ISMG Editors: Examining the Record Surge in Ransomware
Also: Insights From Israel; Costco's Web Tracker Problem
In the latest weekly update, editors at Information Security Media Group discuss how Israeli tech companies are supporting the war effort, how the volume of ransomware attacks reached a record high - with 514 organizations listed on data leak sites in September - and how retailer Costco faces privacy claims for its use of website tracking tools for online pharmacy customers.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity; and Tom Field, senior vice president, editorial - discussed:
- Highlights from an interview with Chen Shmilo, CEO of Israel's 8200 Alumni Association, about how his and other tech companies are supporting the war effort and his message to employees, customers and global partners;
- How the volume of known ransomware attacks surged last month to record-breaking levels, security researchers reported;
- Why Costco pharmacy is facing legal challenges for its alleged unauthorized disclosure of sensitive customer information to third parties by using website tracking tools.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 20 edition on the impact of the Israel-Hamas war on cybersecurity and the Oct. 27 edition on business and cyber resilience in the Israel-Hamas war.
This transcript has been edited and refined for clarity.
Anna Delaney: Thanks for joining us for the ISMG Editors' Panel. I'm Anna Delaney, and this is a weekly editorial analysis of the top trending stories in cybersecurity. It's great to be joined today by Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, the executive editor of HealthcareInfoSecurity; and Mathew Schwartz, executive editor of DataBreachToday and Europe. Tom, you've recorded another interview in a series that meets with Israeli cybersecurity leaders and looks at the cybersecurity scene there. We had a very moving and important conversation about building and rebuilding business resilience last week. Why don't you tell us about this latest conversation?
Tom Field: Having gone through the experience of what was happening in Maine last week and conducting these interviews, there was a sense of kinship for me. What happened in Maine was personal. I was born in Lewiston, I still have family members who live in the area, and my wife works in the community. We both first heard about the tragedy from her family and friends who were locked down that evening, fearful for their lives. It was surreal to drive by the very hospital I was born in and to see international news crews doing their stand-ups, and to know that we were at the epicenter of the biggest news story in the world. It gave me a sense of what our friends and colleagues in Israel have experienced over the past three to four weeks. As I interviewed these security and technology leaders, I had better empathy for the trauma that their society is in the midst of right now. Not to the same level by any degree. I don't pretend to know what it's like to live in a warzone and to experience lives turned upside down to the degree that they have, but I do know what it's like to live in fear and to answer questions you've never been asked before. I want to share an excerpt of one of the interviews where I asked a security leader, Chen Shmilo, from Israel, about what his message is to the world.
Chen Shmilo: The story of the Israeli high-tech is resilience, agility and boldness. We are, the Israeli people, resolved, not just to beat Hamas-ISIS, but also to keep our ecosystem thriving. This is the message to my employees, to the board members, to different tech ecosystem players who are our partners: Israel will keep being the flagship of daringness and out-of-the-box thinking. We will have to work together with domestic and international players to benefit from the knowledge and spirit that have been uplifted and upgraded during the war. I know that we, as the 8200 Alumni Association, are going to expand the scope of the activities from ideation to post-acceleration programs by strengthening the 8200 hub, and recruiting new partners. A month before the war started, we were working and preparing our 8200 global first batch to New York to present magnificent Israeli startups who are ready to scale to the U.S. market, which had to be stopped. I cannot wait to renew the 8200 global first batch, come to New York City, present the Israeli innovation, create new partnerships, and keep the Israeli economy thriving.
Field: A message of resiliency. One thing I'll point out and I ask these leaders consistently, what is your message to your employees, customers and global partners? I want to share mine. The crisis has passed, the news crews have moved on, the headlines are focused on different topics, but lives and families are forever shattered. A rural community that once thought "never here" now knows completely differently - not better, just differently. We're going to heal, we're going to sing, we're going to dance, we're going to play and we're going to celebrate Halloween this very evening. However, we will never forget what we've experienced, and we pray that our children and our children's children never see such an experience again. For me, it's been a very moving week.
Delaney: I'm sure. He mentioned collaboration there. Did you get a sense that there is stronger collaboration there than we're used to among our cybersecurity companies, whether in the U.K. or the U.S.? Is there much collaboration among companies in the Israeli cybersecurity ecosystem that maybe we could learn from?
Field: It comes from crisis. I think we're seeing in Israel what Marianne, Mat and I saw in the U.S. after the terrorist attacks of September 11, back in 2001; the competitive walls come down. You'll see rivals work together for common cause, and that's happening in Israel right now. I have no doubt in some ways that the Israelis will emerge stronger from tragedy. You are seeing collaboration that you wouldn't have seen two months ago.
