Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll explore the evolving ransomware landscape, focusing on rising attacks in critical sectors like healthcare, the shift from major groups like LockBit to lone-wolf operators, and the challenges posed by Russian ransomware gangs dominating the global stage. Our troupe today features Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; Mathew Schwartz, executive editor at DataBreachToday and Europe; and Tony Morbin, executive news editor for the EU. Very good to see you, team.

Mathew Schwartz: Hello!

Tony Morbin: Hey there.

Marianne McGee: Hi Anna.

Anna Delaney: Hello. So, where are you in your virtual worlds? Mat, why don't you start us off.

Mathew Schwartz: Sure. This is a nearby wood that I like to go walking in sometimes. So, the definition of Scottish summer is sometimes four seasons in a day. And that's really been the case lately. A lot of wind, no snow, a lot of rain, occasionally some sunshine. It's been lovely to get outdoors.

Anna Delaney: Very good. I can ... I'm inhaling the air now as it feels very fresh.

Mathew Schwartz: Plenty of scents.

Anna Delaney: And Marianne, now you're usually in nature. So, this is very urban.

Marianne McGee: Yeah. This is lower Manhattan, near the site of where we had our Healthcare Summit a few weeks ago, in the ... you know, what is now the One World Trade Center area. You kind of see remnants, not really remnants of what was there, but sort of, you know, a depiction of what the old might look like. So, it's a very interesting area in Manhattan actually, from an artistic point of view.

Anna Delaney: Nice to have seen both views that you've shared. Yeah. Tony, I recognize that background.

Tony Morbin: Yeah, London. Although I used to be doing the commute every day, now I actually, at the weekend, went to London as a tourist over the weekend, which was a totally different experience and much more enjoyable.

Anna Delaney: Great. Not too many tourists in your way. You're bashing them as a former Londoner.

Tony Morbin: There were a lot, but I wasn't busy trying to get to work. So it wasn't so bad.

Anna Delaney: It's always a bit different, isn't it? Well, I'm sticking with Paris, the Paris theme this week, the Olympics.
This is from a rooftop with a view that overlooks the city, and you might be able to see Sacré-Cœur there just over my shoulder. Mat, you've written this week that the downfall of major ransomware groups like Alphv and LockBit has led to an increase in lone-wolf operators and smaller groups, resulting in record extortion payments and more complex ransomware dynamics. Just tell us about this trend.

