ISMG Editors: Why Is LockBit Ransomware Group So Prolific?Also: Netskope's SASE Vision; The Compassionate CISO Anna Delaney (annamadeline) • January 20, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including why being a CISO is like being the first family doctor in a small village, why you can't trust ransomware gangs such as LockBit, and why cloud security vendor Netskope took on $401 million in debt from Morgan Stanley to fuel its SASE offering.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Michael Novinson, managing editor of business; and Tom Field, senior vice president, editorial - discuss:
- Highlights from an interview with Aleksandr Zhuk, CISO of cryptocurrency broker sFOX, on why being a CISO is like being the first family doctor in a small village;
- How the world's most prolific ransomware group, LockBit - which has been linked to a cyberattack that targeted Britain's national postal service, Royal Mail - displays an attitude of "profit at any cost";
- Why cloud security vendor Netskope has taken on more than $400 million in debt to further develop its SASE platform and expand its go-to-market activities.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Jan. 6 edition, which discusses the complexity of the Rackspace zero-day attack, and the Jan. 13 edition, which discusses the impact of the fragmented Russian darknet market.
Anna Delaney: Hi. Thanks for joining us at the ISMG Editors' Panel. I'm Anna Delaney and this is where ISMG editors meet on a weekly basis to share their thoughts and insights on the top stories, interviews and industry trends. Really pleased to be joined today by our senior vice president of editorial Tom Field, Mathew Schwartz, executive editor of DataBreachToday and Europe, and Michael Novinson, managing editor for ISMG business. Excellent to see you all. Episode 97. Can you believe?
Tom Field: We're close to 100, aren't we?
Delaney: Getting there. Tom, you got a beautiful scene behind us. It is almost like a Japanese piece of artwork. Tell us.
Field: This actually was when we were leaving dinner a couple of weeks ago during a snowstorm and walking, that was an old Revolutionary era in with a tavern and walking from the old building through the snow to a lower parking lot. Looking up and seeing the full moon up through the tree is just saying, "This is a moment." Yes, because this is the 97th panel, also thinking this is the background.
Delaney: Very well plan there. Michael, is that in your house?
Michael Novinson: That house does not have quite this high ceilings. But this is actually the Providence Athenaeum. It is a private subscription library predating the start of the public library service built back in 1836. If you're not a member, you're allowed to look, and you can touch, but you can't take anything with you. Most famous visitor there was H.P. Lovecraft who lived just down the street.
Delaney: So almost as many books as in Tom's house.
Field: But not as old!
Mathew Schwartz: Fewer pentagrams because of H.P. Lovecraft, right?
Delaney: Mathew, you're donning your personal Postman Pat?
Schwartz: Yep, here is a look into Matt's psyche. What do I want to be when I grow up? And the answer could be postie. Or it could be someone who talks about a certain ransomware attack that's been afflicting the United Kingdom recently.
Delaney: Well, we'll have to guess.
Schwartz: Hold your breath, Anna.
Delaney: I am joining you from the rooftops of Beirut today. So I was last here, I think in 2019. It's the city that never sleeps. It's always fun and very beautiful. So here we go. Tom, take us to see Ceylon. You regularly speak with a range of CISOs as part of our Profiles in Leadership Series. What insights have you gleaned recently?
Field: Like the CISO land, like it's a cable subscription network. You can watch past interviews with CISOs on a 24/7 basis. As you know, we all get the opportunity to participate in these Profiles in Leadership and it's a chance to sit down with individual CISOs. They're part of ISMG's CyberEdBoard community. This is our CISO club, our global CISO association. These people become advisors to us, they participate in our programs, they participate in our events. And when we get the opportunity to sit down and have conversations, it's a rare chance to really get into the CISO's mindset and find out what are the challenges that mean the most? What are the threats of greatest concern? What have been their biggest leadership challenges and what do they want to pass on to a new generation. So I embrace these, I love doing these. I had the chance recently to sit down with Aleksandr Zhuk. He is the CISO of sFOX, which is a crypto broker. Now interesting enough, Aleksandr isn't an older CISO, seasoned in his career. He likes to work in the startup community because he enjoys the energy that comes with startups. And in the middle of our conversation, he made the comment to me that as a CISO in these startup organizations, he feels like the first family doctor coming to a small village and I said "Look, all the CISO interviews I've done over the past decade or so, no one has ever said that they feel like the first family doctor of village. Please explain that." And he did and I want to share with you what he had to say about that.
