ISMG Editors: Is Russia Waging War Through Ransomware?
Also: Lone-Wolf Operators, Attacks on Medical Supply Chains – What's Next?
Anna Delaney • August 9, 2024
In the latest weekly update, ISMG editors discussed the evolving ransomware landscape, including rising attacks in healthcare and other critical sectors, a shift from cybercrime groups such as LockBit to lone-wolf operators, and why Russian ransomware gangs are dominating the global stage.
The panelists - Anna Delaney, director, productions; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; Tony Morbin, executive news editor, EU; Mathew Schwartz, executive editor, DataBreachToday and Europe - discussed:
- How the downfall of major ransomware groups including Alphv and LockBit has led to an increase in lone-wolf operators and smaller groups, resulting in record extortion payments and more complex ransomware dynamics;
- How a ransomware attack on Florida-based blood center OneBlood and other recent attacks on blood suppliers reveal the vulnerabilities in medical supply chains - and why they have become a big target;
- Why a new TRM Labs report showing that Russian ransomware gangs are responsible for 69% of global ransom cryptocurrency proceeds raises concerns that these cyberattacks might be a form of warfare against the West, as suggested by some Russian media commentators.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 26 edition on the CrowdStrike outage and the Aug. 2 edition on why data breach costs are rising.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll explore the evolving ransomware landscape, focusing on rising attacks in critical sectors such as healthcare, the shift from major groups such as LockBit to lone-wolf operators, and the challenges posed by Russian ransomware gangs dominating the global stage. Our troop today features Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; Mathew Schwartz, executive editor at DataBreachToday and Europe; and Tony Morbin, executive news editor for the EU. Very good to see you, team.
Mathew Schwartz: Hello!
Tony Morbin: Hey there.
Marianne McGee: Hi Anna.
Delaney: Mat, you've written this week that the downfall of major ransomware groups like Alphv and LockBit has led to an increase in lone-wolf operators and smaller groups, resulting in record extortion payments and more complex ransomware dynamics. Tell us more about this trend.
Schwartz: If there is one thing constant with ransomware groups, it's change. We continue to see lots of experimentation, lots of innovation for the profit-making imperative that these groups seem to have. Financially oriented cybercrime - if there's a poster child for it, as opposed to, like, nation-state espionage-type stuff, it is ransomware groups. They're in it for the money. And unfortunately, it doesn't seem like they want to let anything stand in their way, does it? We've seen horrible stuff happening. This has been highlighted in some recent reports in terms of some groups threatening to swat targets if they don't pay. We've seen a lot of groups over the years phoning up their victims, demanding they pay, and sometimes phoning the customers of their victims, demanding that they pay. It's not clear if this leads more victims to pay or if it creates more notoriety for these groups, which all funnels into this image of them as these crazy evil wizards that are able to magically take over your computers. So again, lots of innovation that we've been seeing. As you mentioned there, one of the interesting trends in the last quarter, according to Coveware, which is a ransomware incident response firm, has been the emergence of lone wolves. So, Coveware, to the best of our knowledge, works with thousands of organizations on a quarterly basis who've been hit by ransomware, who are responding to ransomware, and advises them about what you might get, and what you might not get, if you pay. So, I appreciate the statistics coming from them, because it gives you a sense of what corporate America, at least, is seeing when it gets attacked. 10% of the attacks last quarter had to do with lone-wolf operators, which has never been seen before. Yes, we've definitely seen some lone wolves, but in recent years, ransomware-as-a-service has been much more of the dominant business model and, if not ransomware-as-a-service, then groups that ran attacks themselves using their own encryptors.