Delaney: Thanks, Tom. We look forward to watching the interview on our sites later this week. Mathew, time for more ransomware trends. What's been happening?
Mathew Schwartz: It is more ransomware all the time, and the latest look at ransomware that we've seen suggests that ransomware is continuing to increase. That might not sound surprising, but we have seen rises and falls, and it's never clear which way it might be going. Unfortunately, though, we have seen two record-breaking months this year, including September, which is the last month for which we currently have data. Groups and researchers who look at ransomware groups have been counting the number of victims that get posted to data leak sites. I like to call this "public displays of infection" because it is ransomware groups being really adolescent, listing all the victims that they claim haven't paid. These are not perfect numbers to go by: it's not clear how many victims don't get listed because they did pay, and it's also not clear how many victims paid to avoid listing. If we look at how many victims got listed in September, there were 514 victims, which is a record. We have some well-known names in the listings. In the top 10, LockBit counted 72 victims who didn't pay; we have no idea how many did pay. Estimates are that 34% of victims do pay a ransom, which is part of what perpetuates the ransomware business model for these attackers and keeps them coming back for more. We have some established groups at play, and we also have some newcomers. There are a few groups you may have heard of: Cactus, RansomedVC - which recently posted a very high-profile victim in the form of Sony - 3AM, and CiphBit. I mention them to show that there is a continuing influx of new players. All of these groups practice double extortion, which is where a group steals or claims to have stolen data before crypto-locking systems, and then threatens to leak that data to get a ransom payment. They'll also demand a separate ransom for a decryptor. They're trying to monetize these attacks in any way possible.
We're seeing a lot of ongoing ransomware attacks targeting vulnerabilities that have come to light. There have been a lot of ransomware groups really quick off the mark in the last few months looking for vulnerabilities. There's a new Cisco vulnerability, which has been patched, that needs very careful handling to ensure that you've wiped your credentials from the memory of the device. Ransomware attackers are increasingly hitting these sorts of things quicker. We also have seen Cl0p hitting secure file transfer software, most recently Progress Software's MOVEit software. Marianne has been reporting on this extensively. The group managed to steal a lot of data; they didn't crypto-lock the systems, but they've been using extortion, threatening to leak the data, and earned an estimated $75 million to $100 million from doing this very early in the attacks unleashed at the end of May, though victims and the count of affected individuals and organizations are still coming to light. If I have to sum up the whole ransomware picture at the moment, it's not looking great. A lot of experts are forecasting that it's going to get worse before the end of the year before it gets better.
Delaney: You've summarized the evolution on the criminal side. What about the defender side? What are the most notable changes in terms of our defenses in their evolution? What's really working?
Schwartz: The defenses have been getting better. Defenders have been responding, governments have been helping to improve cybersecurity resilience, and law firms and incident response firms are helping victims practice. The ones who recover well are the ones who have practiced before they get hit. It's a long, slow, painful process, but it's less long and slow and painful if you have reviewed how you're going to need to react when this happens, and you've looked at the kinds of defenses you have in place. You know, in a worst-case scenario, if you need to wipe all of your systems and restore from backups. If that's your worst case, that's not a bad case, because it means you're not having to pay your attackers for the promise - which they may or may not keep - of a decryption tool. Defense has definitely been getting better; I'm hearing that again and again from security experts. Another shift we're seeing is a cautionary note. I've been talking about LockBit and some of the other big groups that we see active right now, but we shouldn't get too tied up in attribution. A lot of these groups are using the same tactics, and some of them are startlingly simple. It is remote access tools that they're guessing the password for and getting in. That shouldn't be happening, but it is happening. A lot of the attackers are affiliates who work with different groups; they may be with LockBit today and Cactus tomorrow. It's less useful in some respects to look at these as standalone groups, and more useful to see them as just a bunch of individuals who are doing something, doing it very well at the expense of others, and there should really be more focus on defense. We're seeing it, but I think there needs to be even more focus. Don't get too caught up in who these specific attackers are; look at what they're doing and how they're getting into networks, and push it back.
Delaney: Thanks, Mat. Marianne, retail giant Costco is facing legal challenges for its alleged unauthorized disclosure of sensitive customer information to third parties. What's the story?