Aleksandr Zhuk: Especially when I begin my job at a different company, I start fresh. This is when company fundamentally has matured enough or have realized that they need to bring us in, so think about the village growing up enough to realize, "okay, we can afford and should bring in a family doctor." Again, they are not looking for somebody who will come in and stop everybody at their track and clap. "Stop at that. Stop doing what you're doing. Drop everything. Listen to me." No, that's not how it works. They look for a family doctor, somebody who comes in, who puts up a shingle, opened an office, and starts nurturing the community one by one. What keeps you up at night? What brings you joy? What are some of the things that concern you? And while you have these conversations with every stakeholder, look around. It's literally like that physical that a good doctor would do. As they talk to the person, they will look, "Oh, look at this scar. That is bleeding. I need to fix this. Oh, look at this rash. This may be something worth evaluating." On the other hand, "Hey, maybe all of this is yes, it's not as bulletproof, but it's good. We're going to give some vitamins to that person and keep going."
Field: Kind of refreshing though, like he could have come to me and said, "I feel like a mercenary carpetbagger." Even a hitman is enough. I can mean like a family doctor. I thought that was a nice image to convey. I just enjoyed the conversation and look forward to being able to share this with the greater community.
Delaney: Yeah, and I suppose that highlights the compassionate collaborative role of the CISO as well. Fantastic. Well, we look forward to watching the interview. I don't think it's on the sites yet.
Field: But it will be shortly. I look forward to sharing with everybody, and many more to come as you know.
Delaney: Fantastic. Okay, Mathew, you've written a couple of pieces in the past week about a ransomware attack, which targeted our very own British Postal Service, the Royal Mail. And for those of you who don't know, the Royal Mail is already in our bad books and the service has also been impacted by various strike action by postal workers over the weeks leading up to Christmas. So it's definitely had its fair share of disruption lately. Tell us about this attack, and how it all unfolded, because there are a few twists.
Schwartz: Yes, definitely. I know. It's a very British story. I was thinking on the heels of Tom's family doctor, all cybersecurity creatures - great and small. And we've got this beautiful British - probably European actually - but in this case, it's definitely a British van behind us, which if you've been in the United Kingdom, the four nations that comprise it, you'll recognize as your local postal carriers method of transport. Well, the transport's working. What isn't working so well is anyone's ability in Britain to post anything abroad - letters and parcels. Now, in what's been more than a week of disruptions remain interrupted. Royal Mail, which is our post office, has urged anyone who's in Britain not to try to send anything abroad. They're saying, "Keep it at home. Please, don't put it in a post box, don't take it to a post office, because things are going to get so backed up. We don't know how we're going to dig ourselves out." So, as you've mentioned, there was some industrial action, there were some strikes that happened throughout December and Christmas cards, for example, some were still arriving in the early weeks of January, really slowed things down. So the postal workers are striking for higher wages, as Britain has been beset by in a crazy cost-of-living crisis. We have that. Now, we have this ransomware attack, which has only technically been described by Royal Mail as a cyber incident. But, of course, cyber incidents these days are so often - another way to say "we got hit by ransomware." And there's been extensive reporting that the note that's been flashing up on disrupted, on unlocked systems at various facilities throughout Royal Mail traces to the LockBit group. The LockBit group initially denied this. Of course, they would, right? This is a little bit of an awkward hit. But then the leader of the group or the persona that is attached to the leader of the group, LockBitSupp came out and said, "Oh, you know, we're so busy, we have a hard time keeping track of everything. It turns out that one of our affiliates did hit Royal Mail. Isn't that too bad? So if they pay the ransom, we'll stop extorting them." So same old with ransomware attacks, disrupting something major. I think in this case, we can say it's a piece of the critical national infrastructure, although, as yet, His Majesty's government hasn't weighed in on this crisis. Yet. Apparently, ransomware attacks have become so common that when we have the emergency Cobra meetings with the government, I won't say more often than not, they're about ransomware. But many have been about ransomware, have reached out to Royal Mail, said what's happening, no response yet. It's not clear when they might get systems restored. So people might say, "Postal Service. Who uses that these days, especially to send things abroad?" Unfortunately, this seems to have had a massive impact, especially on small businesses. For example, there's a story in the BBC recently about a gentleman who sells Vinyl records and the majority of his sales are to overseas customers. And yes, there are other options for sending parcels abroad. But speaking from personal experience, if you want to track these things, for example, Britain's Royal Mail Postal Service has connections with other national postal services. So you can issue a tracking number and you and the buyer of your goods can watch the item as it works its way abroad - eBay, same sort of thing. If you want to track things, it's typically the most effective way. The most reliable way is to use the Postal Service. So this is having a big impact on people. There's no ETA from Royal Mail about when this situation might get resolved. And just to sum everything up, ransomware has been a huge disruptive challenge. And now that we're into 2023, doesn't seem to be changing.