Why are we seeing more lone wolves? One of the philosophies is that ransomware brands have become super toxic. We've seen this with the downfall of LockBit. For example, it got disrupted and then attempted to come back and then got disrupted some more. Also with Alphv or BlackCat, a lot of these groups are hitting healthcare and earning themselves a horrible reputation, very much in the limelight because of law enforcement takedowns. It seems like a lot of affiliates are running scared and thus going the lone-wolf route, and apparently to good effect, since they're notching up a fair number of victims. Again though, this is only a fraction of what we're seeing. We're also seeing other established groups or up-and-coming groups scoring some pretty high profits, unfortunately. One of those being the Dark Angels ransomware group, which, according to Zscaler, earlier this year got a single ransom worth $75 million. It didn't say who the victim was. Neither the ransomware group nor Zscaler has outed the victim, although Zscaler did say that it was a Fortune 50 company, meaning it's one of the most profitable, publicly traded US companies. There's some suspicion this may have been pharmaceutical giant Cencora, which got hit in February. It disclosed that it had fallen victim to an attack, but hasn't said anything more. So, we're not clear on what happened here. We're seeing lots of attacks against hospitals, blood banks, schools and critical infrastructure. This seems to be leading a lot of affiliates or ransomware aficionados to take their show on the road. There are lots of leaks that have happened that allow individuals to access good crypto-locking malware without needing to necessarily work with the group that's constantly maintaining it. So, the long and the short of it is more innovation aimed at making victims pay however possible, and increasingly by these lone-wolf attackers.
Delaney: So, how has the rise of these lone-wolf operators affected the overall cybersecurity landscape, and how are businesses responding to ransomware threats?
Schwartz: It's important for businesses to defend themselves against ransomware. They should be defending themselves against everything, but ransomware is very important. It's good to track because of the profit-making potential. A lot of very sophisticated attackers, but not always sophisticated ones, are aiming to get ransomware onto systems. So, keeping an eye on what is happening is a good idea from a defensive standpoint. What I've been hearing from security experts is that the rise of these more lone-wolf operators is a reminder that ransomware is not just about groups. It's mostly about tactics, and so you're going to want to be keeping an eye not on what groups are doing but across all kinds of attacks. How are attackers breaking in? We know about a lot of big trends here - for example, socially engineering help desks, hacking into remote connectivity, either because they've gotten info-stealing malware onto an employee's computer and been able to purchase these credentials or simply because they've brute-forced these credentials. Also using known vulnerabilities in remote connectivity appliances and some other security appliances is a major trend. So, if you keep an eye on this and use it as a self-checklist to make sure that they can't get in the ways that they're trying to get in, this is going to be a big help, regardless of who the ransomware-wielding attacker may or may not be, as well as a reminder that attackers might work with more than one ransomware group. They might choose what to deploy based on who the victim is. So, you never know who's going to hit you, but there are some good clues about how they are going to try, helping you understand when you need to shut down.
Delaney: Excellent. The constant innovation. It's palpable there. Thank you Mathew. Marianne, staying on ransomware, you've written about a ransomware attack on the Florida-based blood center OneBlood, alongside recent attacks on other blood suppliers, all of which highlight the vulnerabilities in medical supply chains. Could you tell us a bit more about this particular case with OneBlood?
McGee: To sort of set the background here, we've seen hundreds of cyberattacks over the last several years on third parties or HIPAA-regulated business associates in the U.S. that provide a variety of services to the healthcare sector. Many of these large incidents involved attacks on companies that provide IT-related services to healthcare providers, and that includes vendors of medical transcription, practice management and even debt collection services. And as was the case with the February ransomware attack on Change Healthcare, that incident disrupted more than 100 different types of IT services that healthcare providers in the U.S. depend upon for claims processing, patient eligibility checks and so on. But, one of the most disturbing developments that we're seeing now in recent months is indeed the attacks on third parties that provide critical supplies to healthcare sector entities, namely, blood and related services. Last week, a ransomware attack against Florida-based blood donation center OneBlood prompted the entity to issue an alert to hundreds of hospitals in the southeastern region of the U.S. to activate their critical shortage protocols for blood supplies. That's because OneBlood was struggling with time-intensive manual processes, including testing and labeling blood during their IT outage, which impacted blood supplies to hospitals. They've rallied around the blood community and have gotten partners to step in to help here. But, earlier this week, OneBlood said that it was starting to regain IT system functionality, yet it was still heavily relying on manual processes for some of its activities. Now, OneBlood's continued recovery from the attack, which was allegedly carried out by Russian-speaking ransomware group RansomHub, unfortunately coincided with Hurricane Debby making landfall on Florida and other southeastern U.S. states on Monday.
