Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this week we're discussing the rise of criminal groups using leaked LockBit ransomware for global cyberattacks, Congress's recent hearing in the U.S. on the cyberattack targeting Change Healthcare, and takeaways from ISMG's Cybersecurity Implications of AI Summit. I'm very pleased to be joined by my colleagues Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Wonderful to see you all!

Tom Field: Great to be seen as always. Thank you.

Mathew Schwartz: Yeah. Thanks.

Marianne McGee: Thanks for having us.

Anna Delaney: Very delighted to see you all, and Marianne, very pretty in pink and spring. So, is this near you?

Marianne McGee: Yeah, actually, it was a tree at a supermarket. I had been going grocery shopping during the week. "Oh, that would be a nice background!" Really, it's a rare thing right now, because, as Tom started recording, a lot of plants haven't bloomed yet around here. I was like, "Oh, this is pretty!"
Anna Delaney: Well, your supermarkets are obviously prettier than ours. Tom, flying in the air? Walking on air?

Tom Field: About that. This is Seattle after our AI summit - that you referenced - and just a beautiful view out the windows of the mountains as we headed down south to Los Angeles.

Anna Delaney: It's incredible! Beautiful. Mat, is that a beer garden?

Mathew Schwartz: Why yes, Anna. How quickly you seem to notice that! Yeah, this is Teuchters Landing, as it's called, in Leith on the north side of Edinburgh, where there's a big port. And, apparently this building, a long time ago, was the terminal for the steamer up to Aberdeen. But now, it's been turned to a different purpose, as you've noted, and has a lovely selection of beers.

Anna Delaney: Very good, great! And this week, I was in the beautiful city of Copenhagen to moderate a roundtable, and I was really taken by the city's charm and lovely people. And this backdrop is of the old commercial port, once bustling with ships and sailors who visited - quite aptly - its pubs and sought other entertainment too, as you can imagine, and it was also once home to the famous author Hans Christian Andersen.
So, it's a very popular spot with tourists to relax and enjoy the scenery. Right. Well -

Tom Field: If we could, we'd refresh those backgrounds. Nice job.

Anna Delaney: Yes. At any opportunity. So, you were in Seattle, as you said, earlier this week hosting ISMG's Cybersecurity Implications of AI Summit. How did it go then? Tell us about it. What did you learn?

Tom Field: Well, I'll have to say that, first of all, you know, this was our first AI Summit anywhere. And starting in the Pacific Northwest was great. We had a - I would say a - maturing crowd, a good crowd, and maturing in terms of they were beyond "Should we be delving into gen AI? Should we have policy? How are we going to govern this?" And they actually had many mature use cases, particularly in using gen AI in the SOC to streamline detection and response, and in application security to prioritize and, again, identify some of the vulnerabilities and act upon those. I was pleased to see people coming to the event with some use cases to discuss. At the event, we had CISOs talking about the practical applications and what they've done to educate their boards and their senior leadership and to give them business opportunities.
We had chief privacy officers, including Ginger Armbruster, the chief privacy officer of the city of Seattle, talking about what they have done to both leverage and protect data. And, when I asked the question about guardrails, Ginger's response was "What guardrail?" which sparked a good discussion among the privacy officers. We had Washington State's AG, Bob Ferguson, there giving us some details on the state's AI Task Force. Clearly, they're well ahead on this in the ways they're trying to anticipate the use of predictive and gen AI. And I was pleased to sit on a panel of cross-industry leaders; they were there from the legal profession, from pharmaceutical manufacturing and from transportation, talking about specific use cases, lessons learned and what can be done across industries. So, just very pleased to see that this was a maturing discussion - not going to say mature, but maturing - and that people were willing to share what they're doing and were open to hearing some best practices from others, so it made for a lively discussion, full house, great event. And I think one of the highlights for me was we had a tabletop exercise with Mandiant and the U.S. Secret Service, and it was based around a deepfake video from a CEO to a CFO asking for a multimillion-dollar transfer over a weekend to fund an acquisition, which of course ended up being fraudulent. And we went through the exercise about how one would go about detecting it, what safeguards one would put in place, how you avoid having this happen in the future. Terrific tabletop exercise; we had scores of people involved in this. And we brought in about a half dozen Secret Service agents to help facilitate that discussion. And people walked away with - some of them want to take the exercise back to their own offices and do the very same thing with their own staff, which is good, but they came away with some very good questions and some discussion about how do we do a better job detecting some of this deepfake activity, because it's growing ever more sophisticated as we speak? And what layers of security can we add so you don't have that CFO alone being able to make that multimillion-dollar transfer because they feel pressured or socially engineered in the moment to do it. So all in all, an excellent one-day event, but it can't stop there. I'll make sure we take it to other regions, other countries and continue this discussion. It's the right topic at the right time.
Anna Delaney: It sounds like a rich agenda there. So was there anything that particularly surprised or even challenged your views on AI and cybersecurity?

