ISMG Editors: Decoding BlackCat Ransomware's Downtime Drama
Also: Fraud Trends; Cryptocurrency Regulatory Developments
Anna Delaney (annamadeline) • December 15, 2023
In the latest weekly update, editors at Information Security Media Group discuss whether police have seized ransomware group Alphv/BlackCat's data leak site, how fraudsters are adapting their tactics and techniques to exploit advancements in technology, and which cryptocurrency stories have shaped the industry this year.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday & Europe; Rashmi Ramesh, assistant editor, global news desk; and Suparna Goswami, associate editor, ISMG Asia - discussed:
- How we should interpret the recent disruption of ransomware group Alphv/BlackCat's online infrastructure by law enforcement and why defenders must employ unconventional methods to thwart future ransomware attacks;
- The most significant fraud developments of 2023 and how fraudsters are adapting their tactics and techniques to exploit advancements in technology;
- The cryptocurrency stories that have shaped 2023 and the regulatory developments we might see on the horizon.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Dec. 1 edition on what the Sam Altman/OpenAI saga taught us and the Dec. 8 edition on ugly health data breach trends of 2023.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney and this is a weekly spot where ISMG editors meet to discuss and debate the top cybercrime fraud and crypto stories and trends. And those distinguished editors are Suparna Goswami, associate editor at ISMG Asia; Rashmi Ramesh, assistant editor, Global News Desk; and Mathew Schwartz, executive editor of DataBreachToday & Europe. Very good to see you.
Delaney: Suparna. What a splendid backdrop. Tell us more.
Suparna Goswami: Yes, this is not a picture taken by me. My friend has gone to Kashmir. So this is how Kashmir looks during the winters and he has sent this pic. So definitely, this is on my to-do list in the next two years, I need to - I have not visited Kashmir till now - so I need to visit this place. So hopefully, soon.
Delaney: Very fitting for December, and the festive spirit over here, at least. And Rashmi?
Rashmi Ramesh: This was also a picture that was taken by a friend, because it's a regular sunset, just behind his house in central India. So hit a bunch of really lovely pictures, but I thought this one was the most fitting for today's episode.
Delaney: Beautiful, beautiful sky. Matt, was your picture taken by a friend?
Mathew Schwartz: So I actually did take this. I was present and accounted for at last week's Black Hat Europe conference, where you were as well, in the heart, or at least on the western edge of the center, of London.
Delaney: Beautiful. So that is actually in the conference hall.
Schwartz: So this is the ExCeL conference center in London Docklands.
Delaney: You make it look so arty.
Schwartz: It's got some beautiful, funky architecture that always catches me by surprise when you walk into this otherwise massive, open, cavernous hall. Anybody who's been to the ExCeL conference center before knows just how massive this thing is. And they are expanding it. So more to come.
Delaney: Well, I'll let you in on a secret. This is also taken by a friend of mine. But it is from this week, I've still stolen it from his Instagram account. So sorry. But anyway, I am sharing the Christmas spirit and decorations in London's Covent Garden right now, and London's lights, I must say, are looking very pretty at the moment, so I might share another next week. So Matt, starting with you this week. Here's a question for you. Have police finally seized the data leak site operated by ransomware group BlackCat?
Schwartz: That's a great question, Anna. And the simple answer is we don't know. But the good news is that at least for a while, the site has been offline. So possibly there's a tussle happening between law enforcement agencies and the group that runs the data leak site. So the group we're talking about here is BlackCat, also known as ALPHV. I don't know if you want to say alpha ALV. Who knows. But we'll call it BlackCat just to keep things easy. And last Thursday, so we should go Thursday, the group's data leak site, and also the group's peer-to-peer instant messaging, encrypted communications account, went offline. This is great news, because it means that the group is going to have difficulty monetizing its attacks. So I'm going to throw in a caveat in a second. But it's important to note that in recent months, while LockBit has been the group most associated with ransomware attacks that we know about, BlackCat has been second, or regularly been second, on the charts when it comes to known victims. There's a lot that we don't know. So there might be groups out there popping victims left, right and center. And maybe the groups don't have a data leak site where they post the nonpaying victims in the way that LockBit, BlackCat and many other groups do. So there's a lot that we don't know. But what we do know is that these groups have amassed lots of victims. BlackCat continues to make headlines because of its rampant self-promotion. Also its tricks - a lot of groups use tricks to big themselves up to attract fresh affiliates, their business partners who take the crypto-locker malware and use it to infect victims. BlackCat recently reported in - air quotes - one of its victims to the Securities and Exchange Commission, because it said the victim wasn't quickly transparent with the reach of the attack. Overlooking, as I'm sure you can expect criminals to do, that, although there are some upcoming SEC regulations, it hadn't actually broken the law.
