The CyberWire Daily Podcast 9.21.21
Ep 1422 | 9.21.21

BlackMatter hits an Iowa agricultural cooperative. US Treasury Department moves against ransomware’s support system. FBI gave Kaseya the REvil decryptor. Camorra cybercriminals arrested.

Transcript

Dave Bittner: Ransomware hits an Iowa agricultural cooperative. U.S. Treasury Department announces steps against ransomware's economic support system. Did Kaseya get its REvil decryptor from the FBI? Ben Yelin describes a major federal court victory for security researchers. Our guest is Dave Stapleton from CyberGRX on the rise of extortionware. And Europol, along with Spanish and Italian police, take down the Camorra crime ring.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 21, 2021. 

Dave Bittner: The BlackMatter ransomware gang, which claims to be the successor to the nominally, maybe, but possibly not retired groups REvil and DarkSide, has hit the Iowa-based U.S. farm services provider NEW Cooperative, Reuters and others report. NEW Cooperative, which operates grain elevators, trades crops and provides other support to farmers, says it's taken its systems offline as a precaution and that it's working with law enforcement. 

Dave Bittner: The company told BleepingComputer, quote, "NEW Cooperative recently identified a cybersecurity incident that is impacting some of our company's devices and systems. Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained," end quote. They added, "we also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation." 

Dave Bittner: BlackMatter has demanded $5.9 million in ransom, BleepingComputer says, a figure that will rise to $11.8 million if the gang isn't paid within five days. 

Dave Bittner: The timing is unfortunate, coming as it does at the beginning of the U.S. grain belt's harvest season. Some of the back-and-forth between criminal and victim suggests the ways in which BlackMatter understands its ethical exclusion of certain targets on, more or less, do-no-harm grounds. 

Dave Bittner: Don't you understand, NEW asks, that we're supplying people with food? Haven't you said you won't attack critical infrastructure? Hey, forget about it, BlackMatter replies. You're just making money. As they put it in their reply to the NEW Cooperative, quote, "you do not fall under the rules. Everyone will only incur losses. Everything is tied to the commerce. The critical ones mean the vital needs of a person, and you earn money," end quote. 

Dave Bittner: So let's gloss that. The meaning will be apparent to anyone who's ever had to endure a dorm bull session with the stoners in the den down the hall, where it's conventional stoner wisdom that, yeah, it's wrong to steal from people, but it's OK to rip off institutions 'cause that's different because they, like, make money and stuff. 

Dave Bittner: This gloss may give BlackMatter more credit for principled altruism than they deserve. But here's one more interesting sidelight. BlackMatter is probably usefully regarded as a Russian privateer, and, as a piece in Bloomberg points out, the attack on the NEW Cooperative may in part be intended to see exactly where the U.S. is prepared to draw its new, harder line on ransomware. 

Dave Bittner: As the crooks explain on their dark web page, the NEW Cooperative is just too small to count. Quote, "the volumes of their production do not correspond to the volume to call them critical," end quote. 

Dave Bittner: It's left alone companies that are really critical, like companies associated with oil, minerals and many others much more serious. BlackMatter told Bloomberg, we don't see any critical areas of activity. Also, this company only works in one state. So in essence, food's not really critical. And anyway, NEW Cooperative is below the size threshold of criticality. 

Dave Bittner: It was once said, proverbially, that Ukraine was the breadbasket of Russia, but during the decades of Soviet power, agricultural production fell off dramatically, and it hasn't fully recovered. Sometime in the late 20th century, the breadbasket of Russia became, well, Kansas, Nebraska, Iowa. Did we mention Iowa? It will be interesting to see where any food shortages, should they develop, bite hardest and whether that affects the letters of marque and reprisal evidently on offer from the Kremlin. 

Dave Bittner: There have been some U.S. moves against the infrastructure that supports the ransomware underworld. The U.S. Treasury Department this morning announced that it was taking steps to disrupt the financial structures that sustain the ransomware criminal economy. Cryptocurrency exchanges engaged in money laundering and processing ransom payments are being singled out for special attention. 

Dave Bittner: The first of those to come under sanction is Suex. As Treasury notes, most cryptocurrency exchanges and transactions are licit. They're going after the ones engaged in specifically criminal conduct. The Treasury announcement also details a lot of collaborative enforcement actions it's taking in conjunction with interagency and international partners. 