Mathew Schwartz: Yes, well, if there's one constant with ransomware groups, it's change. We continue to see lots of experimentation, lots of innovation for the profit-making imperative that these groups seem to have. Financially oriented cybercrime - if there's a poster child for it, as opposed to, like, nation-state espionage-type stuff, it's ransomware groups. They're in it for the money. And unfortunately, it doesn't seem like they want to let anything stand in their way, does it? I mean, we've seen horrible stuff happening. This has been highlighted in some recent reports in terms of some groups threatening to swat targets if they don't pay. We've seen a lot of groups over the years phoning up their victims, demanding they pay, and sometimes phoning the customers of their victims demanding that they pay.
It's 66 00:03:39.470 --> 00:03:43.670 not clear if this leads more victims to pay, or if it just 67 00:03:43.670 --> 00:03:47.930 creates more notoriety for these groups, which all funnels into 68 00:03:47.930 --> 00:03:53.750 this image of them as these, you know, crazy evil wizards I guess 69 00:03:53.750 --> 00:03:56.870 is the phrase I'm looking for, that are able to magically take 70 00:03:56.870 --> 00:04:01.400 over your computers. So again, lots of innovation that we've 71 00:04:01.400 --> 00:04:05.600 been seeing. As you mentioned there, one of the interesting 72 00:04:05.630 --> 00:04:09.890 trends in the last quarter, according to Coveware, which is 73 00:04:09.890 --> 00:04:13.130 a ransomware incident response firm, has been the emergence of 74 00:04:13.160 --> 00:04:18.920 lone wolves. So, Coveware, as best I can tell, works with 75 00:04:19.400 --> 00:04:23.720 thousands of organizations on a quarterly basis who've been hit 76 00:04:23.720 --> 00:04:26.990 by ransomware, who are responding to ransomware, that 77 00:04:26.990 --> 00:04:30.740 sort of thing, and advises them about, if you pay what might you 78 00:04:30.740 --> 00:04:34.160 get, what might you not get, that sort of thing. So, I 79 00:04:34.160 --> 00:04:37.130 appreciate the statistics coming from them, because it gives you 80 00:04:37.130 --> 00:04:40.580 a sense of what corporate America, at least, is seeing 81 00:04:40.670 --> 00:04:45.260 when it gets attacked. 10% last quarter of the attacks, as you 82 00:04:45.260 --> 00:04:50.570 noted, had to do with lone-wolf operators that's never before 83 00:04:50.600 --> 00:04:56.390 been seen. 
Yes, we've definitely seen some lone wolves, but in recent years, ransomware-as-a-service has been much more of the dominant business model, and if not ransomware-as-a-service, then groups that ran attacks themselves using their own encryptors. Why are we seeing more lone wolves? 10% of attacks last quarter apparently ascribed to lone wolves, second highest. One of the philosophies, if you will, behind why we're seeing more lone wolves is that ransomware brands have just become super toxic. We've seen this with the downfall of LockBit. For example, it got disrupted and then attempted to come back and then got disrupted some more. Also with Alphv or BlackCat. A lot of these groups are hitting healthcare and just basically earning themselves a horrible reputation, very much in the limelight because of law enforcement takedowns. And it seems like a lot of affiliates are running scared and thus going the lone-wolf route, and apparently to good effect, since they're notching up a fair number of victims. Again though, this is only a fraction of what we're seeing. We're also seeing other established groups or up-and-coming groups scoring some pretty high profits, unfortunately.
One of those being the Dark Angels ransomware group, which, according to Zscaler, earlier this year got a single ransom worth $75 million. It didn't say who the victim was. Neither the ransomware group nor Zscaler have outed the victim, although Zscaler did say that it was a Fortune 50 company, meaning it's one of the most profitable, publicly traded US companies. There's some suspicion this may have been pharmaceutical giant Cencora, which got hit in February. It disclosed it had an attack against it that it fell victim to, but hasn't said anything more. So, we're not really clear on what happened here. Again, we're seeing lots of innovation. We're seeing lots of attacks against hospitals, blood banks, schools, critical infrastructure. This seems to be leading a lot of affiliates or ransomware aficionados to take their show on the road, really. And there's lots of leaks that have happened that allow individuals to access good crypto-locking malware without needing to necessarily work with the group that's constantly maintaining it. So, the long and the short of it is more innovation aimed at making victims pay however possible, and increasingly by these lone-wolf attackers.

Anna Delaney: Yeah.
So, how has the rise of these lone-wolf operators affected the overall cybersecurity landscape and how businesses are responding to ransomware threats?

Mathew Schwartz: Well, I think it's really important for any business that's looking to defend itself against ransomware. Obviously, it should be defending itself against everything, but ransomware is very useful. It's good to track because of the profit-making potential. A lot of very sophisticated, not always, but a lot of very sophisticated attackers are aiming to get ransomware onto systems. So, keeping an eye on what is happening is really a good idea from a defensive standpoint. What I've been hearing from security experts is the rise of these more lone-wolf operators is a reminder that ransomware is not just about groups. It's mostly about tactics, and so you're going to want to be keeping an eye on not just what groups are doing but across all kinds of attacks. How are attackers breaking in?
And we know about a lot of big trends here - socially engineering help desks, for example, hacking into remote connectivity, either because they've gotten info-stealing malware onto an employee's computer and been able to purchase these credentials or simply because they've brute-forced these credentials. Also using known vulnerabilities for remote connectivity appliances and some other security appliances is a major trend. So, if you keep an eye on this and use it as a self-checklist to make sure that they can't get in the ways that they're trying to get in, this is going to be a big help, regardless of who the ransomware-wielding attacker may or may not be, and a reminder too that attackers might work with more than one ransomware group. They might choose what to deploy based on who the victim is. So, you never know who's going to hit you, but there are some good clues about how they are going to try that you need to shut down.

