Lockbit Take-Down


Many of us in the cybersecurity community woke this morning to very welcome news that the infamous Lockbit Ransomware as a Service (RaaS) crime syndicate was hit with a take-down action of much of its infrastructure. This was apparently led by the UK’s National Crime Agency (NCA), and the FBI, as part of an international law enforcement task force known as ‘Operation Cronos’.

Lockbit was one of the most prolific and destructive Russian Ransomware-as-a-Service (RaaS) groups, claiming over 2,000 victims worldwide and extorting over $120 million in ransom payments. It was, to put it mildly, ruthless, launching secondary and tertiary attacks against victims who refused to negotiate with the extortionists or to pay their extortion demands.

As part of its initial seeding of compromised networks with ransomware, it exfiltrated confidential information and threatened to publish this on its websites if payments were not made by the organization. When demanded ransoms were not received, the group contacted individuals whose information it had stolen, and demanded they pressure the victim organization to pay the ransom, or sometimes offered to exclude their information from a release if a payment was received.
    
Richard Staynings, Cylera
“Many times, corporate and individual victims paid the gang only to see their information posted publicly anyway” claimed Richard Staynings, Chief Security Strategist with Cheltenham based cybersecurity firm Cylera. “There is after all, no trust in thieves,” he added.

The group was also known to publicly taunt victims on its web site with a countdown clock when the information would be published unless payment was made.

Operation Cronos appears to have finally brought this criminal RaaS business to a halt, or at the very least slowed it down and ruined its reputation. Whether it stops the affiliates who use the RaaS to execute their attacks remains to be seen, as it's likely that many of the Lockbit tools are still out there and affiliates are likely to have copies of them.

It’s also quite likely that many of the un-indicted perpetrators involved in Lockbit will simply pick up and move into new crime groups to continue to ply their craft as part of other cybercrime services. This has happened in the past when law enforcement took down other crime syndicates. It is also possible that a new Lockbit rises from the ashes and starts over again, perhaps even under the same name with some of the same people.

Some of these crime syndicates are thought to be associated with the Russian Mafia and many in the past have worked closely with the Kremlin, FSB and GRU for espionage purposes, or to punish other nations, while Mother Russia can claim plausible deniability.

Many of the cybercriminals who engage in ransomware and other forms of cyber extortion, are of Russian origin and are able to attack victims from within Russia and other former Soviet states with near impunity. This is largely thanks to a lack of extradition treaties between these countries and the rest of the world, combined with a legal system that is easily corrupted by those with power, influence or money.

The FBI has accused Russia of harboring cybercriminals for years: as long as the perpetrators of cyber crime direct their craft against victims outside of Russia, the Russian state will conveniently turn a blind eye. This makes it particularly difficult to bring criminals to justice so long as they don't leave the former Soviet bloc of countries.

Of course, some wanted criminals used to considering themselves above the law have traveled outside of the former Soviet states and have been arrested or renditioned back to the United States for trial and punishment. One of the more notable of these was Roman Seleznev, the son of a close Putin confidant and member of the Duma lower house of parliament, Valery Seleznev, as reported some time ago by this site.

Lockbit was the largest RaaS and worked by selling its criminal services, acting as a one-stop shop to customers known as affiliates. These affiliates then identified and attacked victims using the Lockbit framework of tools and services. Based upon volume, the affiliates then received back from Lockbit between 60% and 80% of the ransom payments they were able to extort. The Lockbit network consisted of hundreds of so-called ‘bullet proof’ servers located all over the world. These have now been taken over by law enforcement as part of the Europol action. Copies of the Lockbit code, however, remain on PCs and servers in Russia and other countries where international law enforcement was unable to seize assets, since the crime of ransomware is not recognized in many of these countries.