Delaney: So I've got a few questions for you. So tell us a bit about LockBit first, and what makes them so successful, why they stay prolific at the moment?
Schwartz: Yes, one of the big groups, definitely, top five in terms of the most known attacks that we have seen. In terms of attacks that we know about, LockBit's one of the top five groups over the past year. They've been really successful, because we've LockBit 2.0, also known as LockBit Red, they introduced a version of the ransomware that was extremely easy to use. So in a lot of cases, ransomware is designed where you don't need to be a technical expert, but LockBit took it to another level apparently, and just made it exceptionally easy to use. So anybody who might want to turn a criminal profit using ransomware, probably can get their head around this tool set. And then they've come up with version three, also known as LockBit Black, which apparently has made things even better. And then technically their ransomware apparently works very quickly, very effectively. So they've put a lot of time and effort into crafting a better, more automated and easy to use product, which is great for criminals and bad for the rest of us.
Delaney: And in terms of, you know, the seriousness of this, is this on the same level as comparable to Colonial Pipeline in the U.S., you've got Medibank in Australia? And if so, are we likely to see a tougher stance in terms of response from U.K.'s GCHQ and NCSC, as we saw from the U.S. and Australia in those examples?
Schwartz: So I would imagine that if you were the U.K. Government and you were going to task your intelligence agency GCHQ to go after somebody, LockBit's now looking like a really good target. Is this going to have any effect? I don't know. LockBit was disrupted last year after it attempted to leak some records from one of its larger victims, and in return, suffered DDoS attacks, which, again, they disrupted LockBit's operations to some extent. Unfortunately, it doesn't seem to have taken a bit out of LockBit's profits. So, will the government talk tough? Probably. Will we see action? I mean, it might be top secret. So you might not know about it anyway. But this does get to a bigger problem, which is that ransomware is a big problem. And there's been the ransomware task force that was gathered by the White House, for example, which brought 30 nations together. They had their second meeting late last year and agreed on a number of strategies that they're going to try to use to disrupt ransomware. That's good. Hopefully, the strategies will have some success. But I've been reviewing a number of reports into 2022 ransomware trends, and the number of attacks that we know about didn't decline from 2021. So definitely, more needs to be done. There's a great essay by Ciaran Martin, who used to lead the NCSC, the National Cybersecurity Center that he put out this week. He says ransoms are the oxygen of cybercrime. And if we're going to get really serious about stopping this, he has been proposing that we outlaw ransom payments, just like kidnapping. Britain outlaws paying a ransom if people get kidnapped, that led to fewer terrorist organizations and others attempting to hold the British government or its people to ransom using kidnapping. He says we've got to get tough and do the same thing with ransoms. The government in the U.K. hasn't outlawed paying a ransom to ransomware artists, actors, crime groups, but they did for kidnapping. Why this difference, he says. Why is it any different? So just because it's cyber doesn't mean it isn't having this massive impact as we've seen now with Royal Mail. So I think we're going to have some tough conversations. What, if anything, and when might it change? It's really not clear.