Anna Delaney: Excellent. The constant innovation. It's palpable there. Thank you, Mathew.
Marianne, staying on ransomware of course, you've written about a ransomware attack on the Florida-based blood center OneBlood, alongside recent attacks on other blood suppliers, all of which highlight the vulnerabilities in medical supply chains. Could you just tell us a bit more about this particular case with OneBlood?

Marianne McGee: To sort of set the background here, we've seen hundreds of cyberattacks over the last several years on third parties or HIPAA-regulated business associates in the U.S. that provide a variety of services to the healthcare sector. Many of the largest of those incidents have involved attacks on companies that provide IT-related services to healthcare providers, and that includes vendors of medical transcription, practice management and even debt collection services. And as was the case in the February ransomware attack on Change Healthcare, that incident disrupted more than 100 different types of IT services that healthcare providers in the U.S. depend upon for claims processing, patient eligibility checks and so on.
But one of the most disturbing developments that we're seeing now in recent months is indeed the attacks on third parties that provide critical supplies to healthcare sector entities, namely, blood and related services. Last week, a ransomware attack against Florida-based blood donation center OneBlood prompted the entity to issue an alert to hundreds of hospitals in the southeastern region of the U.S. to activate their critical shortage protocols for blood supplies. That's because OneBlood was struggling with time-intensive manual processes, including testing and labeling blood during their IT outage, and that impacted blood supplies to hospitals. They've kind of rallied around the kind of blood community and have gotten partners to kind of step in to help here. But earlier this week, OneBlood said that it was starting to regain IT system functionality, but it was still sort of heavily relying on manual processes for some of its activities. Now, OneBlood's continued recovery from the attack, which was allegedly carried out by Russian-speaking ransomware group RansomHub, unfortunately coincided with Hurricane Debby making landfall on Florida and other southeastern U.S. states on Monday, and you know, early this week.
And just before the hurricane hit, OneBlood issued a statement urging the public to step up their blood donations, especially platelets, to help offset any hospital blood shortages related to the storm's impact. Now, the OneBlood incident, minus the hurricane, follows at least two similar attacks on blood suppliers in recent months - that includes a June attack on Synnovis, which is a British pathology laboratory services provider. That attack disrupted patient care and testing services at several London-based National Health Systems hospitals. And it ultimately affected the United Kingdom's blood supplies. The NHS Blood and Transplant organization has said that thousands of patient appointments needed to be rescheduled or canceled due to that attack. Now, Russian-speaking ransomware group Qilin claimed responsibility for the Synnovis attack. But meanwhile, in April, an attack on Octapharma Plasma, which is the American operations of a Swiss pharmaceutical maker, shut down nearly 200 blood plasma donation centers for several days, and that attack was supposedly launched by Russian-speaking ransomware gang BlackSuit.
Now, healthcare sector authorities are saying that these latest attacks on blood centers are again shining the spotlight on the fragility of medical supply chains. Healthcare entities urgently need to bolster supply chain security practices and resilience in the face of these highly disruptive attacks against critical suppliers, and the American Hospital Association and the Health Information Sharing and Analysis Center issued warnings just last week, telling healthcare entities, "You've got to step it up here in terms of your supply chain attention." Now, we've heard these sorts of urgent warnings before to the healthcare sector from cybersecurity experts and government authorities about the need for entities to heighten their focus on resiliency, but now it's even clearer that healthcare entities must seriously consider supply chain outages and the availability of critical supplies like blood in their overall risk management assessment process.
The American Hospital Association and Health-ISAC are urging healthcare delivery organizations to consider in advance suppliers and alternate suppliers, and incorporate multiple suppliers in their supply chain strategy in order to create redundancy in case a mission-critical supplier does suffer a devastating cyberattack. And ultimately, healthcare entities need to have their strategy sort of eliminate that single point of failure in terms of their health supply chains in order to minimize the impact of these sorts of incidents on crucial medical suppliers and the impact that comes with it on patients. So you know, that's a warning from the AHA and the Health-ISAC, but others have been saying similar things now for several months.

