Business Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service
ISMG Editors: The Case of the 'Dr. Evil' of Ransomware
Also: Ransomware Attacks on Healthcare; Cybersecurity Market Slows Anna Delaney (annamadeline) • May 20, 2022In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity issues, including the alarming and bizarre case of a cardiologist in Venezuela who has been charged with developing malware and recruiting affiliates, recent ransomware and data leak incidents in healthcare and how the economy is causing mature cybersecurity startups to slow hiring.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
The editors - Michael Novinson, managing editor, business; Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; Marianne Kolbasuk McGee, Executive Editor, HealthcareInfoSecurity - discuss:
- How U.S. authorities have charged a cardiologist based in Venezuela with developing and selling notorious ransomware called Thanos as well as recruiting affiliates to use it against victims;
- Claims by ransomware-as-a-service operator AvosLocker that it is behind an attack allegedly involving data theft from Texas-based CHRISTUS Health, which operates hundreds of healthcare facilities in the U.S., Mexico and South America;
- How mature cybersecurity startups are beginning to slow hiring and prune operating expenses as macroeconomic storm clouds obscure future funding sources.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the May 6 edition with special guest John Kindervag, the creator of Zero Trust, and the May 13 edition discussing what have we learned from the Conti leaks.
Anna Delaney: Hello, I'm Anna Delaney. Welcome to the ISMG Editors' Panel, where we discuss a selection of the week's most interesting cybersecurity stories. And this week's party includes Mathew Schwartz, executive editor of DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and welcoming for the first time, our excellent colleague, Michael Novinson, managing editor for Business of Cybersecurity. Welcome and great to see you, Michael.
Michael Novinson: Thank you for having me.
Delaney: So, Michael, start us off. Where are you today?
Novinson: I am just outside of Providence, Rhode Island, which is where I've been living for the past four years. This is a picture of the Providence skyline with the Providence River in front. Fun fact: Providence uncovered all of its rivers that were covered by roads up until the mid-1980s. They were uncovered about 35 years ago. Now there's a giant festival called WaterFire in the summer, where they essentially put cauldrons in the river and play some nice music and you can walk around the river that's been uncovered. No, probably about an hour or so.
Delaney: I love that. I always learn something new on these panels. You're not too far from Marianne.
Novinson: No, probably about an hour or so.
Delaney: Where are you, Marianne?
Marianne McGee: This is a photo I took walking the dog, a couple of weeks ago, at twilight. It's behind our house. There's a golf course, down yonder. I liked the colors.
Delaney: Yeah, favorite moment of the day, I think, twilight. And Mathew, another moody shot for us.
Mathew Schwartz: Yeah, a little bit of an artistic treatment here on a photograph of East Sands, down the road for me in St. Andrews, home of the famous Cathedral University, and also this year's Open Golf Championship coming up this summer.
Delaney: Nice. I've got a bit of a noisy background this week. But I just wanted to show you, preparations are underway in London for a very big event. And you can see a row of British flags behind me lining Oxford Street, which is one of our busiest shopping streets in London. And the big event is, of course, the Queen's Platinum Jubilee, which is 70 years since her reign or since she came to power. Long live the Queen. It's quite impressive! Matt, you'll see all this fanfare next week when you're in town.
Schwartz: For the London summit, I can't wait.
Delaney: Mathew, starting with a novel story this week, there's a Dr. Evil ransomware in town. Tell us more.
