Russian-Speaking Ransomware Gangs Hit New Victim: Russians
Also: Australia's Data Breach Debacles; Customer Identity Access Management Trends
Anna Delaney • October 20, 2022 • 17 Minutes
The latest edition of the ISMG Security Report discusses how Russian-speaking ransomware gangs have their eyes on a new target, offers the latest on Australia's data security reckoning and the government's response, and outlines emerging trends in customer identity and access management.
In this report, you'll hear:
- ISMG's Mathew Schwartz discuss the rise of ransomware attacks targeting Russian organizations;
- ISMG's Jeremy Kirk explain how, after experiencing the biggest hack in history, Australia is now facing a series of data breach disasters;
- ISMG's Michael Novinson share highlights from the latest report by KuppingerCole analysts summarizing the latest trends in the customer identity and access management space.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Oct. 7 and Oct. 13 editions, which respectively discuss how adversaries are bypassing weak MFA and who should pay for the rising number of Zelle payment scams.
Anna Delaney: Russian-speaking ransomware gangs hit a new victim, and Australia's data security reckoning. These stories and more on this week's ISMG Security Report. Hello, I'm Anna Delaney. First up this week, executive editor of DataBreachToday in Europe, Mathew Schwartz, explains how Russian-speaking ransomware gangs are targeting a new victim.
Mathew Schwartz: Russian organizations are facing a new cybercrime threat: ransomware. Historically, Russian-language cybercrime groups have shied away from attacking Russia or any of its neighboring allies. That's because there are a few unwritten rules of Russian cybercrime, at least for any Russians who might want to stay out of their country's prisons. The first rule: never attack Russians, or any of the other countries in the Commonwealth of Independent States. The second rule: when the country's intelligence services ask you to do them a favor, you say yes. So back to that first rule. Such was the imperative for Russian-language cybercrime groups to only target foreigners that most of the malware they design, including ransomware, won't even run on any system that uses a Cyrillic keyboard or appears to be in Russia. But apparently, times are tough, and some cybercrime groups have been testing a fresh approach. Namely, since last year, ransomware attacks targeting Russian businesses and government agencies have doubled. So says cybersecurity firm Group-IB, which names Dharma, Crylock and Thanos as the most-seen strains hitting Russia. Based on the attacks it's been able to track, Group-IB says the average ransom demand is $1.6 million. Unlike victims in the United States and Europe, Russians don't typically get hit with a threat that stolen data will be leaked unless they pay the ransom. Instead, attackers who target Russians typically keep it old school and demand a ransom simply in exchange for a tool to decrypt the data that they have forcibly encrypted. As Western law enforcement agencies have increased their efforts to disrupt ransomware operations, some attackers have stopped working as affiliates of big-name operators to try and stay under the radar. For the same reason, many attackers also eschew big game hunting, or hitting really large victims in pursuit of the biggest possible ransom payoffs.
Instead, many are targeting small and midsize victims. But again, in Russia, the rules appear to be different, or at least they are for a Russian-speaking ransomware group called OldGremlin. It's been operating since 2020 and has been tied to a number of attacks against Russian organizations. Group-IB says that while the group's average ransom demand is $1.7 million, last year, in at least one instance, the group demanded $4.2 million, and this year, nearly $17 million in a single ransom demand. Whether victims ultimately paid that amount is unclear, but clearly the group is continuing to receive at least some ransom payments, given its continuing operation. Unlike other groups, the members of OldGremlin appear to take a break after they receive a ransom payment. Also, over the past year, they appear to have focused on a smaller number of victims compared to before. Perhaps they've been refining their tactics to increase their chances of success. Many of the group's attacks begin as spear-phishing emails in an attempt to trick victims into installing malware that can be used to download more code to give the gang remote access to the network. So these are the only tactics being used by ransomware gangs today. But it is a reminder that the most successful ransomware operations excel at finding new victims as well as ways of shaking them down. And at least for some Russian-speaking ransomware groups, Russian targets have become fair game. For Information Security Media Group, I'm Mathew Schwartz.
