What, Me Worry? When Ransomware Gangs Issue News Releases

[01:33]
Big Theme of the Day: Ransomware Gangs

Rachael: Joe Uchill is here, Senior Reporter of SC Media. Welcome to the podcast, Joe, we have a fun chat ahead of us today.

Rachael: Where to start, Eric, Joe? So much going on today and I think ransomware is our big theme of the day and, as we know, the latest making the headlines. I know, Joe, you’ve written a few articles here on the Colonial Pipeline and the ransomware and what a mess. How do we try to rein in this horse, if you will? Where do we even start with that?

Rachael: I know you’ve written an article recently on some ways that we could look at regulations, sanctions, things that have been talked about. But are there other things that we could be thinking about too? How do we get to the heart of the purse strings that seem to be really driving this whole need for money? Which, as we know, this ransomware gang actually put a news release out saying, “We’re only in it for the money.”

Rachael: I’m just jumping right in. It’s a jumping-off point.

Joe: I think one of the interesting things with ransomware is the policy options are extremely varied and most of them are discussed in terms of being very detailed, complementary packages that you get five solutions if you get one.

Banning Paying Ransom

Joe: The solutions that get talked about the most, I think, right now, the one that I think captures the public imagination the most appears to be just outright banning paying ransom. There are a lot of problems with doing that. It may very well be a successful approach, but when you talk about something like banning ransom, it adds a level of penalty to the victims that might not want to incur.

#TTP Ep. 133 – In this special #ransomware edition, we talk to SC Media Senior Reporter Joe Uchill about the Colonial Pipeline attack, ransomware gangs making headlines this week, why ransomware attacks continue to escalate and more.

Eric: Right. Joe, when you’re saying banning ransom, you’re actually, the payment of?

Joe: Yes, some people have suggested that if you force companies to not pay ransom, it will dry up the economic system entirely. The downside of doing that, it’s very difficult for companies to imagine not existing. It’s hard to put a company in a position where they are essentially choosing to go out of business, and so a lot of people won’t.

Eric: Or a government organization, state/local government organization. How do you close the City of Baltimore down?

Joe: Exactly. I mean, there are situations where you absolutely want somebody to pay, like a hospital. You don’t want a hospital to close. There are situations where companies will pay and just try to keep it quiet because no company wants to go out of business. You’re adding a level of penalty. It’s a double victimization approach to it. You’re adding another thing that if you pay once, that means that the people can extort you multiple times over the same consequence. Because you’ve now broken a law and every time you continue to break the law.

A Solution That Gets Discussed

Eric: Well, and there’s double extortion, too. They can sell your information, even if you pay them and they unlock. Boom, all of the content they stole, they encrypted and took, potentially took, ends up on the dark web or wherever.

Joe: Yep. There are several other problems with trying to approach this issue that way. A multi-stakeholder group task force run out of the Institute for Security and Technology couldn’t reach a conclusion when they were discussing whether or not this is a solution which they think governments should pursue. When you look at solutions that people are less iffy about, some of them include things like trying to use law enforcement or intelligence or military resources to try to break up the infrastructure used in these networks, in ransomware networks. All of them involve the same kind of command and control infrastructure you see in other malware. If you can interrupt those servers, you cut off some of that control.

Joe: One solution that gets discussed is trying to increase global cooperation between countries that harbor a lot of these ransomware groups and countries that would rather not be being hit by ransomware. That can come through in a number of ways. Sanctions was one you mentioned. People have mentioned potentially sanctioning Russia. You could go other routes. You could say tie military assistance to being more proactive about investigations with cybercrime. But in a lot of cases, foreign countries do not investigate criminals within their border with the same amount of vigor as we would hope if they’re pointing their attacks elsewhere.

Sanctions

Joe: One of the things you saw in the DarkSide ransomware, as well as with a lot of malware that comes out of Russia. It specifically checks to see if the computer networks it’s infecting use the Russian language. That’s because there’s at least believed to be an unspoken agreement between the FSB and cybercriminals. That if they’re not attacking Russia, it’s not going to be their priority.

Joe: The bottom line is that there’s very little way to necessarily affect a criminal who’s in a state that we don’t have good relationships with to extradite those criminals. We sometimes capture them when they’re on vacation, and that is a legitimate thing to have on the table. Whenever there are indictments of Russian nationals or Chinese nationals, that’s essentially what we’re saying we want.

Eric: Should the government that they’re operating under, who isn’t doing anything or isn’t doing enough, should they be held responsible?