And anyway, we're getting so far down the rabbit hole, because what right do criminals have to be reporting anybody to anyone. So I mentioned there's a caveat before: we need to be careful about spending too much time or focusing too much on any given group. Cybersecurity officials will regularly remind us that a lot of the so-called groups are more of a loose affiliation. And so, Conti, for example, a Russian-speaking ransomware group, may have gone away, but before it closed down, it split off a lot of other groups. And so many of the same players are running or participating in other operations. Similarly, a lot of these groups won't work with affiliates. And the affiliates come and go, who's giving them the best deal at the moment, who's got the best crypto-locking malware; many of the affiliates apparently will have multiple different strains of ransomware at their fingertips that they can use, given the victim that they happen to have attacked, and they can determine what might play best for any given situation. So we shouldn't glorify and we shouldn't overly focus on any given group. All that said, it would be wonderful if BlackCat does indeed seem to be disrupted, perhaps permanently.
Delaney: You cited Ollie Whitehouse in your article, CTO of Britain's National Cyber Security Centre. He mentioned at Black Hat recently that we need to find better ways to dissuade adversaries in the ransomware sphere. What do you think he meant by that? What sort of creative, unconventional ways was he referring to?
Schwartz: Well, I mean, the Black Hat Europe scene here, he was speaking not far away from this architectural flourish, or whatever we want to call it. Ollie didn't, in his keynote, give any ready answers; I think it was a call to action. And he was detailing a lot of the concerns and a lot of the challenges. And he said what we need to be able to do, and I think how we'll know that we've somewhat arrived, is that we can surprise attackers, we can give them a really bad day in the office. And he was clear about saying, I don't know exactly how we do that. But he said disrupting their infrastructure, I don't know how much of an impact that really has. They're getting much better versed in using, he thinks, infrastructure tools so that if something gets taken down, they can rapidly stand something else up. A lot of these organizations are being run much more as businesses: they have an HR team, they have admin support. They have developers whose job it is to make more resilient architecture so that if it does get disrupted, probably they can study that, and maybe this particular group is offline for six months, maybe they reboot under a different name with a slightly different configuration. And so they've been disrupted in the short term, but the profit potential is still so vast that Ollie said we need to find a better way to disrupt the group, disrupt the individuals. Unfortunately, he didn't have any easy answers. Defense is helping for sure. But this is still an open question.
Delaney: And speaking of infrastructure, news this week that a UK parliamentary committee has warned that the UK Government is at high risk of a catastrophic ransomware attack that could bring the country to a standstill because of poor planning and a lack of investment. I know this is shifting gears slightly. But with everything you know about ransomware and the UK Government, what's your reaction?
Schwartz: I think it's a useful cautionary note. We continue to hear cybersecurity agencies in Britain, and also in the US, talking about the need for basics. Basic, basic, basic. I mean, how long have we been hearing, let's just focus on the basics. But apparently, there are just still so many organizations not using multi-factor or two-factor authentication wherever they can. We have seen officials urging or recommending organizations who can't do it themselves to think more about cloud services. And we've seen with Ukraine, for example, how cloud services have really saved its bacon when it comes to the government and other critical infrastructure sectors. It's Russia versus Microsoft in some domains now. And if you can't do it yourself, that might be a really good move. So they're continuing to beat the drum. It's a little disheartening that they feel that they need to, but hopefully, at some point, more organizations, more businesses will start to listen.
