Large-scale attacks on Colonial Pipeline and Scripps Healthcare have brought ransomware back into the headlines. With lines for gas on the east coast, and Scripps’ medical personnel having to resort to paper records to track patient interactions, Mike welcomed back noted security researcher and Boston University lecturer Kai Bernardini to discuss the alarming trend of ransomware gangs pooling their resources to offer ransomware as a service, and the present and future directions of ransomware.
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:19.7 Mike Murray: And I’m really excited to have another one of my favorite guests on this week, so welcome back to Kai Bernardini, my favorite security researcher to talk about ransomware with. In some ways, I’m kind of bummed that we’re talking this week, but also it’s timely, because if anybody’s been watching the news in the last little while, between pipelines going down and Scripps Health being hit by ransomware, ransomware is the topic of the week again. So Kai, welcome back. Let’s talk about ransomware.
0:00:46.8 Kai Bernardini: Hey. Thanks for having me back and good to be here when the world’s on fire again.
0:00:50.5 MM: It seems to be that way a lot when you and I chat, so for the people who are out there who may be, at the very least, I don’t think anyone escapes seeing the stories happening, but for the people out there that aren’t up on what’s going on in the world, maybe you can tell us a little bit about all the new stuff that you’re seeing out there in the world of ransomware.
0:01:08.3 KB: Yeah, if you remember the last time that we talked, we were sort of alluding to, I guess we could call it an escalation where if you give a bunch of people a lot of money, they’re gonna go through and re-invest it in their trade and their trade right now is penetrating networks and dropping ransomware or extorting people, any sort of cyber badness, but this week we have the Colonial Pipeline getting brought to a complete halt, and that having some pretty concrete real-world applications, the funniest of which being, I’m now getting marketing copy from people telling me that, “Hey, you need to get this new EDR because of the Colonial Pipeline,” and the other one that you actually just told me about was Scripps got locked down.
0:01:46.3 KB: And this is something that’s kind of interesting because another one that’s not just the operations of a company getting ground to a halt, but now people are getting medical advice via paper, so you don’t have access to those records to make those informed decisions. And aside from the fact that price of gasoline is going up, this is a pretty concerning trend because this is like what you’re seeing…
0:02:03.4 KB: You’re seeing big game hunting, and this is a bit of a buzzword, but the pipeline being a great example of, Okay, we have locked down this giant oil company or this oil logistics company, and now we’re seeing this real-world consequence of the price of gasoline going up and hopefully, a response from the US government.
0:02:21.5 MM: And the funniest thing for me just sitting in watching is as soon as the US government started to potentially respond, you saw the actors come out and make a statement that, back pedaling, saying, “We’re not political, we don’t really know who we’re attacking, we’re just trying to make money over here.” What do you think of that whole thing?
0:02:37.0 KB: So I can see that going one of two ways, where a lot of ransomware gangs won’t actually do the offensive operations themselves, so especially the ones coming out of Russia are pretty close with each other and cooperate through what I would consider them to be like affiliates or business partners, so rather than going through and doing the offensive operations themselves, they’ll just sell the software that does the locking to someone else, so I could see this going one of two ways, one of which being they sold their ransomware as a service to someone, maybe got a little ahead of themselves or was actually going for a concrete real-world impact or someone bit off more than they could chew at Darkside, and now they’re paying the results because now all eyes are on them, and while it isn’t too terribly hard to fly under the radar, when you’re not going after oil companies, as soon as you go after larger institutions, now it’s all hands on deck, and the amount of OPSEC required to stay under the radar then is probably not realistic.
0:03:29.5 MM: Yeah, I don’t know that I would want the entire weight of the US government plus Interpol, plus all of the US’s allies looking for me on a daily basis, that’s a pretty uncomfortable place to be, I would imagine.
0:03:41.4 KB: Yeah, and the other thing is, so especially for the ones operating out of Russia, you have the situation where… And this is like a hotly debated topic, so this is more of an opinion than anything else, I’m not of the opinion that you have properly state-sanctioned ransomware attacks, it’s more of, I think people in the IC, I see moonlighting or people finding out that you can make money with this, and it’s sort of being tolerated so long as it aligns with their geopolitical ambitions, but attacking the oil pipeline logistics is something that’s probably not gonna stay in line with Russian geopolitics, and that’s something that could anger the roof over your head. I think the reason we’re seeing this, where a political response is somewhat upstairs is mad, and you can’t operate in Russia without in some sense the… Let’s call it the blind eye that the government takes, and this is one way to actually turn that eye on you, so.