Just before the hurricane hit, OneBlood issued a statement urging the public to step up their blood donations, especially platelets, to help offset any hospital blood shortages related to the storm's impact. Now, the OneBlood incident follows at least two similar attacks on blood suppliers in recent months - that includes a June attack on Synnovis, which is a British pathology laboratory services provider. That attack disrupted patient care and testing services at several London-based National Health Service hospitals. And it ultimately affected the United Kingdom's blood supplies. NHS Blood and Transplant has said that thousands of patient appointments needed to be rescheduled or canceled due to that attack. Now, Russian-speaking ransomware group Qilin claimed responsibility for the Synnovis attack. Meanwhile, in April, an attack on Octapharma Plasma, which is the American operations of a Swiss pharmaceutical maker, shut down nearly 200 blood plasma donation centers for several days, and that attack was supposedly launched by the Russian-speaking ransomware gang BlackSuit. Now, healthcare sector authorities are saying that these latest attacks on blood centers are again shining the spotlight on the fragility of medical supply chains. Healthcare entities urgently need to bolster supply chain security practices and resilience in the face of these highly disruptive attacks against critical suppliers. The American Hospital Association and the Health Information Sharing and Analysis Center issued warnings last week telling healthcare entities, "You've got to step it up here in terms of your supply chain attention."
Now, we've heard these sorts of urgent warnings to the healthcare sector from cybersecurity experts and government authorities before about the need for entities to heighten their focus on resiliency, but now it's even clearer that healthcare entities must seriously consider supply chain outages and the availability of critical supplies such as blood in their overall risk management assessment process. The American Hospital Association and Health-ISAC are urging healthcare delivery organizations to consider suppliers and alternate suppliers in advance and incorporate multiple suppliers in their supply chain strategy to create redundancy in case a mission-critical supplier does suffer a devastating cyberattack. And ultimately, healthcare entities need to have their strategy sort of eliminate that single point of failure in terms of their health supply chains to minimize the impact of these sorts of incidents on crucial medical suppliers and the impact that comes with it on patients. So, that's a warning from the AHA and Health-ISAC, but others have been saying similar things now for several months.
Delaney: Yes. It's horrible to see these blood suppliers being targeted like this. Is there any indication that the ransomware attacks on OneBlood, Octapharma and Synnovis are connected or coordinated in any way?
McGee: What they have in common is that Russian-speaking ransomware groups are suspected to be behind each of these - BlackSuit in the Octapharma attack, Qilin in the Synnovis incident and then RansomHub on OneBlood. With that said, authorities are saying that while these attacks don't appear to be coordinated, there is a possibility, moving ahead, and everyone is worried about it, that there might be a coordinated attack that happens to involve several critical suppliers of one particular product, such as blood, or perhaps a combination of critical supplies such as blood and anesthesia or other sorts of medicines that are critical in the care of patients. So, that's a big worry.
Delaney: Thanks Marianne. Tony, a report from TRM Labs shows that Russian ransomware gangs are responsible for 69% of global ransom proceeds, raising concerns about their cyber activities being a form of potential warfare against the West, as Russian media commentators suggest. So Tony, what do we do about Russia?