Tom Field: No, I wouldn't say anything challenged my views on it. I was just pleasantly surprised to hear about the maturing use cases, because I've spent too much time in sessions where CISOs are talking about how they're still trying to have the conversation with senior management and the board about what should they do? What could they do? What are they doing to limit the impact of shadow AI? So, I'm glad that we've put behind us some of the 2023 discussions and we're having some rich 2024 ones that I think are really going to propel us forward.

Anna Delaney: Brilliant, looking forward to hearing more about these summits that are in the works. Marianne, back to Change Healthcare this week. I mean, you've reported that Congress has held a hearing to address the cyberattack on the company, examining its impact and data security concerns. So, what did you take away from the hearing?

Marianne McGee: Well, as you said, there was a hearing examining the impact on the healthcare sector.
But of course, lawmakers were very curious about what went wrong at Change Healthcare. And a point that was a big bone of contention with the lawmakers was that no one from UnitedHealth Group showed up to testify. Instead, the lawmakers questioned a panel of industry experts. And, during that questioning of the experts - now, none of the experts really had any in-depth insight into what actually went wrong with Change Healthcare's IT systems or products that caused the massive IT disruption, but also, you know, what actually went wrong in terms of the compromise. But there was a lot of, sort of, drilling of the healthcare sector about the impact that this has all had on the healthcare sector. But in the meantime, while this hearing was going on in DC - which I'll get back to - UnitedHealth Group was also in the midst of dealing with the latest problems with this attack. And that included reports that the cybercriminal gang RansomHub had begun posting screenshots on the dark web that supposedly show a sample of the four terabytes of data that was allegedly stolen by an affiliate of another ransomware group, BlackCat, also known as ALPHV. RansomHub this week also listed Change Healthcare's data for sale on its dark web site.
Now, in the midst of all this, UnitedHealth Group also quietly updated its own website about the status of the attack this week. The company has now confirmed that a breach of protected health information and personally identifiable information had occurred in the incident, which triggers federal and state breach reporting and notification obligations. The company said it is working with forensic experts and the U.S. Department of Health and Human Services' Office for Civil Rights to determine the extent of that breach. Up to now, UnitedHealth Group had only publicly stated that data was taken in the attack, but never said whether or not it knew for sure if that included patient PHI or PII. So going back to the congressional hearing, because no one from Change Healthcare was there to testify, the discussion kind of centered around the disruption. And that included the fact that even though Change Healthcare's IT systems have been slowly going back online, it's still causing all sorts of problems for hospitals and health practices that were affected. And that includes many of them still waiting to get paid for claims that they could not submit during the outage.
And now, a lot of these providers are having to spend hours helping patients sort through erroneous bills that they're getting in the mail for care that they received during the outage, but that were not submitted in time to the health insurers. That discussion also veered into the struggles that healthcare sector entities, especially small practices, hospitals and clinics, themselves face in terms of their own cybersecurity. And a lot of that comes down to funding; you know, there was always a need for funding. And so, you know, there were pleas to Congress on ways that the feds could help with grants and, you know, technical assistance, and, you know, so on and so forth. But, you know, overall, there were lots of complaints about how devastating this attack was on the healthcare sector. And, you know, some of the potential solutions are things that we've heard about before; it's a matter of funding.

Anna Delaney: And back to the industry experts at the hearing, did they suggest any immediate kind of actions or even long-term strategies?
Marianne McGee: Well, yeah, you know, again, these people who testified, they included a CIO who's also the chair of the College of Healthcare Information Management Executives, which is a CIO-CISO professional organization; there was John Riggi, who is national cyber director at the American Hospital Association; Greg Garcia, who is an executive of the Health Sector Coordinating Council. There were a lot of heavy hitters there. And again, a lot of it comes down to funding. The healthcare sector is dealing with low reimbursement rates from payers, and some of these reimbursement rates are getting even lower; there's not enough money to go around for all the other things they have to do. And then another thing that came up a few times is the liability of third-party vendors, who are often at the center of these breaches, vulnerabilities that are exploited. The contracts that these hospitals and small doctor practices, in particular, sign shift the liability to those entities; there's a limited amount of liability that the vendors have. And it all shifts back to the healthcare providers that weren't the cause of the breach, but they're getting blamed, and they're going to have to dole out money to respond to it.
So that was an issue that came up too. I'm not sure what Congress might do or can do, but that was something that was kind of pleaded, you know, by these witnesses.