0:04:27.8 MM: You said something that I think many of our listeners probably don’t understand the complexity of it, you talked a bit about ransomware as a service, and I would love to delve into that a little bit, because in the old days, when ransomware was simple, you’d have one actor that owned everything from the software to the encryption and to the whole activity, the world seems to have fragmented more… Maybe if you can just sort of give your perspective on how that’s evolved over the last few years and what that really means, and especially the Russian gangs, like you said, they’re somewhat complex, and if you don’t really understand how they work, you don’t necessarily understand what the attack pattern truly is.
0:05:06.7 KB: So it’s interesting, the actual capabilities development has fragmented, but I would actually label it as being more specialized, so now you have an arm of a gang that specifically handles offensive operations, even a part of the gang that handles building bots, one part of the gang that handles building crypters and hash busting, maybe one part of the gang that does social engineering, but a lot of these gangs talk to each other and will sell each other bots or code, and when you see these things popping up like ransomware as a service, you’ll also see bots as a service, where maybe you’ll sell the actual framework in which where you can go through and build out your own botnet, maybe you’ll just sell access to the bots.
0:05:41.9 KB: Maybe you’ll go through and sell access to code that can be used to go through and lock and receive Bitcoin, it’s cut up in a way that’s kind of interesting, but fragmented, but it’s closer. So these people all talk to each other, and because they all talk to each other, there’s some amount of not needing to have to reinvent the wheel, where if I can go through and just pay this other gang to go through and give me their code that they just wrote, that’s probably gonna get burned in a couple of weeks…
0:06:04.2 KB: Who cares, right? It’s just the cost of doing business. Going through and ransomware as a service is, you literally will pay a premium per month to go through and have access to this code that allows you to go through and lock machines and extract Bitcoin, so that’ll be the infrastructure to receive payments to have the websites, the actual code that will lock the files, etcetera, so it’s fun to see specific gangs building out specific capabilities and sort of coalescing into actors that I pick and choose the pieces that they need.
0:06:29.5 MM: Man. It sounds like any software startup. As somebody who runs a startup, we have a contractor who builds our website for us, we don’t build our own website, we hire contractors to do that and they do stuff, we have other products that we integrate into our product that provide capabilities for certain things, we couldn’t go build that ourselves, or we wouldn’t wanna go build that ourselves, we just have a network of federated partners that we take their components and we put together a whole solution in a lot of these ways.
0:06:56.4 MM: And I think every startup and every startup founder has lived that model in some amount of way in the last 10 years, for how often we in the security industry, and especially the people who aren’t in the security industry, think of this as like… You and I went and got in a room together and we decided to take down an oil company, it sounds like an actual commercial enterprise with the sophistication of a commercial enterprise.
0:07:17.9 KB: So I actually have no idea how a lot of this started, but if you give enough actors enough money that go through and re-invest it, they’re going to get more efficient with it, and it turns out that efficiency to them means starting to have the trappings of a proper organization, of a proper corporation, so specifically going through and reinvesting those earnings in office space and employee benefits, other things that make working for them more attractive where again, it’s always fun to watch speculation about when ransomware hits and why it’s gone dark, but one of my favorite anecdotes is that the Ryuk guys were like pwning and pwning and pwning and all of a sudden vanished for a while, everyone was wondering what was happening.
0:07:56.8 KB: And it’s still not fully clear, but there’s some evidence that the guys were burned out from working so hard and went on vacation. It’s interesting to see like, these are normal people, they have jobs, they have working hours, they have a corporate culture, they go through and take their money and invest in more workers, they go through and build business by collaborating with other organizations. Again, it has all the trappings of a proper business, and that’s what’s a little scary, because after a certain point with enough money, you can start to buy sophistication in your attacks. Right now they don’t need it and they probably won’t for a while, but who’s to say.
