ISMG Editors: Ransomware Gangs Are Using Partial EncryptionAlso: Improving Private-Public Collaboration, ISMG'S Africa Summit Anna Delaney (annamadeline) • September 16, 2022
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including an analysis of private/public partnerships today, a preview of ISMG's upcoming cybersecurity summit in Africa and a look at the increasing use of intermittent or partial encryption by ransomware gangs as a means to extort money from victims faster.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday & Europe; Tom Field, senior vice president, editorial; and Suparna Goswami, associate editor, ISMG Asia - discuss:
- Takeaways from an interview with CSO Ron Green of Mastercard, who describes the state of public-private partnerships and information sharing today;
- Highlights and trends from ISMG's upcoming Cybersecurity Summit: Africa;
- The latest ransomware trends including how gangs are adopting intermittent or partial encryption to ransom victims faster.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Sept. 2 edition discussing why hacktivists got bored with the Russia-Ukraine cyberwar and the Sept. 9 edition with cryptocurrency expert Ari Redbord.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney and here, we discuss and analyze the week's top cybersecurity stories. Joining me this week, they need no introduction, but I'm going to do it anyway. Tom Field, senior vice president of editorial, Suparna Goswami, associate editor at ISMG Asia. And Mathew Schwartz, executive editor of DataBreachToday & Europe. Lovely to see you all.
Tom Field: Lovely to be seen.
Suparna Goswami: Always a pleasure.
Mathew Schwartz: Great to be here.
Delaney: Suparna, tell us where you are. That looks intriguing.
Goswami: The background is Africa. So we are having our Africa Summit next week, the second one in as many years in the region. So, virtually I'm there in the continent this week and next week. So, we are having the summit on September 22. So hopefully, some great speakers lined up, hopefully to see you all virtually there.
Delaney: Absolutely, we will be, and hopefully, we'll be discussing this later. Tom, what a sight.
Field: Different kind of jungle, not quite Africa, but Manhattan. I'm in town this week, hosting a virtual event, last night hosted a live event, today talking about SOC modernization. And it is good to be back in Manhattan again, although as I told you earlier, the difference between visiting Manhattan today and when I did when I was probably in my early 20s - I will come through Times Square then and be stopped by people trying to sell me marijuana. I go through Times Square now and I'm stopped by clouds of people smoking illegally.
Delaney: I can only imagine the smell. And Mathew, that looks rather pleasant.
Schwartz: It was extremely pleasant. And this is Stockholm where I was last week to moderate a roundtable on securing the open-source software supply chain. So, it was also a beautiful few days, I was lucky to get out for a bit of a walk and check out the wonderful sea fronts. So much of Stockholm is on the water, but it's just such a beautiful city.
Delaney: Well, it's lovely. I thought I'd share something royal this week, being the week that it is. This is the Royal Opera House in London, which the late Queen was patron of, and I presume the new King will take over the role. So it has stunning interiors if you ever get the chance to visit. Tom, I believe you recently had the pleasure of interviewing Ron Green, who is the chief security officer at Mastercard, and it's an excellent conversation. What did you take away from it?
Field: Yeah, he visited our Government Cybersecurity Summit in Washington D.C. not too long ago. And what's impressive is that Ron Green's a busy man, he's the chief security officer of Mastercard, formerly with the Secret Service. He had to go to a congressional hearing that day. But he made time to come over to our event because he wanted to be on stage for a discussion of public and private partnerships. And he wanted to sit down with me and talk about that before he went to his congressional hearing. So this is something on his mind. And the notion of public-private partnerships - not new, something we've talked about for years - but I think the urgency of it has stepped up particularly this year because we're seeing such faster, broader attack cycles than we've ever seen before. The adversaries are weaponizing zero days faster than we've ever dealt with. And the old notion of threat intelligence, in terms of "this is what we've been seeing" doesn't work anymore. The rearview mirror is not important. It's the windshield in front of you. And we need this intelligence of what's happening now, what's being seen now, so that organizations in the public and the private sectors can be able to respond accordingly. So he came, we spoke about that. And I asked him about the notion of "are we getting better at this?" I hear in the discussions I have people from the private sector, saying that they're a lot more open to information sharing than they had been in the past. In the past, it had been, "I'm open to what you want to share with me, but don't ask for anything from me." I think that's changing. And to some degree, Ron validated that. So, if you don't mind, I'd like to share a clip of the discussion that we had together in Washington, DC.