Delaney: And I, just at this point, highlight your fantastic interview that you conducted with researcher Jon DiMaggio on LockBit and their behavior and their business operations and he had some really interesting thoughts about the fact that indictments are not actually working at the moment, and we should think about psychology and LockBit. After all, they're humans. So their behavior, and how we can use psychology to our advantage. I mean, there's so much to unpack there. Could you just briefly talk on that?
Schwartz: Yeah. So great point bring this up. Really fascinating, great timing for Jon to have put out this report. He's a former intelligence analyst. He's got experience infiltrating groups. And he did that with LockBit. He applied for a job, didn't get it, and was able to parlay that into a bit of a fanboy kind of persona, and got some one-on-one time with LockBitSupp, who he found was a very boisterous and probably low self-esteem individual who kept bigging up everything he did. And him and others, Jon says, there's a real opportunity there with a psychology of how these people operate and just the ego, and they take everything extremely personally. So there's a lot more detail to unpack there. But he says, we need to use these kinds of - what we know about their human behavior to sow chaos, sow doubt, infiltrate it like he's done, and make others suspect LockBit, turn the community against itself, much more than we've been doing. Because what we are doing, obviously, as you emphasize, as you note, isn't enough.
Delaney: Excellent. Well, I implore anybody watching this to to go check out the interview on our sites. Michael, moving on to business news. Now you've written about cloud security vendor NetSkope this week, and how it's taken on more than $400 million in debt to further develop its SASE platform. Please share an overview of the story.
Novinson: Of course, and I'm happy to be here. So just to take a step back. If you think about the economic downturn and who it's affected most, it's really these late-stage startups folks who thought they're going to go public in 2022 or 2023. And now realize that they can't, and they have to come up, have to turn to Plan B or Plan C. So for a lot of these companies was workforce reductions, layoffs, we saw a lot of those among late-stage startups, not Netskope, but a lot of their peers who thought they're going to go public decided to buy some time by cutting cost, reducing the size of their workforce. And now as these folks think about, essentially, the expectation and downtime, that you want to have 24 months, two years of cash on hand, to be able to weather anything that comes your way. So when these folks are thinking about, IPO's not really a possibility in 2023, who knows in 2024. It's not clear if the market is going to be better. So if we can't IPO this year, and we can't IPO next year, what does that mean? So one of the challenges for these companies, I was excited when that happened was that a lot of these companies took in funding in 2021, which was a fantastic year to get a really rich valuation because investors love these high-growth companies. They didn't really care about profitability, didn't care if you're losing money, but high growth and high valuation. Now they're going back to the market and the market really desperate. Nobody is worth as much today as they were worth in mid-2021. So what does that mean? So there's a couple different things that folks can do. One thing would be to just bite the bullet as you were and take out some more equity and take the valuation. If this is what we saw, sneak in the application security market, they were worth 8.5 billion in September of 2021, wanted another round of equity funding in November of 2022. And they reduced their valuation down to 7.4 billion, about 12-13% cut. So what that means is everybody who's invested in them after 8.5 billion essentially, their investment is now worth 12-13% less. So you have to get in touch with, on-board with that. And it's not great for morale to have to say like, "Even though we've grown, we're not worth as much as we were a little over a year ago." The other option, the way to essentially kick the can down the road is of course to issue what's called convertible notes. They're a form of short-term debt. And essentially, it's just an IOU, it's a bit of a game of Roulette. And it says, "Hey, we're not going to worry about the valuation right now. But come the next equity event, then we'll figure out how much you're worth." So ideally, that's an IPO. But that could also just be another round of funding that could be a sale, and will determine how much your investment is worth once we reach that next equity event. So we first saw Arctic Wolf do this back in October, they had been valued at 5.3 billion in mid-2020. They didn't want to have to deal with getting a new valuation. So they went the convertible note route, that 401 billion led by Owl Rock and convertible notes, October 2022. And that is the year that most recently, we started Netskope a similar time. They had gotten the $7.5 billion valuation in July 2021. Didn't want to have to take that valuation hit. So they did convertible notes as well. Notably some pretty high profile investment banks involved here. Morgan Stanley was the lead investor government taxes involved as well along with the Ontario Teachers' Pension Plan, who invest in a lot of cybersecurity companies, some real blue chip investors here. And obviously, these folks are confident that when the market shakes out, and that's still a good company, they're a leader in the security service edge space. And they think that when all is said and done, then the company's valuation will go up. But it is interesting to see we've now had seen three companies have to reach this crossroads and decide how do we want to deal with raising more money. It'll be interesting, as more of these cases come up.