0:08:30.9 MM: The funniest thing about that, and I think my enlightenment around that was when we were working together back in the old days, and I learned about the NSO group in Israel and how basically they’re a full-on software company with venture capitalists and all of the trappings of a… Like you said, an office and for certain actors, back in the day, we had pictures of their Christmas parties, not the NSO group, but other actors like we had pictures of their holiday parties and pictures of them on vacation, ’cause they’re just posting it on LinkedIn ’cause they actually have real jobs, but their job is writing malware and performing cyber crime, and it’s just fascinating.
0:09:05.7 MM: It’s not the media’s portrayal of the uber hacker, right? We like to think of this lone actor, super shady person, where you might come out of school in another country and instead of going to work at Microsoft in that country, you go work at the cyber crime business of choice.
0:09:22.8 KB: Sure, sure. And it’s always fun watching actors like when Cheap’s house got raided from the Emotet gang and to sort of see the conditions that they live in, where the main difference between an organization like the NSO group and something like Emotet is the sort of public acceptance of it, so the people of the NSO group don’t necessarily need as much OPSEC as someone at Emotet, there are still things that they can do to protect themselves, but they don’t have to hide the fact that they work there. It’s probably in their best interest, but no one’s gonna kick down their door, if it’s super public knowledge.
0:09:51.5 MM: Entirely true. So let’s turn the corner slightly, ’cause one of the things I always appreciate about you is your view of the future, and like you said, the gangs have been super busy for the last 12 months to the point that they’re burnt out and need to go on vacation but that always presages to me, evolution, the more activity you have, the more opportunities you have for growth and the evolution, and so where do you see us going from here? Your crystal ball is always pretty clear, so what do you think we’re gonna see next?
0:10:19.7 KB: I mean, I’m wrong all the time, and all these are forecasts, but specifically with ransomware as a service, I think you’re gonna start to see a coalescing of agencies where once you have these actors in these groups that have enough money, they’re just gonna start doing development in-house, I might start my organization on AWS, but eventually if I have enough resources and enough need, I’ll just move to my own private cloud, so once you go through and start getting the talent and all the capabilities in-house, you’re gonna see a pretty well-oiled machine.
0:10:47.2 KB: And that’s scary because by and large, there haven’t been too many consequences for these actors, and to be clear, I don’t know what the right answer there is, you can’t really tell people to stop paying… That’s not always realistic. This isn’t necessarily an act of war, like cyber bullets and whatever, but in terms of retaliation or how to go through and stop this, it’s a pretty difficult challenge, and if there isn’t a solution that’s come up with relatively soon, these people are making tens of millions of dollars and with that, they’re gonna invest in new and more sophisticated capabilities.
0:11:16.6 KB: So it’s a matter of time before this becomes a problem that requires like effectively a coalition of the willing to attack, so it’s not enough to just dox these guys, because sometimes that doesn’t matter if I take a look at Aqua, he’s still living his life in Russia completely happy despite the fact that he’s been doxed.
0:11:32.0 MM: Russia seems to be a place where as long as you have… How did you put it? As long as the state turns the blind eye in the right way, it doesn’t really matter who you are.
0:11:40.8 KB: And there are rules, there are always rules, but there are rules that allow them to operate there, still make a lot of money and still cause a lot of harm here, so again, there’s nothing magical about what I’m saying, it’s just a vicious cycle of you have actors that can basically act with impunity, they can keep siphoning funds from the US or other places, they can then take those funds, re-invest it in their organization, hire more staff, build more capabilities, effectively get larger and more specialized.
0:12:05.9 KB: And all of a sudden you’re gonna have, effectively, a fully functional organization that can do… Red Team is better than some US orgs. It’s one thing when people are throwing spaghetti against the wall and going after the slow targets and hoping that you don’t have some EDR or you don’t have a fully functioning SOC, they’re gonna get past the point where even with a lot of these controlling mitigations, it’s not gonna matter.
0:12:23.9 MM: Actually, if you had the chance to read this statement that was put out by the folks at Scripps, they actually talked about exactly what you just said, they talked in the statement that they put out publicly and they didn’t name EDR by name, but they talked about specifically having a bunch of controls, and I happen to know that that organization has invested in security and that they had done some of the right things.