Tom Field: Marianne, a question if I could, please. In the constellation of healthcare breaches - and I know that this story changes by the day, it grows by the day - how big is Change Healthcare among the healthcare breaches we've seen over the past?

Marianne McGee: Ah, well, UnitedHealthcare is the largest healthcare company; that was sort of stated over and over again at this hearing. In terms of this breach, it could be potentially the largest breach, and the reason why I say that - again, the hackers claimed four terabytes of data. I don't know what that means in terms of how many patients, but the problem for UnitedHealthcare is that - at least legally - under HIPAA, if there's any potential that individuals' protected health information was accessed, viewed or disclosed without authorization, that's a breach. Often what happens in these larger attacks, like if there's a database that was breached or there was data exfiltrated, these companies, when they start examining what was affected, they can't definitively say, "Okay, it was only these people; we don't know if the hackers actually saw those people, even though the data wasn't exfiltrated for that group of people." So, therefore, you know, everyone in the database is a potential victim. And because this company is so large, and there are so many systems that had been shut down due to this incident, it's hard to say. The Anthem breach in 2015, when it was reported, was 79 million, pretty much, which is the record holder now, almost 10 years since then. This potentially could exceed that. But we don't know yet. Well, we'll see.

Tom Field: And so as a result, do you think this is going to trigger big changes in the healthcare industry? The fact that we rely on a group so large, that one group.

Marianne McGee: Well, you know, Congress is certainly angry, because they're hearing from their constituents. There was a congressperson who asked questions, prefaced it by saying, "Well, you know, this medical practice in my district says..." And everyone has heard of somebody, if not multiple people, who have been affected in one way or another.
I think Congress feels this burden that they need to do something, but I'm not sure what that's going to be. And we'll have to see.

Anna Delaney: More updates, I'm sure, next week. But thanks so much, Marianne, for that. Mat, you've got a couple of ransomware updates for us this week. So, diverse organizations are being hit, it seems, by LockBit malware following the leak of version 3.0. And at the same time, the percentage of ransomware victims choosing to pay a ransom has dropped to a record low of 28%. So, how are you making sense of all of this?