Joe: There are not a huge number of ways to do that. I mean, there are sanctions. We can keep sanctioning Russia, but those might have a limited end.

Joe: There’s a maximum number of sanctions we can put on Russia or North Korea.

[09:37]
Ransomware Is Unique

Eric: Right, and Nigeria is not going to sanction Russia. That doesn’t work.

Joe: One thing that you sort of need is a large global coalition who will do whatever you want to do together so you can forestall some of the workarounds that come up through sanctions. A lot of the solutions that you see to ransomware are avoiding the government and the justice consequence, too, in different ways. You see some people talking about, say, modifying how cryptocurrencies are handled. Finding ways to intervene in those payments, finding ways to reverse criminal payments. Essentially bringing a sort of shadow financial system into the normal global financial system.

Joe: You also see more efforts to try to raise the base cost of intrusions. Lower the profitability of using ransomware because in the long run ransomware is sort of unique. It is very cheap to produce. It’s very cheap to run as an attack, and the results are incredibly asymmetrical to the intentions.

Joe: It’s like with the pipeline. Attackers are not necessarily considering that they’re not in it to cut off 45% of the oil to the East Coast, they would actually just like a payday, but inadvertently they’re cutting off oil.

Rachael: Interesting. Exactly, Joe, right? It sounds like it never even occurred to them that, “Oh, hey, we’re targeting this pipeline because we want to get paid, but maybe they would shut off the pipeline to mitigate this threat.” It’s like it never occurred to them, that release they put out. What did they say at the end? “We’ll be more mindful next time.”

Affiliate Ransomware Group

Joe: They’ll be more mindful. They aren’t even the ones that did the intrusion. It’s an affiliate ransomware group. So what they ultimately do is they sort of lease out the rights to use their ransomware at anywhere you intrude.

Joe: It’s like the people who come to your door and sell magazine subscriptions.

Joe: Similarly annoying. They don’t traditionally have oversight over who gets attacked and who doesn’t get attacked. So occasionally you run into situations where ransomware groups will say like, “We’ll try to not do this in the future.” This has happened with hospitals before. There are ways to go too far with this, especially during the pandemic. It’s a risk to global supply chains that is also a petty crime. And that’s a very tough thing to wrap your head around on all levels.

Eric: I have a question for you, Joe. Or Rachael, you might enjoy answering this one. The person who I’m going to say accidentally targeted Colonial Pipeline, I don’t know that they even knew what they were targeting. I’m pretty confident from everything I’ve seen they weren’t going after the OT side of the business and they had no expectation whatsoever that 45% of the petroleum delivery to the East Coast of the United States was going to be shut down.

WannaCry

Eric: What do you think happened to the individual who brought the heat of the United States government, DHS, FBI, declares a state of emergency here? What do you think happened to that poor individual who made the error of, “Hey, I’m just running a script to make a couple of million bucks here from a company?” Boom, the United States is aiming at them. NSA is looking at them. I can’t imagine how you slept that night.

Joe: Well, it may not be the worst mistake somebody has made with ransomware. So far it appears to be WannaCry, and that’s going back a few years. It’s unlikely the way that was set up in terms of they wanted all payments via email, and so they were anticipating being able to handle these things one at a time.

Joe: It did not appear that they thought it was going to get out of control that fast. It was poorly designed. They appeared to be working for the North Korean regime. So if there is one person to worry about the effects of screwing up a ransomware campaign, it might have been WannaCry guy.

Eric: I heard in North Korea they executed a conductor, I guess, last week. I didn’t even read what he did.

Eric: This is out there, though. Like we pissed off the President of the United States and most of their government agencies.

Joe: If you’re working for organized crime in Russia, that might not be your first concern is whether people in the United States are upset with you. We’re large and frightening, but not as much to an individual who is outside of our grasp.

The DarkSide

Eric: No, I’m looking at it a little differently. I’m looking at it more as you just brought attention to everything we’re doing, to everything we’re about. We’re on the world stage right now where we don’t want to be. We just want to quietly operate under the cover of darkness and, boom, you put the spotlights on us. Because you targeted a pipeline by accident.

Joe: It’s true. I mean, it does seem like that would not be, but certainly you don’t want to accelerate the process of creating strategies to terminate the business that you’re in.

Eric: Exactly, or come after me.

