Fraud Management & Cybercrime , Ransomware , Video
ISMG Editors: Global Fallout From Leaked LockBit Ransomware
Also: Congress Weighs in on Change Healthcare Saga; Hot Topics at ISMG’s AI Summit Anna Delaney (annamadeline) • April 19, 2024In the latest weekly update, ISMG editors discussed the rise of criminal groups using leaked LockBit ransomware for global cyberattacks, Congress's recent hearing on the cyberattack targeting Change Healthcare and takeaways from ISMG’s Cybersecurity Implications of AI Summit.
See Also: Live Webinar | Endpoint Security: Defending Today's Workforce Against Cyber Threats
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor; HealthcareInfoSecurity; and Tom Field, senior vice president, editorial - discussed:
- Highlights from ISMG’s first-ever AI event, the Cybersecurity Implications of AI Summit, -which showcased a maturing dialogue among CISOs and other experts on practical generative AI applications, especially in security operations centers and in application security - enhancing detection, response, and vulnerability management;
- How nearly two months after the Change Healthcare cyberattack, the widespread software outage is still disrupting the healthcare sector. While a Congressional subcommittee was seeking more details, parent company UnitedHealth Group skipped the hearing but met with analysts to report $872 million in losses from the mega-hack;
- Recent ransomware trends indicating an uptick in LockBit malware attacks on diverse organizations following the leak of version 3.0, coupled with a significant decrease in the percentage of victims choosing to pay ransoms, now at a record low of 28%.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Apr 5 edition on breaking down OT cybersecurity challenges and the Apr 12 edition on unpacking the Change Healthcare attack.
Transcript
This transcript has been edited and refined for clarity.Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this week we're discussing the rise of criminal groups using leaked LockBit ransomware for global cyberattacks, Congress's recent hearing in the U.S. on the cyberattack, targeting Change Healthcare, and takeaways from ISMG's Cybersecurity Implications of AI Summit. I'm joined by my colleagues, Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Tom, you were in Seattle, earlier this week hosting ISMG's Cybersecurity Implications of AI Summit. How did it go? Tell us about it. What did you learn?
Tom Field: This was our first AI Summit anywhere, and starting in the Pacific Northwest was great. We had a maturing crowd. A good crowd and maturing in terms of they were beyond, "should we be delving into gen AI? Should we have policy? How are we going to govern this?" They had many mature use cases, particularly in using generative AI in the SOC to streamline detection and response, and an application security to prioritize and identify some of the vulnerabilities and act upon those. I was pleased to see people coming to the event with some use cases to discuss. At the event, we had CISOs talking about the practical applications and what they've done to educate their boards and their senior leadership and to give them business opportunities. We had chief privacy officers, including Ginger Armbruster, chief privacy officer of the city of Seattle, talking about what they have done to both leveraging and protect data. When I asked the question about guardrails, Ginger's response was "What guardrail?" Which sparked a good discussion among the privacy officers. We had Washington State's AG, Bob Ferguson, there giving us some details on the state's AI Task Force. They're well ahead of this in ways they're trying to anticipate the use of predictive and generative AI. I was pleased to sit on a panel of cross-industry leaders from legal, pharmaceutical manufacturing and transportation, talking about specific use cases, lessons learned in what can be done across industries. Very pleased to see that this was a maturing discussion - not going to say mature - maturing, and that people were willing to share what they're doing and were open to hearing some best practices from others, so they made for a lively discussion. One of the highlights for me was we had a tabletop exercise by Mandiant and the U.S. Secret Service. It was based around a deepfake video from a CEO to a CFO asking for a multimillion dollar transfer over a weekend to fund an acquisition, which ended up being fraudulent. We went through the exercise about how one would go about detecting what safeguards one would put in place? How you avoid having this happen in the future? Terrific tabletop exercise, we had scores of people involved in this. We brought in about a half dozen Secret Service agents to help facilitate that discussion. Some of them want to take the exercise back to their own offices, and they do the very same thing with their own staff, which is good, but they came away with some very good questions and some discussion about how do we do a better job detecting some of this deepfake activity? Because it's growing ever more sophisticated as we as we speak. What layers of security can we add? You don't have that CFO alone being able to make that multimillion dollar transfer because they feel pressured or socially engineered at the moment to do it. Excellent one-day event, but it can't stop there. I'll make sure we take to other regions, other countries and continue this discussion. It's the right topic at the right time.
