Ransomware: What We Know and What We Don't Know
Also: Log4j and Vulnerability Disclosure Policies and New US Privacy Laws
This edition of the ISMG Security Report analyzes the latest ransomware trends from the European Union Agency for Cybersecurity, findings from the first-ever Cyber Safety Review Board on the Log4j incident, and how security and privacy leaders are harmonizing new U.S. privacy laws.
In this report, you'll hear:
- ISMG's Mathew Schwartz discuss why numerous questions remain difficult to answer when it comes to ransomware attacks;
- Grant Schneider of Venable LLP consider the complex issue of governments' vulnerability disclosure policies and the potential implications for national security;
- Healthcare CISO Shefali Mookencherry of Edward-Elmhurst Health outline where she is focusing her efforts as compliance becomes increasingly important with the growing number of U.S. state privacy laws.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the July 22 and July 29 editions, which respectively discuss what happened to Russia's cyber war in Ukraine and how Uber covered up a data breach and avoided charges.
Anna Delaney: Ransomware: What we know and what we don't, and a look at the Cyber Safety Review Board's report on Log4j. These stories and more on this week's ISMG Security Report. Hello, I'm Anna Delaney. Let's talk ransomware. What do we know specifically about how many organizations fall victim to a ransomware outbreak? How many victims pay a ransom? How many victims get stolen data followed by attackers leaking it? And how are attackers gaining initial access to the victims' networks? Joining me is Mathew Schwartz, executive editor at Information Security Media Group. Matt, how many of the ransomware questions I just posed can we definitively answer?
Mathew Schwartz: Anna, the answer is none.
Delaney: And why don't we know these details?
Schwartz: For starters, underreporting remains rampant. Currently, there are a few regulations requiring victims to report such attacks or the details of such attacks. Also, ransomware groups have gotten good at extortion. They have this ability to exert psychological pressure on victims to pay quickly and quietly. For example, if your systems get encrypted by ransomware, when the PCs reboot, there's often a lock screen with a countdown timer, usually set initially to a few days, which warns that the ransom demand will double once the timer has counted down to zero. Other things ransomware gangs do include posting the corporate logo of victims who don't quickly pay onto the criminals' data leak site, and then they'll leak data as well, if they've stolen it, and many do, when a victim doesn't pay. Criminals also love to upsell their victims. They offer the appearance of peace of mind. So, if you're a victim, and you've got backups in place, you can ignore the attackers because all you need to do is hit restore; the criminals are still going to come at you. They're going to say, "If you pay the ransom, we promise to delete all of the data. We still think about what that would mean to your shareholders or your customers, or for the class action lawsuits that you will inevitably face because you've fallen victim." These promises are from criminals; they're worth nothing. It's just a collection of vague assurances meant to part victims from their money.
Delaney: What do we know?
Schwartz: I know it's a downer. Thankfully, we do know some things. And numerous studies continue to give us a patchwork of insights into the ransomware ecosystem. The latest such study comes from the EU Agency for Cybersecurity, ENISA, which analyzed 623 ransomware incidents covering a 14-month period ending in June. These incidents impacted victims in multiple countries, including the United States.
Delaney: And what did ENISA find?
Schwartz: There were seven big takeaways. And to hit some highlights, there were 47 different types of ransomware in that timeframe. There are a lot of players, and a lot of these strains are being offered by groups. A ransomware-as-a-service group will have lots of affiliates, so they could have dozens of affiliates wielding individual strains. Something else ENISA found was that in 94% of incidents, it couldn't tell if a victim had paid a ransom. And it couldn't tell because it was looking at public reports and other sources of information, government details about cases that had been reported to it. For example, a lot of times, there just wasn't that detail about whether a victim paid. But ENISA suspects that in two-thirds of cases, victims did pay, which is highly lucrative if you're a criminal. In terms of the pressure I was talking about, data leakage is common. ENISA found partial or full leakage of all stolen data in about a third of cases. One thing I thought was interesting was that 500 gigabytes was the average amount of data that was stolen in any given attack. So, that's a lot of data. If you're thinking about memos, customer records, databases, there can be a ton of information in there. And that leads to personally identifiable information often being exposed. 60% of the time when data was leaked, it contained PII that can trigger notification rules under GDPR or in U.S. states, which is a further headache for victims. Another challenge is that in 95% of the cases studied, there was no report about how attackers gained initial access. So either they didn't publicize these details, or, what I suspect is, a lot of victims don't know how attackers got in. Finally, ENISA found that organizations of every size and in every sector were falling victim to ransomware attacks.