Joe: At the same time, DarkSide has been incredibly visible in the past. Like you said, they put out a press release. They talked to the media. They are incredibly comfortable. They’re not the kind of criminals that you expect in the United States who are trying to stay entirely hidden.

Eric: Well, here’s my perspective. We know President Biden was briefed on Saturday morning about this. I suspect DarkSide’s never been briefed to the President before specifically. That’s where it’s like world stage. You kind of came out of the shadows, and I’m not sure you wanted to do that when you’re skimming your millions off the top.

Joe: You certainly don’t want to be in a scenario where the President is going to send Cyber Command on a criminal mission to try to intervene on something. Once you become a national security threat, there’s a different level of aggression.

Eric: Well, and your host nation now has attention on them, which I’m sure is less than favorably looked upon, right?

Joe: You would imagine so. I’m not sure how you tell the difference between the relationship between the US and Russia before something goes wrong and after. That isn’t a relationship they’ve tried particularly hard to maintain and foster.

Eric: No, I get that, but just sometimes for me it’s like we just didn’t need this. It’s almost like when your kids do something stupid and you have to deal with it. It’s like, “Look, you know what, I didn’t need Biden all over me right now and NSA escalating and Cyber Command looking at how are they going to deal with this. Could you have just picked a small town in Florida? Could you have just picked a pizza shop in Oklahoma?”

Medical Institutions Were Attacked by Accident by Ransomware Gangs

Joe: They will go on. I mean, one of the problems with, especially in affiliate service, but with targeting in general, there are a lot of well-documented mistakes in targeting that get made. A lot of times when you see ransomware that attacked, say, medical institutions, and not a lot of times. But there have been recorded instances where medical institutions were attacked by accident. Because they thought they were educational institutions like ones that are attached to universities.

Joe: Having never targeted one of these campaigns myself, I can’t really speak to it. But I get the sense that it’s not the precision science on all levels all the time that you might hope. They’re not necessarily doing a full threat. No one’s anticipating that they’re going to do a full-threat analysis, like fully appreciate what’s going to happen after they deploy something. You do get the sense from reading negotiations that they are very well prepared on a lot of fronts. They know what your policy is so that they can ask for the maximum amount of insurance payout right away. I can’t speak to whether how precise it’s reasonable to expect them to be.

Rachael: What did we see with the whole SolarWinds? It was a kind of spray and pray, kind of, “Let’s cast a wide net, see what we get, and then like start figuring out the whale targets that we got and go after those.” It was kind of like that-ish?

Spray and Pray

Joe: A lot of times with ransomware, you see people purchase access to specific systems that there are multiple phases in that kind of economic system. Where there’s one group of people doing the physical breaching, one group of people buying the access to put in the malware. I don’t know that this was a spray and pray kind of consequence. Especially with an affiliate plan since there’s many different actors who were operating on it. I don’t know what’s normal for the group in general and I don’t know what’s normal for the specific person who was leasing the ransomware from the group.

Joe: I’m not in the position to draft a night evaluation of the quality of the ransomware prospect.

Eric: Correct, the targeting.

Eric: What if it ended in significant loss of life? It was a mistake. Criminal group going after a couple million bucks of money. We almost talk about it like it’s little crime, not that serious. It’s not on the same level as nation state attacks. What if something happened that killed a hundred people in America? How do we think about it differently?

Eric: It was an accident. “Well, we didn’t really target.” They probably didn’t target. It wasn’t their intention, but it’s not money anymore. Now, it’s somebody, a criminal group, state-authorized. The state’s looking the other way, reaching into our country and I don’t know. Something happened in a hospital and all of a sudden the medical systems you know, people died. Do we think about it differently? Is it more serious?

Joe: You would hope that the more severe the result, the more seriously it will be taken on a global level. At the same time, you sort of hope that we will reach some kind of stasis where the enterprise in general is being treated like that. Where it won’t take the bad consequence to look into the prevention.

Joe: I phrase that but in order to successfully reduce ransomware, we’re going to need systems in place that exist and take seriously instances that don’t result in the loss of life or result in a cutoff of petroleum to the East Coast. The bar is going to have to be lower not higher for us to be disturbed in order to successfully address the problem.

Eric: We’re not that disturbed today. We’re kind of okay with it as a society. We’re not doing a whole lot.

[23:21]
We Are Spared by Ransomware Gangs

Joe: I think it may be different for the U.S. than in other countries just solely based on our time zone, of all things. With WannaCry and NotPetya, we were sort of spared because the attacks could be cut off. The attacks started on European time, not on American time. By the time we woke up, a lot of it had been.