Ron Green: I've been at this a long time. So I have to say, yes, across the years, I've seen lots of positive movement, both from the government side and, by example, the work that they've done to declassify things so quickly in response to Eastern European issues that have resulted, but even beyond that, like an agency like the Secret Service, where they provided us information, but it gives us an opportunity to protect other companies. The example I'm thinking about is, I think you understand what a cash-out attack is, where bad guys get in the group and then they pull money out of the ATMs. Secret Service had an ongoing investigation. And they came to us, identified the bank that was involved. And we were able to put in safeguards to prevent the loss. And so that's just another example of the government willing to even risk its own - the things it's trying to achieve in order to see the right thing done. On the private sector side, I think you have a lot of companies that they know, "We can better protect the sector, if we're more open in our sharing." I think you do have organizations that might still be somewhat resistant, they're still afraid of, "Hey, if I give this information, either to CISA or law enforcement agency, it's going to end up in my regulators' hands that are going to use that against me and find me or cause me some other issue." I think there's a lot of work that's taking place to try and ease those concerns with reporting, so we'll have to see how that comes along. But I think all of us should look at the benefit that we get by reporting and engaging with the law enforcement partners or CISA earlier rather than after something bad happened.
Field: There, now look at that, I'm impressed for a change. I'm not wearing the same jacket.
Delaney: That's great. It's interesting to see how the conversation is evolving and even maturing, but you speak to practitioners every day. What do they vent about when it comes to forming and maintaining these partnerships?
Field: Honestly, the conversation isn't about venting anymore. There used to be the notion that if we give something up, it's going to be used against us, somehow, it's going to get to our regulator, it's going to come up in an audit finding, and we're ultimately going to be penalized for whatever we share. That's gone. There's this acceptance now, even came up in the conversation I had yesterday in the virtual roundtable about how quickly zero days are being weaponized now. It used to be a zero day could be announced, it could be two months or more down the road before you start to see that actualized in the wild. And then, it became maybe a couple of days, I'm thinking in the time of the Apache Struts, breach of Equifax. That was a couple of days before you started to say, things went down to hours and minutes in some cases now. And so reality has seeped in - there's no opportunity for venting here, you got to be able to share what you're seeing with people who can respond and to receive that information so you have any chance to be able to respond to the speed and the scale of these attacks.
Schwartz: You're hearing a much greater awareness on the part of the U.S. government now as well. It used to be "We're the FBI, we're here to help you." And now, there's a bit more consensus building. They're trying to give something to get something. It was interesting to see that, a lot of respect at the event that I was at, people listening to each other. And I think there's a much greater willingness with CISA, for example, to ask, "Are we doing this the right way? Are there things we could be doing better?" and there's a greater awareness with things like ransomware, you've got to collaborate, you've got to work together. And so I think there's some goodwill, helping that happen now in a way that maybe it hasn't been happening before.
Field: Now you make such a good point. The tone of the top is so important. And I give Jen Easterly a lot of credit for that, and how she's out in the community. She's part of the community. She's from the community and spreading the word. But Chris Krebs was just as active before her and did a terrific job in setting this tone that I think we all benefit from now.
Delaney: Well said. Great to see how the conversation is moving forward. Suparna, speaking of moving forward conversations, you've been working hard with your colleagues forming to this fantastic event next week, the Africa Cybersecurity Summit. Could you tell us about it?