Dave Bittner: How to handle the details of a ransomware incident isn't always clear, even from the perspective of the law enforcement organizations charged with investigation and enforcement. In the case of the attack REvil made against Kaseya in early July, the company was able to recover its files with a decryptor it obtained from an undisclosed source. 

Dave Bittner: The Washington Post this morning disclosed the source. It was the FBI. The bureau gave Kaseya a decryptor 19 days after the company was hit. The FBI and its partners were hoping to be able to use the decryptor in the course of a bigger, more permanent strike against REvil. But then REvil went into occultation, and the FBI decided its best course of action was to help Kaseya unlock its files. 

Dave Bittner: Why the delay? There would be several reasons. The best one, the one that is probably most persuasive to Kaseya and the others who suffered losses from the incident, would be that a decryptor needs to be checked and tested to ensure that it works as advertised and that it won't do any harm on the side. 

Dave Bittner: Other reasons for the delay involve the inherent difficulty of working things out with the various partners that inevitably participate in this sort of investigation. Those are not only other U.S. law enforcement and intelligence agencies, but also private sector and international partners. That may seem like unnecessary dancing over equities, but if you're serious about a whole-of-nation approach, such coordination is probably just part of the cost of doing business. 

Dave Bittner: And, of course, there was the hope that the bureau might be able to take down REvil once and for all. Maybe later, and good hunting to the G-men. 

Dave Bittner: Finally, European police have rounded up about a hundred mobsters - and these are traditional, Al Caponesque gangsters associated with the Neapolitan Camorra - for cybercrimes that include SIM swapping, business email compromise and the like. Most of the hoods were collared in Spain, others in Italy, The Register reports, as it also observes that the mob is now apparently just as much into remote work as the rest of us are. 

Dave Bittner: Europol's press release announcing the raids put the tally of alleged mobsters taken into custody at 106. Congratulations to Europol and their Spanish and Italian partners for a righteous bust. 

Dave Bittner: A gangland note - a lot of the press coverage says those arrested were in the Mafia, which is probably close enough for journalistic work, or close enough if you were writing a screenplay for Warner Brothers in the 1930s. But as we noted above, the hoods were associated with the Camorra, centered largely in Naples, and not the Sicilian Mafia of American imagination. For what it's worth, while La Cosa Nostra has been traditionally active in North America, so, too, has Camorra. Al Capone's Chicago Outfit, for example, was connected with the Camorra. But that's probably inside baseball, and, as they say up in New Jersey, forget about it. 

Dave Bittner: The low-grade, cheap, grifting quality of the crime might serve as a useful corrective to those who think of gangsters as romantic figures. Phishing and SIM swapping seem like the digital equivalents of Lefty Ruggiero, Al Pacino's character in "Donnie Brasco," sitting in a dingy social club trying to beat a parking meter open to get at the quarters it might hold. Open sesame. Forget about it. 

Dave Bittner: Dave Stapleton is CISO at cyber risk management firm CyberGRX. He's had his eye on ransomware and the growing range of issues victims have to be concerned about. It's not necessarily just about encryption anymore. It can be exfiltration and public sharing of private data. 

Dave Stapleton: Initially, you know, ransomware was a pretty straightforward thing. It was - the first attack was executed using floppy disks, and you had to mail the ransom payments to a P.O. box. 

(LAUGHTER) 

Dave Bittner: Right. 

Dave Stapleton: I think it was, like, $180 or something like that. And then, of course, over the years, as people have, you know, found different defenses or ways to prevent that from being a successful type of attack, that's evolved. So we've got, you know, really kind of interesting things going on where they talk about the two-stage attack now. 

Dave Stapleton: Used to be the primary vector for ransomware was encrypt all this data, you know, thereby rendering systems useless and that kind of thing, and then demand a ransom to get a decryption key to unlock everything. Well, people started to get wise to that, and they're making, you know, offline backups, practicing restoring from backup, that kind of thing. And so they kind of just say, never mind. We're not going to pay the ransom. We're just going to restore our systems ourselves and move on. 

Dave Stapleton: So, you know, adversary got hip to that and said, well, what can I do to really force their hand? And so what we're seeing more of now in this kind of a two-stage attack is before encrypting that data, the threat actor is actually exfiltrating a copy of sensitive data. And so then they're hitting you with, one, OK, I've encrypted your systems and probably had a major impact on operations, at least temporarily. So that's kind of bad. 