Mathew Schwartz: There is a lot of news to make sense of, suddenly, here. Yeah, a flurry of activity on the ransomware tracking front. Just to start with LockBit, since you started with that, there's been an interesting thing that's happened since the LockBit ransomware builder code got leaked back in 2022. So, a builder is how you make a piece of ransomware. It's the secret sauce for a lot of organizations. And a lot of criminals or wannabe criminals who wanted to enrich themselves off of ransomware would have looked with envy at the sophistication and speed of what LockBit was offering. But the barrier to entry would have been pretty high. LockBit is a Russian-speaking organization.
They do also work with non-Russian-speaking affiliates, but they thoroughly vet their affiliates before they allow you to use their crypto-locking malware. Some of that is, they only want people who are going to bring in the big bucks. Some of that is also they want to repel any attempts by law enforcement to infiltrate the operation. Thanks to this leaked locker code, though, anybody can pretend to be LockBit, or anybody could just use the LockBit code and call themselves something else. And we've been seeing a bit of both on the rise, actually. So, there have been some LockBit impostors, and not to engage in schadenfreude or anything, but what I love is these fake LockBit groups have been getting LockBit into hot water because they've been attacking Russians. And if there's one thing you don't do, as a Russia-based cybercrime operation, it's target anybody in Russia or the other Commonwealth of Independent States, the CIS - the former Soviet satellite states, including Russia - because that will earn you a very quick trip into jail. So, when these attacks came out, the head of LockBit came out and said, "It's not us. It's our leaked locker. If you don't believe me, just look at the email addresses. We've never used those before."
You know, "Please, Mother Russia, we only hit the unworthy Western scum; don't lock us up by accident." So, yet more drama with ransomware. What's interesting is the code is apparently pretty good. And yet a lot of the people who are using it don't seem to be very sophisticated. There's lots of default settings they could be configuring. But Kaspersky, the cybersecurity firm based in Russia that's been tracking some of these attacks, basically reports that a lot of the LockBit knockoff aficionados, they're pretty basic with what they're doing. So, is it a threat? Yes. Is it as big a threat as we've been seeing with the more sophisticated groups? Perhaps not, although definitely small- and mid-sized organizations in particular are falling victim to this, which is unwelcome news. In terms of more welcome news, though, there's a new report out from Coveware - a ransomware incident response firm that works with a lot of organizations, sometimes one on one, sometimes through insurance firms, helping them to respond, and it doesn't advocate whether people pay or don't pay. My understanding is the firm has a flat fee regardless of how the victim chooses to approach what they do.
The useful thing for those of us not responding to incidents is they share their data about what they're seeing. And as you mentioned, fewer victims than ever before are choosing to pay. That's great news. What's also gone down is the percentage of victims who choose to pay only in exchange for a guarantee from attackers - you can see there's a problem there already - a guarantee from attackers to delete their data. So about a quarter, 23%, of victims in the beginning of this year paid solely for that promise. That's still too many, but thankfully, it's a decline from what we have been seeing. Because if there's one thing you can guarantee, it's that ransomware attackers aren't going to keep their promises. And we see this again and again. LockBit got disrupted not very long ago by law enforcement, and the National Crime Agency here in Britain said that after it penetrated the infrastructure, it recovered data that LockBit had assured victims it had already deleted. We've seen this in some other cases as well. The Hive ransomware group got funds and said, "Okay, we've deleted it," and then it rebooted, and the same victims got sh
aken down again. So, don't be a sucker. Don't pay these ransomware outfits for promises.
If they give you a decryptor, experts say that's one thing that's tangible; you might need that to help restore - hopefully, you won't. And the reason fewer organizations are paying is because they've gotten a lot better at defense and recovery. Coveware said a lot of them don't even need to think about paying a ransom; they can simply wipe the affected systems and restore. And that's music to our ears. Because that just tells ransomware attackers, "Okay, yeah, you've disrupted us, you're absolute scum, but we don't have any need of you. So take a hike." The more that happens, the less lucrative it is; hopefully, people who are dabbling or worse in ransomware will look elsewhere.

Tom Field: May I assume that you have to give us your opinions on this?

Mathew Schwartz: Uh, yeah, I don't know, I like to caveat these things just a little bit.

Anna Delaney: Really interesting insights. Back to the LockBit 3.0 story, are there any technical differences between the original LockBit 3.0 ransomware and its knockoffs? And what makes them so dangerous? And what makes them so effective?

Mathew Schwartz: What makes them so dangerous and effective is it's free.
For one thing, so that's going to attract a lot of

352
00:22:37.390 --> 00:22:40.600
people - that has attracted a lot of people - not just to the

353
00:22:40.630 --> 00:22:45.730
LockBit code, but also to leaked Conti code, leaked Babuk code.

354
00:22:46.000 --> 00:22:50.440
Something else we're seeing is Phobos, which is nominally a

355
00:22:50.440 --> 00:22:54.010
ransomware-as-a-service operation, offers its code to

356
00:22:54.010 --> 00:22:58.210
anybody. So, you don't need to pass any tests to join this

357
00:22:58.210 --> 00:23:03.070
club. All you got to do is pay 100-150 bucks or the crypto

358
00:23:03.250 --> 00:23:06.490
equivalent, and they'll let you use their code. It's not as

359
00:23:06.490 --> 00:23:10.540
sophisticated, but it is maintained and up to date. So,

360
00:23:11.110 --> 00:23:15.040
these give attackers a lot of options. And, we see some

361
00:23:15.070 --> 00:23:18.520
upstarts that people have never heard of before using it. We

362
00:23:18.520 --> 00:23:22.360
also see some more established groups using it, even LockBit,

363
00:23:23.110 --> 00:23:27.400
after version three of its code. When it put out version four,

364
00:23:27.970 --> 00:23:31.720
kind of version four, it was Conti's locker that they had

365
00:23:31.720 --> 00:23:37.810
tweaked. So, all of these kinds of ransomware are very

366
00:23:37.810 --> 00:23:40.810
effective. If they haven't been modified, it's possible that

367
00:23:40.810 --> 00:23:45.760
they can be more easily detected. But, there are bases.