Delaney: After experiencing the biggest hack in history, Australia is now facing a series of data security disasters. Managing editor for security and technology Jeremy Kirk discusses the latest with me on Australia's data breach debacle. Great to see you, Jeremy. A few weeks ago, we discussed how Optus, Australia's second-largest telecommunications company, suffered a massive knock to its reputation as it experienced one of the largest data breaches ever in the country's history. You conducted some excellent investigative reporting on this incident, and since then new data leaks have occurred. Can you bring us up to speed as to what happened post-Optus?
Jeremy Kirk: Yeah, it's been absolutely wild. After Optus, which was about 10 million records - Optus is the second-largest telecommunications company - there have been three other data breaches that have occurred that have been significant as well. There was an online retailing site called MyDeal, which is owned by the largest grocery chain here, Woolworths, that had a data breach. There was a wine retailer with a significant customer user base that also reported a data breach of probably about 700,000 records. And then there is Medibank, which is one of Australia's largest health insurance companies. And they said last week that they had a cyberattack and/or a cyber incident. And they said that they had done an investigation and it looked like no personal data had been taken so far. They said that's what the investigation had turned up. But then yesterday, they announced that a group had contacted it and said, "Look, we want to open negotiations with you, because we have stolen data from you. We have stolen personal data." And Medibank said it was investigating it, and then it came out today and actually dropped this bombshell, which is that the ransomware group or extortion group provided about 100 insurance policies that prove that they did have data. And this is quite sensitive data; it includes medical diagnoses and codes for medical procedures in addition to all the usual name, address, date of birth, that sort of thing. And it also has Medicare numbers in it. Medicare is Australia's national healthcare scheme. So this is a piece of sensitive data as well. So all this has happened in a matter of about three weeks here. We've had just massive breaches, and it's causing Australia to pay attention to these issues, and causing some government action as well.
Delaney: As you said, these events are unprecedented in the region. Why is this all happening in Australia? Is this just a coincidence? Or is there something more to it?
Kirk: Yeah, looking at these things, it's extraordinary. I have not seen this in Australia, or perhaps anywhere else: to have four data breaches in a row, affecting at least 13 million people. We don't even know the number of people that are affected by Medibank, and that could be in the millions as well, because they have 4 million customers. Australia has a population of about 30 million people. So to have more than one in three people who have probably been touched by one of these breaches is extraordinary. And the government has been taking action on it. Australia has a Minister for Cybersecurity now. This is a newly created cabinet position that was created after the last election earlier this year. And her name is Claire O'Neil. She's also the Minister for Home Affairs. And after the Optus breach she basically said, "We, as the government, need better powers to enforce cybersecurity provisions on private companies," and said, "Look, we've got to list standards here. This is totally unacceptable that this is happening." And so the government is looking into different ways to increase penalties on companies for privacy violations. There's already a bunch of cybersecurity-related legislation on the books, but they're also looking to strengthen that as well.
Delaney: So what does that mean - strengthening cybersecurity bills?
Kirk: Yeah, it hasn't been dictated exactly what the government plan is. But there's already a lot of good stuff on record. Australia passed this thing called the Security of Critical Infrastructure Act in 2018. And basically, what this did is create a mandatory reporting requirement for utilities and financial services and healthcare organizations: if they had a serious cyber incident, they had to report it to the government, because the government wanted to get better statistics on what was happening. And that act was also amended recently. And it added a new obligation to have companies basically create a critical infrastructure risk management program. They want to know that companies have a plan to deal with risk and evaluate risk. It also imposes a framework for enhanced cybersecurity obligations. And that's for infrastructure that is considered of national significance, like critical for national security. So, countries are reluctant to put prescriptive guidance on companies, but they want them to, because technology changes and the risk landscape changes. But basically they want to know that companies are recognizing the risks and creating plans and strategies to counter them. So it will be interesting to see what the Australian government decides to do to strengthen that, or strengthen the penalties for non-compliance.
Delaney: Jeremy, very grateful for this hot-off-the-press insight. Thank you so much.
Kirk: Thanks for having me.
