February 15, 2023 | 14 minutes
Rob Aragao and Stan Wisseman discuss a ransomware campaign targeting VMware ESXi technology.
About the Guests
Rob Aragao is chief security strategist at CyberRes, a Micro Focus line of business. He has more than 20 years of information security experience, with an emphasis on cyber risk best practices, threat intelligence, security monitoring and regulatory compliance initiatives. He has worked in multiple fields, from financial services to telecommunications. Prior to joining CyberRes, he was vice president of security strategy & innovation for ReliaQuest and served as the chief security strategist for HPE.
Stan Wisseman leads the Security Strategist team for Micro Focus’ CyberRes in North America. He has more than 30 years of information security experience and has built security into products, systems, software, and enterprises. Prior to joining Micro Focus in 2014, Wisseman served as chief information security officer for Fannie Mae, with responsibilities for information security and business resiliency across the organization.
Reimagining Cyber Extra! | Ransomware: The Good, The Bad, and The Ugly – Ways to Make it Harder on Attackers | Rob Aragao and Stan Wisseman
[00:00:00] Rob Aragao:
Well, welcome back everyone for another episode of Reimagining Cyber Extra. This week we're actually gonna be discussing a topic we kind of haven't touched in a little bit of time, which is ransomware and there's several different news items that have come up. And so Stan and I were chatting and saying, know what,
[00:00:16] we should actually bring this up in conversation and have a conversation on just what we're seeing within this particular area, ransomware and some of the new things that are happening. So Stan, why don't you kick us off?
So Rob, one of the incidents that caught my eye was this ransomware attack that hit the ION Trading UK firm.
[00:00:34] This is a relatively unknown company, but it's a data firm and an aspect of what it provides is software to trading and automation support automation within the financial industry. And so when it was hit by this ransomware attack in late January, it had a pretty [00:01:00] major impact on derivative trading globally.
[00:01:03] And that impact is still being evaluated as of this recording. They left scores of brokers unable to process derivative trades and they had to resort to manual methods. Imagine them going back to using spreadsheets to figure out what's going on as far as their trades. It's one of those things where they were hit, they took off the servers, took them offline and that impacted the derivative trading.
[00:01:30] The threat actor is purportedly LockBit, which is one of the big ransomware-as-a-service attack threat actors. And they basically threatened to publish the data stolen on the 4th of February, and purportedly ION Trading made the decision to go ahead and pay the ransom on the 3rd of February.
[00:01:51] And we are not advocating payment of ransom but that's what they did. And you know that things are back to [00:02:00] “normal” But again, that's one of those instances where they targeted this organization that had much bigger impact to a particular field or sector than otherwise you would've thought.
The other thing that's kind of interesting about this is yes, the ransom was paid. So hence, you know, everything seems to be okay, but okay for now, because if you look at it, who's to say that they don't actually still hold that data, a copy of that data, I should say. And who's to say that at some point in time they don't come back and double dip.
[00:02:32] And saying, We're gonna actually release this information and releasing this information can be negatively impactful to ION because now you're gonna be exposing some of the larger investors that they have and some of the different kind of details relative to the type of business that they do there that could negatively impact the trickle effect right down to their client base.
[00:02:52] It's a touchy subject. And it's, it's kind of, we always go back and forth on, what's the right thing to do? I think ultimately it comes down to each organization's risk [00:03:00] appetite, how they plan to deal with these different types of things. And it's independent, right?
So that's an example of an organization that was taken down that had an impact broadly. But then you have the other side of the equation where you have a vulnerability that is in a number of different organizations. In this case, it was, and this is a campaign that purportedly that's perpetrated right now targeting VMware's ESXI technology, and it's a previously known vulnerability.
[00:03:34] It's been out there for two years. But the reality is that organizations have been slow in patching it. There was a general warning put out by Italy's National Cybersecurity Agency, warning about a large scale campaign now exploiting this vulnerability. Thousands of computer servers across Europe and North America could potentially be impacted.
[00:03:55] Europe is feeling it first; in France, Finland, [00:04:00] Italy are most affected at the moment in Europe. US and Canada have a lot of juicy targets that they're potentially also gonna be hit. So again, it's sort of like, okay, well in the first case you had an organization hit, they had then widespread impact that forced the payment of ransom.