Delaney: Can those findings be said to be definitive?
Schwartz: I've hit you with all these highlights. And we don't even know if this is accurate, and ENISA is clear about this. This is a study attempting to ascertain actual trends. But in that 14-month timeframe, although they had information and reports on 623 incidents, extrapolating from what they know, they think there were 3,600 successful ransomware attacks, so they were only able to get details for 17% of attacks. So what do we know about the 83% of cases that we don't have these details for? We don't know anything. So, ENISA cautions that this is just the tip of the iceberg of what we're seeing. What's being exposed here might not give us great insights into the whole. What we do know, though, is the damage is significant: dozens of strains. Blockchain intelligence from Chainalysis tracked more than $692 million in ransomware payments in 2020, and the same amount in 2021, and both those figures are going to go up as more intelligence comes to light about the cryptocurrency wallets being used by criminals. So, that's more than half a billion dollars per year in ransom proceeds that we know about. Ransomware remains highly lucrative. Details of the vast majority of attacks never become public, and this is allowing many in the ransomware ecosystem to continue operating from the shadows. So, it's no wonder so many criminals keep trying to get in on this ransomware action.
Delaney: Matt, thanks for filling us in on what we do and don't know.
Schwartz: Anna, always a pleasure. Thank you.
Tom Field: You're listening to the ISMG Security Report on ISMG radio. ISMG, your number one source for information security news.
Delaney: In ISMG's latest episode of Proof of Concept, former federal CISO Grant Schneider, now senior director for cybersecurity services at Venable LLP, applauded the Cyber Safety Review Board's first-ever report, which shares recommendations in response to the Log4j event. In the report, the board applauded Alibaba for following recognized practices for coordinated vulnerability disclosure of Log4j, but is concerned about the Chinese government's vulnerability disclosure rules, which compel researchers to tell the government about vulnerabilities within two days of discovery. The worry is that the PRC government could gain early access to serious exploitable vulnerabilities before they are patched. I asked Schneider if this was a concern of his too.
Grant Schneider: It's a concern of mine that China has that law. It's a concern about how it could be implemented and leveraged maliciously. It's a fair warning because we've seen similar drafts or proposals in the U.S. as well to have early vulnerability reporting to the government. And I would caution the U.S. government and our lawmakers that we can't put something on the books in the U.S. that we have concerns about in China. And it's easy for us to say, "But we're going to use it for good. We want to be able to mitigate critical infrastructure and federal in advance." And I understand that, and I want us to be able to do that. At the same time, if it becomes a precedent, if we have undisclosed, unmitigated vulnerabilities being reported to governments, less friendly governments are going to follow suit. They're going to have the same laws, and they're going to point at us and say, "We're doing the same thing as the U.S." I think it's a warning for us. It's a concern with China, though, having that on the books. And I also applaud Alibaba for appropriately following what I would coin as international norms and what we expect from the cybersecurity industry.
Delaney: And finally, with more states in the U.S. adopting their own privacy legislation, what are some of the areas that security leaders and their privacy teams in the healthcare sector are focused on as compliance becomes an issue? This was a question posed by Tom Field, ISMG's senior vice president of editorial, at our recent Midwest Summit to CISO Shefali Mookencherry of Edward-Elmhurst Health. Here she is sharing how her team is trying to harmonize the disparate U.S. privacy laws.
Shefali Mookencherry: There's a lot of change happening. The HIPAA rule of 1996 is being looked at to be revamped. When that was written originally, it was based off of paper records. Now, we have electronic health records. We have mobile devices where you can access your EHR. We're more of a global nation than we were before. And so, we have to look at how our electronic information will assist us in making sure the privacy continues. So, when we look at GDPR in the European Union, we look at the CCPA in California. Utah has recently adopted their privacy law. So there is a trend to look at GDPR. I look at GDPR as almost like the brother or sister of HIPAA; it's a little bit more complex than HIPAA because it has a stronger privacy engagement for organizations. But I believe that within Edward-Elmhurst Health, we have to work on operationalizing the privacy side, and what I mean by that is when a patient comes in, and they're wanting to get a copy of their medical records, what is our process to give them medical records? So, looking at that, if it's a husband that comes in for a wife and says, "I need to get a copy of my wife's records," what is entailed? Those things will change. How do you obtain a copy of your own medical record? Do you get charged for it? In the old days, they used to get charged 10 cents per page after a certain number of pages. Now you get a CD and maybe you're charged two cents for it. So, times are evolving.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time.