Delaney: And Michael, just focusing on SASE for the moment. Where are the market opportunities for Netskope to be an even bigger leader in this space?
Novinson: Absolutely. It's a fascinating market. So Netskope was born in this cloud access security broker space, it was really for many years then and Skyhigh networks who were then bought by McAfee, which spun them back out of Skyhigh Security. So those are really the two strongest companies in cloud access security broker. From there, Netskope built into the other competencies around security services, built secure web gateway offering to directly take on Zscaler, as well as zero trust network access. What's interesting about Netskope is that they, because there's been so much debate about single vendor versus multivendor SASE, they historically have been in that multi vendor camp, figuring that they weren't going to worry about the networking side, that SD-WAN side, but they did decide a bid last year to make an acquisition so that they can be a player in the single vendor SASE spaces. You have folks like Gartner and Palo Alto Networks really beating the drum on that. So they do now have SD-WAN as well. So they kind of offer that full package. Obviously, their strength is going to be in their heritage, which is really in that cloud security, that web security. From a competitive landscape, they've been taking Zscaler, had a lot of back and forth, criticisms of them, of one another in the press and blogs and white papers, the companies. What's interesting is we're seeing really a new entrant into this market, which is Cloudflare, which is really more than web application firewall space. But they've been very clear they want to get into the world to zero trust. And Cloudflare, in particular, has been very critical of how Zscaler does things. So clearly that two they're shooting for. So Netskope is definitely - Cisco was kind of the king of the hill, so I think they get more of the criticism, but Netskope definitely is going to be encountering Cloudflare more, because they are kind of all in on billion to this SSD market as well.
Delaney: Very interesting. Well, Michael, thanks for bringing us up to speed on this. Finally, your task is to commission a composer to write the next smash hit song or aria about cybersecurity and you have the pick of all composers, dead or alive. Who would it be?
Field: My candidate, going to my hero, Brian Wilson. He was able to - back in 1966 - put forward his teenage symphony to God with Pet Sounds. And then 30 some years later, was able to piece together the various elements of the great last album Smile, an issue that anybody can do it. I'm going with Brian. Let's go surfing though everybody's learning now.
Delaney: Beach vibes! Love it. Michael?
Novinson: So, I'm thinking really inside the box here, but I had to say Fish, two reasons, of course. Who better to fight the Fish with than Fish. And then secondly, everybody loves to jam with them and it's just incredible that 30 years after they started, they continue to sell out stadiums shows in the United States, do multiple nights in the same arena and everybody felt it, so they could really educate the masses on cybersecurity.
Delaney: It's impressive actually. A great choice. Matt?
Schwartz: I think cybersecurity's a musical and so I'd resurrect Meredith Willson, who you might know as the gentleman behind Music Man, which, to be very brief, is about a charlatan who comes to town and a librarian with a heart of gold, sees through the charade and earns him from bad to good. So, I mean, I just think with Snake Oil and cybersecurity sales and silver bullets, there's a huge opportunity here to bring cybersecurity to the masses in a more accessible way.
Delaney: Yeah, yeah, good choice. I was going to say Phantom of the Opera actually. You made me think of that. Wasn't my choice for today - Stravinsky, I think there's lots of musical dissonance, rhythmic complexity and innovative orchestration. These are all words we use in cybersecurity. It's very apt. Don't you think?
Schwartz: Very difficult to play.
Delaney: Very difficult. Easier to listen to, maybe.
Field: As long as we put together a heck of a compilation album.
Delaney: Yeah, it's good. Well, as ever, it's always fun. Tom, Michael, Matt, thank you very much. Thank you. Until next time. Thanks so much for watching.