Delaney: It was a rich agenda there. Was there anything that particularly surprised or even challenged your views on AI and cybersecurity?
Field: No, I wouldn't say anything challenged my views on it. I was pleasantly surprised to hear about the maturing use cases because I've spent too much time in sessions where CISOs are talking about how they're still trying to have the conversation with the senior management the board about what should they do? What could they do? What are they doing to limit the impact of shadow AI? I'm glad that we put behind us some of the 2023 discussions and we're having some rich 2024 ones that are going to propel us forward.
Delaney: Brilliant, looking forward to hearing more about these summits that are in the works. Marianne, back to Change Healthcare, this week. You've reported that Congress has held a hearing to address the cyberattack on the company examining its impact and data security concerns. What did you take away from the hearing?
Marianne McGee: There was a hearing examining the impact on the healthcare sector. Lawmakers were very curious about what went wrong at Change Healthcare. A point that was a big bone of contention with the lawmakers was that no one from UnitedHealth Group showed up to testify. Instead, the lawmakers questioned a panel of industry experts. During that query of the experts, none of the experts really had any in depth insight into what actually went wrong with Change Healthcare's IT systems or products that caused the massive IT disruption, or what actually went wrong in terms of the compromise. There was a lot of drilling of the healthcare sector about the impact that this is all had on the healthcare sector. While this hearing was going on in DC, the UnitedHealth Group was in the midst of dealing with this latest problems with this attack. That included reports that cybercriminal gang RansomHub had begun posting screenshots on the dark web that supposedly show sample of the four terabytes of data that was allegedly stolen by an affiliate of another ransomware group, Black Cat, also known as ALPHV. RansomHub this week also listed Change Healthcare's data for sale on the dark web. In the midst of all this, UnitedHealth Group also quietly updated its own website about the status of the attack this week. The company has confirmed now that a breach of protected health information and personally liable information had occurred in the incident, which triggers federal and state breach reporting and notification obligations. The company said it is working with forensic experts and the U.S. Department of Health and Human Services Office for Civil Rights to determine the extent of that breach. Up to now UnitedHealth Group only publicly stated that data was taken in the attack, but never said whether or not it knew for sure if that included patient PHI or PII. Going back to the congressional hearing, because no one at Change Healthcare was there to testify the discussion centered around the disruption. That included the fact that even though Change Healthcare's IT systems have been slowly going back online, it's still causing all sorts of problems for hospitals and health practices that were affected. That includes, many of them still waiting to get paid for claims that they could not submit during the outage. A lot of these providers are having to spend hours helping patients sort through erroneous bills that they're getting in the mail form about care that they received during the outage, but that were not submitted in time to the health insurers. That discussion also veered into the struggles that the healthcare sector entities, especially small practicing hospitals and clinics themselves face in terms of their own cybersecurity. A lot of that comes down to funding. There was always a need for funding. There were pleads to Congress on ways that the feds could help with grants, and technical assistance, and so on. There were lots of complaints about how devastating this attack was on the healthcare sector. Some of the potential solutions are things that we've heard about before it's a matter of funding.
Delaney: Back to the industry experts at the hearing, did they suggest any immediate actions or even long term strategies?
McGee: The people who testified included a CIO, who's also the chair of the College of Healthcare Information Management executives, which is a CIO-CISO professional organization; John Riggi, who is National Cyber director at the American Hospital Association; Greg Garcia, who is executive of the Health Sector Coordinating Council. There were a lot of heavy hitters there. A lot of it comes down to funding. The healthcare sector is dealing with low reimbursement rates from payers, and some of these reimbursement rates are getting even lower, there's not enough money to go around for all the other things they have to do. Another thing that came up a few times is the liability of third-party vendors, who are often at the center of these breaches, vulnerabilities that are exploited. The contracts that these hospitals and small doctor practices sign shift the liability to that those entities. Vendors have a limited amount of liability. It all shifts back to healthcare providers, and they weren't the cause of the breach, but they're getting blamed, and they're going to have to dole out money to respond to it. That was an issue that came up too. I'm not sure what Congress might do or can do, but that was something that was pleaded by these witnesses.