Schwartz: Indeed there is. The Feds this week unsealed an indictment charging a man with Venezuelan and French citizenship but who's based in Venezuela, working as a cardiologist, in his spare time having developed ransomware. At least two strains were detailed in the charging document that's been released to the public. So we don't have all of the alleged facts or evidence against him. But Moises Luis Zagala Gonzalez, will call him Dr. Zagala, has been accused of developing two kinds of ransomware, which are particularly well-known. One is Jigsaw, and that came to light back around 2016. It was notable because the lock screen featured an image from the torture porn horror film series, Saw. I've not seen the film, but as I read, it has a fictional serial killer named the Jigsaw Killer. It communicates with victims using a puppet called Billy, which is what Jigsaw featured in its ransom note. And it said, "If you don't pay me, I'm going to start deleting your files, and the cost of your ransom is gonna go up." So great, right? And then fast forward a little bit. There's another strain of ransomware, which was much more prevalent called Thanos, which was first spotted in August 2020. This strain of ransomware was not top of the pops, but often the top 10 when it came to security firms reviewing the most widely seen and damaging ransomware in the wild. It's fascinating that allegedly, we have what prosecutors are calling a multitasking doctor, in his spare time developing particularly virulent strains of cryptolocking ransomware. If you're a medic, you're meant to take an oath of do no harm. I don't exactly know how this alleged activity would square with that obligation, shall we say?
Delaney: Fascinating. Marianne, do you often cover stories like these on your healthcare site?
McGee: I've written about a lot of healthcare cybercrimes. This one is definitely a first. I don't know if there are other doctors that have been nabbed for hacking, but masterminding ransomware is a new one. And it's very alarming, frankly. And as Matt said, do no harm. Now, that's the oath that doctors take, talking to prosecutors and attorneys that follow these cases, it's pointed out that, who knows who some of these affiliated, clients of his, who they attack. Were there any healthcare entities that were the victims? They are very dangerous, potentially. Systems going offline, patients are hooked up to all sorts of equipment, keeping them alive. It just seems to be the totally opposite of what a doctor should do. And as Matt mentioned, if he's so busy, any free time that he has, it's busy taking care of creating this destructive malware. It's pretty amazing. And then, the other thing is that you kind of wonder if there was anybody within his circle, who had any inkling of what was going on. If I were a security leader at any of the practices or hospitals that he was able to care for patients, I'd be taking a look at my audit logs right now. See if he's done anything alarming in the past. Who knows?
Schwartz: It's fantastic advice. One of the details released was not a healthcare entity that got targeted. But the fact that Iranian nation-state hackers appeared to be one of the users of Thanos malware. And we know that the Iranians were targeting health care facilities, certainly. So second or third order effects, I suppose on the attack front, certainly a possibility. One of the fascinating things about this charging document is the details it contains, but also probably what it doesn't say, because the prosecutors won't put everything they have into a charging document. It's just enough to get a judge to approve the arrest warrant for a suspect. We don't know where this suspect is. He's probably at large in Venezuela, which does have an extradition treaty with the United States. It is possible that we'll see this suspect to get extradited to face these charges in the US courtroom.
Delaney: But not anytime soon.
Schwartz: No, extradition proceedings don't proceed quickly. Marianne, I know you spoke with somebody who was reckoning it, might be on the order of a year or two, I think.
McGee: Yeah, it could take a while. There is a treaty between Venezuela and the US. And again, I don't know, do they know where he is or they don't know where he is. Hiding? Not that this is the technology side, but I'm just kind of curious about this guy. What was his practice again? I know, they said he's multitasking doctor with a cardiology practice. How busy was he? Was he a good doctor? Was he's strange? I don't know, it's just alarming.
Delaney: Well, on that multitasking front, he was also quite a talker. Wasn't he, Matt? Because I think, just taking from your piece, he revealed to an FBI informant, confidentially, that big profit comes from RDP. So my question is, what can we learn? What can organizations learn from what he was able to exploit. What he said he was able to exploit?
Schwartz: It's unfortunately the same old, same old. Remote Desktop Protocol has been widely targeted, repeatedly targeted by ransomware organizations, operations groups, crime syndicates. Quarterly reports from security firms giving us updates on the top attack techniques continue to call out RDP phishing. They usually vie for first or second place overall. Software vulnerabilities are another big one, amongst other things. Organizations need to get their remote connections locked down. That continues to be a top recommendation and also a top deficiency that we see when these attacks come to light. As you say, he was very verbose in private chats. There was FBI agent he managed to obtain a copy to pay the license fee. The Bureau says it traced the cryptocurrency account where the person paid it to and they appear to have gotten the suspect's Venezuelan identity card from that cryptocurrency exchange. Not great operational security here with the suspect. But they had some shots, and he revealed some interesting details. He was running affiliates, allegedly between 15 and 20 people maximum, down to five at the minimum, and the FBI agent had tried to sign up as an affiliate and he said, "I'm too busy. But if you want to do your own affiliate program, I'll give you some tips." So fascinating stuff as always in the cybercrime ecosystem here.