Anna Delaney: Yes. It's horrible to see these blood suppliers being targeted like this. Is there any indication that the ransomware attacks on OneBlood, Octapharma and Synnovis are connected in any way or coordinated?

Marianne McGee: Well, you know, it seems like the ... what they have in common is that Russian-speaking ransomware groups are suspected to be behind each of these - BlackSuit in the Octapharma attack, Qilin in the Synnovis incident and then RansomHub on OneBlood.
With that said, authorities are saying that while these attacks don't appear to be coordinated, you know, that's a possibility moving ahead that everyone's sort of worried about, that there might be a coordinated attack that happens to involve several critical suppliers of one particular product, like blood, or perhaps a combination of critical supplies like, you know, blood and, you know, anesthesia or other sorts of medicines that are just critical in the care of patients. So that's, you know, that's a big worry.

Anna Delaney: Cool. Thanks, Marianne. Tony, a report from TRM Labs shows that Russian ransomware gangs are responsible for 69% of global ransom proceeds, raising concerns about their cyber activities being potentially a form of warfare against the West, as Russian media commentators suggest. So, Tony, what do we do about Russia?

Tony Morbin: Well, certainly, yeah, we just heard both Mat and Marianne talking about Russians there.
Some years ago, I interviewed Eugene Kaspersky, and among other things, he said that, in his opinion, Russian software engineers and cybersecurity professionals are the best in the world thanks to Russia's university maths, engineering and computer science departments turning out great numbers of highly technically literate graduates. Now, they may or may not be the best, but they're certainly capable, but unfortunately, or unfortunately for them, Russia's dire economic climate means that opportunities for legitimate employment are fairly limited, whereas cyber criminality offers relatively easy, lucrative rewards that can be pursued with what amounts to state support, as long as they attack non-Russians. According to this TRM Labs report, as you say, you know, threat actors from across the former Soviet Union states accounted for 69% of all crypto proceeds linked to ransomware last year - that is exceeding half a billion dollars. It adds that they consistently drive most types of crypto-enabled cybercrime, from ransomware to illicit crypto exchanges and darknet markets.
Now, notwithstanding recent takedowns that Mat mentioned, it reports that the largest players in the space included LockBit, Black Basta, Alphv, BlackCat, CL0P, all run by Russian-speaking threat actors. On top of that, they say that Russian-language darknet markets also account for 95% of all recorded illegal product and service sales globally - the three largest handling 1.4 billion transactions last year. And when it comes to money laundering, Russia-based Garantex on its own accounted for 82% of cryptocurrency handled by sanctioned entities worldwide. And then just last week, we saw the U.S. Justice Department indict a Russian national, Roman Pikulev, for his role in founding and operating Cryptonator, an unlicensed cryptocurrency exchange that the U.S. says processed more than $235 million in illicit funds. Way back in 2014, the then Moscow-based cybersecurity company Group-IB estimated the size of the cybercrime market in Russia alone to be worth $2.3 billion. So, you know, exactly what the figure is now, I'm not sure, but it's going to be staggering. And then when you add that to Russia's reluctance to extradite cybercriminals to other countries, it's basically hindering international cooperation in combating cybercrime.