[00:04:15] And in this context, it's like, well, if you're not gonna patch, we'll take advantage of that. You know, that vulnerability in your server farm and now multiple targets are possibly hit.
And this is the thing, right? It's two years old, right? So it's the constant theme of here's the vulnerability, here's the patch, and then people aren't able to take action on it.
[00:04:36] I mean, we're talking about two years and it's nothing new. It's not to say that there aren't other vulnerabilities and exploits that have been known for long periods of time that people aren't taking action on to get up to speed and ensure that that system is properly protected.
[00:04:49] The Italy piece that was interesting was that it basically knocked out telecom and their streaming services for different types of sporting events. So that was a big thing. I think if we would [00:05:00] have a sidebar conversation with our producer, Ben, he may have been aware of what was going on with his big, you know, following of football as they call it over there in Europe.
[00:05:08] We never know. What else, what else are we seeing out there, Stan?
Well, I mean, there was some good news. I mean, it made the news several weeks ago that there was a global effort by law enforcement, I think spearheaded by the FBI. To dismantle one of these ransomware
[00:05:23] as a service providers. I mentioned LockBit earlier, they're one of the big players. BlackBasta is another one. Hive is another major high profile ransomware provider, they had a multi-year effort of taking down Hive. You know, if you look at some of the history of what they've done, they've extorted money from organizations in 80 different countries around the globe, you know?
[00:05:44] So this is great news. There were no arrests in this, I mean they took down servers. They basically really hampered the ability of one of the most prolific ransomware groups to do business, [00:06:00] unfortunately, you know, they could just instantiate themselves potentially elsewhere. And some of these individuals behind these services are untouchables.
[00:06:08] They can't get to them as far as some other countries they're in. So that's unfortunate. But I think it's great news. One of the things that as they were in Hive, they were able to get access to some of these encryption keys and behind the scenes they were providing these encryption keys
[00:06:25] to targets, at least some of the ones that they knew about. Again, this goes back to the information flow between law enforcement and victims. If the victims are not identifying themselves back to law enforcement, they can't help. And in this case, they were able to help provide this information back to them to help them decrypt their data.
[00:06:48] There are others out there that potentially could take advantage of this if they raised their hand.
It's a big win for the FBI and law enforcement in general. Think about it, they were able to infiltrate Hive’s network for several [00:07:00] months, sitting there learning and ultimately the big win is getting the decryption keys.
[00:07:05] I think I had seen it was somewhere in the range of 130 million US dollars roughly that they were able to actually save for the impacted or victims out there. So Hive who ultimately in the past almost two years that they've been in operation now get up to about a hundred million or so
[00:07:21] in kind of revenues in this ransomware as a service model but yet again a great win.
And I mentioned the FBI, but, but there were other players involved too. I think the German Federal Criminal Police was another organization that was involved, and I think they had to coordinate with a number of different law enforcement agencies
[00:07:40] across the globe to help take down this website and associated servers from a broader perspective. Again this take down shows that the international enforcement against ransomware threat actors is increasing. I think this is a good sign. It may make it more difficult for some of these entities to target organizations of the [00:08:00] future, but as we talked about at the top, they're still ongoing
[00:08:03] and so it's going to be difficult to truly mitigate this threat if you can't reach those that are behind it but if they're able to get in and actually help those that are being victims and that's again the communication the victims need to be working with law enforcement. I know that the ransomware actors
[00:08:23] threaten victims not to work with law enforcement. But I think that's a decision each organization has to make as far as exactly to handle that.
We've also discussed and had guests on the topic, but then general topics that interconnect back into helping organizations with ransomware. So maybe we can kind of get into that, what are some thoughts, what are some different kind of approaches to take?
Well, I mean, actually if you go back to last year, one of the things that our Galaxy threat intel platform did is they published a great report on ransomware, it talked about the different threat actors and helped you better understand their tactics and techniques. But it also addressed [00:09:00] some of the mitigation strategies.
[00:09:01] And I think that we were just talking about whether or not you should pay the ransomware, whether or not you should deal with law enforcement. You should be thinking about that, your strategies and how you actually would approach some kind of attack ahead of time. You don't wanna be making those decisions
[00:09:18] in real time during an attack.