Joe: If you had lived through NHS in the UK, having to shut down hospitals. Or if you were in the Ukraine where a substantial number of industries entirely businesses went broke. You’ve seen a much more robust range of damage that ransomware can cause. In the US, we haven’t really had that same scale of damage. And we do a bad job in general converting what the equivalent of the financial damages to companies would be in terms of physical harm.

Joe: One time I went through just the reports for public companies in losses from WannaCry. We’re about the same as like a medium-sized hurricane hitting the US. While you don’t get the same loss of life and you don’t physically see devastation, and I don’t want to minimize either of those things.

Joe: The risk for ransomware to be devastating and shutting down a factory for a week or a port for a day is a substantial financial impact that has a substantial ripple effect to the people who are involved. It’s hard to feel that. It’s hard to see what that did the way that it is with other types of crime.

Substantial Financial Impact

Eric: No, you’re right. I was just trying to look up like with WannaCry, FedEx was impacted pretty severely. We’re talking tens of if not hundreds of millions of dollars as I think. Maersk, same thing, but I like what you said. Well, I don’t like it, but I agree with you. We kind of rode it out like it was a mid-sized hurricane or maybe even a small one, and I don’t recall the government even got involved like FEMA wasn’t activated or anything else. They just dealt with it.

Joe: There were investigations behind the scenes. They tried to name and shame the people involved. Plainly, there were press conferences, but I don’t think it was something that the people inside the U.S. felt the same way that Europe did.

Joe: Well, no one felt like the way that Ukraine did.

Eric: Right. I keep going back to Steve Grobman, CTO of McAfee. He always talked about the probability of cyber, which I think it’s incentive divided by risk. Probability of cyber equals incentive divided by risk, and you’re talking about the incentive, right? They’re skimming millions of dollars off of organizations. They understand what the insurance payout is, so they know exactly what to ask for. Most organizations, from everything I’ve seen, actually pay, and the risk is pretty low. The nation-state that they’re represented from isn’t going to do a whole lot. The US or the free can’t reach into those countries very easily to do a whole lot, so why stop?

A Nonprofitable Crime

Eric: I think that’s the problem. Why stop?

Joe: Yeah. That is the problem, and you see a lot of solutions that they’re trying to interrupt either the payment systems that go into it, trying to introduce financial system-like regulations to cryptocurrencies to make it more difficult to get payments. If you make it impossible to pay or if you disincentivize payment, it makes it a nonprofitable crime, and nonprofitable crimes are not real crimes, or they’re not crimes that exist.

Joe: When you look at the ways that people have tried to approach that with cryptocurrency, it’s that’s by adding in traditional banking regulations. Like know your customer, where exchanges and other places where you would cash out, convert the cryptocurrency back to normal currency. Would have to be able to track the customers that they’re involved with. Some people have suggested that in order to list your cryptocurrency with an exchange that works in the United States, you would need to have some role to either recover funds or freeze accounts.

Eric: Right. Can you do that with crypto? I mean, today, that seems technically difficult.

Joe: Today, no.

Cryptocurrency

Joe: The thing is with cryptocurrency is, part of the appeal is beyond it just being this weird speculative economy that it isn’t very good at being a currency right now. Beyond that, people do value the anonymity and the ability to transfer funds across borders without paying taxes.

Eric: There’s no governing authority really.

Joe: There is by design.

Joe: The government. The governing authority are a bunch of people who own the currency and would have to vote for it to be changed.

Eric: I’m saying till it’s changed, part of the design is that distributed nature.

Joe: Yes, and until they are specifically changed, but the US might have the ability to do is make it harder for exchanges to trade those currencies, and so that would incentivize them to change them. Or, they could make it harder to have an anonymous account with one of the exchanges, so it would be harder to purchase or cash out those.

Eric: Let’s say we discover a way with cryptocurrency. What prevents them from just doing an account in the Cayman Islands?

Eric: Wire some money to this unknown account and we’ll unlock your gear?

The Other Cash-Out Method of Ransomware Gangs

Joe: I think to an extent it’s still more difficult to do. There’s more friction involved in that. People have this image of Swiss banks, but I don’t think that there’s the same level of anonymity within the global banking system there had been in years past.

Joe: Swiss banks are no longer Swiss banks, basically. But the other cash-out methods that criminals have used over the years are things like buying gift cards, and that’s very hard to do in multi-million-dollar denominations.