Goswami: It never gets boring - the ransomware space.
Schwartz: No, no, no, it's always - you wake up in the morning, don't you, and you think what's happened?
Delaney: And they will see the access shift and advance next year now that criminals have more tools in their arsenal, always. Well, thank you so much, Matt. That was excellent analysis, as always. Suparna, what's been happening in the fraud world recently? What are the latest trends that you're reporting on?
Goswami: Thank you, Anna. So yes, I have been speaking with experts in the fraud space for the past couple of weeks, trying to wrap up the year and trends and what to expect next year. I've completed all the lists that I have, but of the four or five people I have spoken with, a couple of themes, the common themes: one was check fraud, and one was - they spoke a lot about the faster payments space. Now, in the year 2023, it might sound silly that we're still talking about check fraud. Over the years, there has been some massive growth in this kind of fraud, as any fraud expert will say, and none of them thought that check fraud could cause such huge losses to financial institutions as they have now been speaking about. We have spoken about check fraud in, I think, one of the other episodes of the Editors' Panel as well, I did feature it. And it just amazes me that even this year check fraud has impacted financial institutions so much. And the suspicious activity reports related to check fraud reached, I think, nearly 5000 in 2023, highlighting the widespread nature of the problem. Now, there are a couple of things, or three factors, which I would say have caused this. One is obviously stolen checks. You know, organized criminal groups are increasingly targeting the US mail system. That's one part. The other, the cyber part, is the social media scam: fraudsters are leveraging your social media platforms to lure victims, and evolving tactics, like criminals are constantly adapting, changing their methods, utilizing the dark web or other technologies to create sophisticated, counterfeit checks. And sometimes, the problem is not only about counterfeit checks, but it is also about checks which are legitimate. So this is an area which bankers have not dealt with; the banks are dealing with legitimate checks. And these are being negotiated effortlessly. So this is all closely linked to your identity theft.
Fraudsters are combining ID theft and fake bank accounts to deposit checks and bypass authentication. I asked if in 2024 they think banks will be better prepared, and if we can expect any change in this kind of thought; unfortunately it's likely to remain the same. As the experts said, fraudsters will all continue because the tactic is working exceptionally well for them. And the problem with banks is that these fraud channels - your email, your identity, when the checks are deposited - they all work very independently. There are not a lot of systems they're bringing, there are not vendors that are bringing all these channels together to look at it holistically. And that's the key. But to be fair, banks are - unlike this year and the previous year, banks are trying to improve the control environment when it comes to checks, because check fraud was never really on their radar. But there is no significant improvement as such, there they are. But there's nothing that can be spoken about a lot. But definitely they are bumping up the investment priority list for check fraud detection solutions. And so looking ahead, I think AI - we said that maybe we have spoken so much about AI this year - AI probably will be used to visually spot fraud patterns, because it reduces the number of checks routed for manual review and can help reduce risks associated with synthetic and account opening fraud. So check fraud is something, sorry, artificial intelligence is something that they can leverage. And the other was on the payment space. Everybody is very, very excited because FedNow was launched. And what's irresistible about faster payments is that, you know, you will get money from A to B as quickly as possible. And that's what excites the fraudsters; they're trying to get money to a place where they can control it, they can cash it out as quickly as possible, because it's a matter of time before, you know, they're caught. So they need that speed.
So that's what they get from fast payments. And I asked if there are some important lessons again which banks can incorporate, since there was so much spoken about with FedNow being launched. So they said that networks now, and FedNow is working, the federal banks are working toward that, they need to work on strategies to interact with customers in a way that stops the payment before the payment instruction is accepted. So if I'm a bank or a payment network, I need to know enough about the customer. It's all the things we talked about, like what devices they are using, what time of the day, who is the sender? Who is the receiver? What is the dollar amount? What is the behavior? So all these factors need to come in.