Yeah. I mean, I think it's like, almost like a tabletop exercise. Like this is part of a tabletop exercise you have to go through, be aligned with the business and you know, everybody understands what decisions are planned to be made when and if something like this occurs.
[00:09:31] And I think you bring up a great point that was an excellent resource. It's been out for almost a year now, right? We can put that in the show notes for sure. Cuz it, it is a good guiding kind of set of key areas to take into consideration. Kind of keep it simple at a top level of, these areas you mentioned where you start with that strategy, you connect it to the alignment of the business stakeholders.
[00:09:51] And so everybody gets on the same page. Then you can start really driving at what are the actual kind of control mechanisms we're gonna put in place to best secure [00:10:00] those particular assets in the environment most concerned about. So I think it's good to see some kind of guiding principles on the things you should be concerned about and consider
[00:10:10] in regards to how you're dealing with ransomware response in general.
So Rob, you mentioned tabletop exercises and their value. Right. We had Brett Thorson from Boston Consulting back in episode 12 in the spring of ‘21. And he leads a lot of those kind of tabletop exercises to help executives think through these kind of challenges, and it helps prepare them.
[00:10:35] I think also you just need to actually have your contingency plans, you need to have your business continuity plans and disaster recovery to include these kind of scenarios about not only physical disasters, but also things like ransomware attacks, what would you do? I mean, in this case in point, with ION Trading and the impact to derivative traders, you can no longer access your [00:11:00] systems that you normally would use to be able to process.
[00:11:04] How would you do it? Do you have supporting spreadsheets that allow you to then continue to do work and process trades? Are you done? You know, that's another thing to think through.
But it got me also thinking, as you mentioned about Brett. I remember we also had a good conversation on tabletop exercises with Jim Routh, one of the very early conversations and episodes actually, and he was talking about a great learning experience
[00:11:25] coming out of that was also how having the executives there for the exercise, walking through a scenario and it made them all realize that when something like that occurs, that particular scenario, there's not a need for us to be communicated to, to ask permission to take action. Take the action!
[00:11:46] We’ve blessed you in essence, go take these actions we entrust in you running our security organization to go ahead and do so. Right? And so another lesson learned. But again, if you haven't gone through and thought, because you have to act quickly, [00:12:00]
you have to act quickly in these instances, but you have to be empowered and know that you have the ability to make these decisions, whether it be pulling the servers offline
[00:12:07] or reaching back to your backups now. You mentioned also, you taking steps to secure your organizations and so obviously backup everything but you have to have an architecture. Because threat actors, the LockBits of the world know that you have backups and they're going to go after those backups.
[00:12:28] in the process of discovery and try to either knock them out or lock 'em up, so you have to have an architecture that has that in mind of these threat actors coming into your environment. So, I mean, that's another thing to think about, and other layers of protection, you know, the detection and hopefully detecting these bad actors coming in as quickly as you can to hopefully isolate and mitigate that, as well as putting in place things like multifactor authentication, we've talked about that before.
[00:12:59] And the fact that [00:13:00] MFA might help prevent some of the easy buttons as far as coming into your environment.
And I think that's a very, very key point that, we can't emphasize enough and again, in many episodes we've discussed this, making it harder for the attacker, making it harder for the attacker, basically gets them to move onto a softer target.
[00:13:21] right? So the more you can do on these different types of different kind of techniques, putting them in place, they're gonna move on to the next victim. They're not gonna sit there and try to continue to battle away and waste their times cuz their time is money and it's a business at the end of the day.
And, and we sort of talked about that with Shawn Tuma and the episodes on cyber insurance. The fact that the cyber insurance providers are trying to ensure that these protections and these controls are in place because they have seen where they have been exploited and they don't wanna continue to pay out
[00:13:53] due to a successful exploit and ransomware, they don't wanna have to pay anymore. [00:14:00] They are a forcing factor as far as getting these controls in place.
It's just a really important topic that I think it's great that we were able to bring back to the light and say, you know, this stuff is still out there going on, and you can see some different examples of the bad things, but also the good things that are occurring in this space.
[00:14:14] So hopefully people enjoy today's episode. We're looking forward to the next Extra and the next episode coming up as well in the podcast series. So thanks everyone.
Thanks Rob. Till next time.