Eric: I get like a $52 here. I would lose them. It’s a mess.

Joe: Your $250 million Applebee’s gift card.

Eric: Yeah. I think you’d lose it. It’s almost like losing your Bitcoin.

Joe: There are other ways to try to tamp down a little bit on this. One of the things that have been mentioned and have been required is reporting of cryptocurrency payments so that companies can’t do it in secret.

Eric: They’re still doing it.

Joe: They’ll still do it, but it adds a level of infamy to it, or even just requiring the risk analysis to make sure that they are actually saving money by doing the payout.

Joe: Because in some instances you’re not. In many instances, you are, but in some instances you are not. There’s a legitimate business case to be made for paying ransomware in many situations, but by requiring people to look into whether there’s a decryptor key that’s already available or the backups they have, will it be cheaper to restore from that than it will be to go one by one and unlock systems?

[32:13]
Speed and Lack of Friction

Joe: Doing that kind of analysis isn’t currently part of the process. A lot of times with insurance companies, they go for speed and lack of friction over that kind of consideration. Doing that might reduce the amount of times people pay.

Joe: What you need to see is a multi-faceted solution that both attacks the economic system of ransomware and creates. You need to see something that works on a geopolitical level, on an individual level, on a business level, and a financial system level. It’s not a thing that a single solution will fix.

Eric: Go back to the incentive and the risk and you’ve got to lower the incentive and increase the risk essentially.

Joe: Or at least that’s based on the approaches that I’ve heard. One of the things that the RTF report, the IST group is very clear on is that we need complementary solutions. Covering a variety of different phases of the attack working in concert with each other. It’s not a problem that can be... It’s not just that there’s no silver bullet. I am struggling to come up with a good metaphor.

Eric: There are no silver bullets.

Joe: You need both like a gun and a bayonet. I’m really not doing good with the metaphor. It isn’t working well, but the point is that you might need a multi-layered or a multi-faceted approach.

Joe: Even then you will likely see a lot of the people who are involved in these crimes go to other types of crime. In the past, you’ve seen things like when one aspect of crime has reduced, other aspects of crime increased.

What Ties Businesses to a Railroad Track

Joe: You’ll see the same thing here, but hopefully not in a way that ties businesses to a railroad track. Hopefully not in a way that risks closing a company.

Eric: I think about the team at Colonial Pipeline. We just know what’s publicly available. It seems they did the right thing to protect the business once they were compromised. I think about all of the businesses that don’t have the publicity.

Eric: Don’t have the support of the President of the United States, of NSA, of CISA, you name it, the Department of Transportation. Sometimes I think about all of those little businesses. The City of Baltimore, we’ve got to write a check. What do we do, what do you do?

Joe: People tend to believe a common narrative that paying ransom is both risky and a moral failing. Sometimes there are a lot of instances where you can argue the moral failing. There are a lot of instances where it is not risky. It is probably the best business decision a company can make.

Eric: In fact, they talk about the majority of companies pay and the majority of companies get their data back.

Joe: Companies that pay through using a negotiator. Using somebody who knows the player and is able to vet whether this is a company that will vet.

Eric: It’s legitimate.

Joe: Yes, but whether they will give you your data, give you the key back.

Eric: A legit hostage negotiator.

Joe: About 98% of the Baker Hostetler clients use one of those. About 99% of them retrieve their data. It works.

Eric: I’m going to tell you to pay me or you lose everything. You say, “Well, okay.”

The Mechanism of Entry for Ransomware Gangs

Eric: You pay me and you get it back and I go do it to the next person.

Joe: There are considerations that need to you to consider. If you pay, you encourage other payment, you encourage the crime to continue. You still do need to fix your networks so that no one uses the same mechanism of entry.

Rachael: That’s the thing. There was the company that got hit by the same ransomware gang twice. They paid, they got it back, they didn’t fix it. The gang like poked around, “Hey, the door’s still open.” Got them again. They had to pay ransomware twice.

Eric: The door is always open. I can go here, I can go there. You’ll always be able to get in.

Joe: The Ransomware Taskforce, the Institute, The Security and Technology Group. One of the things they propose is coming up with a fund to help restore companies that don’t pay. To provide some financial incentive not to pay and make it easier for companies, take some of the incentive to immediately pay away.

Eric: Take the incentive from the attacker?

Joe: Yes. Or at least it changes the economics of... It changes the demand.