0:12:43.8 MM: It’s one thing when you have seen over previous iterations of this type of threat where, like you said, they attack the hospitals that are perhaps community hospitals that have lower budgets, that don’t have dedicated security teams. But when you start to see teams like UHS, which got hit last year, and Scripps and these bigger teams that have actually done some of the right things, and especially when you see their EHRs get hit, because that’s literally the crown jewels of every hospital, that tells you that what you’re saying is right on, these folks are now up-leveling their capabilities, so that before, if you were doing a bad job, ransomware was something that was very likely to take you out, now you can be doing a moderately good job and ransomware can still take you out, and I think that that’s a scary future.
0:13:26.2 KB: Yeah, and again, ransomware being something that self-identifies is of course pretty scary, you’re gonna start to see people that go through and they’re trying to squeeze as much value out of it as you can, I can get a lot more value from your company by just sitting on your Outlook or sitting on your Exchange server, if I can get into your electronic health records, that’s supremely valuable.
0:13:44.8 KB: Security is really, really hard. Even if you have a really great EDR, even if you have a fully staffed SOC, it’s not running 24 hours and I attack you during off hours, I might generate a bunch of tickets or a bunch of notifications, but as soon as you guys lock on, I’m already locked to your entire network, these guys move really, really fast, it’s not just about building up more capabilities, they move faster now, like the time to lock has actually been going down, and that’s sort of just reflective of them getting better at their jobs, despite the fact that a lot of the tech they’re using isn’t super super new.
0:14:16.1 KB: They’re still using the same techniques for process injection, they’re still using the same lateral movement techniques, but they work and it’s hard to get them to stop working without serious investment, and serious amounts of training and in the meantime, it’s a losing battle because the amount of money you have to put into protecting yourself is nothing compared to the amount of money it takes to build out these capabilities to penetrate these networks, like you said, the future looks a little bit sketchy as it relates to going after not just, big game targets that can provide larger payouts, but if you do start to see that, hey, maybe that roof over my head is starting to have some interest in an org that I just got a bot in, so I might go through and lock it anyway, but maybe during that process, you siphon off a bunch of interesting data… I don’t know, it’s really tough.
0:14:57.1 MM: And hospitals even doubly so, when more than half of your medical devices may still be running Windows XP or Windows 7, you talked about using old technology, and by the way, none of those devices can you even deploy an EDR on because they’re regulated in particular ways, and not to mention that most modern EDRs wouldn’t perhaps run so well on Windows XP.
0:15:19.7 KB: Yeah, and even if they could, it’s not a panacea, it’s like a full company effort, and it’s really hard to… What was it? You told me that a while ago that there are some number of thousand hospitals in the country, so you put a secure…
0:15:30.6 KB: 6000. Okay, so you put a security engineer and that’s just one engineer at every single one we’re already talking, let’s say two, so that they can have two shifts, you’re already talking like probably billions of dollars a year. Right, this is not an easy problem. So the question is, how do you go through and make it no longer valuable for them to be going down and locking hospitals? That’s a tough question to answer because sometimes you have to pay.
0:15:51.5 KB: Sometimes you don’t have a choice, it’s a good step to go through and start sanctioning specific entities, but again, because of the way that ransomware as a service works. Sure, like REvil’s been sanctioned, but there’s nothing stopping REvil from just selling their software to someone else or just making a new “shell” organization or like “shell” gang, and all of a sudden now you can go through and pay them sanction free.
0:16:11.8 MM: You mentioned something that I think is particularly interesting, and it’s something that I’ve talked about a lot with different folks, but I don’t believe that anyone other than internally, we have a solution, it’s not something that I’ve seen solved at scale in the hospitals, we’re very worried about the ransomware, but the idea that a gang would be low and slow and have access to, for example, a medical device that had access into your EHR and could siphon records off, I don’t know many organizations that have a detection strategy that would allow them to even see when that kind of activity is happening. And so the focus is on the ransomware piece, not on any of that low and slow activity that could be used in other ways.
0:16:51.9 KB: Yeah. And that’s a really good point too, because in some sense, lucky because especially the Russian gangs, they don’t really move low and slow, there’s no reason to, right? And even on red teams, I’ve had a lot of luck just moving really, really quickly where it might not matter if I get caught, if I become enterprise admin and lock everyone else out or already get to your crown jewels. Who cares?
0:17:10.4 KB: The goal here isn’t like long-term persistent access, it’s to go through and smash, grab, take whatever you can, lock them down and then pillage in some sense, that’s not good news because it makes defending against it especially difficult, and for now it’s sort of good news because well, it doesn’t seem like they’re moving low and slow, but that could change and they might already be… And we’re just not seeing it. There’s no self-identifying, Hey, you’ve been hit with a low and slow spyware for the last 10 years or the last 10 months, like good luck.