Marianne McGee: Costco is the latest company to face proposed class-action data privacy litigation involving its alleged use of online tracking pixels to scrape health and personal information about visitors to its websites and to transmit this information to third-party social media and marketing companies. The litigation against Costco is certainly not the first class-action lawsuit that we've seen filed against organizations accused of doing similar things with their website-tracking technology. However, in the healthcare space, the cases against Costco are interesting and a little unusual because Costco is not thought of as being a major player in the healthcare space. The company is best known for selling toiletries, appliances, TVs, automotive supplies, tires, furniture, office supplies and bulk-sized groceries. However, these two lawsuits that were filed against the company - both filed in the same federal court in Washington state - allege that the customers who went on Costco's website to refill prescriptions, or to seek information about immunizations from Costco pharmacies, did not have knowledge of or give their consent for their sensitive information to be scraped and shared with companies like Meta, Google and others. The lawsuits allege similar claims, including that Costco disclosed various identifiers, including IP addresses of individuals, which the state has considered protected health information under HIPAA, and that the warehouse giant also violated FTC regulations, federal and state wiretapping laws, and other laws. Meanwhile, the FTC and HHS have, in recent months, been warning hospitals and telehealth companies of potential enforcement actions over their use of tracking tools without the knowledge or consent of patients and consumers. In terms of some of these other lawsuits that we've seen filed against organizations like hospitals, some of them have been settled.
In the meantime, Meta is facing a large consolidated class-action lawsuit that's working its way through the federal courts. It will be interesting to see what happens with the Costco lawsuit. Right now, Costco hasn't yet responded to my request for comment on the lawsuit. I don't really quite know how this is going to shake out for the company. If it's bad publicity, will they settle? What's the defense there? The other thing I was going to mention, not related to the Costco saga, is that I'm keeping my eye on President Biden's executive order on AI this week, which was thoroughly covered by our colleague, Chris Ryota. I'm looking at how this will shake out for the healthcare sector and the Department of Health and Human Services. I've not really dug too deeply into the executive order yet, but it looks like HHS is directed to establish a safety program to receive reports of, and then to act to remedy, harms or unsafe healthcare practices involving AI. What that means, I'm not sure yet; I've made my request for FDA and other leaders to weigh in on that. For medical devices or drug development involving the use of AI tools, FDA is the regulator that oversees that. It'll be interesting to see how this executive order also will play out in terms of what portal the Department of Health and Human Services will create for receiving public complaints about AI in healthcare and unsafe or discriminatory practices. It'll be interesting to see how much oomph this E.O. has for healthcare.
Delaney: Something to watch for. We've got our own AI summit in the U.K. as well, so we'll be sharing some key takeaways from there. In terms of data privacy, Marianne, what should security professionals take away from these lawsuits and the growing scrutiny on companies using tracking technologies on their websites?
McGee: When it comes to the healthcare space, both FTC and HHS have offered similar guidance that you have to be very clear to your patients or consumers that you're collecting certain information and potentially sharing it with other companies and get their consent. For HHS and HIPAA, companies that are using Meta Pixel or Google Analytics have to get business associate agreements from those vendors, saying that these vendors are taking certain actions to protect patients' information. One of the complaints I hear often is that some of these large vendors - the Metas and the Googles - are hesitant to sign BAAs, in many cases.
Delaney: Thanks, Marianne, for that update. Just for fun, if you could have an AI cybersecurity sidekick with any fictional characters' personality, who would you choose and why? Go for it, Tom.
Field: I want someone who has good investigative abilities. To make a 1980s television reference that you probably won't get, I'm going to have Tom Selleck as my partner, and I'm going to call it Magnum AI.
Delaney: I know Tom Selleck; he's great! Marianne?
McGee: Mine is also a reference from a TV show, but this one is mostly 1970s: M*A*S*H, Radar O'Reilly. The kind-hearted, very dependable assistant to the commander of the Mobile Army Surgical Hospital. The setting was the Korean War, and Radar had a knack for hearing things and seeing things and knowing things before everyone else realized they were happening. That'd be good!
Schwartz: I'm thinking I should have gone with KITT from Knight Rider, but I didn't. This is great; you totally nailed this. You said fiction, and I started thinking about books, and just to play the science fiction card, I love the work of Iain M. Banks. Among the repeat characters in his books are ships that are omniscient and keep people around, for the fun of it and so they don't go insane. If you are omniscient and thought about things all the time, you'd need a little comedic relief. You may or may not know Banks, but one of the great things he does with his ships is give them these amazing names, and he's a Scot. I think that comes through in the ship names, like "Mistake Not," "Frank Exchange of Views" - that's a warship - and "Beats Working." I'm maybe not giving the flavor of it, but in the books they're often dry, somewhat egotistical. They think they're amazing, because they are, but it's just this "doesn't take life too seriously" sort of approach to things. I don't know how it would sound, but certainly on the page it looks nice!
Delaney: I think you'll all go further than me. I've chosen a dog from The Wizard of Oz, Toto. We're not in Kansas anymore, and I think that he'll be great! Loyal, resourceful, a great companion, brave, a bit of humor there. Tom, Mat, Marianne, this has been an immense pleasure. Thank you so much.