FBI vs. AlphV: Progress? Or Nothing New?

12-26-2023 (Tuesday)

Hello and welcome to the final 2023 edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Tuesday, December 26, 2023, and we’re going to look at the ongoing battle between government agencies and ransomware - in particular, the FBI vs. AlphV/Blackcat.

FBI vs. AlphV: Progress? Or nothing new?

Last week, the US Department of Justice announced that it had “disrupted prolific ALPHV/Blackcat ransomware variant” - complete with press release and a big banner on the AlphV webpage indicating that it had been seized.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa O. Monaco.

“The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond,” said FBI Deputy Director Paul Abbate.

And hours later, the AlphV crew had “unseized” the website, and continues to extort victims - notably the first publicly traded victim who has had to file an 8-K with the SEC, notice of a Material Cybersecurity Incident.

This company, VF Corporation - parent company of apparel brands such as The North Face, Vans, Supreme, Dickies, and Jansport - is locked in a battle for control of their technology infrastructure.

AlphV appears to have not only encrypted the majority of their infrastructure, but also exfiltrated their cyber insurance policies (helpful in negotiating for the maximum amounts, of course), and even took and posted their materiality matrix and internal notes about the initial call with their attorneys and breach response teams. They’ve also posted the Scope of Work and Letter of Engagement with the response firms, indicating they really do still have significant access to their victim’s infrastructure and are perhaps not as disrupted as the FBI press release would lead you to believe.

Their messages appear to be toying with the victim, knowing that the longer they’re down, the more likely they are to pay (even if it’s a reduced amount). And, in the end, it is all about the money here - with a dash of geopolitics overlaid for a government in Russia who would appreciate any amount of pain or chaos inflicted on the West.

So where does this leave us in the grand scheme of things? Journalist Brian Krebs posted just a couple of days before the FBI press release that he’s coming more and more to the conclusion that we simply need to enact an outright and total ban on ransomware payments as the solution to this scourge.

And this may work from the perspective of reducing the incentives, but this isn’t up to any of us. I’ve said it before and will reiterate it here again - an ounce of prevention is worth a pound of cure here. We need to focus on the things we can control - a robust asset inventory, effective patching programs, managing access via least privilege and multi-factor authentication, robust immutable backups, and tested response and recovery plans.

We need to reduce the likelihood of falling victim to these attacks - tough with the rise in zero days like MOVEit and CitrixBleed, and no doubt there will be others - and also reduce the need to pay ransoms by developing the ability to recover without needing decryption keys (which, in many cases, aren’t even 100% effective).

Is this expensive? Time consuming? Yes. But not as bad as the alternative of having to recover from a ransomware attack - and we have to be realistic about the choices before us. Waiting for a grand plan from regulators, legislators, or law enforcement simply isn’t going to happen. Hope, as they say, is not a strategy.

Fundraising

From a fundraising perspective, a quiet week, which is not surprising given the holidays and market closures here in the US. Still noted about $1B in newly committed capital, and would expect the same over this coming week - the week between the holidays being a typically slow period, save for anything that really needs to get on the books in 2023.

I really appreciate you following along with the news, twists, turns, challenges, and opportunities that we’ve covered on this show in 2023 - and look forward to even more of the same in 2024, and beyond.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant

https://arstechnica.com/security/2023/12/alphv-ransomware-site-is-seized-by-the-fbi-then-its-unseized-and-so-on/

https://infosec.exchange/@briankrebs/111581571706042655