Delaney: And how about policy and regulation, Suparna? What policy or regulatory changes do you foresee being implemented in response to these emerging trends that you mentioned? And how might they impact individuals and businesses?
Goswami: I don't know where they happen to count on for, but what I'm expecting from my interaction with the experts is, because FedNow has started, the reimbursement model will definitely pick up in the US as it is. Definitely, like 2002 in the UK implemented with the reimbursement model, the US will do that. That's my prediction. And that's not my prediction, but yeah, that's what even experts are saying. So, because FedNow launched this year and faster payment adoption is expected to increase, and at present what is happening is the fraud rate on these networks is very low. So, they are not really concentrating much on the fraudsters because FedNow, RTP, I think the per-day transactions, at least on FedNow, are below 100 per day, which is very low. So by 2024, if it is increasing, so will the scams increase, and so will the reimbursement, the call for reimbursement; there were some talks in early 2023, but they died down. But I think because this is faster, the FedNow is by the Federal Reserve Banks. So if it increases, I think the reimbursement model will finally be live in the US. And the other space, I think there will be a lot of talk about and I think something will come around, is in the identity fraud space, where they're depending on KYC alone. So I feel that KYC is at a tipping point, especially in the digital space. Nobody's contesting that KYC is not important, it is of course important, but it is not enough. And we need those digital signals that are outside of information that has been provided to us, like in some cases, an organization may want to take a picture of the driver's license, or passport, your ad spoke about your phone, they may want to type out the kind of product or services that are being provided, you know, so I think it will go beyond just KYC, your digital authentication.
So they will create all these kinds of signals and provide that identity assurance. Like phone is one of the major things; even they're talking about mobile driving licenses, and if they can, that can be used to open bank accounts in the US. But of course that itself, because not every state has a standard way of, you know, having that mobile, the secure way of having more MDM. So I think Georgia is very mature, but the other states probably are not. So they can't really standardize it. But I think it will go beyond just KYC in 2024.
Delaney: Great overview of the trends, Suparna. Thank you very much. Rashmi, let's turn to cryptocurrency. And it's been a very busy year in that sphere as well. What are the most important cases that have shaped the industry this year? Very decent indeed. So there's a lot of talk, there's a lot of agreement that regulation is needed. Are we likely to see anything shift next year, in terms of regulation?
Ramesh: Hands down. It's been Binance and FTX, of course. So Binance's former chief Changpeng Zhao and FTX's former chief Sam Bankman-Fried, who were superstars of the industry. And confirmed felons. So this has had one very clear impact. An industry that has famously been, you know, regulation averse, almost like the Wild West, is now not only contemplating government-imposed rules, but also possibly welcoming them. So I spoke to many experts about this. And they're all of the opinion that crypto is not dead. But it will look very different once regulators and governments have taken steps to control it more. So they say what we need is a tailored and a more comprehensive oversight of crypto, and not a recycling of regulations that exist for traditional finance. But we still, you know, borrow from experience. So crypto faces a lot of issues today that traditional finance has been able to address just by existing for all of these years. For example, having disclosure standards that ensure that crypto companies that custody digital assets don't sweep them up in case of bankruptcy, and also ensure that customers have actual records if their assets are mishandled. And the legislation does not have to be one big inclusive omnibus, right? It needs to start with more discrete measures and evolve as the technology evolves. And of course, there will always be those who claim to want regulation but don't really want it, and our very own SBF is a case in point. He rallied for crypto regulation in public, but derided it as just PR in private. There are some parts of his text messages that were unveiled during his trial that show as much. I'm not allowed to use that language on camera. But if you just go back to the transcript, you can read all about it. And it actually focuses quite a bit on the fact that cryptocurrency does have a crime problem. SBF ran a very poorly governed and very under-compliant family of companies under the guise of compliance.
