Fraud Management & Cybercrime , Ransomware , Video
ISMG Editors: Russian Cybercrime Syndicates Under Siege
Also: U.S. Healthcare Cyber Bill, Insights From ISMG's Canada Summit Anna Delaney (annamadeline) • October 4, 2024In the latest weekly update, ISMG editors discussed recent international law enforcement efforts against Russian cybercrime, the latest U.S. healthcare cybersecurity bill and key takeaways from ISMG's Canada Summit.
See Also: Ransomware Response Essential: Fixing Initial Access Vector
The panelists - Anna Delaney, director of productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and Tom Field, senior vice president of editorial - discussed:
- How international law enforcement agencies are making significant strides against Russian cybercrime, targeting notorious groups - such as Evil Corp and LockBit - and revealing deep ties to Russian intelligence, which has resulted in key arrests and sanctions;
- A proposed U.S. healthcare cybersecurity bill that includes funding for cybersecurity, tighter security controls and executive accountability for breaches;
- Highlights and key takeaways on the current state of cybersecurity from ISMG's Canada Summit.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 20 edition on how to survive a major ransomware attack and the Sept. 27 edition on whether Microsoft can regain trust in its security.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' panel. I'm Anna Delaney. Today, we'll discuss recent international law enforcement efforts against Russian cybercrime, the latest U.S. healthcare cybersecurity bill and key takeaways from ISMG's Canada summit. The excellent team today includes Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Very good to see you all.
Tom Field: Thanks for having us over.
Delaney: Mat, starting with you this week. It seems that international law enforcement is making significant strides against Russian cybercrime targeting notorious groups - you've written about plenty, such as Evil Corp and LockBit, revealing deep ties to Russian intelligence and resulting in key arrests and sanctions. So Mat, what do we need to know?
Mathew Schwartz: I love the name Evil Corp. It's been around for about a decade. Not to give them too much due. Government agencies, critical infrastructure, financial services and healthcare have all been hit by the group, especially with its ransomware. So, let's get to Evil Corp in a moment. They've been around for a long time. They're going to be around for a lot longer. So, we'll come back to them in just a second. But, what was interesting this week was the continuing trolling of LockBit - a formerly notorious and well-regarded ransomware group. So, it's been operating for multiple years now and had a very outspoken leader - LockBitSupp - who closely guarded his identity. Kudos to law enforcement. They've been dismantling all of that. They infiltrated LockBit In February and managed to obtain all of the chat logs between LockBit and its many victims. They found a lot of interesting things, such as even though LockBit would let a victim pay a ransom in return for a promise that stolen data would be deleted, the group hadn't deleted any data at all since at least the end of 2022. I don't know it escapes me. But, this is useful information. You pay for the promise of data deletion. And we've seen this time and time again. Aside from that, what's been cool is law enforcement's been trolling LockBit. With all this information they obtained, they've been reaching out to affiliates, saying, "We know all of your handles now, because LockBit didn't secure it very well. Are you sure you want to keep working with LockBit? We think maybe you should seek other forms of gainful employment." So, lovely reversal, because ransomware groups have been outspoken about saying things like, "Well, we've given security penetration testing to the world, and some people pay us for the privilege," and all this kind of nonsense. They're criminals. They've got no scruples, as Marianne continues to document. Unfortunately, they hit healthcare left, right and center to risk human life. They're horrible people. So, kudos to law enforcement for finding new ways to disrupt these groups. With LockBit, they had a countdown this week saying there's going to be additional information, and there was, and timed with authorities in the U.S., France, Spain and Australia. There's also a raft of new sanctions against LockBit operators. They already sanctioned the lead guy, but they found somebody that they didn't know who had been participating before, which turns out to have