Eric: That almost takes the incentive to protect yourself and lowers that incentive. It’s like insurance. I’ll be okay.

Joe: It might need to be something that would be done in concert with raising regulatory levels. Increasing the regulation bare minimums of cybersecurity. That might be something that needs to be done anyway even without it. It’s a whack-a-mole game.

Promoting the Activity of Ransomware Gangs

Joe: Anytime you increase the interest of either law enforcement or the government in trying to prevent it, you disincentivize people from protecting themselves. Anytime you incentivize people to protect themselves.

Eric: You’re promoting the activity.

Joe: It’s something that most people believe you need multiple layers of to reach.

Eric: It’s a hard problem. Joe, you’ve spoken with people at the policy level. You’ve spoken to people on the attacking side, on the defending side. Are you hearing a lot of organizations really step up their game in protecting themselves? Or are they just like, “Look, it’s whack-a-mole. I’m going to do what I’m going to do and if we get hit, we’ll deal with it when it happens?”

Joe: One of the things with businesses is it’s a wide and terrifying tapestry of stances toward cybersecurity. When you look at some of small businesses, businesses that are very concerned with growth oftentimes neglect cybersecurity. You don’t tend to see a cybersecurity guy in the first five hires of a company. It’s not the first concern that you have.

Joe: There are certainly companies that are better situated to handle an attack than others. Companies that are good at evaluating risks will know that this is a risk. It’s a fairly substantial risk because it’s not just the risk of the ransom that you have to pay.

Joe: It’s a risk of the factory floor may be shutting down. Sending your employees home for the day, bad press, potentially having files leaked. Who knows? Even depending on some instances it might be a cover for a different type of attack. Who knows?

[41:08]
The Key to Retrieve the Files

Joe: Even though virtually everybody received the key to retrieve their files again in that law firm report.

Eric: In the report.

Joe: You don’t want to be counting on someone else’s ability to code a decryptor when it’s your files. You don’t want to be in the situation where you’re hoping someone else is technologically capable of solving the problem they’ve created.

Eric: Well, let’s take it up a level. If I’m Russia, if I’m a China, some of the great disruptors out there who like the US to be disrupted. They can do what they want to do, what a great next example here where if I want to, I don’t know.

Eric: If I want to do something against my population. I don’t want it to be on the front page of the press. I’m going to have the DarkSide boys in my lawn going, “Hit another pipeline next time.” Or, I want to invade the Ukraine? Boom. “Hey, DarkSide, go kick this off on May 12th.”

Joe: That is essentially what happened with Sandworm, with the NotPetya attack.

Eric: NotPetya, exactly.

Joe: It’s massive. It was by some accounts the largest cyber attack in history. It’s disguised, and was put on under the guise of a ransomware attack. It presented as a ransomware attack. That is yet another reason to try to solve the problem.

Joe: If you can eliminate a lot of the actual ransomware, you also make that a less attractive cover. Not that other governments will surrender and go home. But you cut down some of the bushes that you could be hiding in.

Critical Industries

Eric: Power, oil and gas. There’s some critical industries here where the government does end up holding the bag. Maybe Colonial Pipeline did a good job on cybersecurity, maybe they didn’t. You know, I certainly don’t know. But the government ends up to some extent having to deal with the people who don’t have gasoline heating fuel.

Rachael: And all of the hoarding that’s happening.

Eric: There are downstream consequences. It’ll be interesting to see. Did they pay it? Are they going to pay it? What’s the influence they get from the government to pay it or not now that they’re on the national stage, international?

Joe: They have said that they could. Some of the issues, at least according to them. Some of the shutdown was precautionary. They try to prevent a problem on their IT networks from converting to their OT networks. And then going from their business networks to the principal.

Eric: Well, they’re keeping it from spreading.

Joe: They’re keeping it from spreading.

Eric: That makes sense.

Joe: It’s said that if they needed to, if they were willing to be risky, they could open up the pipelines again. They just don’t want to. It’s not a test they want to run on the fly.

Eric: Because their IT/OT networks are connected. Their OT networks are connected to the internet, which is horrible. It happens everywhere, but horrible practice.

Joe: It’s one of those things. If we lived in a world that all wealthy industrialists also worked in information security, it would probably not work that way. But you see things like the pandemic, where if you need to run a work-from-home operation with your industrial equipment.

Eric: Turn it on.