And then, along with the involvement in cybercrime by some corrupt officials, it's also in the Russian government's interest to not just turn a blind eye to the criminality but to actually encourage it and potentially mobilize this pool of hacking talent in pursuit of its own goals. The Russian KGB's successor, the FSB, has been known to offer cybercriminals the choice of working for them or going to jail. On a state level, Russia has been, you know, just saying, noticeably active on the cyber front or criminal end state. And for the state, it is going beyond cyber surveillance, which I guess we can assume that all states conduct on potential adversaries, and it's moved into outright cyber offensive action. Among the most notable was the SolarWinds supply chain attack in 2020 targeting U.S. government agencies and private companies. And then in 2017, we saw the NotPetya ransomware attack, attributed to Russians, which caused widespread damages to businesses and governments worldwide. Now, economic sanctions were imposed on Russian entities and individuals after the SolarWinds attack, which, as Mat was saying, has led to some of the breakup of some of those bigger groups.
Other options do include expelling Russian diplomats, issuing indictments against specific criminals, and we can take down criminal sites, and we've done all of that. But, while things like the U.K. cyber defense force and Israel's 8200 also espouse cyber offensive action, and the U.S. and Israel are believed to be behind the Stuxnet attack on an Iranian nuclear reactor, we've not really seen much offensive use of cyber against Russia. So, despite Russian media commentators, seen on Julia Davis's propaganda monitoring site, basically saying Russia is now at war with NATO and the West, the truth is we're not in an all-out cyberwar with Russia, even if it sometimes feels like it. So, given the onslaught of attacks by Russia and Russian criminals, I asked a former CIA official earlier this week, at the meeting that you were there, why we don't go beyond takedowns and use offensive cyber more aggressively. His response was, the situation is comparable to the Cold War policy of mutually assured destruction. Neither side can be 100% sure of either their ability to eliminate the threat by a first-strike attack nor can they be sure of their ability to totally defend their most critical assets from any response.
And partly that's because there's an element of 355 00:22:34.800 --> 00:22:38.160 the unknown about what the adversary can potentially do. 356 00:22:38.910 --> 00:22:42.540 So, it seems that for all the state can or might do, its main 357 00:22:42.540 --> 00:22:45.330 role is likely to be intelligence and advising us on 358 00:22:45.480 --> 00:22:48.210 what we should be doing to protect ourselves. Hence, 359 00:22:48.210 --> 00:22:51.360 organizations need to follow all the best practice advice in 360 00:22:51.360 --> 00:22:54.390 strengthening their own cybersecurity, as the current Russian 361 00:22:54.390 --> 00:22:59.130 storm is likely to rage on for some time yet. Just on another 362 00:23:00.120 --> 00:23:02.700 tangent, at the same time, we need to prepare for the climate 363 00:23:02.700 --> 00:23:04.350 change that China represents. 364 00:23:06.600 --> 00:23:11.190 Anna Delaney: Lots of deep stuff there, Tony. How do you interpret 365 00:23:11.190 --> 00:23:14.940 the Russian media's portrayal of cyber activities as warfare 366 00:23:15.240 --> 00:23:17.430 against the West? What do you think is happening there? 367 00:23:17.000 --> 00:23:17.600 Tony Morbin: I mean, they are quite aggressive. The 368 00:23:18.770 --> 00:23:19.790 government, the Russian government, is aggressively 369 00:23:19.790 --> 00:23:23.720 expansionist at the moment. They are moving ... they have moved 370 00:23:26.030 --> 00:23:36.710 into Ukraine. They are putting across a propaganda narrative 371 00:23:36.710 --> 00:23:38.600 that they're going to invade other countries, which I don't 372 00:23:38.600 --> 00:23:42.140 think they are. But having said that, you know, the Baltics 373 00:23:42.140 --> 00:23:46.430 certainly feel, you know, threatened. And all warfare now 374 00:23:46.430 --> 00:23:50.270 is hybrid warfare. You know, the Ukrainians, you know, to be fair 375 00:23:50.270 --> 00:23:53.060 to the Russians, the Ukrainians have also attacked their ATMs. 