been the right-hand man to the head of Evil Corp. I'm going to do no justice to these Russian names, but Aleksandr Ryzhenkov was an affiliate of LockBit, the authorities say. And before that, he was the number two person in Evil Corp, serving as the right-hand man to Yakubets, aka Aqua, the guy who was in charge. So, Aqua was in charge. And now it turns out that when the going got tough for Evil Corp, because they got sanctioned by the U.S. in 2019, both the organization and its leadership. Once they got sanctioned, it meant it was illegal to pay them a ransom. So, Evil Corp had been mixed up with BitPaymer - a kind of ransomware - and then later on WastedLocker, among other strains of ransomware. They reacted to these sanctions, and according to the police, the sanctions have done some real damage. It led one of the key members to have a fallout with the head of Evil Corp, and German police are seeking him currently. But that weakened the group, and then its inability to get ransom payments meant that they had to change things up and try to get paid some other way. So, they tried disguising the ransomware as somebody else's, which didn't work. That's the long and short of that one. And then, they've been trying to develop some other ransomware. I don't know if he was moonlighting or what he was doing, but the number two guy ends up as an affiliate, allegedly, of LockBit. So, they've all now been named and shamed. Law enforcement continues, as I said, to go through all of the details of things they had seized, including LockBit's malware in development. So, you can imagine that whatever they had in store next has already been circulated to security firms. A little FYI from law enforcement saying, "Maybe just block this or the bits that you can see now, in case they try to use this later." So, the long and short here, Anna, is we've had an ongoing law enforcement disruption of a group of criminals, namely Evil Corp, that's continued; more of them have got sanctioned and more of them have got indicted. Along the way, we've seen these ties with LockBit. We can talk for a moment, if you want, about why this group seems to have been so successful for so long inside Russia. But, the good news is they're getting disrupted. They're getting named and shamed. Their tools are getting intercepted, and law enforcement can't shut them down because they're in Russia, but they're doing the next best thing.
Field: And the minute they go on vacation to the Caribbean?
Schwartz: Yeah, outside Russia. And the French police did arrest somebody we don't know in which country, and they won't name the suspect under French law, but there's somebody currently facing extradition to France, who they say is a key member of LockBit; arrested in August, I'll just say.
Delaney: Very good. And Mat, a quick question on affiliates. So, how important are affiliates to the success of ransomware service models? Do you think the increased law enforcement actions will sort of push these groups toward more decentralization?
Schwartz: It looks like LockBit was faking having affiliates. Police said they were faking having victims. It said they were relisting victims left, right and center. So, the affiliate question is an interesting one. It helped fuel LockBit. But, there's also public intelligence now that instead of using affiliates, LockBit had outsourced a lot of its attacks to an entirely different group, which was using the LockBit name. So, the short answer is, it's complicated but none of this does LockBit any favors. If you've been infiltrated by law enforcement, many fewer people are going to want to work with you. So, all of that is a very good thing. The tie-ins with Evil Corp are very interesting. It's not clear if it was one of the members moonlighting or if things might have been more closely aligned. Intelligence released by the National Crime Agency here in Britain says that there were close ties between Evil Corp and the FSB, Russia's security service, namely, the guy in charge's father-in-law was a senior official formerly, apparently on a squad formerly with the KGB that carried out assassinations, to which he's maybe somehow still connected. So, deep state connections here that help explain also why some of these groups haven't been shut down for being maybe politically inexpedient.
Delaney: Great analysis, Mat, and great to hear this is a goal for law enforcement. Marianne, this week, you've covered the proposed U.S. healthcare cybersecurity bill aiming for stricter security and executive accountability. Can you give us some background and the main highlights?