It was perhaps inevitable that the NCA would lead this takedown effort following a January 2023 ransomware attack against part of the UK Royal Mail, in which packages could not be mailed overseas for many weeks. The attack was identified as using Lockbit, so the group must have been in the sights of the NCA ever since. The Royal Mail is a critical infrastructure industry (CII) of the UK, so any attack against a CII would have garnered attention at the highest levels, just as Lockbit attacks against the NHS have done in the past.

“While not all cyber crimes can be fully investigated, I am sure that Lockbit and its affiliates were prioritized by the NCA and the UK government following the Royal Mail attack,” said Staynings. “Lockbit ransomware attacks against NHS trusts was already sure to get the NCA’s attention, so the Royal Mail attack may have been the nail in the coffin for the group.”

“Gangs would be well advised to stay clear of national infrastructure industries if they want to avoid unnecessary attention. That goes not just for the UK, but for any law-abiding western power,” Staynings added.

While the Lockbit infrastructure was taken offline and decryption advice and keys posted on its servers, law enforcement reportedly obtained access quite some time ago. It's highly likely that they have been digging around and gaining intelligence on affiliates and those involved in building and maintaining the Lockbit service. It is also likely that they were mapping out the entire infrastructure so as to capture as much of it as possible in one go with a single legal seizure action.

This has resulted in the identification, indictment, and arrest of many of the gang’s generals. But it has also shed light on a much greater number of victims than has been reported, many of whom appear to have paid ransoms against the advice of law enforcement and national laws in their respective countries that forbid extortion payments to terrorists. Ransom and extortion are, after all, forms of terrorism.

“The cat is now out of the bag, and we could see legal actions against business leaders and their legal counsel, who made ransom payments against national laws and hid a cyberattack from shareholders, and the SEC, FCA, and others,” claimed Staynings.

Graeme Biggar, NCA
The NCA’s Graeme Biggar said it assessed that the group was responsible for 25% of ransomware attacks in the last year, including 200 that were known of in the UK, though he added that there may have been many more. Indeed, total losses and damages from Lockbit and its affiliates could be in the billions of dollars. Whether this surpassed losses from ‘NotPetya’, another Russian cyberattack attributed to the Russian military GRU, remains to be seen.

NotPetya is thought to have caused between $10 and $12 billion in damages to the global organizations attacked, including Maersk, Mondelez, Merck, WPP, Reckitt Benckiser, Saint-Gobain and TNT Express.

Maersk alone lost $250 million and suffered a further $300 million in damages. The 2017 cyberattack currently stands as the single most damaging and costly attack of all time. Its attack code was designed to target Ukraine, but the malware unintentionally spread all the way across the world, impacting Russian businesses as well.

As part of the seizures, more than 200 cryptocurrency accounts believed to be linked to Lockbit have been frozen, so it seems likely that once the investigation is complete, at least a few victims may receive some of their ransom payments returned, as has been the case in other confiscations.

“It’s great to see the home team win a game finally, but there’s a long way to the finals,” claimed Staynings. “The trouble is that with cybercrime it takes many months or years to properly attribute actions. That includes victims, criminal actors, and all those involved in a cyberattack.”

“Undoubtedly, law enforcement needs to do things properly in order for prosecutions to stick and to identify all those involved in a criminal act. This was one of the better days, that’s for sure!” he concluded.

Cyber Risk Insurance Won't Save Your Reputation

A myopic focus on healthcare compliance has resulted in checkbox mentality

A myopic focus on healthcare compliance has resulted in checkbox mentality, rather than a holistic risk-based approach to cybersecurity.

The financial and reputational costs of a security breach can be severe. But in critical industries like healthcare, a cybersecurity attack could expose patients to major safety risks that no amount of cyber breach insurance will likely fix.

Healthcare has historically had a myopic focus on privacy and protecting the confidentiality of patient information, largely driven by HIPAA, Caldicott, APA, PDPA, GDPR, and state breach rules. These have resulted in a skewed compliance-based approach to security by senior management and a 'checkbox mentality' of ‘have we done the minimum necessary’, rather than a holistic, risk-based approach to identify, protect against, detect, respond to, and recover from threats and vulnerabilities.