368
00:23:45.790 --> 00:23:48.700
So, if you have a degree of sophistication, you can use them

369
00:23:48.700 --> 00:23:51.940
to make something better, something very effective,

370
00:23:51.970 --> 00:23:52.780
unfortunately.

371
00:23:54.670 --> 00:23:56.560
Anna Delaney: Well, excellent work as always, Mat, thanks so

372
00:23:56.560 --> 00:24:01.360
much.
And finally, and just for fun, we are approximately 100

373
00:24:01.390 --> 00:24:04.810
days away till the Olympic Games. And this week, I'm sure

374
00:24:04.810 --> 00:24:07.990
you saw the Olympic flame was lit in Greece and it's making

375
00:24:07.990 --> 00:24:12.880
its way now to Paris. So, in honor of this, if there were a

376
00:24:12.880 --> 00:24:17.140
Cybersecurity Olympics, what would one of the events be and

377
00:24:17.140 --> 00:24:18.640
who do you think would take home the gold?

378
00:24:18.000 --> 00:24:19.680
Anna Delaney: Great, Tom.

379
00:24:18.630 --> 00:24:21.491
Marianne McGee: Well, I was thinking about a contest or - I

380
00:24:19.000 --> 00:24:37.960
Marianne McGee: Yeah, I'm a fan of the Deepfake-athlon, which is

381
00:24:21.558 --> 00:24:25.751
don't know how you call it - I guess it's a meet of programmers

382
00:24:25.817 --> 00:24:29.944
and who can address previously unidentified vulnerabilities in

383
00:24:30.010 --> 00:24:34.004
software fastest, who can patch them? Since that seems such a

384
00:24:34.070 --> 00:24:38.330
major problem, at least for the healthcare no one wants to patch

385
00:24:38.396 --> 00:24:42.656
those vulnerabilities. Who could do it the fastest? I don't know

386
00:24:39.040 --> 00:24:56.410
10 individual activities with which you can use text, audio

387
00:24:42.723 --> 00:24:45.119
who would win but it's worth trying.

388
00:24:56.410 --> 00:25:02.890
and video to fool executives and employees and users. Who would

389
00:25:02.890 --> 00:25:07.930
win? The Chinese are stealthy. But, the Russians dope.

390
00:25:11.080 --> 00:25:12.880
Anna Delaney: That's great, Mat.

391
00:25:14.050 --> 00:25:17.440
Matthew Schwartz: So, my event might break Olympics rules, might

392
00:25:17.440 --> 00:25:20.560
be a bit transnational.
I'm thinking about something along

393
00:25:20.560 --> 00:25:24.550
the lines of Running Man, that game show where if you don't

394
00:25:24.550 --> 00:25:28.030
succeed, you die. Now, we might need to make it a little more

395
00:25:28.030 --> 00:25:32.410
suitable for primetime. So, I'm thinking maybe Capture,

396
00:25:32.620 --> 00:25:36.160
specifically, we get some law enforcement officials, and we'd

397
00:25:36.160 --> 00:25:41.950
release them in search of some Russian or other cybercriminals,

398
00:25:42.280 --> 00:25:45.190
and see who could bag the bad guy quickest.

399
00:25:47.160 --> 00:25:49.020
Anna Delaney: Very good. I like our different types. Here, I'm

400
00:25:49.020 --> 00:25:53.190
going for Cyber Synchronized Swimming. This is an event where

401
00:25:53.190 --> 00:25:56.700
teams would need to flawlessly coordinate defense and attack

402
00:25:56.700 --> 00:25:59.910
strategies, under time constraints, of course. I'm not

403
00:25:59.910 --> 00:26:02.220
sure about a winner, but I'm sort of thinking it's a close

404
00:26:02.220 --> 00:26:07.140
call between South Korea, Japan, Germany, and maybe the United

405
00:26:07.140 --> 00:26:11.070
States of America. Anyway, I look forward to attending these

406
00:26:11.070 --> 00:26:15.390
events. They sound quite fun. Thanks so much as ever for your

407
00:26:15.420 --> 00:26:18.960
contributions and informative discussions. Loved it!

408
00:26:20.830 --> 00:26:21.190
Tom Field: Thank you.

409
00:26:21.000 --> 00:26:22.500
Matthew Schwartz: Great to be here! Can't wait to hit those

410
00:26:22.500 --> 00:26:23.130
Olympics.

411
00:26:23.000 --> 00:26:26.330
Anna Delaney: Yes, and thanks so much for watching. Until next

412
00:26:26.330 --> 00:26:26.630
time.