Delaney: Yeah, not designed for criminal work as he should have stuck with his day job, perhaps. Marianne, what else has been happening in the healthcare sector?
McGee: There's never a shortage of ransomware attacks and other sorts of hacking incidents. Speaking of ransomware attacks, the ransomware group AvosLocker recently claimed it stole sensitive patient data of a large Texas-based health system that operates more than 600 facilities in the US, Mexico, and South America. That entity Christus Health, earlier this week, said, it was investigating an incident involving unauthorized activity on its computer network and claimed that so far, the incident appeared to be limited and did not impact any of Christus Health's patient care or clinical operations. The entity didn't say anything about whether or not they were aware of data supposedly being leaked on the OPPO soccer site, which included some details about patients who end their cancer and their tumors and some other details that were up for discussion at a conference that some of their doctors were attending. In the meantime, there's also fallout growing from a December 2021 hacking incident that involved a cloud-based electronic health records vendor, Eye Care Leaders. Over the last week or so, more breaches were filed to federal regulators by eye practices that were affected, the incident had been made public. As of this morning, there are nearly a dozen ophthalmology practices and more than 348,000 patients affected by the incident, which involve the deletion of EHR databases, and system configuration files. More details of the incident are also emerging. One of the practices that were affected by the incident revealed that the affected EHR databases were hosted on Amazon Web Services. So we'll see in the coming weeks how many more eye practices and their patients have been impacted. The disturbing side is that these EHR databases were deleted. And in some cases, including that practice, I just mentioned, that the AWS says that their backups can't be restored. Some of the backups could be restored, but then others couldn't. We'll see how big this breach grows.
Delaney: Does anything surprise you anymore, Marianne?
McGee: Dr. Zagala. That's the biggest surprise lately.
Schwartz: Dr. Ransomware.
McGee: Yeah. Like a killer, allegedly.
Novinson: Allegedly.
Delaney: Michael, we are seeing some interesting market developments recently, especially with late-stage startups. What's happening?
Novinson: Absolutely. So those are, I would say four separate but interconnected trends that have been playing themselves out since last November. After a very strong market throughout 2021, the public stock market started to soften in November. And then the issues have really accelerated kind of across the economy in recent months between runaway inflation, rising interest rates, and now the ongoing war between Russia and Ukraine, which doesn't seem to have an end in sight. So how it affects cybersecurity, we've seen four different things. The first thing which we've seen is private equity firms coming in and taking publicly traded companies private; we've seen Mimecast, Proofpoint, Tufin, and McAfee. And now SailPoint, all under agreement or having gone private. These private equity firms are realizing that they can get a good deal. The stock prices are down. In the case of certainly some of these companies like SailPoint has a pretty healthy business that's growing at 20% a year. Category leader and identity governance, so we're seeing these companies go private and I think the PE firms are figuring. Three to five years from now, the market will be healthier, and they can make a nice return on their investment. For late-stage startups, it's a tough time. Because there are a ton of companies that got huge valuations between $4 and $8 billion last year off a very little revenue, oftentimes, less than $10 million of annual recurring revenue. And now many of those companies were talking about going public companies, like Arctic Wolf had talked late last year about going public this year. IPO market's pretty much dead right now. And it's just a question for a lot of these companies about how long can they make the cash that they have in hand last? Are they going to seal hiring? Do they have to consider layoffs or delay kind of product rollouts and scaling, for some companies? And I think for other companies, it's a question of really what do they do going forward? Are they willing, especially for the ones that got generous valuations, are they willing to take a cut to their valuation to get more money, which is not something most companies are eager to do. But if a company does need money, they may in this market, they're very unlikely to get the valuations that they were getting six to 12 months ago. So two other developments that we're seeing related to that is we're seeing a lot of companies