Delaney: And finally, perennial leaders ForgeRock, Ping Identity and IBM, along with a surging Okta, set themselves apart from the pack of CIAM vendors in the latest report by KuppingerCole analysts. I caught up with business editor Michael Novinson for the latest CIAM trends. Great to see you, Michael. A new KuppingerCole analyst report provides an overview of the market for consumer identity and access management solutions. What are the main trends you picked up on in this report?
Michael Novinson: Anna, thank you for having me on. The customer identity and access management, or CIAM, market is rapidly maturing. It's been a space that's been around for a number of years. And it's getting increased attention in recent years, as vendors began to think about what the experience is like for customers who are using their apps in sectors like retail or e-commerce, where there is a lot of engagement and activity from consumers, and it's often their primary buying motion. So there's been a shift from just focusing on the technology and making sure that suppliers are able to authenticate that people are who they say they are, to really focusing on: is it seamless, is there friction, does the environment they use to log in and authenticate look like or feel like the rest of their experience when they're using the app or when they're using the website? So a lot of the innovation at this point is indeed on the UX side rather than on the technology or the R&D side. And we are seeing some players who'd been in the space for a while maybe trailing off a little bit, as well as some next-gen players, some of whom have stronger relationships with the developer community, stepping up and gaining more visibility.
Delaney: And did any surprises stand out to you?
Novinson: So we're definitely seeing some turnover in the vendors who are gaining traction in the space. SAP and WSO2, KuppingerCole said their capabilities have faded a little bit. These are all folks who have not only been around for a while but often have their primary business outside of identity or even outside of security. In terms of folks who are rising, Auth0 was a big riser over the evaluation period. They had been acquired by Okta, became part of Okta. That in particular helped with their market reach. That was a venture-backed startup. They had a great reputation in the developer community, but lacked that global reach and also lacked that top-down approach, the ability to reach the CISO community and other members of the C-suite, which being part of such a well-known company like Okta has helped Auth0 with in their market presence. Microsoft is gaining in so many areas of security, just given their 80% year-over-year growth in the security market; that's also benefited them in the CIAM space. They're so well known in the workforce world for Active Directory and Azure Active Directory, and that benefits other elements of their identity practice. And then Transmit Security, I wanted to call out as well. They've been around for a number of years; they've bootstrapped their growth since 2014. But in June of 2021, they raised $543 million, and that has fueled headcount growth, R&D growth, geographic expansion in terms of their capabilities. So they went from not even appearing on the 2021 report for KuppingerCole to being one of the 10 leaders in the CIAM space this year, coming in at number seven, so they're definitely going to be one to watch going forward.
Delaney: And what are we likely to see, going forward in the CIAM arena? How do you see the market evolving, next year?
Novinson: Interesting question. The top three remained unchanged between 2021 and 2022: ForgeRock, Ping and IBM took the gold, silver and bronze, the same as last year. That, in all likelihood, will change over the next year. And the reason being that the top two companies, ForgeRock and Ping Identity, are both being acquired by Thoma Bravo. The acquisition of Ping by Thoma closed on Tuesday of this week. The ForgeRock acquisition was announced just last week, and it's expected to close in the first half of 2023. And it's overwhelmingly likely to industry observers that these two organizations are going to be combined. They're mirror images of one another: been around for a few decades, started off as legacy companies focused on on-premises delivery, focused on license-based models. They both transitioned in recent years to cloud-based form factors and subscription delivery models, and they're both focused, unlike Okta, who was born and bred in the mid-market, on those larger enterprises and making sure that technology is customizable. So it would appear likely that Thoma Bravo will bring the two companies together and consolidate them into a single organization. What that means going forward in terms of the CIAM platforms, if they're a single company: does Thoma Bravo maintain the two separately and continue to have a technology roadmap for each? Does Thoma Bravo end-of-life one of them to try to transition customers onto one of the CIAM platforms? That all remains to be seen, and probably we won't know more until the acquisition of ForgeRock closes in the first half of next year. But it does seem likely that those two companies will be combined once Thoma owns both of them.
Delaney: Michael, thank you for sharing this excellent overview of the current CIAM trends.
Novinson: You're very welcome and thanks for the time.
Delaney: That's it from the ISMG Security Report. Theme music is by Ithaca Audio. I'm Anna Delaney. Until next time.