Goswami: So this time, we made sure that we have representation of some more countries other than South Africa. So we have speakers from Uganda, we have speakers from Nigeria, South Africa, as well as Kenya. And some great speakers lined up. We have keynote from Professor Snail, who is consultant with the information regulator in South Africa. He sets the context and speaks about the cybersecurity landscape in Africa. What are the kinds of crimes that are happening? Where is the market headed? The themes are the same across the globe - so we have a session on Industry 4.0 and how best we can protect the data. So here, I thought, why not get somebody from Malaysia and have him chat with the CIO in Africa. So I got the CEO of Cybersecurity Malaysia, Dr. Wahab, and he has a chat with the CIO of NSIA Insurance, which is one of the big insurance companies in Nigeria, and they talk about the IT-OT merger. Dr. Wahab spoke about how the machines are not designed, keeping in mind the security, but more from a functionality point of view, and how best we can address these issues. So, he said, convergence of IT and OT workers is important. They need to sit together more often, the management needs to clearly communicate the goals of IT and OT convergence, there need to be good objective in both, the groups need to accept those objectives, agree to those objectives, and understand these integration. So, another chat session, which I'm really looking forward to is a panel where we have Julius Torach, who is Commissioner, Information Technology, Ministry of Information and Communication Technology with Uganda government and Varsha Sewlal, who is from railway safety regulator in South Africa, again a public sector government company. And she's also the conference chair for the summit. So, in this panel, we discussed whether Africa should have a common cybersecurity policy, and whether it is a practical thing to have one. So common challenges they spoke about - they have been talking about it for the past few years - but the common challenges that have come across that every country is on a different cybersecurity maturity. So you have South Africa, which is slightly ahead than Uganda or Nigeria. And up until now, it has not worked out since none of the governments have made an effort. So there have been small groups that have been formed. And conventions have been there, but somehow it has not worked out. So we'll hear in this session, how best it can be done and what are some practical steps to achieve a common cybersecurity policy across Africa. We have sessions on zero trust, we can't ignore that, zero trust on cloud, CISOs talking about that. As well as mobile applications. So we all know that Africa is big on mobile adoption. So this session speaks on how best we can balance privacy as well as security since mobile is a private device. So how best can the security team implement policies there that doesn't seem intrusive? Another interesting topic is your third-party risks, which I said, some of the topics are global in nature, which we'll find in this region as well. Yeah, it's a lovely panel. One topic is on how security needs to be an enabler for business. So it's more of how CIO and CISOs can work together and make security ... as well as the CIO and the IT team work together for the betterment of the business. So where are the gaps? How best these can be addressed, and here the speaker's speaking about what she has done in her organization, Nastassja Finnegan from First Rand Bank, like what are the steps that she's taking in an organization with this that CIOs as well as CISOs were collaborating. So some great speakers lined up, some good sessions. So hopefully, it turns out to be a good summit.
Delaney: Sounds incredible. So, was there a particular theme that stood out, for you, being very different to the other regions of the world? Because you conduct panels all over the world.
Goswami: No one particular theme. As I said, these topics are global in nature. But yes, I did. I'm looking forward to that particular panel, where they are talking about having that common, because that came across in two-three of the sessions whether we should have a common cybersecurity policy much like it has been there in Europe, whether they are talking about it, much like the GDPR in Europe, they said whether it is a practical thing to have its own cybersecurity policy in which other countries can look up to. So, three, four sessions, a topic they did touch upon, but I thought, let's have a session on this since we have been hearing this. So that is one particular session. I'm looking forward to it.
Delaney: Well, we look forward to it. Great work, Suparna. Matt, I think it's time for some ransomware updates. What's been happening?