Field: Marianne, in the constellation of healthcare breaches, and I know that this story changes by the day, it grows by the day, how big is Change Healthcare among the healthcare breaches we've seen over the past?
McGee: Ah, well, United Healthcare is the largest healthcare company in terms of this breach, it could be potentially the largest breach and the reason why I say that- again, the hackers claimed four terabytes of data. I don't know what that means in terms of how many patients but the problem for United Healthcare is that - at least legally - under HIPAA if there's any potential individuals' protected health information was accessed, viewed, or disclosed without authorization, that's a breach. Often what happens in these larger attacks, like if there's a database that was breached or there was data exfiltrated, these companies when they started examining what was affected, they can't definitively say, "Okay, it was only these people, we don't know if the hackers actually saw those people, even though the data wasn't exfiltrated for that group of people." Therefore, everyone in the database is a potential victim. Because this company is so large, and there's so many systems that had been shut down due to this incident. The Anthem breach, in 2015, when it was reported, was 79 million, which is a record holder now, since then almost 10 years. This potentially couldn't exceed that. However, we don't know yet. As a result, do you think this is going to trigger big changes in the healthcare industry? The fact that we rely on a group so large. Congress is certain, they're angry, because they're hearing from their constituents. There was a congress person who asked questions, prefaced it by saying, "Well, you know, this medical practice in my district says..." And everyone has heard of somebody, if not multiple people who have been affected in one way or another. I think Congress feels this burden that they need to do something, but I'm not sure what that's going to be.
Delaney: More updates, I'm sure, next week. Mat, you've got a couple of ransomware updates for us this week. Diverse organizations are being hit by LockBit malware following the leak of version 3.0. At the same time, the percentage of ransomware victims choosing to pay a ransom has dropped to a record low of 28%. How are you making sense of all of this?
Mathew Schwartz: There is a lot of news to make sense of. A flurry of activity on the ransomware tracking front, just to start with LockBit, since you started with that, there's been an interesting thing that's happened since the LockBit ransomware builder code got leaked back in 2022. A builder is how you make a piece of ransomware, it's the secret sauce for a lot of organizations. A lot of criminals or wannabe criminals who wanted to enrich themselves off of ransomware would have looked with envy at the sophistication and speed of what LockBit was offering. However, the barrier to entry would have been pretty high. LockBit is a Russian-speaking organization. They do also work with non-Russian speaking affiliates, but they thoroughly vet their affiliates before they allow you to use their crypto blocking malware. Some of that is they only want people who are going to bring in the big bucks. Some of that is also they want to repel any attempts by law enforcement to infiltrate the operation. Thanks to this leaked locker code, anybody can pretend to be LockBit, or anybody could just use the LockBit code and call themselves something else. We've been seeing a bit of both on the rise actually. There have been some LockBit imposters - and not to engage in schadenfreude or anything - but what I love is these fake LockBit groups have been getting LockbBit into hot water because they've been attacking Russians. If there's one thing you don't do, as a Russian-based cybercrime operation, it's target anybody in Russia or the other Commonwealth of Independent States, the CIS - the former Soviet satellite states - including Russia, because that will earn you a very quick trip into jail. When these attacks came out, the head of LockBit came out and said, "It's not us. It's our leak locker. If you don't believe me, just look at the email addresses. We've never used those before." You know, "Please Mother Russia, we only hit the unworthy Western scum don't lock us up by accident." Yet more drama with ransomware. What's interesting is the code is apparently pretty good, yet a lot of the people who are using it don't seem to be very sophisticated. There's lots of default settings they could be configuring. However, Kaspersky cybersecurity firm based in Russia that's been tracking some of these attacks, basically reports that a lot of the LockBit knock off aficionados, they're pretty basic with what they're doing. Is it a threat? Yes. Is it as big a threat as we've been seeing with the more sophisticated groups? Perhaps not. Although small- and mid-sized organizations are falling victim to this, which is unwelcome news. In terms of more welcome news, there's a new report out from Coveware - a ransomware incident response firm that works with a lot of organizations, sometimes one on one, sometimes through insurance firms, helping them to respond, and it doesn't advocate whether people pay or don't pay. My