Marianne McGee: Sure. As you said last week, two Democrat U.S. senators introduced the latest congressional Bill aiming to shore up cybersecurity in the healthcare sector. The Health Infrastructure Security and Accountability Act by Senate Finance Committee Chair Ron Wyden, who is a Democrat of Oregon, and Senator Mark Warner, a Democrat of Virginia, is the most sweeping of several other healthcare sector cyber bills that have been introduced in recent months. However, this bill from Wyden and Warner, unlike some of the others that are bipartisan, does not yet have any Republican co-sponsors. So, that might be an issue, but nonetheless, the Widen-Warner Bill appears to be the most comprehensive, and the bill contains some proposals that are already somewhat familiar to the healthcare sector, because the Department of Health and Human Services has been talking about some of these sorts of things that would be incorporated in some regulatory and rule-making proposals that are supposedly in the pipeline. Now, the bill, among other provisions, includes the mandatory requirement for healthcare sector entities to implement minimum and enhanced cybersecurity practices. And while the bill doesn't say what those practices are, it assigns HHS and also the Department of Homeland Security, CISA agency, to figure that out. Again, behind the scenes, HHS has been working on these sorts of proposals. Nonetheless, under the bill, the minimum standards would apply to all covered organizations and business associates, while the enhanced security requirements would pertain to covered entities and business associates that are of systemic importance or are critical to national security, as determined by HHS and CISA. Under the bill, covered entities and business associates would be subject to annual independent cybersecurity audits, and some would also face stress tests to determine if they are capable of restoring services quickly after a cyber incident. The bill also requires HHS to proactively audit data security practices of at least 20 regulated entities each year, focusing on providers of systemic importance, again, those that might have some sort of national security relevance. But, some of the more controversial provisions, as you kind of alluded to Anna, include requiring executives to annually certify compliance with the security requirements, similar to how executives are expected to sign off on financial statements as part of Sarbanes-Oxley. Covered entities and business associates that fail to comply with the auditing, reporting and documentation requirements would be subject to fines of up to $5,000 or a day, but executives who are found guilty of knowingly submitting a report containing false information about their organization's compliance to the requirements would be subject to up to $1 million in a fine or criminal fine and imprisonment of up to 10 years in federal prison. The bill also provides, on the brighter side for the healthcare sector, up to $1.3 billion in funding to help entities adopt these standards. But, HHS is already working on regulations that encompass at least some of what the senators are proposing and that includes possible cybersecurity mandates for hospitals and other healthcare providers. HHS is also working on an update to the HIPAA security rule that is also expected to include new cybersecurity requirements that might all be part of these proposals from HHS. Now, the healthcare sector has been getting a lot of attention from lawmakers and regulators for a while for cybersecurity, but that's definitely been ratcheting up this year in the wake of the Change Healthcare cybersecurity in February that disrupted thousands of healthcare entities in the sector for months. And while the healthcare sector is trying to improve security, either they're being pushed by regulators or threatened by lawmakers. And this is a bipartisan sort of effort overall. The chances of this Widen-Warner Bill or any of the other bills getting much traction this year is sort of kind of iffy because we're in an election year, but we'll see what happens. So, it'll be interesting to see if these threats do much to kind of push the healthcare sector.
Delaney: And are there any early reactions from healthcare industry leaders or executives regarding the penalties for noncompliance in this bill?
McGee: Yeah, the reaction, not surprisingly, is sort of a mixed bag. Many are saying that these potential criminal and civil penalties are another form of blaming the victim for attacks that are committed by cybercriminals. And then others think that these potential penalties might help healthcare CISOs and their teams get needed attention from the board of directors, and some others think that kind of holds the purse strings in terms of cybersecurity investments and resources. So, it's good and bad. Whether this goes anywhere, we'll see, but it's definitely something that's on the radar screens of lawmakers, regulators and healthcare sector entities.
Delaney: Let's see how far it goes. Thank you, Marianne. Tom, you moderated a day of panels and sessions at ISMG's Canada Summit last week in Toronto. So, what were the main themes or takeaways regarding the current state of cybersecurity?