Schwartz: I hope I'm not getting too predictable with the constant ransomware updates, but it's so much innovation happening around these attacks that it's interesting to track and to see what is coming out of the mind of these crazy guys who are involved in these ransomware gangs. So, a couple of interesting things to highlight. One is that someone's been disrupting a lot of ransomware groups' operations. Specifically, we've seen the likes of Everest, Hive, Quantum, Ragnar Locker, Snatch, Vice Society and LockBit having their data leak sites get disrupted by DDoS attacks. So that begs the question, who is doing the disrupting? And nobody's taking credit for it. It might be nice to think this is some coordinated interest national government or military smackdown finally coming to bring disruption in mass to scores in society that is ransomware. Unfortunately, I suspect it's disaffected rivals, teenagers, involved in these ransomware groups, basically trying to smack each other down. You see all this teenaged, adolescent soap opera type stuff when these different groups denigrate each other online. And there's this undercurrent in a certain strata of Internet users that you have seen before with gaming sites, where people will DDoS the gaming sites just for the lulz, and just to cause disruption and be annoying. So I suspect that's what's happening. But it is one of those grab-the-popcorn moments, interesting to watch because the data leak sites, where the group's attempt to name and shame victims to try to force them to pay a ransom have been disrupted. Unfortunately, we're not seeing get disrupted the sites that they're using to communicate directly with victims. I guess that's maybe an upside if you're a victim, and you do make the business's decision to pay. So that's not been disrupted. Also, apparently, not disrupted are the portals used by ransomware groups, business associates, their affiliates, who will download the cryptolocker malware, and victims with it. Apparently, they can still get access to those portals, whoever's DDoSing the sites, it's easy to find out where the data leak site is. But a lot of times the sites for victims and the sites for portals being used by affiliates are not well known. Or maybe they're known to intelligence agencies and law enforcement. And historically, they have not disrupted them. I think if they can get visibility into those, they will probably take that and use it to try to build intelligence. So we've seen these DDoS disruptions. And we've seen, as always, ransomware groups attempting to shift the narrative around, "Oh, we're not the victims here. We're the masterminds." In the case of LockBit, for example, "Well, if you're going to hit us with a DDoS attack, maybe we'll hit you with a DDoS attack." Like I said, adolescent grade response here, where they're saying, "Well, maybe we'll add DDoS to the things, the arsenal that we bring against our victims." Other groups have already done this before, doesn't seem to have stuck so much. So that's the DDoS side. One other interesting thing to highlight is a rise in the use of intermittent or partial encryption. And this is not a wide-spread technique. But it's being used by groups to big themselves up a little bit. Ransomware operations compete with each other, as I was just indicating, and one of the ways they try to differentiate themselves is via their technical acumen. And so what some groups have been doing is saying that they can encrypt victims faster. So if you're an affiliate, this has upsides, the faster you can encrypt a victim, the less the likelihood that they will see it or even if they see it, that they will be able to meaningfully stop it. So we have this technique, it's called intermittent or partial encryption, where, it turns out, if you want to encrypt files, you don't necessarily need to encrypt the entire file, you just need to encrypt parts of it. And by encrypting parts of it, you can make it unusable, thus still potentially driving the victim to have to pay for a decrypter. For example, if there's a 50 gigabyte file, if you use these tactics, you can encrypt it in two minutes less than it would otherwise take. If you think about a bunch of servers, a bunch of systems, this could lead to a big savings in the time that it takes to hit a victim. So we've seen Conti spin-offs advertising this capability. Black Pasta, also BlackCat are offering this, as are some other new ransomware groups. I don't know if it's going to take off, if everyone's going to do it. There are some ways of combating this. I spoke with security experts and they say that these tactics attempt to make a file look like it hasn't been encrypted. But they are accessing certain fast-read techniques in the operating system. So, if anti-malware isn't already looking for this, I suspect that we'll see it being coded to watch out for this type of activity, because there are some definite tells, some definite red flags that come along with this. But I highlight it because it's interesting to see how ransomware groups continue to innovate. You have the marketing side of things, like, "We're going to run DDoS attacks against those who dare to DDoS us," and you have the technology side of things where they're trying to make the attacks faster and more effective in order to get more people who want to work with them.
Delaney: Fascinating, Matt. So, does this change anything for the defenders? What should they be doing differently when it comes to partial encryption?
Schwartz: Ask your anti-malware provider if they can spot signs of a partial encryption attack at work. That would be one of my main takeaways here. With a lot of this technical-level stuff, there are defenses that can be brought to bear. And so, it's good to be aware of how you might get hit, good to know what this kind of attack might look like. For example, it might leave a file partially readable and you might be thinking, why is this happening? Well, partial encryption by ransomware gang. That's possibly the answer. So be aware, I think is the big thing here. And it'll be interesting to see if we see a rise in these types of attacks or not.