0:17:37.7 MM: No Russian actor has ever been accused of being subtle. So I miss the days when we were focused on China and actors that were low and slow, remember when APT meant low and slow, by definition, we’re not in that world anymore, so it’s funny, we ended up talking about APT. I wanted to talk about something else that you got going on, you’ve got a fun class you’re about to kick off at a university. Maybe we should talk about that a bit.
0:18:02.5 KB: Oh yeah, so I managed to convince BU to let me write a class with another security researcher Winnona DeSombre, I believe she’s at TAG right now, but we’re writing a class on effectively adversary emulation and it’s gonna come in two pieces. So the first is, I’m gonna go through and write a simulated threat called APT chunky bear, and the name will make sense if you ever get to look at the malware, but the first loader they get is gonna have a ton of random garbage inside of it, just because still to this day, a lot of anti-viruses won’t scan big files.
0:18:33.1 KB: So hence chunky, the plan is gonna be that we go through and disseminate out a bunch of malware to students that they then get to go through and reverse engineer and then re-implement those capabilities so it’s not just, Here’s how you go through and write malware. It’s here’s how to go through and understand malware, look at the tactical objectives of whatever this group is and emulate it. So my day job right now is still doing Red Teaming at a security consulting firm, and I go through and look at particular threats that people are afraid of and try to go through and be them.
0:19:00.1 KB: So my style is, tends to be a little bit more low and slow, but sometimes they’re afraid of people that come in and do some smash and grabs, and that’s a lot of fun, and teaching people how to go through and write tools that can emulate those behaviors as well as go through and develop defensive mitigations for it, that’s a really cool class. And kudos to BU for letting me do that. I’m surprised I haven’t heard from any lawyers yet.
0:19:19.2 MM: I am too, and I’m so jealous of your students. My degree is in Philosophy, and I took a whole bunch of computer science classes, and the closest I think I ever got to anything security-related was algorithm design or big O notation, the idea that you’re gonna teach people coming up how to do those same sorts of skills, it’s such an incredible opportunity for them.
0:19:40.3 KB: No. Especially because BU has been doing a much better job about getting more people involved in computer science and especially cyber security, so getting to sort of demystify what exactly malware is, is gonna be pretty magical because it’s just code… It’s just code, it’s like software engineering, like any other kind… The only difference is you get to try to go through and abuse functionality instead of implement it… It’s kind of like an esoteric OS class. Really?
0:20:03.4 MM: Yeah, I was gonna say, by the way, that’s a great way to learn about operating systems and system design, even if you don’t care about adversary-emulation as a long-term career path, learning how to break something is a great way to really understand how it works. Yeah.
0:20:16.1 KB: And even like tearing through something that is trying to hide what it’s doing and understanding what it does, I mean there’s… I forget who said it, but there’s a great quote that like, “Yeah, you can’t really stop a reverse engineer, you can just slow them down or try to demoralize them.” If they’re dedicated enough, they’re gonna figure out what it does, giving them the opportunity to go through and occupy that space for a little bit, hopefully in a way that doesn’t scare them away from it. I’m really excited for that.
0:20:38.8 MM: That sounds absolutely incredible, Kai, as always, it’s so much fun to have you on and we will do this again probably when the world explodes again, but until then, Where can everybody find you? And especially, what’s the name of the class? If we have any BU students listening.
0:20:52.6 KB: Yeah. So the cool part is, I’m actually gonna open source all the material and BU’s been really, really supportive of that effort. Right now it’s listed as CS 501 in the College of Arts and Sciences, and it’s got some really long name, but effectively, it’s an introduction to malware and malware analysis. So you can find it on my GitHub once the class goes live in the fall, you can find me on Twitter @KbIntel, you can find all the code that’s gonna exist for the class on kbsec on GitHub.
0:21:18.5 MM: That’s awesome. Kai, thank you again for your time, this is always informative and always interesting and we got a kick out of it. Thanks again for coming on, and I’m sure we’ll talk again soon.
0:21:27.7 KB: My pleasure, thanks a lot.
0:21:32.1 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]