Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, June 16th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes guest commentator Jim Love of IT World Canada will be here to talk about some recent news. But first a look at some of the headlines from the past seven days:
A leading Australian law firm confirmed it was hit in April by the BlackCat/AlphV ransomware gang. The confirmation came after the gang started leaking stolen data because the law firm refused to pay a ransom. Jim and I will discuss the situation.
We’ll also look at a crimeware gang called Asylum Ambuscade that targets individuals, cryptocurrency traders, and small and medium businesses. We’ll have thoughts on news that a hacker has been scraping and giving away API keys from source code they get their hands on. And we’ll also examine a report by academic researchers that hackers might be able to steal encryption keys by taking a video recording of the flickering LEDs of smart cards.
Also in the news, Shell confirmed it is one of the companies hit by the compromise of the MOVEit file transfer tool. This came after the Clop ransomware gang, which found the vulnerability, listed over 10 organizations around the world as being victims. They include three financial services firms in the U.S. The TechCrunch news site says a Canadian company was briefly on the list.
On Monday’s podcast I told you about a vulnerability found in Barracuda Networks’ Email Security Gateway that has to be addressed. It’s been exploited by a threat group since last October. Well, on Thursday researchers at Mandiant said they have evidence that threat group may be linked to China.
Microsoft has put a code name to a Russian-based threat actor it previously tracked with a number. The group now called Cadet Blizzard is associated with Russia’s military intelligence agency known as the GRU. Cadet Blizzard created and deployed the WhisperGate malware against Ukrainian government departments when the war started. This group focuses on destructive attacks, espionage and stealing information.
Finally, more Canadians are worried about privacy and have less trust in how organizations handle their personal information than ever. That’s according to results of a poll released this week by Canada’s federal privacy commissioner. The survey, done late last year, shows 93 per cent of respondents expressing some level of concern about their privacy. Forty per cent of respondents said they are more worried about their privacy and the protection of their personal information since the start of the pandemic. Six in 10 respondents feel the federal government respects their privacy, while only four in 10 believe businesses respect their privacy.
(The following is an edited transcript of one of the topics in today’s news discussion. To hear the full conversation, play the podcast.)
Howard: The ‘r’ word — ransomware — is still constantly in the news. I was drawn to news that an Australian law firm admitted it had been hit in April. We only found out because the BlackCat/AlphV ransomware gang took credit and started publishing stolen data because the law firm refused to pay a ransom. This brings up — again — the old debate on whether an organization should pay to protect its corporate or customer data, or risk reputational harm. Where do you stand on this?
Jim Love: You can look at it from purely the rational and logical place, and that’s difficult. There are tons of surveys, and all of them have different results. I saw a Forbes piece that said 92 per cent of companies don’t get their data back [after paying] and another one from Kaspersky that says 17 per cent, so the numbers are all over the place. Should you pay? No. If nobody paid ransoms, ransomware would die. There’d be some reputational damage, some companies would get hurt. But ransomware only exists because it’s profitable. That’s fact number one. Fact two, and it doesn’t matter where the number is going to: a lot of people don’t get their data back. You’re feeding an industry. You’re not guaranteed you’re going to get your data back. And why would you? You’re dealing with crooks. Maybe people get their data back but a lot of it may not be restorable. There’s no guarantee they didn’t mess up your data when they encrypted it — these are not encryption geniuses here. They want to do it fast. They don’t care about the quality. There’s a good chance if you get your data back you might not be able to restore it.
The last piece — and I’m seeing this over and again — a growing number of findings say that companies get hit again a second and a third time. Why? The attackers know you’ll pay.
But maybe you don’t have a choice not to pay. You’ve got to have some sympathy for people like this. Maybe they don’t have a recoverable backup, or they can restore but they’re worried that the crooks will expose [the stolen] data and hurt their business. So assuming you’ve called an expert first [if you’ve been hit by ransomware] — and I think you should — check to see if there are publicly available keys to unlock your data. There are places like No More Ransom and others where you can check [for free decryption keys].
Still, desperate people are going to do desperate things, and if you think you’re going to lose your business how do you fault people for saying they’re going to pay the ransom? I don’t think they should, but I understand why they would. It points out one thing: Businesses, regardless of their size, shouldn’t make those decisions when they get hit. You have a conversation about this now and decide what you’re prepared to do before an incident. You don’t want to be desperate. Even if you’re small, a lack of technical knowledge or budget shouldn’t stop you from doing this. Because you can have a recovery plan. You can plan in advance, and then at least if you have to make that decision you’ve thought about it in advance.
Howard: The other thing is you’ve got to have a rigorous cybersecurity plan/strategy that will help reduce the odds that you’re going to be hit by ransomware.
Jim: Absolutely. But these guys are good. I keep seeing numbers saying how many people get hit. I think everybody’s going to get hit at one point.
Howard: That’s true. But that doesn’t mean that an attacker has to get all of your data, or that the hacker will destroy your company. And in my opinion, there’s no excuse for a company where 50, 60, 70 per cent of their data is gone. There are defenses that you can put up to prevent that.
Jim: Exactly. You can minimize their damage and you can make it harder for them to get you. That’s what I mean by having a recovery plan in advance and a plan to at least limit the damage. You don’t need a rocket scientist or a security person to do the basic things — segment your data, have basic protection in place, enable two-factor authentication. Everything you do makes it harder [for the attacker] and I think that’s what everybody agrees on. Limit the amount of damage you get. You may lose some data, but you just really want to be very, very careful about [protecting] the stuff that could really embarrass you.
Howard: Last year the U.S. made it mandatory for organizations with more than 50 people, plus state and local governments and nonprofits, to privately report ransomware payments to the Cybersecurity and Infrastructure Security Agency. They have to report that they made a payment. That way at least the U.S. government knows how big the problem is. Is that a good idea?
Jim: Yes, full stop. It’s a good thing to do. But I saw a stat the other day that almost half of the companies in Canada don’t or won’t report, even though they know they should. If governments want this to happen it would be an absolutely great thing to have valuable information for law enforcement. But they’re not going to get it if they keep blaming the victim [companies]. You should be able to go to the government for help — especially small companies — without penalty.
Howard: Still on ransomware, this week seven cybersecurity agencies in Canada, the U.S., the U.K., Australia, New Zealand, France and Germany put out a report to help security pros understand the LockBit ransomware gang. This report estimates that LockBit has pulled in $91 million since 2020 from U.S. victims alone. Are we facing a ransomware crisis?
Jim: I don’t think it’s a crisis; I’d call it an industry. LockBit are the competitive geniuses of this. I’ve seen stats somewhere that something like 1 in 5 attacks are attributed to LockBit. Factor in that this [ransomware] is profitable and there are going to be people coming into it. LockBit are the marketing geniuses of this. But is it growing at a rate that makes it more or less of a crisis than last year? I’m not sure. The stats move up and down. But it’s a healthy and profitable industry — and it’s going to be here with us for years to come.