Morbin: Some years ago, I interviewed Eugene Kaspersky, and among other things, he said that, in his opinion, Russian software engineers and cybersecurity professionals are the best in the world thanks to Russia's university math, engineering and computer science departments turning out great numbers of highly technically literate graduates. Now, they may or may not be the best, but they're certainly capable, but fortunately or unfortunately for them, Russia's dire economic climate means that opportunities for legitimate employment are fairly limited, whereas cyber criminality offers relatively easy, lucrative rewards that can be pursued with what amounts to state support, as long as they attack non-Russians. According to this TRM Labs report, threat actors from across the former Soviet Union states accounted for 69% of all crypto proceeds linked to ransomware last year - which exceeded half a billion dollars. It adds that they consistently drive most types of crypto-enabled cybercrime, from ransomware to illicit crypto exchanges and darknet markets. Now, notwithstanding the recent takedowns that Mat mentioned, it reports that the largest players in the space included LockBit, BlackMatter, Alphv, BlackCat and CL0P, all run by Russian-speaking threat actors. Also, they say that Russian-language darknet markets also account for 95% of all recorded illegal product and service sales globally - three of the largest markets handled 1.4 billion transactions last year. And when it comes to money laundering, Russia-based Garantex on its own accounted for 82% of cryptocurrency handled by sanctioned entities worldwide. And then last week, we saw the U.S. Justice Department indict a Russian national, Roman Pikulev, for his role in founding and operating Cryptonator, an unlicensed cryptocurrency exchange that the U.S. says processed more than $235 million in illicit funds.
Way back in 2014, the then Moscow-based cybersecurity company Group-IB estimated the size of the cybercrime market in Russia alone to be worth $2.3 billion. So, I'm not exactly sure what the figure is now, but it's going to be staggering. When you add that to Russia's reluctance to extradite cybercriminals to other countries, it is hindering international cooperation in combating cybercrime. Along with the involvement in cybercrime by some corrupt officials, it's also in the Russian government's interest to not just turn a blind eye to the criminality but to encourage it and potentially mobilize this pool of hacking talent in pursuit of its own goals. The Russian KGB's successor, the FSB, has been known to offer cybercriminals the choice of working for them or going to jail. On a state level, Russia has been noticeably active on the cyber front, at both the criminal and the state end. And for the state, it is going beyond the cyber surveillance that I guess we can assume all states conduct on potential adversaries, and it's moved into outright cyber offensive action. Among the most notable was the SolarWinds supply chain attack in 2020 targeting U.S. government agencies and private companies. And then in 2017, we saw the NotPetya ransomware attack, attributed to Russians, which caused widespread damage to businesses and governments worldwide. Now, economic sanctions were imposed on Russian entities and individuals after the SolarWinds attack, which, as Mat said, has led to the breakup of some of those bigger groups. Other options include expelling Russian diplomats, issuing indictments against specific criminals and taking down criminal sites, which have been done previously. But, while things like the U.K. cyber defense force and Israel's 8200 also espouse cyber offensive action, and the U.S. and Israel are believed to be behind the Stuxnet attack on an Iranian nuclear reactor, we've not seen much offensive use of cyber against Russia.
So, despite Russian media commentators, as seen on Julia Davis's propaganda monitoring site, saying Russia is now at war with NATO and the West, the truth is we're not in an all-out cyberwar with Russia, even if it sometimes feels like it. So, given the onslaught of attacks by Russia and Russian criminals, I asked a former CIA official earlier this week at a meeting, "Why don't we go beyond takedowns and use offensive cyber more aggressively?" His response was, "The situation is comparable to the cold war policy of mutually assured destruction. Neither side can be 100% sure of either their ability to eliminate the threat of a first-strike attack nor can they be sure of their ability to defend their most critical assets from any response. And partly that's because there's an element of the unknown about what the adversary can potentially do." So, it seems that for all the state can or might do, its main role is likely to be intelligence and advising us on what we should be doing to protect ourselves. Hence, organizations need to follow all the best practice advice in strengthening their own cybersecurity, as the current Russian storm is likely to rage on for some time. On another tangent, at the same time, we need to prepare for the climate change that China represents.