Risks change, and in healthcare those risks are changing quickly (as are the legal liabilities and exposure that come with inadequate cybersecurity protection). CISOs, CROs, and GC/CLOs (General Counsel or Chief Legal Officers) are beginning to understand these changes and how cybersecurity posture and preparation are critical to protecting patient safety. Many of their bosses in the CEO seat are slowly beginning to understand not just their patient safety exposure in the age of digital inter-connectivity and cyber attacks, but also the potential impact on reputation.

“Cybersecurity is no longer a question of simple compliance,” said one hospital CEO at a recent US healthcare conference, “it’s about protecting the hospital’s reputation and ensuring patient safety while our systems are under attack and misbehaving."

"We purchased cyber risk insurance to cover all the un-budgeted costs associated with an attack. We keep our fingers crossed that we won’t need it,” he added.

But many insurers are now claiming that cyber attacks are an 'Act of War' and are therefore exempt from coverage under the terms of their policies, a position currently being disputed in court between drug maker Merck and its insurers. So maybe the insurance a company is counting on won't be there when it is really needed.

An OCR fine and the institution’s name being posted to the OCR 'Wall of Shame' is one thing, but patients being turned away or even held to ransom by cyber-attacks compromising medical devices are an entirely different order of magnitude!

Given our reliance today on HIT / HIoT systems to treat patients, there's a real risk that someone could die on us because critical systems are not available to diagnose and treat them following a cyber-attack. So too is the reputation hit when a hospital is forced to go on Full Divert following a cyber-attack, as parts of the British NHS had to when attacked by WannaCry in 2017. More recently, Campbell County Health in Wyoming, USA was forced to go on Full Divert following a similar cyber-attack.

“I would find it much more preferable to have HHS OCR camped out in my office examining all my papers following a breach, than the FBI walking the halls investigating a series of patient deaths at my hospital caused by a cyber-attack,” said a prominent San Francisco area CISO who preferred not to be named without clearing his statement with his employer. “One set of risks threatens executive jail time for wanton negligence, the other pretty much guarantees it,” he added.

Some years ago I did a walk-through of a hospital in Tasmania as part of its parent company’s risk assessment. The top floor was dedicated to a large and sprawling maternity department. Patient rooms with open doors and sleeping new moms and their infants lined either side of a wide corridor so nurses could come and go to check on both. Mothers and infants had similar plastic straps around their wrists with their name, D.O.B., and patient identifier. Neither was RFID-tagged. It would be very easy for someone to walk into a room, remove the sleeping child, walk down the corridor to the elevator and take it straight to the underground parking complex. There was no physical security to stop them, only a few nurses moving in and out of rooms.


In our debrief, I asked the Obstetrician running the department what would happen if someone were to abduct a newborn. She protested at first, saying that no one ever would, nor had anyone in the past; this was Tasmania, where there was a surplus of babies. But she did acknowledge that maybe this might be a problem in Sydney or Melbourne. After thinking about it for a minute, she announced, “In a small-knit community like ours, we would close! It would ruin our reputation and no one would come here to give birth again!”

The message here is that no amount of liability insurance is going to protect your reputation fully. It can cover costs for forensic investigation, breach notification, loss of business while down or recovering, and even for extortion payments if you are unable to recover critical data wiped out during a ransomware attack, but it can never cover what your customers think of you! Cyber risk insurance is valuable, but it’s no replacement for a well-functioning cybersecurity program.

Some of us continue to shop at Target following its massive breach of customer data some years ago, but most of us would never apply for a Target Card, nor would we ever consider using an email service provided by Yahoo for similar reasons!

“Once damaged, reputation is a big problem to fix,” said the US hospital CEO. “It’s something that is becoming an increasing concern for all of us in healthcare. But how do you do that without spending a fortune on cybersecurity?”