A Conversation with Kai Bernardini: The Biggest Threat Facing Healthcare Today
Security researcher, lecturer, and threat hunter Kai Bernardini shares his take on the state of ransomware in healthcare and where it’s headed, and geeks out with Mike on cryptography. PLUS: Our perspective on stopping a ransomware attack long before it can start.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
On today’s episode of In Scope, host Mike Murray is joined by Kai Bernardini, a security researcher and a lecturer at Boston University. Kai has done fascinating work on offensive security and machine learning, among other things, but in this conversation Mike is excited to talk with him about ransomware and its influence in the healthcare space. Before jumping into the main topic, Kai briefly shares about himself and his world; ultimately, he says, he’s a math nerd in a trenchcoat doing security.
With that image in mind, Mike introduces ransomware in healthcare to the conversation, first asking Kai how ransomware works. The common conception of ransomware is encryption used to shake someone down for money. In practice, Kai says, ransomware is more varied than that, and it sits at the intersection of ruining someone’s day and cryptography. While Kai considers it a rather pedestrian method of attack, and something of a blunt tool, ransomware is very effective. It generally compromises a computer with an initial infection, works to spread across the network, and eventually starts locking things. Access to the key depends on the victim’s willingness to pay the attacker.
Mike then wonders whether ransomware authors have become more sophisticated, and Kai responds that not only are they more sophisticated, but their work is larger in scope. He goes into detail to explain this contemporary weaponization of technology, noting along the way that misconceptions about the difficulty of cryptology are common. At this point, Mike and Kai pause for a few moments to consider why cryptography is so challenging: computer science is built on abstraction, and cryptography is heavily steeped in mathematics.
Turning back to the details of ransomware in the healthcare space, Mike asks how attackers make money, why they use ransomware to accomplish their aim, and who they are. They use ransomware, Kai says, because it’s effective, and they are whoever is trying to monetize via cybercrime. Payment is most often made in Bitcoin, though other forms are also used. As a final point on how ransomware works, Kai points out that, contrary to the usual media image, attacks tend to be opportunistic in nature.
The episode moves toward a close with a look to the future. Mike first wants to know what Kai imagines ransomware attacks will look like in 36 months. Ransomware is not going away, Kai responds. If anything, attackers are being emboldened and are even working with the trappings of legitimacy. Ransomware attacks feel more organized than they used to, and the means of attack are quite accessible. If something drastic doesn’t stop ransomware attacks, Kai imagines they will escalate still more.
The COVID-19 pandemic has also exacerbated this situation, especially for institutions like hospitals. It’s not that challenging to attack them, compromise of medical technology could easily push hospital leaders to pay off attackers, and there are not yet strong mitigations in place to stop attacks. As a concluding thought, Kai makes a high-level point that, in order to make ransomware attacks no longer economically viable, it is important for people to start going after attackers.
– Mike introduces today’s guest, Kai Bernardini
– Mike asks Kai to share about his world and about what he’s been up to lately.
– The conversation turns to ransomware in healthcare, with Mike first wanting to know how it works.
– Have ransomware authors become more sophisticated?
– Mike and Kai consider the difficulty of cryptography.
– Kai and Mike talk about the future and the impact of the pandemic.
– How can we make ransomware no longer economically viable?
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.5 Mike Murray: And welcome to this week, everybody. This week, I’m so excited because we have Kai Bernardini here. Kai is a security researcher who I’ve known for a bunch of years. He’s also a lecturer at Boston University’s Metropolitan School of Computer Science. And most interestingly, he does some really interesting research into offensive security as well as some really cool machine learning stuff. But today, most importantly, we’re here to talk about ransomware because in the healthcare industry especially, ransomware has been the scourge for the last few years. So Kai, welcome. And maybe give us a quick two minutes on what you’ve been up to lately and what you teach about at school, and just tell us about your world.
0:01:06.5 Kai Bernardini: Hey, thanks for having me, man. It’s really, really great to see you, or in whatever capacity this is.
0:01:11.6 MM: Yeah, far away from all the years, right? Distance and social distancing, as we say.
0:01:18.9 KB: Something like that. No, I’ve been sort of up to my nose in everything recently. On the teaching side, I teach at a high school now too, doing computer science there. I mostly teach discrete math and cryptography, which is sort of the space that I occupy now, somewhere at the intersection of theoretical math and actually building things. I’m still working on that, my data science projects, finding things in certificate transparency logs, actively tracking threats, and reading a bunch of cryptography books because I’m weird and that’s what I do in my spare time.
0:01:48.6 MM: So you’re just an all-around security nerd is what it really comes down to.
0:01:52.3 KB: I’m like a math nerd in a trench coat doing security, yeah.
0:01:56.6 MM: That’s fantastic. So I brought you on today because I’m sure you can tell me more than I can tell you about how much of a difficult problem ransomware has been for healthcare organizations over the last five years, right? Healthcare is the sort of… The default case. When you think about ransomware, you think about healthcare a lot. So you’re the best person I know about, what is ransomware all about? Everybody knows that it encrypts some devices and then you have to pay them money, but how does it actually work? Tell me what you found, tell me all about… What are the gangs all about? Let’s just dive into it. Tell me what’s going on.
0:02:35.1 KB: So maybe starting with exactly how they work. So it’s not just about detonating something on a system and then encrypting everything and shaking you up for money, like you said. There’s a lot that goes into it, and that can range anywhere from trying to take over as much of a network as you can, so you get the most bang for your buck. That can be writing something that’s somewhat wormable. I mean, I’m sure you know that one of the ways that this stuff spreads most commonly is just looking for weak credentials in RDP or seeing what access people have. You can see things that do something similar to like what Bloodhound does, where you actively probe domain controllers to see, “Okay, what boxes can this computer access?” And it actually has a pretty interesting model where it’s not just exclusively doing Ransomware or exclusively doing network stuff, they can piggyback off of other services.
0:03:22.5 KB: So there are a lot of gangs out there, so I can’t speak confidently about what every single one does, but what’s interesting to me is how this all lives at the intersection of ruining people’s days and cryptography. And sort of interestingly, like how a lot of these people do roll their own crypto and build out their own tools. So precisely how it works is there’s some sort of initial infection where some computer somewhere gets compromised and they find a way to spread that across a network, typically an internal network.
0:03:50.2 KB: And the reason that’s significant is because you have this big, widespread issue of the really hard or, in parentheses, hard outer shell, and the soft gooey interior of like an internal network. Where I still remember taking a cyber security class in college with one of my favorite professors and we did a couple of vulnerable machine exercises where you just try to take over a web app, and I’m like, “Man, this is wild, but like this is never gonna happen in the real world because this is super dumb and someone would have fixed this by now.”
0:04:18.9 KB: And it’s not so much that the people who build this are dumb, it’s that they’re spread super thin, and there’s just such a huge attack surface that’s super hard to lock down that you do see this kind of like old school-like, remember like Damn Vulnerable Web App. It’s a box that is used to train people and you’re like, “Alright, you’re not gonna see this in the real world.” And then you do.
0:04:40.2 MM: Actually, what was the breach last year? Wasn’t it Equifax that had basically that, one of the Damn Vulnerable Web App? It was like a super simple [inaudible] that created this massive data breach?
0:04:55.1 KB: Yup. It’s just like this kind of interesting looking command injection and you see this all over the place. And again, ransomware, there’s this issue of, “Okay, I wanna go through and take over as many machines as I can and figure out a way to monetize this somehow.” And there are a lot of strategies for this, some of them more intrusive than others, like one of the more interesting ones that I’ve seen recently is just Monero miners that take over Kubernetes clusters and just use that to try to find as much as you can.
0:05:22.9 MM: By the way, Monero?
0:05:25.4 KB: It’s just one of the privacy coins, so it’s basically like Bitcoin, but it has some nice interesting features like ring signatures where you can have some degree of plausible deniability about how much money you have and who you’re paying, and it’s significantly harder to track who has what. But the specifics of how you actually mine Monero are somewhat different than how you would mine Bitcoin, which makes it suitable for mining on things like Kubernetes clusters. So you have all of these interesting ways of trying to monetize it, and ransomware to me has always seemed like the most pedestrian way of doing it. And I say that not necessarily as an insult, because it’s also one of the most effective. I don’t know, you could rent out botnets and use it to install other malware and sell to spooky people and do all this other stuff, but how about you just have them pay you. And it seems like such a blunt tool that just is so widely effective.
0:06:18.0 KB: So specifically how it works, is there’s that initial infection, it tries to spread across the network and get as many machines as it can, and at a certain point, it’s gonna start locking things. So the way that it does that is typically through some sort of asymmetric protocol. So in cryptography, you have all these cool things that allow you to solve problems like, okay, so let’s pretend there’s someone else on this call listening to us, which there probably is. I can shout something at you, Mike, and you can shout something at me and everybody can hear that we shouted at each other, and all of a sudden we have a shared secret key. And there are these other systems in place where you have public key cryptography, so most ransomware will rely on RSA in some capacity.
0:06:53.7 KB: Not always, but you need some sort of asymmetric protocol, where what happens is, the sort of general workflow is once you’re ready to start encrypting files, you have a list of file extensions you want to encrypt, you have a bunch of folders you want to encrypt, ’cause if you encrypt the operating system, all of a sudden it becomes unworkable. And you encrypt all the file types that you want to, so typically you’ll encrypt Word documents, text files, everything in your home directory, etcetera. So enough where the computer still works, but everything on there that you want is now hopelessly lost, in parentheses.
0:07:25.7 KB: So what happens generally is you use an asymmetric protocol with a public key that is associated to whatever gang you’re dealing with. And they can build as many of these or as few of these as you want. And I have an interesting comment about that in a minute, but what it will then do is it’ll, basically on the spot, generate some sort of symmetric key, typically an AES key ’cause it’s kind of hard to mess that up. But you have seen people do things like roll their own RC4 and encrypt files with that. And once it’s done encrypting the files, it then encrypts that file with its public key, shreds it, and you can either see it send that key to a command and control server so that you could unlock it later, or even write that file somewhere on disk. And at that point…
0:08:06.9 KB: ‘Cause again, you need a way to unlock it or if you don’t, people will stop paying you and then you stop making money. So the economics of this are all interesting, but with this public key setup, what’s interesting to me is… And again, there are some that will establish sessions and trying to communicate back and forth with the server, but if you’re working on an internal network and you don’t wanna build up some ridiculous, I don’t know, tunneling setup, then you probably don’t have a path to the open internet or if you do, it might be unreliable.
0:08:34.7 KB: So you wanna have a way of encrypting things, telling people where to pay you, and then having the ability to unlock it even if you can’t connect directly to the machine. So what I’ve seen a lot of is people directly writing the encrypted keys to disk, and then the unlock file will go through, encrypt that key and use it to go through and encrypt the rest of the computer. So that’s sort of ransomware at 10,000 feet. And obviously, you get the big scary pop-up and it’s like, “Pay us or you lose everything.”
0:09:00.9 MM: So in the early days of ransomware, I remember like five years ago when ransomware was… It got in the system and immediately just blitz encrypted everything. I feel like that has changed. I feel like people are being smarter about it. We saw the recent ransomware incident at the University of San Francisco or UCSF, not USF, where they seem to be very targeted. Have ransomware authors become more sophisticated over the years? And sort of how has that changed from the early days of just like, I get on and I look at every share and I’m gonna encrypt everything.
0:09:36.9 KB: Yeah, just at like a high level. Take something that might not necessarily be wormable and it’s just like single use for a single machine. I put a Trojan inside of something, it can convince you to download it, and now I can charge you, the end user, like maybe a couple hundred bucks before it’s no longer worth it for you to pay to unlock it. And then that’s it.
0:09:56.4 MM: By the way, just for the listeners, the UCSF ransomware that just happened, they paid in the many millions of dollars, just to give Kai some context. But yes, keep going, dude. Sorry.
0:10:08.8 KB: Yeah, yeah. And early on, what you’ve sort of seen as the evolution in cyber crime where nothing goes to waste. And again, I’m serious, they will use everything they can. They will steal emails and use them for spamming campaigns. They will go through and lock things, then hopefully leave something like hitting someone that they can maybe exploit later. Steal data along with it. What you’re seeing a lot of is things that are not only necessarily more sophisticated, but larger in scope, where, sure, I can go through and take control of a bunch of client accounts or end users who might have considerably shallower pockets, and nothing really happens if they can’t get into a computer. Sure, they might get disrupted, but take hospitals, for example. If I lock everything down, people can’t get care. So there’s this considerably larger urgency to go through and fix everything.
0:10:57.0 KB: And in order to go through and spread that much more widely, you need some degree of sophistication. And it doesn’t even need to be really sophisticated. Again, [inaudible] was spreading through RDP for a while, and typically with empty credentials or weak credentials. There are botnets that do nothing but try to brute force like gateways under private networks or devices where there’s some sort of account oracle.
0:11:19.8 KB: Account oracle being something like, “I wanna log into your internal account or log in to your Outlook-like account. I can just start spreading credentials across the internet and see what sticks.” And that oracle basically tells you whether or not like, “Okay, this account is valid or not valid.” And then, typically, all you need is a couple of sets of valid credentials and you can spread like wildfire. And again, because everything on the outside’s locked down and everything on the inside is considerably squishier.
0:11:43.6 MM: And by the way, just to give everyone some context, people think about ransomware as though it’s this… And honestly, they think about all hacking this way, but they think about ransomware especially, as that it’s some sort of uber technical thing, not just like, “Hey, we’ve tried to log in with some doctored passwords and it worked.” And I think it always blows people’s minds when they understand how easy some of this stuff actually is.
0:12:12.9 KB: Easy and you just start breaking like little unwritten social rules. Maybe once you steal an account, you start phishing internal employees or start spreading like wildfire there. Sure, there are people that were leveraging exploits, like if everyone remembers WannaCry, which is kind of hard not to remember.
0:12:28.0 MM: Yeah. [chuckle]
0:12:29.1 KB: You take something that was actually a pretty sophisticated exploit and weaponized it, but that’s not always what people do. And after it was already weaponized for them, you just reuse it. And after you reuse it, you start spreading. And the actual software behind how ransomware spreads can be interesting, but the most sophisticated part of it is how you actually encrypt things, because crypto is really hard to roll yourself. The punch line in every single crypto class I’ve ever taken is, “Yeah, this is hard. Don’t build it if you’re not an expert.” And if you have to ask if you’re an expert, you’re probably not an expert.
0:13:08.0 KB: I will never forget this guy from the… I think the Tel Aviv University rolled in with a giant sausage, and he called it the meat-in-the-middle attack, which was a play on words for a meet-in-the-middle attack, and he attached alligator clippers to it and poked the computer chassis, and you could see an elliptic curve key in front of your face as it was being… I don’t know. That stuck with me. And all of the things that go into creating decent crypto is really, really hard. But what they’re trying to do is different.
0:13:36.7 KB: They’re not necessarily trying to go through and communicate securely, they’re just trying to lock things down. And once you go through and lock everything down, unless you’re on the machine actively watching it while it’s being encrypted, if you miss out on that, or you’re not well-positioned, you’re kind of out of luck, because AES, from what we hope, is really solid, and it’s that sort of situation where if you try to do nothing for the next couple of billion years with an insane amount of computing power you would still be nowhere near getting it on average.
0:14:06.7 MM: That’s another thing that people don’t really understand about ransomware. I have talked to a million people who say, “Well, they encrypted it, how hard can it be to unencrypt it?” And people don’t necessarily understand how hard cryptography is. And I have been in computer security for 25 years, and I know fundamentally, beyond all shadow of a doubt I’m not smart enough to be a cryptographer. And maybe you can give some color on why this is so hard. Why is math hard, I think is really the question I’m trying to ask, which probably has an easy answer, but…
0:14:44.4 KB: We would need way more time for the why is math hard…
0:14:48.4 KB: And to be clear, I’m not qualified to be a cryptographer. I don’t roll my own crypto. I’ll sometimes build things out for funsies, and just to show that I understand how the algorithm works, or maybe you need to build a decryption routine for something that you saw rolled in the wild, but in terms of how I communicate online, I rely on other stuff, because there are a lot of really difficult things that go into making it. And some of them stem from the transition from blackboard to code, where great, you have something that works really great in theory, are there other side channels that are involved? So effectively, security, in a nutshell, for me has always been a question of, how do I invalidate other people’s assumptions?
0:15:28.0 KB: So one of my favorite examples of that being Rowhammer, which came out of Project Zero. And that entire thing was… “Yeah, you think hardware works the way you think it does, you think that there’s this perfectness in how chips function where if you start poking DDR RAM charges don’t jump, and if you can flip a bit in the right place and that points to the right offset to a page table that you control, you can take control of a computer, or get root on that.” And when it comes to the cryptography… Yeah, go ahead.
0:15:53.8 MM: Dude, I’m sorry, I gotta interrupt you on that one, because Rowhammer breaks my brain, and I know that about half the people who are listening to this probably haven’t gone deep on what Rowhammer is. But at the most basic level, Rowhammer was this exploit where people figured out that if you could make certain calls to memory over and over and over again, i.e., hammer, hammer this part of memory, you could create certain patterns in computer memory at the ones and zeros level that would let you take over a computer.
0:16:30.5 MM: And I’ve been doing this for multiple decades, and I will tell you, I looked at Rowhammer and went, “Wow, that’s really frigging complicated.” And by the way, you just explained it in 30 seconds, which I’m sure went by a lot of the people that are listening to this, but you explained it perfectly. Rowhammer is hard. And what you’re talking about is some of the really most complicated and most difficult things in computer security, and you’re making them sound easy, but this stuff isn’t easy for most of the people who have been in this industry even as long as I have. And I think it’s important to understand that some of these exploits are really complicated, and especially when you get to cryptography, when you get to things like ransomware, and it’s just like, “Well, why can’t you just reverse engineer it and find the key?” It’s not that easy, is it?
0:17:19.2 KB: Not always. And I don’t wanna get distracted with Rowhammer, ’cause I will sometimes just not shut up about it.
0:17:23.7 MM: You and me both. We could do a good hour on Rowhammer. Maybe some other day we’ll come back and we’ll do an hour on Rowhammer, ’cause it… And by the way, the mobile version of Rowhammer, which we both played with at Lookout.
0:17:33.9 KB: Is feng shui.
0:17:35.6 MM: Yeah, it’s exactly. It’s so much fun. Anyway, back to what you were about to say. [chuckle]
0:17:40.4 KB: But basically, that’s just a really great highlight of… Computer science is built on the abstract approach, where I don’t really know how CPUs work, at all. I’ve played around with tiny microcontrollers, and I know that there’s some instructions that it can do, but generally speaking, I trust that it’s going to behave a certain way. And with memory, I trust that it’s going to behave a certain way.
0:18:04.4 KB: And when it comes to building cryptography, you can build something on a blackboard that’s hopefully rock solid and under certain assumptions is going to function. The problem is something has to perform those operations. So in that example where I was describing the crowded room problem of me shouting something at you and you shouting something at me, there’s a lot that can go wrong. If you’re not careful about how you perform the group operations that create this crypto system, you can leak information that can completely compromise it and that’s happened. It’s not just something that you could do. People have done this. And when it comes to taking crypto and building something that will lock a system down, we’re talking exponential growth in a way that’s impossible for me to grasp.
0:18:48.0 KB: It’s something like trying to understand how big 2 to the 128th is or 2 to the 256th bit is really difficult. There’s a great video by a guy who makes really cool math videos called “3Blue1Brown” that highlights it.
0:19:02.5 MM: Wait, what was that video again? We’ll put it in the show notes, but at the same time, say it again.
0:19:06.7 KB: 3Blue1Brown, and he basically tries to help you visualize how big that is using the language of, “Okay, let’s give everybody on earth like a megagoogle and take copies of that universe, and then take copies of that solar system, and it just keeps iterating.” And the punch line is, “Yeah, and even if you have all of that, it would still take thousands of years, probably more, probabilistically, right?” Of course, there’s a universe in which you get incomprehensibly lucky, but I have trouble grasping how incomprehensibly unlucky that would be. Or lucky, I suppose.
0:19:39.1 MM: Those numbers break human brains. So let me take you in a different direction. So somebody’s making money off this, how does that actually work? How do they get paid? Where does the money go? Who’s behind all of this? And obviously, every ransomware gang’s different. So I’m asking for broad, broad, broad generalizations, but just give us sort of the story. Why are they doing it and what’s behind it?
0:20:04.5 KB: They’re doing it because it’s really effective, and there’s this sort of policy that a lot of government institutions take on where it’s like they don’t negotiate with terrorists or they don’t negotiate with kidnappers, and a lot of high net worth individuals have a similar policy. And I’m not here to say what’s the right answer here, but there is merit to the fact that if you don’t pay them and it no longer becomes profitable, it slows down. And the way you get around that is you pick institutions where they physically can’t just be out.
0:20:36.7 MM: You mean like a hospital?
0:20:37.9 KB: An outage. Yeah, exactly. Think of a nightmare scenario where the power gets cut and eventually your generator runs out, you’re screwed. Everybody in the ICU is done for. And that’s not just a hypothetical, people start getting sick and die if you start to take down hospital infrastructure. This is something that I think most people can agree on. What you can definitely argue about is how much a ransomware attack does affect hospitals, but in essence, and this is for larger institutions, think about any sort of industrial control facility that requires machines to be on 24/7. If they just stop working, you as the operator of that facility are gonna do everything in your power to get it back. And if it’s cryptographically locked to the point where there’s not a damn thing in the world you can do to unlock it without the secret key, people started paying in a way that I find reasonable.
0:21:30.0 KB: And a direct result of that is when people started paying and it became a reasonable thing to do to start paying, this started to embolden them where you’ve seen a rise in the asking price for an unlock. So the way that it’s monetized is nine times out of 10, they’re gonna use something like Bitcoin. We have seen people using more potent privacy coins like Monero that are harder to track.
0:21:51.5 MM: Zcash.
0:21:52.3 KB: Yup. And part of the reason I think that you haven’t seen widespread adoption yet is, in part, because some people might not know that they exist or why they’re better, but also once you get all of that money, you have to cash out somehow. So this ecosystem also takes into account, okay, typically it’s this interesting situation of malware that self-identifies and tells you, “Hey, I’m malware and you lost, I win.” Which is not what you normally see, and it also tells you how to unlock everything. So it’ll give you an address, it’ll tell you where to send all this money to, and there’s some system around it where people will pay consultants to pay the ransomware people for them, and the ransomware gangs, effectively, have to take this bitcoin somehow and clean it. So there are tumblers that do this, there are launderers that do this, and that’s a whole other discussion that’s worthy of another episode.
0:22:43.6 KB: But in terms of who it is, anyone who’s trying to monetize via cyber crime, you’ve seen a lot of gangs out of Russia doing this. There was one of my favorites, recently, where someone bit off more than they could chew in China, and then sent out the decryption cheat queries to a cyber security firm there. I’ll send you the article link. I’m forgetting the name of it.
0:23:01.9 MM: We’ll put it in the show notes for the listeners.
0:23:03.8 KB: But effectively, you’ll see a lot of this show up in different types of cyber crime. So the SaltStack RCE that showed up a while back that let people into data centers, people were mining cryptocurrency on it. This is like an opportunistic setup where they don’t… As far as I know, a lot of these people don’t have dedicated exploit devs who do nothing all day but try to break into these systems via sophisticated-like exploits. They kind of just don’t let anything go to waste. They wait for things to drop or they just try to guess credentials or whatever other way they can easily get onto a system, spread, lock it down, and then shake them down, and then rinse and repeat.
0:23:40.1 MM: Can I just stop and unpack that for a second? ‘Cause I think we need to pause and you need to almost say that exact thing over again. Because far too often we think of attackers as something off of TV. They’re doing this amazing thing where they’re shutting down 15 city blocks and they have zero days that no one’s ever heard of. But far too often, it’s not that, right?
0:24:01.8 KB: Mm-hmm. No, and one of my favorite quotes from one of my friends is something to the effect of like, yeah, one of the things that really threw me through a whirl when I started taking computer science is how stupid computers are. And you have to tell them to do exactly what you want to do and getting them to do that is highly non-trivial. And when it comes to the sort of media portrayal of what hacking looks like or what all this stuff looks like, it’s a meme in and of itself. The other thing is, even if they did have the ability to do this, which they might… There’s a lot of overlap in how these people operate. Again, nothing goes to waste, but more to the point like, why bother? If the easy stuff works, why bother burning something that’s more useful? If you’re a ransomware gang and you have bigger fish to fry, why would you go through and burn a 0-day on a hospital when… I don’t know, man, they have really old versions of Windows running.
0:24:57.3 MM: Yeah, when some old medical device is running Windows 98 or Windows NT 4.0 unpatched or NT 4.0 Service Pack 5 still with all the original vulnerabilities in it, why would you burn a 0-day?
0:25:12.1 KB: There’s no reason to, and it’s very much, if you don’t have to you’re not going to, you’re just gonna use what works. Most of these spread through other publicly available exploits or just no exploits at all. You just use legitimate software, live off the land and just pivot through that.
0:25:28.0 MM: Let me take you a different direction, and I ask this of everyone. So we understand where we are now. We have a sense of where we are. Fast forward 36 months, where are we gonna be? Especially criminal gangs, ransomware gangs, attacking healthcare organizations, specifically, what are we gonna see in terms of evolution? How’s it gonna change?
0:25:49.2 KB: That’s hard to predict.
0:25:50.4 MM: Give your best guess. You understand these folks better than most, so your guess is probably as good as anyone’s.
0:25:56.3 KB: It’s tough. I mean, what we’re dealing with here is a tremendous amount of uncertainty. And the way that I deal with risk is non-standard, I think, just because of all the statistics I’ve taken, but effectively, one thing to keep in mind is there has been a pretty significant uptick in the asking price to unlock everything, and there are all of these sub-industries that have popped out as a result of it. So namely, this isn’t going away, and if anything, they’re being emboldened because it’s still highly profitable. And so long as you can make money by doing this, there will always be people who will try to take advantage of it. There have been ransomware gangs that have said, “Okay, with the pandemic, we’re not gonna go through and start locking things.” But they did anyway.
0:26:39.5 MM: Yeah, that only lasted a few weeks, right? [chuckle]
0:26:43.1 KB: Again, in some sense, these people have their price, and it’s opportunistic in the way that the reason it’s so effective is the people who have been blank targeted by this don’t have a backup plan. And if the difference is a few million dollars, or a few thousand dollars, or whatever the astronomical price is, and a couple of days of outage, it’s a really tough call to make. And if anything, the urgency of healthcare right now with the pandemic… I hate to… I hope this isn’t coming off as fun or anything, but with the urgency of everything that’s happening, the appetite for risk for hospitals is starting to diminish, and it’s becoming more and more reasonable to me that like, “Yeah, if they do get hit they’re probably gonna pay.” Especially if they’re overwhelmed, the last thing they wanna deal with is some sort of ransomware outbreak that locks everything down.
0:27:33.8 KB: And by the way, even when they do get hit, they’re still out of commission for a little bit, so they’re highly, highly destructive. So best case scenario, you pay day one and what is interesting though is the amount of customer service that you get from these gangs, where they give you email, they respond in a timely manner, they’re super, super helpful. If one of their tools doesn’t work, they’ll help you unlock it. I don’t know. That part stuck out to me, where this is a proper business, and it’s a super illegal one, but it’s one that has the trappings of legitimacy, if that makes sense. So in terms of where it’s going, this is getting… It feels more organized, and it feels… Unless something drastic happens to stop it from being so lucrative, and stop it from being so accessible, it’s gonna continue to escalate. I’m not here to doom say and be like, “Yeah, Cyber Pearl Harbor is gonna happen.” ‘Cause that’s not how things work. [chuckle] Forbes.
0:28:26.1 MM: We hope.
0:28:28.0 KB: We hope. But it’s getting more sophisticated, and it’s getting more organized, and I think it’s going to continue to be a problem for the foreseeable future.
0:28:36.6 MM: You brought up something interesting and something that I’ve been saying inside the Scope for a while, but I’d love to hear your thoughts on it. My thought on the pandemic is that because hospitals in the last six months and in the next six months are so stressed, if you look back a year ago, you might have had the time, like, “Oh, I can be down for a few days because, yeah, it’s gonna impact my business, but I have time.” When the world is so under stress, to me it’s almost a fire sale in some ways for the author, in that they know that the hospital, whereas a year ago it might have been like, “Oh, we can wait a week and restore from backups.” Now it’s like, “Our ICU is full, we have COVID patients everywhere. Oh my goodness, we cannot afford to be down for even another few hours.” And I think to me it gives an opportunity for the ransomware author to basically take effect of, the customer now must pay. Do you agree with that?
0:29:40.9 KB: Definitely, the sale of convincing hospitals to pay is considerably more compelling, and especially because with everything that’s happening, to piggyback off of that, locking down hospital networks is notoriously difficult. I think you were the first one to tell me that, yeah, there’s a reason it’s not segmented, it’s because it can’t be. And I was like, “What?” And sort of to tack on to that, there aren’t dedicated security engineers at hospitals, or not nearly enough. And fixing things as they get broken, once you get infected by ransomware, they probably used something to get in, and if you don’t figure out what that something is they’re gonna be back. And who’s to stop them from just leaving a back door somewhere and just relocking everything, or not relocking everything, but siphoning data. Again, I know I’m repeating myself, but nothing goes to waste.
0:30:30.5 MM: Let me interrupt you and mention something, ’cause I don’t know if you know this. So in the early days of ransomware, ransomware wasn’t considered a breach, because it was locked and the idea was that the data hadn’t left, but more and more, now we’re seeing ransomware attacks especially by OCR around HIPAA saying, “If you get that data locked it is assumed to have left.” And suddenly now you’re not just talking about I have to unlock it in order to do my business, but now that it’s locked, I now have to deal with a breach fine. We have added the complexity because of everything you just said that I think is also really interesting from a, “Do I pay the ransom perspective, now I also have to pay the breach fine that goes along with the ransom.”
0:31:13.6 KB: And think about how valuable that data is too. Patient records, yes, insurance information, yes, who’s seeing what, who was getting treated for what, financials. Everything is just super, super valuable there.
0:31:27.2 MM: Trial data, think about COVID vaccines and just any sort of medical device… Any sort of medical trial. That stuff is all incredibly useful from an IP theft perspective.
0:31:38.9 KB: And I still think about one breach from, I think it was J. P. Morgan years and years ago, where all they stole was emails and names. And that seems innocuous enough, and then some dudes just did nothing but… It was like a giant pump and dump scheme that was built on that email list that made a few million dollars. So everything gets sent upstream and everything gets used, so this idea that it’s locked is like, “Yeah, it is locked, but who’s to stop them from siphoning it off first?” And that’s a harder thing to do unless the machines are completely exposed where they can still talk to the Internet, which does happen, which is why you’re starting to see some more of that. But the escalation that you’re seeing, is you’re right, they’re not just one-offs that lock a computer and then say pay us. They get on a computer, they wait a little bit, they spread around and they siphon off what they can, and then after they’ve wrung it dry, great, this is the way to squeeze the last bit of value out of it.
0:32:36.1 KB: So after the pump and dump scam, this is something that… Everything can be monetized, and cybercrime is all about monetizing things after breaches. And the kind of interesting case of hospitals is, the amount of work you need to do to develop a way to get on to a network, is pretty small. Cyber security is a lot of economics, if you wanna hack Google, you probably can, if you have enough time and money. The thing is, the amount of time and money it takes to do that, is somewhat astronomical, where these smaller gangs just can’t do it. But getting on to a hospital is a lot easier, because there’s no real unified way to lock everything down and attempts at that have been somewhat dodgy, best of luck to you. [chuckle]
0:33:17.4 KB: But in that respect, the amount of money they’re siphoning off of this is growing pretty rapidly, the defense mitigations for stopping this are still ‘eh’, and it’s still a really pervasive issue. So it’s this perfect storm of they’re making money, it’s still pretty easy to do, the code reuse out there… You can Google crypto modules and just include them, you can build out these services that are built around unlocking, there’s a lot of code that’s out there. So all of this to say, the cost of developing a ransomware-like setup is not super high, the amount of money you get from it, is astronomically high, and the mitigations that are in place to stop it from happening are still ongoing. So in terms of where it’s gonna be, probably bigger than ever, especially with all this urgency. And with everything in chaos right now, you can just wait for opportunistic times to lock things down. But I don’t wanna doom say too much because again, this isn’t the end of the world. It’s not great, but we’re still gonna be here.
0:34:27.7 MM: This is why we had you on, it’s because… Not to doom say, but let’s be honest, this is a problem, this is gonna be a problem, we gotta… We as an industry, have to deal with it, and we’re all very lucky that people like you exist and are out there dealing with some of this problem and chasing around these gangs. Quickly, where can people find you? Where can they get in touch with you? Where are you on Twitter? Where are you teaching? What are you up to? Give kind of the, “Where do we find Kai, if we wanna ask him more?”
0:34:55.9 KB: For sure. I’m on Twitter, KB Intel, I think, like I put in the bio. I should know.
0:35:01.0 MM: KB underscore intel, I believe.
0:35:02.7 KB: Yeah, yeah. I’m on LinkedIn, don’t really respond to DMs. I’m on Keybase, I think that’s also… No, it’s KBSec on Keybase. I respond to DMs pretty frequently.
0:35:13.5 MM: And you can always reach out to me and I’ll make sure that you find Kai, ’cause he’s a great dude.
0:35:17.3 KB: One thing I do wanna say though, just at a high level, so one thing I was talking about is, in terms of where the state of ransomware is gonna be. They’re definitely being emboldened, and the one thing that’s always stuck out to me as an interesting question is, okay, it seems like it’s kind of hard to stop them from getting on the networks, and it’s kind of hard to stop them once they’re on there, ’cause the telemetry data is not there yet, the tools in place to do IR are not there yet, or they’re still in their infancy, and the question becomes, “Well, how do you make this no longer economically viable for them?” And that’s the kind of space that I’ve been occupying recently. How do you go through and make building botnets more expensive, making ransomware attacks more expensive? And the sort of solution that I’ve arrived at, with a bunch of other people is, “Yeah, we should just be going after them,” we should be trying to cut their head off any way that we can, because you’re seeing the centralization of a lot of these groups, where they are getting bigger and they like have all the trappings of a proper company.
0:36:15.2 KB: They hire developers, they have legitimate infrastructure, they have this customer support attitude, and what I’ve always thought is interesting is, okay, you can start to go after these bigger fish in more robust ways, and there are a lot of ways that you can do that, I think, but I hope that the future has a kind of shift in perspective of, okay, if you’re trying to do the defensive thing constantly, it’s always gonna be a cat and mouse game, and if you increase the sort of barrier to entry, that’s gonna curtail it a bit. Take a look at phishing scams. They’re so freaking pervasive because it’s super easy to do. All you have to do is…
0:36:51.6 MM: And cheap.
0:36:51.7 KB: Clone a website, it’s so cheap, you can run on shared infrastructure for under $5 a month, clone a site using publicly available tools, and all of a sudden, you start stealing PayPal accounts and you’re making more money than you know what to do with, and there’s no obvious way to curtail that. So if you constantly make this cat and mouse game, then you’re always gonna be on the defensive. So start going after them and see what falls out of that.
0:37:16.2 MM: By the way, you know I agree with you on this, and we’ve had this conversation many times, but let’s just be clear to all the listeners, please don’t start trying to hack all your ransomware gangs that come after you. [chuckle]
0:37:27.1 KB: No. That is not what I’m advocating.
0:37:29.4 MM: Regardless of what Kai said, ’cause I think Kai’s point is much more nuanced. I don’t… You hear the, “Let’s go after the ransomware gangs and the phishers…
0:37:38.4 KB: Get your pitchforks.
0:37:40.0 MM: Yes, yes, exactly. Pitchforks and flaming torches, but… Yes, completely agree with you there.
0:37:48.8 KB: And just to clarify, more along the lines of making it economically less viable. And that can be disruption, through proper legal channels, of course.
0:37:57.3 MM: Yeah. There are ways, and actually, that’s… By the way, that’s a whole other episode, we should come back and do that conversation, ’cause I’m a big fan of the economic argument around that. But dude, thank you so much, this has been a blast. You know I love having you, any time we can get on the phone and chat. This is great, but seriously, dude, thank you so much. We’ll have you back again and we’ll go into some of those other topics and hopefully people get in touch and we’ll talk again soon.
0:38:24.9 KB: Heck yeah. Thanks for having me, man. You’re an absolute treasure. Pleasure as always.
0:38:28.4 MM: Dude, thank you so much. Alright, thanks. Stick around, for this week’s installment of Vital Signs, our quick take on a timely issue we think the healthcare security industry should know about.
0:38:41.8 Jeremy Richards: Hi, my name is Jeremy Richards, Chief Architect at Scope. Ransomware incidents are wreaking havoc on networks across the world. This is especially true of hospitals, where multi-million-dollar diagnostic machines are expected to have a useful lifespan measured in decades. These devices are often running unsupported, vulnerable versions of Windows, and in many cases, are managed by the vendor. So deploying a patch isn’t even possible. Ransomware, though, is often the end game of an intrusion. There are usually weeks of exploration and lateral movement before a ransomware payload is dropped. It may not surprise you to find that the primary point of entry is phishing. So to find them before they’re on the network, monitoring incoming email with an email gateway is essential.
0:39:27.6 JR: When a phishing email does slip through the cracks, endpoint protection can provide the telemetry needed to identify a compromised machine, but because of the sheer quantity of data, this type of host telemetry is only useful in a retrospective investigation, unless some kind of automated anomaly detection is used. After an attacker has compromised a host, they’ll work on lateral movement.
0:39:52.2 JR: To locate this activity, you’ll need to look at traffic logs generated by your networking equipment. So for Cisco, this is NetFlow. Compromised hosts also call home; this beacon to a command-and-control server can be captured by analyzing your internet proxy logs. Known C2 servers are published by threat intelligence firms frequently, and new ones can be discovered with traffic analysis. Ransomware attacks are nasty, but they’re also noisy. Now you know where to look to stay ahead of the game.
0:40:24.7 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, pop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
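The Vital Signs segment points at two places to look for a host that is calling home: a threat-intelligence list of known C2 servers, and traffic analysis of your proxy logs for beacons that have not been published yet. The script below is an added worked example of both checks; it is not code from the episode or from Scope Security. The proxy log format, the client address, the hostnames (`.invalid` and `example.*` names are reserved documentation names, not real servers) and the "known C2" feed are all constructed for the example. The beacon heuristic it implements is the usual one: group requests by (client, destination), measure the gaps between consecutive requests, and flag pairs whose gaps are nearly constant (low coefficient of variation) over enough requests.

```python
"""Two proxy-log checks for a host calling home: a known-C2 feed match and a
periodicity (beacon) heuristic.  All data below is constructed sample data."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line:
#   "<ISO timestamp> <client ip> <destination host> <bytes>"
# One host browses normally while also checking in with c2-example.invalid
# every five minutes (a hypothetical beacon, with one-second timing noise).
SAMPLE_LOGS = """\
2020-10-01T09:00:00 10.1.5.23 c2-example.invalid 512
2020-10-01T09:00:01 10.1.5.23 www.example.com 20481
2020-10-01T09:05:00 10.1.5.23 c2-example.invalid 520
2020-10-01T09:07:42 10.1.5.23 news.example.org 81234
2020-10-01T09:10:01 10.1.5.23 c2-example.invalid 508
2020-10-01T09:15:00 10.1.5.23 c2-example.invalid 515
2020-10-01T09:19:13 10.1.5.23 www.example.com 3301
2020-10-01T09:20:00 10.1.5.23 c2-example.invalid 511
2020-10-01T09:25:00 10.1.5.23 c2-example.invalid 509
2020-10-01T09:30:01 10.1.5.23 c2-example.invalid 514
2020-10-01T09:31:55 10.1.5.23 www.example.com 9912
2020-10-01T09:35:00 10.1.5.23 c2-example.invalid 510
2020-10-01T09:40:00 10.1.5.23 c2-example.invalid 513
2020-10-01T09:44:20 10.1.5.23 news.example.org 45000
2020-10-01T10:02:10 10.1.5.23 www.example.com 700
"""

# Constructed stand-in for a threat-intelligence feed of known C2 hostnames.
KNOWN_C2 = {"c2-example.invalid"}


def parse_line(line):
    """Split one constructed log line into (timestamp, client, host, bytes)."""
    ts, src, host, size = line.split()
    return datetime.fromisoformat(ts), src, host, int(size)


def match_known_c2(log_text, feed=KNOWN_C2):
    """Return sorted (client, host) pairs whose destination is on the feed."""
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, src, host, _ = parse_line(line)
            if host in feed:
                hits.add((src, host))
    return sorted(hits)


def find_beacons(log_text, min_requests=6, max_cv=0.1):
    """Flag (client, host) pairs whose request gaps are nearly constant.

    A pair is reported when it has at least `min_requests` requests and the
    coefficient of variation (stdev / mean) of the gaps is at most `max_cv`.
    Normal browsing produces irregular gaps and a high CV; a scheduled
    check-in produces a low one.  Beacons that add heavy jitter need a looser
    threshold, so treat the result as a lead to investigate, not a verdict.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, host, _ = parse_line(line)
            by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "count": len(times),
                             "period_s": round(mean), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    print("known C2 matches:", match_known_c2(SAMPLE_LOGS))
    for f in find_beacons(SAMPLE_LOGS):
        print(f"beacon candidate: {f['src']} -> {f['host']} "
              f"({f['count']} requests, period ~{f['period_s']}s, cv={f['cv']})")
```

On the constructed data the feed check and the periodicity check both land on the same client/host pair, which is the point of running them side by side: the feed catches what someone has already published, and the timing heuristic catches the check-in the feed has never heard of. Against a real proxy log the same two functions apply unchanged once `parse_line` is adapted to your proxy's format, and `min_requests` and `max_cv` are the knobs to tune against your own baseline of scheduled, legitimate traffic (update checks and monitoring agents are periodic too, so expect to whitelist those).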
ABOUT THE GUEST
Kai Bernardini is a security researcher, consultant, and lecturer at BU’s CAS School of Computer Science where he teaches probability, discrete math, and malware dev/analysis. His current areas of interest are split between offensive security research and leveraging statistical learning theory to hunt for threats. Ask him about his Llama.