understanding is the firm has a flat fee regardless of how the victim chooses to approach what they do. The useful thing for those of us not responding to incidents is they share their data about what they're seeing. As you mentioned, fewer victims than ever before are choosing to pay. That's great news. What's also gone down is the percentage of victims who choose to pay only in exchange for a guarantee from attackers - you can see there's a problem there already - a guarantee from attackers to delete their data. About a quarter, 23%, in the beginning of this year of victims paid solely for that promise. That's still too many, but it's a decline from what we have been seeing. Because if there's one thing you can guarantee is that ransomware attackers aren't going to keep their promises. We see this again and again. LockBit got disrupted not very long ago by law enforcement, and the National Crime Agency in Britain said that after it penetrated the infrastructure, it recovered data that LockBit had assured victims it had already deleted. We've seen this in some other cases as well. The Hive ransomware group got funds and said, "Okay, we've deleted it," and then it rebooted, and they're the same victims got shaken down again. Don't pay these ransomware outfits for promises. If they give you a decrypter, experts say that's one thing that's tangible, you might need that to help restore, hopefully, you won't. The reason fewer organizations are paying is because they've gotten a lot better at defense and recovery. Coveware said, a lot of them don't even need to think about paying a ransom, they can simply wipe the affected systems and restore. That's music to our ears, because that tells ransomware attackers, "You've disrupted us, but we don't have any need of you. So, take a hike." The more that happens, the less lucrative it is, hopefully, people who are dabbling or worse in ransomware will look elsewhere.
Field: May I assume that you have to give us your opinions on this.
Schwartz: Uh, yeah, I don't know, I like to talk caveat these things just a little bit.
Delaney: Really interesting insights. Back to the LockBit 3.0 story, are there any technical differences between the original LockBit 3.0 ransomware and its knock offs? And what makes them so dangerous? And what makes them so effective?
Schwartz: What makes them so dangerous and effective is it's free. That's going to attract a lot of people - that has attracted a lot of people - not just to the LockBit code, but also to leaked Conti code, leaked Babuk code. Something else we're seeing is Phobos, which is normally a ransomware-as-a-service operation, offers its code to anybody. You don't need to pass any tests to join this club. All you got to do is pay 100-150 bucks or the crypto equivalent, and they'll let you use their code. It's not as sophisticated, but it is maintained and up to date. These give attackers a lot of options. We see some upstarts that people have never heard of before using it. We also see some more established groups using it, even LockBit, after version three of its code, when it put out version four, it was Counti's locker that they had tweaked. All of these kinds of ransomware are very effective. If they haven't been modified, it's possible that they can be more easily detected, but there are bases. So, if you have a degree of sophistication, you can use them to make something better, something very effective, unfortunately.
Delaney: Mat, thanks so much. Finally, and just for fun, we are approximately 100 days away till the Olympic Games. This week, I'm sure you saw the Olympic flame was lit in Greece and it's making its way now to Paris. In honor of this, if there were a Cybersecurity Olympics, what would one of the events be and who do you think would take home the gold?
McGee: Well, I was thinking about a contest or a meet of programmers and who can address a previous unidentified vulnerabilities in software fastest who can patch them? Since that seems such a major problem, at least for the healthcare no one wants to patch those vulnerabilities. Who could do it the fastest? I don't know who would win but it's worth trying.
Field: I'm a fan of the Deepfake-athlon, which is 10 individual activities with which you can use text, audio and video to fool executives and employees and users. Who would win? The Chinese are stealthy, but the Russians dope.
Schwartz: My event might break Olympics rules and might be a bit transnational. I'm thinking about something along the lines of Running Man, that game show where if you don't succeed, you die. We might need to make it a little more suitable for primetime, so I'm thinking Capture, specifically, we get some law enforcement officials, and we'd release them in search of some Russian or other cybercriminals, and see who could bag the bad guy quickest.
Delaney: I'm going for Cyber Synchronized Swimming. This is an event where teams would need to flawlessly coordinate defense and attack strategies, under time constraints. I'm not sure about a winner, but I'm thinking it's a close call between South Korea, Japan, Germany, and maybe the United States of America. I look forward to attending these events. They sound quite fun. Thanks so much as ever for your contributions and informative discussions.