list of five things it sounds really straightforward. But the reality is each one of them is a really time-consuming major thing. And it’s not like one and done. You don’t do it and then you’re done. It’s an ongoing commitment, so it’s not like you get up and say, “On Monday I’m going to institute patching, and on Tuesday I’m going to institute identity and access management, and on Wednesday I’m going to make sure that I’ve got offline backups, and I’m going to check that they’ve not been poisoned in some way.” It’s more like, “My major goal for this year is going to be to get a proper, functioning vulnerability management program off its feet. That’s going to be a big investment of time and effort and understanding and configuration and buy-in across my organization and talking to the IT team.”
So it is really important to understand when we go through what the things are [to be done] that they’re not simple easy lifts. But I’ll give you three:
— patching. You need to have a vulnerability management program. If you’re listening to this and you’re wondering about how to get started, a really good resource for you is CISA’s Known Exploited Vulnerabilities Catalogue, which specifically highlights the vulnerabilities that they know are being exploited in the wild;
— an identity and access management program. You want to make sure that people [employees] only have the ability to access things that they need to access. The program also has to have a secondary factor of [login] authentication, so that if somebody gets tricked into giving away credentials, it’s not easy for the attackers to use those credentials;
— resilience. Having backups of all of the stuff that you care about the most, not just your data but your systems as well. Your backups have to be offline so they’re not easy to access [by a hacker]. You also need to check backed-up data regularly to make sure that there’s no sign of any dodgy behaviour …
Howard: What are the biggest roadblocks you hear from business and IT leaders about not being able to implement Task Force recommendations for fighting ransomware in their firms?
Jen: You could put it very simply and say it’s about capacity or capability. What that boils down to is a lack of understanding or a lack of resources. Either the organization doesn’t really understand the threat, doesn’t really understand its relevance to that organization, or it is unable to invest. Sometimes you have organizations where both are true, or one affects the other …
You [as management] can’t do everything you want to do, and you have a responsibility to your employees, your customers and your investors to not do everything that you want to do. So they have to make difficult decisions. They have to decide how to prioritize. And because they don’t understand the threats, they may choose other, more urgent, pressing priorities in other areas, so they make choices away from spending on cybersecurity …
Howard: Why are some organizations still paying ransoms?
Jen: Because it’s so hard. Say you’re the CEO of a regional, smallish manufacturing company and you’re a third-generation owner, right? The company’s been in your business for three generations, and you have dedicated your entire life to this business. You employ a bunch of people in your region. You don’t have a lot of money to invest in cybersecurity. It’s probably not something you really think about a huge amount, and you’re super reliant on five major customers that you’ve got contracts with to create whatever widget for them. You get hit by a ransomware attack and it takes your business offline, and all of a sudden your business grinds to a halt. Your customers have deadlines and those deadlines can’t be shifted just because you can’t provide that service. So all of a sudden, the situation [attack] is existential for your business. If you cannot provide the service, you’re going to lose those contracts. Customers are going to go elsewhere. Your reputation is shot, you might get sued by them … People who are in a situation like that say, “How do I make this problem go away as quickly, as painlessly as possible?”
… Nobody says, “What I really want to do with my hard-earned money is give it to a criminal in a foreign state who doesn’t care about anything to do with me, and takes pictures of himself riding around in his Lamborghini.” … They’re doing it out of desperation.
Howard: What are the pros and cons of a ransomware payment ban?
Jen: The first theory is ransomware is a crime that exists in the interests of making money for criminals. If you take away the money, then you take away the impetus for doing it and it goes away. Number two is because giving money to these criminals is disgusting, unethical. And a lot of these organized criminal gangs are involved in other types of organized crime. Nobody wants to think that they’re funding the drug trade or the weapons trade or human trafficking.
The third reason that policymakers want a ban is because they have tried to push the needle on building [business] preparedness but it’s not going quickly … so they think, “We’ve tried the carrot and the carrot hasn’t got anywhere. Maybe now we try the stick in the form of saying to people, ‘You will not be able to pay a ransom.’” Therefore you [governments] have to get ahead of this. You have to have preparedness [for a payment ban] because there is no parachute …
I don’t think gangs will suddenly turn away from illegal activity. I think it’s far likelier that before they do that they will test the mettle of organizations. If I was a ransomware attacker what I would do is shift to focusing specifically on critical infrastructure and small businesses because I know that they’re the least likely to withstand my demands for ransom … So I think there has to be a plan for how to help them get themselves ready for a ban.
Howard: Which do you think of the recommendations [for preparing businesses for a payments ban] are the easiest and which are the hardest to implement?
Jen: The ones that are somewhat easier are the stuff that government does itself. For example, collaborate with other governments … The government can institute sanctions. They can clarify [incident] reporting [to regulators]. You can have law enforcement work with law enforcement around the world. The takedown of the LockBit gang was a collaboration of law enforcement around the world. What’s much, much, much harder is stuff that is outside of the government’s direct operational field. Things like reaching into millions of small to medium businesses and driving them to take action is really hard because you don’t want to make it a regulatory thing …
… The other thing that’s really hard is that cyber criminal gangs have for a long time thrived in what we call safe havens or harbour nations — countries that protect them.
Howard: Among the recommendations is to create a ransomware response fund to help victim organizations recover. Another is to end the tax deductibility of ransomware payments. Doesn’t it seem a little bit nuts to you that you can give money to criminals and then you can take that as a tax writeoff?
Jen: I can’t think of another space where that would be the same thing, right? Like when I do my tax return, I’m like, “Here’s all the money I gave to charity this year.” And, “Here’s all the money that I gave to criminals this year. I would like a [tax] benefit for both, please.” That seems kind of crazy to me … If you had to pay tax on it [ransomware payment] maybe that money could be used to help with the fund [for victims].
Howard: Finally, I’m an IT or security leader. I don’t have enough money or people to fight cyberattacks, including ransomware. How do I persuade my boss to give me more?
Jen: There is a saying that we use in security, which is, never let a crisis go to waste.
You can do a lot by scouring the headlines and highlighting relevant [cybersecurity] stories [for management]. There has to be a little bit of education. But also, if you seem disconnected from the realities of the business, your business leaders will never take you seriously. So if you want to tell them all the things going on in security and you completely ignore the fact that the business is also worried about the economy or facilities or investors, employee well-being, changing laws, then you’re going to have a conversation that is so far removed from what they actually focus on and think about that they’re not going to take you seriously. Education is a two-way street. You have to educate yourself on what the business cares about, get to know the business leaders in the organization and talk to people who are leaders of sub-areas in the business …
Maybe you could take lower-down department heads for lunch and learn what it is they focus on and what their priorities are. Then you’ll get a view of how the business goes together and what the competing priorities are. That gives you a much better position to have that conversation with your leadership, because you understand a lot more about what they’re weighing. This is also an opportunity to help them understand why you care about what you do and why they should care about it …
One of the things that can be helpful is to find stories [in the media or from cybersecurity research] about people. It helps to make it real to your leaders to say, “This is what a cyber crime gang looks like. Here’s this guy and he has been doing this for this long. These are the things that he’s accused of. Here he is driving around in his Lamborghini.”