Delaney: Lots of deep stuff there Tony. How do you interpret the Russian media's portrayal of cyber activities as warfare against the West? What do you think is happening there?
Morbin: They are quite aggressive. The Russian government is aggressively expansionist at the moment. They have moved into Ukraine. They are putting across a propaganda narrative that they're going to invade other countries, which I don't think they are. But having said that, the Baltics certainly feel threatened. And all warfare now is hybrid warfare. The Ukrainians, to be fair to the Russians, have also attacked their ATMs. The Russians at the early stages, prior to the current conflict, but since 2014, did take down power in Ukraine, but it's not out-and-out warfare. People are a little bit scared about what the retaliation could be, and so we've seen far less real cyber warfare than we expected. So, for all the financial losses, the damage to critical infrastructure, the seriousness of what's happening, it's not all-out war, and the impact of cyber warfare, if you want to call it that, is still way below that of kinetic attacks.
Schwartz: Yeah. Russia has been hesitant to go past some red lines that cybersecurity officials in the West were warning about with the all-out Ukraine invasion back in February 2022. They were saying, "Look, the banking sector could get hit as a reprisal for allying with Ukraine." That sort of thing, and we didn't see that, which surprised a lot of people. It seems like Russia doesn't want to go there. What we have seen is a lot of noise, a lot of DDoS groups, which may be directly or indirectly funded by the Russian government, threatening to target hospitals and other entities, but maybe not having much of an effect at all, except from an information operations standpoint, all of which bolsters Putin's regime and gives the Russian government a way to say, look how fierce we are.
Morbin: The attacks on Estonia did real damage there, but we've not seen that level of attack again.
Schwartz: No, and forewarned is forearmed as well. To Ukraine's credit, it had good defenses in place.
Morbin: Absolutely.
Delaney: Meanwhile, from what we've been discussing today, we see that the ransomware threat continues to evolve and is not stopping anytime soon. But thank you so much for all these inputs. Let's lighten the mood, then. And finally, just for fun, imagine a world where cybersecurity is perfect. What new challenges do you think would arise in such a scenario?
McGee: It might be difficult for people who need their patient legitimately checked, even with multi-factor authentication, which is not used as much as it should be. In healthcare, you have doctors complaining it takes too long to get information. If you had perfect cybersecurity, you kind of wonder what the complaints would be from the user's perspective.
Delaney: Yeah, interesting perspective there. Tony?
Morbin: If cybersecurity were perfect, I'd take that moment's pause to have a cup of tea, after which new thoughts of attacks would occur. Because, as we keep saying, change is constant. We're in a highly dynamic cat-and-mouse industry, where nothing stands still for long. So, yes, it might be perfect for a moment until the new attacks come.
Delaney: Criminals will always find a way.
Schwartz: Always! And that was the angle I was thinking. Perfect in which way - the technology is functioning? Great. In that case, the bad guys phone up a help desk and they social engineer someone into thinking they're Bob Smith and getting Bob Smith's access, and Bob Smith happens to be the CEO, and nothing's perfect then, is it? So many ways it could go wrong. Sorry Anna, I thought we were trying to end on a light note here.
Delaney: In retrospect, I don't think the question is so light, but for me it's a false sense of security. People will take more risks online, and then there'll be a lack of incentive for improvement and innovation, and why would we be motivated to respond to and adapt to new threats and technologies? And that would be a bad thing.
Schwartz: Danger keeps us strong, huh?
Delaney: Danger keeps us strong.
Morbin: Yeah. Complacency would be the big threat then.
Delaney: Very good. So, the industry is still strong, not going anywhere anytime soon. Thank you everyone. Insightful as always. Brilliant!
Schwartz: Thanks Anna. Always fun to talk ransomware.
Delaney: Yes, and thank you so much for watching. Until next time.