Dave Stapleton: But let's just say you were prepared for that and you can restore. I'm going to hit you with another threat, and that would be to, you know, either release that data that I stole from you - that could be, you know, intellectual property, something like that; it could have an impact on your sort of competitive advantage - or offer to sell it on dark web. Or even, in some cases, I'm just going to name and shame. I'm just going to let people know that I was able to successfully hack your environment, and reputational risk will take a hit. 

Dave Stapleton: So, yeah, a lot of evolution over the years in these types of attacks. 

Dave Bittner: Yeah, it's interesting to me because I think, along with the ransomware itself, the - by exfiltrating data, you are being noisier as an adversary, right? You're doing something else. And it's another thing for folks to detect. And so it's interesting to me that - the degree to which that strategy still pays off despite the increased noisiness of it. 

Dave Stapleton: Yeah, it's a good point. And I think, you know, that's one of the reasons that we're starting to see these criminal organizations. It's interesting to think of them conceptually like any business. You know, they have a certain set of objectives that would, you know, render success for their mission, if you will. It's an illicit mission, no doubt. But they operate not too dissimilarly from a lot of businesses that we work in. 

Dave Stapleton: And one of the things that they've started to do is specialize. And so, you know, ransomware as a service is something that's really gained a lot of popularity lately, and I think it's because of that kind of thing. Some of these attack types are getting more complicated, and you have to have better skills or techniques. 

Dave Bittner: What's your sense on where things are headed with this? I mean, this cat-and-mouse game - any ideas what the next steps are - may likely be? 

Dave Stapleton: (Laughter) I think more of attacks that are really just based on threatening behavior. I mean, we already see this. You'll get, you know, a message that says, hey, we're going to launch a distributed denial-of-service attack against your organization unless you pay us X. They don't actually have to have any capability to execute that attack in order to make that threat. 

Dave Stapleton: So as we're starting to see a trickle of these things coming in, you know, hey, I got this data of yours; I'm going to release it unless you pay me. Maybe they do. Maybe they don't. Maybe some organizations, particularly, you know, small and medium-sized businesses whose security maturity might not be all the way up to snuff, may not be able to confirm that. And so then you face a very complicated decision of, do I take this threat seriously and then act on it by, you know, potentially paying the ransom? 

Dave Stapleton: So my guess is that we'll start to see more of those types of things that really, truly require almost zero cost in order to execute and zero skill - you know, kind of see that combined with real APT-driven, highly sophisticated, highly targeted attacks, particularly against critical infrastructure because that threat is so critical - (laughter) I guess is the right word for it. You know, it's very hard, for example, if, you know, a hospital system is taken offline. You know, you've got people who are literally on operating tables. 

Dave Bittner: Right. 

Dave Stapleton: It's very tempting to say, well, shoot. We've just got to do what we got to do to get this back as quickly as we can. Let's just pay this ransom. So I think... 

Dave Bittner: Yeah. 

Dave Stapleton: ...Attacks against, you know, CI and more of these just, you know, reputational-type, you know, low-skill, low-cost threats will probably be on the rise. 

Dave Bittner: That's Dave Stapleton from CyberGRX. 

Dave Bittner: And I'm pleased to be joined once again by Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more important than that, he is my co-host on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. More important than anything, I would say. You can call me husband, father. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: Nothing is as much of an honor as your co-host. 

Dave Bittner: So what you're saying is your wife does not listen to this podcast. 

Ben Yelin: Yeah, I think we can - I think we can say that relatively safely, yeah. 

Dave Bittner: OK, safe enough. 

Dave Bittner: Well, I wanted to touch base with you. This article from CPO Magazine - they're covering a story here. It's titled "In a Major Victory for Security Researchers, Federal Court Rules that Virtual iOS Devices Are Not a Copyright Violation." This is written by Scott Ikeda. This is a pretty interesting development here, Ben. What's going on? 

Ben Yelin: This is a very interesting development. So these two individuals, Amanda Gorton and Chris Wade, founded a company in 2017 called Corellium. It is a product that emulates iPhones so that you can view them on desktop computers. 

Dave Bittner: Right. 

Ben Yelin: And it's supposed to be a tool for security researchers who are hunting for vulnerabilities. 

Dave Bittner: Right. 