Now, all of these companies were registered in all the right ways, in all the distinct jurisdictions they operated in, and they seemed to be like a poster child of compliance, right. But we all know how that went on. Anyway, the issue is that the industry grew too quickly. And initially, during its boom, it was run by technology folks who had little interest and very little inclination for regulation. But even if you fast forward to the present day, when a majority of the industry is agreeing that maybe we do need regulation, there's an issue on what compliance even means. There is a massive disconnect between policymakers and the industry on how to even define certain things in blockchain transactions, starting with even defining what cryptocurrency is. Is it a commodity? Is it a security? Is it a collectible? What type of regulation does it come under? And which agency is responsible for regulating it? And even if they figure all of this out, how do you figure out if the service providers are actually complying in a meaningful way? So the crypto regulations in the US right now are primarily being shaped through enforcement. So having clarity on, you know, defining what the parties are, what the assets are, understanding the unique identification challenges in blockchain, and also understanding that it is an iterated approach, is what we need, rather than a fixed regulatory approach. I think that's what will help, and we also have to take into account the decentralized nature of crypto to deal with, because it's not owned or controlled by any government or central bank. So you can't really control the currency, you can only control companies that deal with it, and different countries regulate it in different ways. So, decentralization makes it really, really hard to apply the same rules that you brought to traditional finance, like the travel rule, for example.
So anyway, I hope that's a decent overview of the regulatory mess that we're currently in, in the crypto space. Hopefully, we will see, we will definitely see more regulation. And hopefully, that regulation takes into account all of these issues. As someone who has been in the space for a bit, I personally don't really see much clarity in defining what cryptocurrency is, or the category it falls under and who regulates it. Not at least in the next one year, maybe by the end of the year, because this is an issue we've been dealing with for quite some time now. But one interesting development that an expert mentioned to me is that he thinks the recent cases will put the spotlight on the role of money laundering reporting officers, and Bank Secrecy Act compliance officers. So many organizations, especially in like the fintech and the crypto space, basically have tick-box compliance heads and MLROs and BSA officers who have very little experience or knowledge, which are certainly not sufficient to perform that role effectively. He mentioned that he has seen CEOs or heads of operations acting as MLROs, which is a massive conflict of interest. So he says that this is likely to change in the upcoming year. So here's hoping.
Delaney: Wonderful insights. Thank you very much, Rashmi. It's been a busy year for you. And finally, and just for fun, if you had an AI-powered chef in your kitchen, what type of cuisine would you want it to master? And what signature dish would you name after the AI? Leap in, Suparna.
Goswami: No, I couldn't come up with anything very innovative. I was like, okay, let me have it master what India is known for outside. People swear by chicken tikka, so I was like, maybe I'll name it neural spicy chicken tikka, but I'm not very happy with the name. Maybe I'd have thought of something better. This is what I came up with.
Delaney: Yeah, well, me to work away. Maybe you could ask ChatGPT.
Schwartz: Wow, that sounds so cyberpunk, Suparna. I'm just like, I want to taste that, maybe only once though. So what I would love, I mean, it's already a thing kind of, but you know you have sushi robots. But imagine if you could have sushi robots plus the power of AI. And so I guess you could have like a cyber roll or something, or a cyber AI roll. I don't know what it would have in it, just excellent cutting tolerances; perhaps I need to think about the ingredients there.
Delaney: Sushi on tap. I love it. Rashmi?
Ramesh: I'd have a very world peace sort of ahimsa. So because we currently live in a world where in every corner there's a war, or countries are on the brink of one. So if I had an AI chef, I'd have them combine nostalgic flavors of these regions to make new foods that people in countries in conflict can relate with. So yeah, and I'd probably call it, I don't know, harmony or something.
Delaney: I love that. Lovely. I'm sort of going in the same vein. So when you go on holiday, you have a delicious meal with some wine or cocktails and everything's perfect. Then you come back and you try and recreate that dish. It's never quite the same, because maybe the water is different, the ambiance is certainly different, the smells are not there. Well, my AI chef would not only create my favorite holiday dish, but also conjure the entire sensory experience with it. And I'd call it epicurean maestro, bringing a touch of magic to your tastebuds and senses. Nice. This is all making me feel very hungry. Thank you very much, Suparna, Rashmi, Mathew. Always a pleasure. Great insights.