Below: Israel blocked Ukraine's efforts to buy NSO Group spyware over concerns about upsetting the Kremlin, and a British teen may be the mastermind behind the Lapsus$ hacking group.
What’s the damage from ransomware attacks? Hard to say.
U.S. officials are still almost entirely in the dark about the impact and pace of ransomware attacks.
They don't know how many attacks are happening, how costly they are or how much disruption they're causing to the nation as a whole, largely because the rules for when companies must disclose such hacks are limited and inconsistent.
That’s the big takeaway from three new reports this week on the cyberattacks that have become a scourge on U.S. businesses and other institutions in recent years.
Ransomware attacks became a top concern in Washington last year when they locked up computers at Colonial Pipeline, the meat processor JBS and other firms in critical industry sectors. They’ve fallen from the spotlight somewhat since Russia’s invasion of Ukraine, but the pace of attacks has not slowed.
And their impact could skyrocket if the Kremlin opts to retaliate against U.S. sanctions by unleashing Russia-based ransomware gangs on U.S. businesses — something U.S. officials are highly anxious about.
Help's coming but not soon. A recently passed law is likely to dramatically increase government insights into ransomware, but it won't take effect for nearly two years because CISA must first write the rules that implement it. Once those rules are in place, the law requires companies in critical industry sectors to alert the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours if they pay a ransom to hackers and within 72 hours of a broader range of significant hacks.
The first report is the FBI’s own annual assessment from its Internet Crime Complaint Center.
It counts 3,729 ransomware complaints with total reported losses of $49.2 million last year.
Does that seem strikingly low? It should. The report covers only the ransomware attacks that victims proactively reported to the FBI center, and that is likely a tiny fraction of the total; the rest simply go unreported.
Based on the report’s limited window into the problem, ransomware is not even among the top six most costly Internet-enabled crimes hitting U.S. victims — behind scams in which hackers romance their victims, lure them into phony investments and con them into fraudulent real estate deals.
To be fair, that’s likely not the total figure of ransomware losses that the FBI is aware of through investigations and other means. But the findings are, of course, far out of step with what’s observed by researchers who track cybercrime closely.
Here’s Emsisoft Threat Analyst Brett Callow:
…. this simply confirms that reporting levels are extremely low. We estimate that US orgs paid more than $920 million ransom demands in 2021, with downtime, legal expenses, etc. further increasing the costs. 2/2 https://t.co/awVfHUvkhL
— Brett Callow (@BrettCallow) March 23, 2022
Mandiant Threat Intelligence Chief John Hultquist:
Emsisoft estimated the cost of U.S. ransomware attacks last year at a minimum of $920 million and probably closer to $3.7 billion.
The lower figure is based on submissions to the ID Ransomware service, which helps victims identify the strain of ransomware they've been hit with; knowing the strain can sometimes point to a free decryption tool that unlocks their computers without paying a ransom. The higher figure simply multiplies the lower one by four, on the assumption that only about one-fourth of victims ever visit the ID Ransomware site. Both numbers are estimates, not counts, and the multiplier is the weakest link in the method.
The second report comes from Sen. Rob Portman (Ohio), top Republican on the Senate Homeland Security Committee.
The report, released this morning, takes a deep dive into the experiences of three companies hit by the ransomware gang REvil. That's the group behind what is likely the costliest ransomware attack in history, the July 2021 attack on the IT management firm Kaseya that spread through Kaseya's software to its clients.
One running theme is that the companies weren't pleased with the assistance offered by the federal government. In all three cases the FBI was their main government contact, and none of the companies was in contact with CISA at the time.
- One Fortune 500 company “found the FBI to be unhelpful throughout the process” and said the bureau “prioritized investigating those responsible for the attack” over aiding the company’s recovery.
- The company “recommended the federal government better coordinate its approach to responding and defending against such sophisticated and well-funded adversaries,” the report states.
- Portman’s staff declined to identify any of the victim companies by name because of concerns about making them targets for additional hacking. The staff asked the FBI to weigh in on the report, but the bureau declined, an aide said.
To do: A Senate aide called the report a strong argument for implementing the cyber incident reporting act as speedily as possible. The Senate version of that bill was sponsored by Portman and committee Chairman Gary Peters (D-Mich.).
That law won't substantially increase the assistance individual companies get from the government after they're hacked. But it will dramatically expand how much CISA knows about the ransomware landscape and make it easier for the agency to share that information back with companies so they can avoid getting infected in the first place.
The third report comes from Palo Alto Networks.
Released this morning by the company's Unit 42 threat research unit, the report found that ransomware hackers are growing more aggressive, hitting more targets and demanding higher ransoms.
"The average ransom demand on cases worked by Unit 42 consultants last year climbed 144 percent to $2.2 million, while the average payment rose 78 percent to $541,010," the report notes. The gap between demand and payment reflects negotiation: victims often hire specialist firms to talk the attackers' demands down before paying.