376 00:23:53.150 --> 00:23:56.750 You know, the Russians have, you know, at the early 377 00:23:56.750 --> 00:24:01.970 stages, you know, prior to the current conflict, but since 2014, 378 00:24:02.000 --> 00:24:08.330 taken down power in Ukraine, but it's not out-and-out 379 00:24:08.420 --> 00:24:10.880 warfare, as I said, you know, people are a little bit scared 380 00:24:10.880 --> 00:24:15.260 about what the retaliation could be, and so we've seen far less 381 00:24:15.290 --> 00:24:19.640 real warfare, cyber warfare, than we expected. So, for all 382 00:24:19.880 --> 00:24:26.210 the financial losses, the damage to critical infrastructure, you 383 00:24:26.210 --> 00:24:30.560 know, the seriousness of what's happening, it's not all-out war, 384 00:24:31.280 --> 00:24:35.510 and the impact of cyber warfare, if you want to call it that, is 385 00:24:35.510 --> 00:24:37.640 still way below that of kinetic attacks. 386 00:24:38.200 --> 00:24:40.120 Mathew Schwartz: Yeah. Russia has been really hesitant to go 387 00:24:40.120 --> 00:24:43.720 past some red lines that cybersecurity officials in the 388 00:24:43.720 --> 00:24:48.970 West were warning about with the Ukraine, the all-out Ukraine 389 00:24:48.970 --> 00:24:54.400 invasion back in February 2022. They were saying, "Look, the banking 390 00:24:54.400 --> 00:24:58.510 sector could get hit as a reprisal for allying with 391 00:24:58.510 --> 00:25:01.900 Ukraine." That sort of thing, and we didn't see that, which 392 00:25:01.900 --> 00:25:04.540 surprised a lot of people. It seems like Russia doesn't want 393 00:25:04.540 --> 00:25:10.510 to go there. 
What we have seen is a lot of noise, a lot of DDoS 394 00:25:10.510 --> 00:25:13.780 groups, which may be directly funded, maybe indirectly funded 395 00:25:13.780 --> 00:25:17.650 by the Russian government, threatening to target hospitals, 396 00:25:17.680 --> 00:25:20.800 threatening to do this, threatening to do that, maybe 397 00:25:20.800 --> 00:25:25.930 not actually having much of an effect at all, except from an 398 00:25:25.930 --> 00:25:29.350 information operations standpoint, all of which 399 00:25:29.410 --> 00:25:34.900 bolsters Putin's regime and gives the Russian government a 400 00:25:34.900 --> 00:25:36.640 way to say, look how fierce we are. 401 00:25:37.770 --> 00:25:40.800 Tony Morbin: Absolutely. I mean, when you looked at the mixture 402 00:25:40.800 --> 00:25:45.810 of, probably, you know, patriotic vigilantes, plus a 403 00:25:45.810 --> 00:25:53.670 fair few, you know, criminals and people who were proxies for 404 00:25:53.670 --> 00:25:56.730 the government, the attacks on Estonia did real damage there, 405 00:25:56.730 --> 00:25:58.770 but we've not seen that level of attack. 406 00:26:00.010 --> 00:26:02.770 Mathew Schwartz: No, and forewarned is forearmed as well. 407 00:26:02.800 --> 00:26:05.380 I mean, to Ukraine's credit, it had good defenses in place. 408 00:26:07.000 --> 00:26:07.540 Tony Morbin: Absolutely. 409 00:26:07.810 --> 00:26:09.700 Anna Delaney: Meanwhile, from what we've been discussing today, we 410 00:26:09.700 --> 00:26:13.420 see that the ransomware threat continues to evolve and is not 411 00:26:13.420 --> 00:26:16.450 stopping anytime soon. But thank you so much for all these 412 00:26:16.450 --> 00:26:19.990 inputs. Let's lighten the mood then. And finally, just for 413 00:26:19.990 --> 00:26:24.520 fun, imagine a world where cybersecurity is perfect. Think 414 00:26:24.520 --> 00:26:27.730 hard. Imagine that. What new challenges do you think would 415 00:26:27.730 --> 00:26:28.960 arise in such a scenario? 