Some Level of Connectivity Amidst Ransomware Gangs

Joe: Yeah, you can’t do that unless you have some level of connectivity. COVID made it almost impossible for most-

Eric: I don’t want to go into a sales pitch, but there are technologies out there. DarkSide, on their website on Monday, I’m going to read it here. They didn’t directly refer to the Colonial Pipeline, but they had a heading about latest news. They noted, “Their goal is to make money, not create problems for a society.”

Eric: Why do you think they didn’t just decrypt the ransomware? They let Colonial Pipeline get back to business safely and securely. Is it because their goal is to make money? And they despite “Sorry about that targeting mistake, but we’ll at least make money off of it?”

Rachael: Well, yeah. They’re here to make money. That first and foremost is kind of like, “Oops, sorry about the shutdown.”

Eric: So, “We’re on the world stage, sorry about that, but we still want our money.”

Rachael: “But if you pay us, we promise we’ll give you your stuff back.”

Joe: Not too altruistic here, but they did say to avoid social consequences in the future.

Rachael: They would be mindful.

Joe: They’re going to do checks on their fellow cybercriminals. That was a great saying. I felt much better going to bed that night. They’re nice cybercriminals, the ones that you can bring home.

Eric: They have a heart. They still want the money, though, to turn things back on for poor old Colonial Pipeline.

Joe: Based on what we can see, that does seem to be the case.

Rachael: At this point, you might as well get paid. If it gets all of this attention, you don’t want to walk away empty-handed.

A New Name

Joe: You would need a new name. I mean, LightSide.

Rachael: Maybe you could start a Twitter campaign for suggestions and let them know.

Eric: Collect money that way. They could probably make some money on that, too.

Rachael: A GoFundMe for renaming DarkSide.

Eric: Where do we go from here, Joe? We’ve got policy issues, we’ve got a lot of options. A lot has to happen, a lot has to come together. Do you see material change after this? Or this is just yet another one of the many ransomware attacks. The many industrial control system attacks that we’ve seen. We’re just going to continue to see more until something bad happens?

Joe: If you watch the government here, if you watch the federal hearings right now, you see a lot of representatives and senators. They’re discussing ransomware attacks on either local businesses or even more often on local governments. It’s clear that the status quo can’t be maintained.

Eric: The number of attacks are going up, so the problem is growing. At some point, we have to do something.

Joe: Right now, it does seem like there’s an appreciation that that is a problem. The other issue right now that they are working on is also supply chains. In the past, there have been some problems with Congress working on two cybersecurity issues at the same time.

Joe: But part of that has always been that their expertise and exposure. We might be at a point right now where it’s reasonable to expect some kind of action at some point on it.

[48:57]
Some Kind of Action From Ransomware Gangs

Eric: When you say some kind of action, are you talking material? Or Cyber Command may do something to make a statement?

Joe: Before all of this, before the pipeline attack. I already heard some rumbling about Cyber Command becoming more involved in these kinds of criminal enterprises. And ransomware enterprises that might be of danger to the national security.

Rachael: Like more offensive strategies type of thing?

Joe: Because that’s military. Well, there are ransomware gangs that have some ties to the Russian government. Plainly, North Korea has had their hand in ransomware before. There’s been talk that they might do more with let’s call them the private sector, but privatized ransomware.

Joe: But at the same time, you get the sense in Congress that they see the economic damage that can be caused. They see the government harm that can be caused. Every one of these instances brings that back.

Joe: From the discussions I’ve seen, there doesn’t seem to be a singular idea that they’re coalescing around. One of the reasons that I keep bringing up The Ransomware Taskforce Report, they have praised that. A number of the people from the report were called into a hearing last week.

Joe: Sorry, one of the effects of COVID is I have no sense of time anymore. They’ve received good press from that. It was a report that was done in conjunction with several government agencies within the United States and abroad. But it seems like there’s an appreciation that this isn’t a theoretical problem right now. That’s almost always the start of something better.

Massive Changes

Joe: In the past, certainly after Equifax. We didn’t see the massive changes that people expected after the Russian attack on the elections. So who knows? There’s reason to be optimistic from a policy standpoint, at least.

Joe: There’s even more reason to be optimistic. Businesses understand that there’s a problem merely they might want to cease standpoint. Hopefully, between the two of them, between all of that, there’s a good solution that comes out of it.

Eric: We certainly need to do something. We’re trending in the wrong direction. Joe, again, your Colonial Pipeline attack up on scmagazine.com on the 10th of May. It really had some thought-provoking ideas in there. Some of the people you interviewed, the way you wrote it, I do appreciate it. I wish there were a better answer here.