Field: That was a terrific event. I've been calling it the Zero-Day Summit, not because zero day was the topic, but because this was built into our summit schedule, it was completely overlooked, in my opinion, understaffed, and then it just exploded upon us. We had the best attendance and engagement I've seen at any of our events all year. And it was a privilege to be able to be there and be a part of this to say, why was it so successful? I'd say in part, it was the topics. We were talking about privacy legislation - new and emerging in Canada, we were talking certainly about the impact and use cases of generative AI. We talked about software supply chain, ransomware and executive liability. Joe Sullivan's name might have come up in five of the seven sessions that we did. So, the topics were engaging, and part of it was the speakers. We had attorneys Imran Ahmed and Ruth Promislow, who have been a part of our events for many years now, and they brought their latest updates about current and emerging legislation. We had CISOs such as Deniz Hanley and Robert Knoblauch, who made it practical for us and talked about the real-world impacts of threats, legislation and emerging regulations, and we even had Carl Montreuil of the RoyalCanadian Mounted Police from law enforcement. Now, I know that you've worked with law enforcement in London to do some of our solution room events. I've worked with the Secret Service in the FBI in the U.S. This was the first opportunity to work with the RoyalCanadian Mounted Police and see how engaged they are in cybercrimes, particularly ransomware and business email compromise and the rise of deepfakes and extortion schemes. So, the speakers were a big part of the success, and it certainly was the crowd. They showed up early. They stayed throughout the day. They had questions for every session and all the speakers. They lined up after the event or the discussions to be able to meet with the speakers. And they were coming up and asking me questions about the content that we had published, or in some cases, they asked me about some of you (my fellow colleagues), and the work that you've done in places that they've engaged with you. So, they knew us well and had lots to say about the type of work that we've done. For me, the lasting impression of the event was that Canada is feeling woefully behind the U.S. when it comes to critical infrastructure protection and cybersecurity legislation. So, there's a good deal of catch-up there to make sure that they aren't a weak link in any kind of supply chain attacks or issues going forward. There was the reality that AI use cases continue to develop, and I heard some good ones. We had a good AI panel with a CISO from a community, as well as a CISO from a financial institution. We heard some good use cases about how cities are using gen AI to analyze city traffic and allocating street lights and crosswalks according to where the traffic is, which is good. But, it strikes me that the good guys aren't putting gen AI to work as readily or as efficiently as the bad guys, and this continues to be a serious red flag. If organizations don't start to hasten their adoption and experimentation, they're going to find themselves playing serious catch-up. The other big takeaway is our solution room tabletop exercise, where we get everybody engaged in a crime about a deepfake robbery or exfiltration; continues to get people extremely engaged. They love being a part of this. They enjoy the networking. They enjoy diving into the case study and the relationships they forge while they're doing it. We need to find more ways to engage attendees as well as we do here. As we head into 2025, the message to me, and you may agree as well, we need to reinvent the in-person event. People today aren't going to take days off to come into the city for a PowerPoint presentation, for a buffet lunch or for panel discussions. We've got to reinvent the conference experience and use the solution room as a model. How can we get more hands-on and create more meaningful attendee engagement. If we can do that, then this won't be an anomaly. It won't be a zero. They will have successful events such as these in all geographies, and I look forward to that.
Delaney: You are right, and they have to be engaging. We ran the tabletop scenario recently in London at our summit a couple of weeks ago. There was a lot more focus than in recent years on verifying authenticity, in the era of deepfakes, and a lot of interest around that, and how can we improve verification processes to prevent costly mistakes. Also, another big theme is how to improve the speed of communication across teams internally? So, the conversation has matured from we need to talk with law enforcement to how we dive in and improve the processes across teams and internally and externally. So, I'm glad to hear it resonated with the audience in Toronto. But, did you pick up on any new insights in that particular solution room?
Field: No, it's much the same as usual. People come up with their ideas about how they need to change their own internal processes and have more than one person signing off on an expenditure, and what they've got to do to update their own incident response plans, and as you say, break down some of those communication silos. Consistent themes. But, what's fun is seeing people go into those exercises, network with people, essentially make new friends, and that energy carries forward into the subsequent sessions we have, and we have to find a way to recreate that experience and have that extend throughout the day. So, if we're going to call these summits, which are meetings of minds, we make them truly summits.
Delaney: Here's to 2025 bringing more of the same there. Thanks, Tom. That's great. Thank you for your insights, everyone. Brilliant as always.
Schwartz: Thanks for having us.
Delaney: Thank you. Until next time.