who are in negotiations for money, late last year and early this year, when some of the warning signs were on the horizon, were essentially grabbing as much money as they could while I had spoken with the CEO of Tailscale, which is a zero trust VPN startup. And even though they only had 35 employees, they decided to raise $100 million of funding just because they were concerned about their access to capital in the future. And they did. They wanted to make sure that they didn't run out of money. So even though they really didn't need that level of funding, given their current size, they decided to take the money while they still could. The other behavior that we're seeing from investors is that they're really moving their money to what they consider to be safer investments. So it's not that they're leaving the cybersecurity market, as much as they're trying to put their capital in mature companies with large bases of revenue. And in particular, companies that are profitable. Profitability and margins are seeming to be a lot more important to investors. A data point I would give is that Check Point, which is a consistently profitable company that is modestly growing, one has seen the stock price rise by 5% since November, while SentinelOne, which last year had the biggest IPO of all time and was times-trading at high double digits multiple on the revenue, has seen their stock price fall by 64% over the past six months as investors move toward more conservative investments. There has not been a trickle-down market yet this seems to be mostly a late-stage startup problem. Early-stage startups are still getting funding or getting money. But the people who I've spoken to have said that they do expect in the next six to nine months for the funding environment to get more difficult for even series A series B, C type companies as investors worry about how they'll be able to exit those investments.
Delaney: How do you think this all impacts cybersecurity innovation? Or actually, are there too many products out there and this is quite healthy pause?
Novinson: It's a good question. I think there's a feeling that it's going to force some consolidation. I mean, we nearly saw it in the email security market where Proofpoint was pushing pretty aggressively to combine with Mimecast. Mimecast decided that from a regulatory standpoint, they were concerned the deal wouldn't go through one with Permira instead. Something like that had happened that you are having the two largest pure play security vendors combining would have been considerable. I think you do have the potential. Also for strategic buyers, we've seen Google come in and buy Mandiant at a pretty reasonable rate. You have to wonder for companies with large market caps like Cisco, or Google, or Microsoft, if they're going to just spend some money now to buy security companies and fold into their broader technology platforms. I think in terms of the early-stage startups, there's going to be the need, that the people are going to want more validation, that either founders who have strong credentials, or stronger business case, customers who've signed up, that I think there's a lot of investors last year who are willing, especially in emerging areas like cloud security to just place very big bets on good ideas without kind of much proof yet. I think this year that, even for the early-stage companies who are seeking meaningful money, there's going to be a lot more validation aside and people wanting a much more clarity around kind of a path to profitability.
Delaney: This has been an excellent overview, Michael. We want you back on the Editors' Panel.
Novinson: Of course. It's great to be with all of you.
Delaney: So finally, conference season is upon us. We have RSA around the corner. InfoSec Europe and others of course. What are your conference survival tips?
Novinson: I've always enjoyed the old DEF CON tip, the 3-2-1 rule. At least three hours of sleep, at least two meals a day, and at least one shower a day. You do find that advice holds up well for both conferences as well as for being a parent of a young child. So always important to take care of basic needs and make sure you're feeling good and your mind's sharp.
Delaney: Love it.
Schwartz: Yeah, slightly more hardboiled. I always think of the Jack Reacher books where even you can't sleep when you can because you just don't know what might be around the corner.
Delaney: That's great. Marianne?
McGee: Bring comfortable shoes. And I guess nowadays bring a handful of masks.
Delaney: For sure, and get some air. I think we forget that there's an outside world sometimes. That's all great advice. Thank you very much. That's all we have time for. Matt, Marianne, Michael, it's been a pleasure.
Schwartz: Happy Jubilee, Anna.
Delaney: Thank you very much.
Novinson: Thank you for having me.
Delaney: And thank you so much for watching. Until next time!