416 00:26:30.850 --> 00:26:33.040 Marianne McGee: I think it might be hard for people who actually 417 00:26:33.040 --> 00:26:37.690 need their patient data legitimately to get it, you know, as it is. 418 00:26:37.720 --> 00:26:40.540 You know, even with multi-factor authentication, which is not 419 00:26:41.260 --> 00:26:44.200 used as much as it should be, in healthcare you have doctors 420 00:26:44.200 --> 00:26:47.110 complaining it takes too long to get information. If you had 421 00:26:47.110 --> 00:26:50.560 perfect cybersecurity, you kind of wonder what the complaints 422 00:26:50.560 --> 00:26:52.480 would be from the user's perspective. 423 00:26:54.820 --> 00:26:57.700 Anna Delaney: Yeah, interesting perspective there. Tony? 424 00:26:58.650 --> 00:27:02.280 Tony Morbin: Well, if cybersecurity were perfect, I'd 425 00:27:02.280 --> 00:27:06.390 take that moment's pause to have a cup of tea, after which new, 426 00:27:06.390 --> 00:27:09.300 unthought-of attacks would occur. Because, as we keep 427 00:27:09.300 --> 00:27:12.480 saying, change is constant. We're in a highly dynamic cat 428 00:27:12.480 --> 00:27:14.940 and mouse industry, where nothing stands still for long. 429 00:27:15.240 --> 00:27:19.080 So, yes, it might be perfect for a moment until the new attacks 430 00:27:19.080 --> 00:27:19.410 come. 431 00:27:19.830 --> 00:27:21.300 Anna Delaney: Criminals will always find a way. 432 00:27:23.730 --> 00:27:26.310 Mathew Schwartz: Always! And that was the angle I was 433 00:27:26.310 --> 00:27:29.340 thinking. I mean, perfect in which way - the technology is 434 00:27:29.340 --> 00:27:33.870 functioning? Great. Well, in that case, the bad guys phone up 435 00:27:33.870 --> 00:27:38.730 a help desk and they social engineer someone into thinking 436 00:27:38.730 --> 00:27:41.730 they're Bob Smith and getting Bob Smith's access, and Bob 437 00:27:41.730 --> 00:27:46.740 Smith happens to be the CEO, and nothing's perfect then, is it. 
So 438 00:27:46.740 --> 00:27:48.690 many ways it could go wrong. Sorry, Anna, I thought we were 439 00:27:48.690 --> 00:27:49.950 trying to end on a light note here. 440 00:27:51.450 --> 00:27:53.340 Anna Delaney: Actually, in retrospect, I don't think the 441 00:27:53.340 --> 00:27:56.760 question is so light, but false sense of security. I think 442 00:27:56.760 --> 00:27:59.850 people will just take more risks online, and then there'll be a 443 00:27:59.850 --> 00:28:03.450 lack of incentive for improvement and innovation, and 444 00:28:03.810 --> 00:28:08.040 why would we be motivated to respond to and adapt to new 445 00:28:08.040 --> 00:28:11.040 threats and technologies? And I think that would be a bad thing. 446 00:28:11.040 --> 00:28:11.370 So... 447 00:28:12.390 --> 00:28:13.830 Mathew Schwartz: Danger keeps us strong, huh? 448 00:28:13.890 --> 00:28:15.150 Anna Delaney: Danger keeps us strong. 449 00:28:15.570 --> 00:28:17.310 Tony Morbin: Yeah. I mean complacency would be the big 450 00:28:17.310 --> 00:28:17.970 threat then, yeah. 451 00:28:18.560 --> 00:28:22.760 Anna Delaney: Very good. So, the industry is still strong, not 452 00:28:22.760 --> 00:28:26.390 going anywhere anytime soon. Thank you everyone. Insightful 453 00:28:26.390 --> 00:28:27.920 as always. Brilliant! 454 00:28:29.550 --> 00:28:31.410 Mathew Schwartz: Thanks Anna. Always fun to talk ransomware. 455 00:28:31.470 --> 00:28:35.760 Anna Delaney: Oh yeah, and thank you so much for watching. Until 456 00:28:35.760 --> 00:28:36.270 next time.