Field: I do appreciate the conversation I moderated last night. It was about ransomware defense and a couple of big topics. One was the desire of many of the participants to start tokenizing their data, and the idea of making data worthless to anyone who might get a hold of it. The other conversation was about why don't we prohibit the paying of any kinds of ransoms. And interestingly, on the panel was a member of the former Cyberspace Solarium Commission. He said he argued against banning ransomware payments for the notion that you don't want to criminalize someone who's just been a victim.
Schwartz: Absolutely, there's so many unintended consequences. If you're a healthcare organization, for example, and you need to operate and you can't get the records. There's a lot of horrible outcomes. And sometimes you think, "Hollywood style sort of stuff." But there's so many unintended consequences that can happen. I think it does need to be made a business decision. Hopefully, more people will get their defenses in order. But we can't expect that no one's ever going to get hit. And then, that won't cause some sort of public health or national security or other type of crisis.
Goswami: This is such a gray area. There's no black and white because it's a business decision at the end of the day, like Matt said, it's a very gray area. You can't really say it's the wrong or the right thing.
Schwartz: You need to be careful about, as you said, black and white sorts of approaches to technical matters. There's often some nuance you hadn't considered which could be horrifying.
Delaney: The debate continues. Thank you, Matt. Final question for you all, who is on the top of your interview dream? So someone you haven't interviewed in the industry. And you'd like to.
Field: Reminds me early in my career, I had the opportunity to work for James Russell Wiggins, who was the former editor-in-chief of The Washington Post. He stepped down and Ben Bradlee came in. And someone from Time magazine interviewed and said, "If you could interview anyone in history, who would it be?" He looks straight at the interviewer, he said, "God! No, really Thomas Jefferson." I would say I would like to interview, if God is not on the list, I'd like to talk to Angus King, senator from my state of Maine. He was the head of the Cyberspace Solarium Commission. And things have changed considerably in a couple of years since the Commission issued its report. I'd like to catch up with him. The last time I spoke with him, he was the first congressional leader I have spoken to. They could talk about cybersecurity without having first had a briefing and refer to those briefings notes. He knew what he was talking about. Now, let's speak to him again.
Delaney: Brilliant. Suparna?
Goswami: Yes, I'm not somebody from the industry. But I thought of interviewing our prime minister and asking him when the data prediction will be out, considering that it was rejected by so many government? I mean, the government decided to revisit it again, present a new bill. They have not presented a new bill, but work on it completely in a new fashion. So I just want to ask him, when is the country going to be out with the privacy bill? The law we have been working on it since 2018. So it's high time and everybody is looking here at India, asking when's the bill going to be out? So I think we need an answer for that, and I'd love to have an interview with him on that particular topic.
Delaney: I'll definitely watch that, Suparna. Great choice. Mathew?
Schwartz: I'm going to go for a twofer. We've mentioned Jen Easterly, the director of CISA. I've not had the pleasure of interviewing her before. And I'd also like to interview her counterpart here in Britain - Lindy Cameron, the head president of the National Cyber Security Center. I'd love to get both of them together on a panel, just have the two of them talking about top challenges, top approaches, and just their perspective. It's so fascinating to speak with government cybersecurity leaders and to hear their perspective because they see things that would horrify us. We wouldn't be able to sleep, I'm sure, and just to get their perspective on how things are unfolding, what they're keeping track of, what they're advocating, it's great to get that perspective. So I have a twofer there on my wish list.
Delaney: Absolutely. I had Lindy Cameron as well. So there we go, we have to fight over her, Mathew. But my plan B is a bit like the God, but Tom, it would be Alan Turing, I'd love his opinion. Of course, he's the founder of computer science. What would he think about today's state of affairs and cybersecurity?
Delaney: Next time. So, thank you very much, everyone. Mathew, Tom, Suparna. This has been a pleasure. As always. Thanks so much for watching. Until next time.