Ben Yelin: They're not trying to replicate iOS software, you know, and sell it on the open market for people to use it the way one would use an iOS device. 

Dave Bittner: OK. 

Ben Yelin: That's not what they're doing. They created this as a research tool. 

Ben Yelin: So Apple, as a company with their stature is wont to do, first tried to buy them off. Always a good strategy. 

Dave Bittner: (Laughter). 

Ben Yelin: They were not able to do that. 

Dave Bittner: Let's throw money at the problem. 

Ben Yelin: Yeah, that usually works for them. 

Dave Bittner: Yeah. 

Ben Yelin: I mean, they are very good at buying off their competitors. 

Dave Bittner: Well, when you have all the money, you have that privilege, right? 

Ben Yelin: Yeah, exactly. I would do that if I were in their position. 

Dave Bittner: Yeah. 

Ben Yelin: Yeah. 

Dave Bittner: Yeah. 

Ben Yelin: Here's a billion dollars. Please go away. 

Dave Bittner: Right. 

Ben Yelin: But they were not able to successfully purchase them. So they filed a lawsuit in federal court alleging a copyright violation. 

Ben Yelin: So there's this doctrine in the legal world called fair use. It's not a copyright violation if the alleged copier is using the thing they've copied for a good reason, what we call fair use. So the court in this case determined that replicating the software to do research on security vulnerabilities is fair use, just the way that reading an online article on something and commenting on it during a lecture for an academic course is also fair use 'cause it's... 

Dave Bittner: Right. 

Ben Yelin: ...Furthering the ends of economic - of academic research and not furthering the ends of trying to make a profit off of the product. 

Dave Bittner: There's a public benefit there. 

Ben Yelin: Exactly. You see fair use in a bunch of other different contexts. Things like parodies - you know, generally that would be a copyright violation. But Weird Al, you know, he's adding things to the marketplace of ideas, if you will. 

Dave Bittner: Right. 

Ben Yelin: So that generally qualifies as fair use. 

Ben Yelin: There's a separate allegation as part of this lawsuit that Corellium, this company, is violating the Digital Millennium Copyright Act. That's going to be examined separately. But in terms of a common law copyright violation, we now have a precedent that if you emulate a product to use for security research, that's going to be fair use and will not subject you to a copyright claim. And the result of that should be we'll see many more products like this, where individuals who are interested in research, interested in security emulate products for the purpose of finding vulnerabilities, which I think is going to have a very robust public benefit. 

Ben Yelin: So I think this is a perfect use of the fair use doctrine. These individuals are not trying to make a buck out of the iOS server on its own terms. They're trying to do academic research on security vulnerabilities. And that's exactly what the fair use doctrine is all about. 

Dave Bittner: Yeah. It's interesting, too - I mean, the - this article points out that the judge in the ruling made note that it's really a limited number of people who can even make use of Corellium's software. 

Ben Yelin: Right. 

Dave Bittner: This isn't a broadly applicable thing. 

Ben Yelin: Right. And that's a relatively limited universe of people. This is not something that's going to be widely used. It's people who are interested in the security vulnerabilities of Apple. And as you and I know, most people are not interested in the security and vulnerabilities of their iOS devices. They just want to get to, you know, the next cool application... 

Dave Bittner: Right. 

Ben Yelin: ...And talk to their friends. 

Dave Bittner: Right. 

Ben Yelin: I'll also say, though, you know, this is a pretty prominent organization in the cybersecurity world. Corellium won an award from Forbes magazine for the cybersecurity product for the year 2020, saying it was crucially important to app developers to let them know that their products work properly on iOS devices. And it's backed by some major venture capital investors, you know, some big banks. So this isn't just, you know, a nobody that's able to win this lawsuit. It's a relatively prominent company in this field. 

Ben Yelin: And I think it sets a really interesting precedent. I think we're going to see more security-minded startups come into the market and say, let's recreate this operating system not to present it as an alternative to actually buying an Apple device, but to foster research into security vulnerabilities. 

Dave Bittner: Right, right. So if you're a security researcher interested in iOS, for example, this is good news and sort of clears the path for more tools like this. 

Ben Yelin: Yeah, not just iOS. I mean, if you're a security researcher interested in any product from one of the Big Tech companies, I think this case is going to be a very valuable precedent for your endeavor. 

Dave Bittner: All right. Well, again, the article is over on CPO Magazine, written by Scott Ikeda. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.