No honor among ransomware criminals

Hand reaching down to grab a black cat running past

· 3 MIN READ · AARON WALTON · MAR 19, 2024 · TAGS: Cloud security / MDR

We’ve been talking a lot lately about risk assessment and management. So many of the cybersecurity incidents we see in the news and through various threat intelligence sources are due to unmitigated risk. It’s usually not intentional, of course—unless there’s a nefarious insider threat, no one is actively trying to introduce new risk. But recent developments in the ransomware space highlight the importance of ensuring security programs and controls are up to the task of protecting the organization.

You probably read about the drama occurring between the BlackCat ransomware group and its affiliates. There are plenty of news articles that outline the latest, but I’ll sum it up: the BlackCat group (aka ALPHV) provided its tech to affiliates, who used it in a ransomware attack on U.S. healthcare company Change Healthcare, which may have made a $22 million payment to BlackCat to get its data and systems back online. Normally, BlackCat would share a percentage of the ransomware payment with the affiliates who carried out the attack but, so far, it hasn’t. While BlackCat and its affiliates bicker about the payment, Change Healthcare is stuck waiting to decrypt its data and get back to normal operations (although The Register and others now report that Change Healthcare is now in the process of bringing some systems back online with more to come).

And now BlackCat appears to have ceased operations, making off with the full ransomware payment while the affiliate holds control over Change Healthcare’s data. BlackCat claims that it was shut down by U.S. federal law enforcement, but those claims seem to be a smokescreen the group threw down while it slipped out the back door.

Add this to the list of many reasons we feel it’s a bad idea to pay a ransomware demand. Now we don’t know much about Change Healthcare’s security program and controls, and we certainly aren’t victim blaming. What’s happening is abhorrent, but unfortunately not uncommon. Change Healthcare is just one of many organizations to suffer losses from ransomware. The FBI’s Internet Crime Complaint Center (IC3) found that ransomware losses totaled more than $60 million, with the most targeted industries being healthcare, critical manufacturing, government facilities, IT, and financial services.

This should be a wake-up call for any organization who isn’t certain they have a complete grasp on the risks to their systems, and the defenses they have in place. One thing’s for sure: there’s no honor among ransomware criminals, and when those relationships sour, it’s the the victims who suffer.

How do you know if your cybersecurity is good enough?

Adequate cybersecurity readiness is different for every organization. Every company has a unique threat landscape and profile, and no matter how well protected a company is, it can always improve.

But one way to determine your security maturity is to measure against a cybersecurity framework—and there’s plenty to choose from. Some are even designed for specific industries, like the Payment Card Industry Data Security Standard (PCI DSS) and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), for example.

Unfortunately, there’s no single cybersecurity framework to rule them all. Rather, the best framework is the one that meets the specific and unique requirements for you and your industry. It gives you the information you need to make informed, data-backed decisions about your security posture. And it’s the one that you can measure against regularly.

We’ve mentioned it once or twice before, but we like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). NIST announced version 2.0 of the popular framework in February 2024, and it’s got a lot of great updates that make it even more applicable to modern organizations. We even created a toolkit to help you make sense of the changes and score your own organization on where you are now, how you want to improve over the next six and 12 months, and where you eventually want to be. You can even adjust the time periods to your own preference.

What do cybersecurity frameworks have to do with ransomware?

Essentially, frameworks help identify where you can improve your cybersecurity capabilities and controls. As you make progress in your weak spots and close gaps, you improve your cybersecurity readiness, thus making you less of an easy target. Remember, ransomware gangs and affiliates are looking for a quick way into a company that they think will pay a ransom. (A word of caution: if you think you score well in a framework, it doesn’t mean you’re invincible—don’t get complacent!) Your goal is to make it not worth an attacker’s time and energy to attack, and one of the best ways to do that is identifying your weak spots and addressing them.

It’s important to note that ransomware is just one of the many cybersecurity risks out there. And like all the others, there’s no happy ending if your organization is the victim of a successful attack. Take the steps you can now so you don’t find yourself in that situation in the future.

If you’re not sure how to get started with a framework, or your concerned about the state of your cybersecurity readiness, feel free to get in touch. We’d be happy to help.