Israel blocked Ukraine’s effort to acquire NSO Group spyware over fears of upsetting Russia
Ukraine is believed to have sought the powerful spyware as far back as 2019, but Israel's Defense Exports Controls Agency blocked the export licenses it would have needed, our colleagues report. Officials were concerned that the Kremlin would view such a sale as an escalation by Ukraine.
"Concerns about Russian reaction also affected NSO's dealings with Estonia, a member of NATO," people familiar with those actions told our colleagues. "According to these people, NSO had licensed Pegasus to Estonia, which achieved independence from five decades of Soviet rule in 1991 and is known for its aggressive counterintelligence measures against Russia, but the company later imposed restrictions on the spyware's use." It's not clear exactly what those restrictions are, beyond the fact that Estonia can't target Russian phone numbers with the spyware.
NSO Group, when given a detailed list of questions, said in a brief statement that the company “continues to be subjected to inaccurate media reports regarding alleged clients, which are based on hearsay, political innuendo and untruths.” Ukraine’s Deputy Prime Minister Mykhailo Fedorov declined to confirm that Ukraine sought NSO’s Pegasus spyware.
Russian cyberattacks on Ukraine aren’t slowing down, official says
Russia continues to launch cyberattacks against Ukraine's government and critical infrastructure organizations, Victor Zhora, deputy chairman of Ukraine's State Service of Special Communications and Information Protection, told journalists.
Here’s more from Zhora’s briefing:
- Zhora confirmed that Russian hackers are targeting European charities that are working with Ukrainian refugees.
- Zhora rejected suggestions China is helping Russian spying in the country, saying “we do not have facts that can prove the alignment or coordination between different countries with regards to aggression against Ukraine.”
- Ukraine has received all the cyber defensive assistance it’s requested from the United States and other countries, Zhora said.
- He said Ukraine has not requested assistance with offensive hacks and that the state does not conduct them as a matter of policy, though he acknowledged that Ukrainian civilians have launched some offensive hacks on their own.
- Asked whether pro-Ukrainian hacktivist attacks could further entrench anti-Ukrainian sentiments, Zhora said minds in the Kremlin are already made up. “Believe me, they hate us. They hate Ukrainians. They hate the West. They hate you, the Europeans, the United States,” he said.
Ukraine also confirmed that it has begun using facial recognition tools to identify dead Russian soldiers. It is using technology from the firm Clearview AI so it can notify the soldiers' relatives that they were killed in the war, Forbes's Thomas Brewster reports.
Pro-Russia accounts are still posting propaganda to social media
At least seven individuals sanctioned by the U.S. government appear to have active Twitter accounts, and at least two had YouTube accounts that the company removed Wednesday, Cat Zakrzewski reports. Social media companies have for years faced questions about what limits they should impose on controversial or even sanctioned leaders, but those questions are even more urgent in wartime.
Teen suspected of being the mastermind behind a hacking group that breached tech giants
Four researchers hired by victims of the hacking gang Lapsus$ tied a hacker known as "White" and "breachbase" to the group, though they haven't definitively linked him to all of the group's hacks, Bloomberg News's William Turton reports. Lapsus$ has been on a tear recently, claiming that it successfully breached Microsoft, Nvidia, Samsung and, most recently, a support contractor for the identity and access management firm Okta.
“Another member of Lapsus$ is suspected to be a teenager residing in Brazil, according to the investigators,” Turton writes.
Here’s more on the Okta breach from Rachel Lerman.
New bill aims to boost health-care sector’s cybersecurity
The bill, which was shared with The Cybersecurity 202 before its release this morning, would require CISA to study the cybersecurity risks facing the health-care sector. It would also require CISA to enter into an agreement with the Department of Health and Human Services and would authorize cybersecurity training for health-care owners and operators. The bill was introduced by Sens. Jacky Rosen (D-Nev.) and Bill Cassidy (R-La.).
Biden tells governors to ‘take urgent action’ to protect infrastructure from Russian hackers (Politico)
As GOP lawmakers push for more election fraud charges, prosecutors find few cases (Rosalind S. Helderman and Amy Gardner)
Health data breaches swell in 2021 amid hacking surge, POLITICO analysis finds (Politico)
FBI adds Russian cybercrime market suspect to its ‘Cyber Most Wanted’ list (The Record)
Italy rail operator detects signs of hacking in system (Bloomberg)
Judge Frees China’s ZTE From Some U.S. Oversight (Wall Street Journal)
- Homeland Security Secretary Alejandro Mayorkas, CISA Director Jen Easterly, National Cyber Director Chris Inglis and other U.S. government officials speak at the Hack the Port 2022 conference this week.
- CISA senior adviser and strategist Allan Friedman speaks at an Institute for Critical Infrastructure Technology event today at 1 p.m.
- The ShmooCon hacker convention convenes in Washington today through Saturday.
- Inglis speaks at the Atlantic Council’s opening of its DC Cyber 9/12 Strategy Challenge on Friday at 8:30 a.m.
“This is not cojones, it is cowardice.” Thanks for reading. See you tomorrow.