Rachael: My favorite quote was, “Would the mafia ever put out a news release?”

Joe: I believe that was Jim Lewis from CISA. But his point is ransomware gangs are very comfortable. They will not be in any real jeopardy while they are still inside Russia.

Eric: It’s not like the FBI can just go after organized crime in New York or New Jersey or any. They’re not in New York or New Jersey.

Joe: It’s not like it was a crime group out of England where we could ask for help. If you look into it, there’s been a surprising amount of people who have been arrested going on holiday, more than you’d think.

Joe: Probably not enough that it would… It doesn’t seem immediately like there’s been obviously. It’s a crime that’s been growing and it doesn’t affect everyone. The arrests have not stopped everything and there needs to be more done, but I don’t want to-

Getting the Tourism Industry Involved in Ransomware Gangs

Rachael: We need to get the tourism industry involved here is what you’re saying.

Joe: Yep, we need to. If you can call the Seychelles, and I believe Mallorca is another place which they’ve had some arrests.

Rachael: Carnival Cruise Lines.

Joe: You get big bargains.

Eric: They should run special programs. Any computer IT personnel, really skilled at malicious whatever, 20% off next month.

Joe: The combination capture the flag airline ticket promotion, and that was all Francis. I think we’ve solved information technology.

Rachael: That’s it right there.

Eric: That’s the answer. I’m worried that the next one has second- or third-order consequences that are a lot worse than what we’re even seeing here. I hope you’re right. I’m not sure it’s quite on target, but you’re close. We definitely need to do something. It’s time for the government to step up and help out.

Rachael: Final question. Optimism for the cyber path ahead?

Joe: Do I have it? Yes. There are so many ways that things have gotten better since I started covering this. It’s hard not to be optimistic. There are a lot of ways that things have gotten worse. When I started covering cybersecurity, if I didn’t show up, no one would notice. That’s not really an option now.

Eric: It’s so critical to our lives. It’s embedded in every facet of our livelihood.

Joe: There was a time when everything we were writing about was like, “This is a thing that could happen soon.” We’ve reached that soon. Everything that we were writing about as an option is now happening.

Things Have Gotten Better

Joe: We’re reaching the point where things that we weren’t considering happening are happening. That might have been 2016 when that started. To me, it’s things have gotten better even as things have gotten worse. But the things that have gotten better are things like awareness. There is a problem and the desire to spend money to fix it. Those are kind of things that seem like a good foundation. Worst case scenario, I’ll still have a job in 15 years.

Eric: Yes, that’s not a great situation, no offense. For all of us to be unemployed and employed in a different industry.

Joe: My very employment is a sign of failure. Here’s to hoping that I’ll be unemployed. Yes. No, it’s a problem that will obviously always be there. But it’s no longer just a problem that you see. It’s not the kind of thing that is just in science fiction movies right now.

Acknowledging the Problem

Eric: They’re only with the experts who are trying to get some acknowledgment that this is a problem. When we’re hitting the gas, when we’re hitting shipping with NotPetya and the like. The banking power in Ukraine, the common person is talking about it. They definitely know. You see it in very common publications even. Yes, big problem.

Rachael: We’ll figure it out.

Joe: I’m hoping we do.

Rachael: I think we just need one more podcast, the 3 of us, and then we’ll have it.

Eric: You think that’s it?

Joe: We’ve got ransomware, so we just need to do what, denial of services and people defacing websites, and we’re done.

Eric: Yes, nation-state attacks, and we’ve got a few others out there. Joe Uchill, thank you so much for spending time with us.

Rachael: To all of our listeners out there, be sure to smash that Subscribe button. You get a fresh episode every week delivered right to your inbox. Until next time, stay safe out there, everybody.

About Our Guest

Joe Uchill - Senior Reporter, SC Media

I’m Joe Uchill. I’m a long-time cybersecurity reporter who has written for places like Axios and Motherboard. I founded Axios’ Codebook cybersecurity newsletter and also wrote cybersecurity newsletters for The Hill and Christian Science Monitor. Newsletters are something of a specialty.

In my spare time, I work on coding projects to bolster journalism. I ran a Washington D.C. area group of hackers, analysts and reporters who collaborated on that until COVID-19 put an end to in-person meetings.

Source: https://www.forcepoint.com/resources/podcasts/when-ransomware-gangs-issue-news-releases-joe-uchill-special-ep-133
