Fraud Management & Cybercrime , Ransomware
Exploring the Consequences of Not Paying a RansomAlso: Mitigating Cybersecurity Risk During M&A; Dealing With SaaS and Shadow IT
The latest edition of the ISMG Security Report discusses how Australian health insurer Medibank is facing stark consequences for not paying a ransom to a group of cyber extortionists, how to limit unnecessary cybersecurity exposure during periods of M&A, and how to manage challenges in hybrid environments.
In this report, you'll hear (click on player beneath image to listen):
- ISMG's Jeremy Kirk explore the consequences of Australia health insurer Medibank's decision to not pay off extortionists;
- Ben Murphy of American bank holding company Truist describe how to stay ahead of security threats during mergers and acquisitions;
- Phyllis Woodruff of Global Payments explain how to deal effectively with SaaS needs.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Oct. 20 and Nov. 3 editions, which respectively discuss the new target of Russian-speaking ransomware gangs and the deliberations by Australian health insurer Medibank on whether to pay a ransom to extortionists.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Anna Delaney: Exploring the consequences of saying no to ransomware gangs, and mistakes to avoid when migrating to the cloud. These stories and more on this week's ISMG Security Report. Hello, I'm Anna Delaney. It's been a turbulent time for Australia's largest health insurer Medibank, which had the data of 9.7 million of its customers stolen last month, a sample of which, including abortion data, was published this week by criminals after the insurer refused to pay a ransom. So what are the consequences of Medibank's decision to say no to ransomware wielding attackers, ISMG's executive editor Jeremy Kirk reports.
Jeremy Kirk: The stark consequences between paying a ransom and not paying a ransom to a gang of cyber extortionists became painfully clear in Australia on Tuesday. A ransomware group began releasing some of the data it stole from the systems of Medibank, which is one of Australia's largest health insurers. Medibank says the breach affects 9.7 million current and former customers. The data includes claims-related information, including codes for medical diagnoses, such as whether a person smokes or may use illegal drugs. Medibank counts the country's Prime Minister and ironically its Cybersecurity and Home Affairs Minister as customers. Its data breach and subsequent extortion have caused the country to take a hard look at whether it's doing enough to protect personal data.
Clare O'Neil: I cannot articulate the disgust I have for the scumbags who are at the heart of this criminal act. People are entitled to keep their health information private, even amongst ransomware attackers. The idea of releasing personal medical information of other people is considered beyond the pale. So make no mistake about it. This is not just any ordinary group of scamming criminals, this is the lowest of the low.
Kirk: That's what Home Affairs in Cybersecurity Minister Clare O'Neil told parliament on Wednesday during question time after the attackers began releasing data. Medibank publicly announced on Monday that it would not pay the attackers. So who is attempting to extort Medibank? Why did it tell its attackers it wouldn't pay ransom. And will this deter future cyber extortionists? Medibank's announcement was the equivalent of flipping the bird to their attackers and one that aligns with the Australian Government's position. Medibank's CEO David Koczkar has said the amount asked by the extortionist, which he did not reveal, was irrelevant. Even if Medibank paid, there's no guarantee that the data will be deleted, he said. He's right. What's remarkable and nearly unheard of is how open and transparent Medibank has been at every turn of this extremely sensitive situation. Publicly stating no ransom would be paid was a strikingly bold move. Rarely do companies say either way if they've paid. Some cybercrime researchers have dubbed the group that struck Medibank as BlogXX since it doesn't have a clear name. BlogXX's website has links to the infamous REvil ransomware gang which attacked the software developer Kaseya in July 2021 and JBS Foods in May 2021. Although REvil disbanded around October 2021, some of REvil's old infrastructure that it used to leak data began redirecting to BlogXX's website that's led some experts to believe that BlogXX may be the remnants of REvil. So where does this go from here? Cybersecurity and Home Affairs Minister Clare O'Neil warned parliament on Wednesday that this data leak situation could drag on for weeks or even months. In the first release of data, the ransomware gang released the negotiation chats it had with Medibank. In those chats, the gang warned that "in the event of a negative outcome of the negotiations for us, we will do everything in our power to inflict as much damage as possible for you both financial and reputational." Will not paying send a message to other extortion or ransomware gangs to not mess with Australia." They will no doubt take note. But cyber criminals don't observe normal deterrence. Attacks on IT systems have a low opportunity cost. And there are probably quite a few Australian companies that have paid ransoms over the years as well. How does this shake out? It's going to take many more companies than just Medibank saying no to extortion, but it's a start. For Information Security Media Group. I'm Jeremy Kirk.
Delaney: In 2021, U.S. mergers and acquisitions shot up 55%. In 2022, that percentage is set to climb even higher. The wave of post-COVID M&A demands that cybersecurity leaders improve their efficacy. At the recent ISMG Southeast U.S. Summit, our senior vice president of editorial, Tom Field, spoke with Ben Murphy, senior vice president and head of cyber operations at bank holding company Truist about how his team stays ahead of the security threats during mergers and acquisitions.
Ben Murphy: So a lot of what we do now - I'm running operations. So a lot of it is reactive and we integrate closely with our security architecture side, which is much more of the proactive side. So we expect a lot from our architecture team to develop repeatable patterns that we can say, "We've got a new business we're bringing in. If they're in this environment, here's what we've developed. They need to align to this pattern." Another thing is that we have to - from, we say reactionary, but it's actually proactive - I have to start monitoring not just for what's going on on the network, or what events are occurring, but I have to start monitoring for what is the business doing, what was deployed yesterday into the cloud that I didn't know about? What new data bucket was just deployed? And how is it accessed, and what model is it following? And is it part of our pattern that we've developed? Or is it something someone else developed? I have to start monitoring and responding to that the way I used to monitor and respond to port scans and attacks on the firewall. These are my new attacks. What did my business do that I need to respond to and make sure it's secure.
Delaney: And finally, also speaking at ISMG's Southeast U.S. summit was Phyllis Woodruff, vice president, IT risk and compliance at Global Payments. Her topic was cloud security dealing with SaaS. Woodruff says, as we migrate to the new, we can't throw out some of the old. Tom Field asked her about what exactly organizations have to retain in their journeys to the cloud.
Phyllis Woodruff: Within security, we've always used frameworks, as I grew up with security. We've used frameworks to make sure that we were checking off the boxes and crossing all the T's. So if you think of NIST CSF, if you think of NIST 853, if you think of COBIT, all of those frameworks were put in place to make sure that we are covering all the bases. We internally use a master control inventory, because regardless of whether it's cloud or on premises, and we still have a foot in both, you want to make sure that you're closing all of the necessary gaps. Think of perimeter defense. Are we defending that perimeter? And how are we checking that we're defending that perimeter? Are we doing our asset inventory accurately? We have to identify first if we would go back to NIST CSF. And so we have to take those disciplines with us. It's not just about the next whiz bang tool, although those are cool too.
Delaney: That's it from the ISMG Security Report. The music is by Ithaca Audio. I'm Anna Delaney. Until next time.