Spy vs. Spy: Ransomware Gangs and CISA Have a Mini Arms Race

2–13–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and portfolio company management teams. I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday February 13th, and this week’s One Big Thing is the intensifying game of cat and mouse - or perhaps Spy vs. Spy - taking place between ransomware actors and government agencies. Let’s dive in.

Spy vs. Spy: Ransomware Edition. What should we learn?

Over the last week, we’ve seen a very rapid dynamic evolving between threat actors targeting VMware’s ESXi hypervisors and CISA - the Cybersecurity & Infrastructure Security Agency in the US.

This began with a new wave of attacks using a previously known vulnerability in VMware’s ESXi platform: CVE-2021-21974, a heap overflow in the OpenSLP service that ESXi exposes on port 427. A reminder here that Broadcom announced its $61B acquisition of VMware in May 2022, a deal that has not yet closed.

The attack - now tracked as ESXiArgs - has hit approximately 4,000 victims in just a short time, and while a patch for this vulnerability has been available since February 2021, there are still thousands of unpatched ESXi hosts with the SLP service reachable from the internet, which are now being attacked at scale.

In response, CISA released a recovery script for ESXiArgs, built on publicly available recovery techniques, along with a joint advisory from CISA and the FBI (AA23-039A).

While this response was very timely - and somewhat novel for CISA - this is where things get interesting. Within days, the attackers updated their ransomware in two ways. First, the new variant encrypts a much larger share of each file; the original variant encrypted only small slices of large files such as virtual disks, which is what left enough intact for the recovery script to rebuild the VMs. Second, the ransom note no longer lists a Bitcoin payment address, which makes it harder for agencies to track the cryptocurrency that would be paid as a ransom.

Without getting too deep into the technical details, I do think there are a few things worth calling out in this exchange.

First of all, from the threat actor’s side, this is an interesting case because it leverages a bug that’s not only two years old, but that has had a patch available for nearly as long - and a documented workaround (disabling the SLP service) for hosts that can’t be patched. It’s a good reminder that a vulnerability management / patching program within our companies needs to worry about older, known vulnerabilities as well as newly discovered ones, and about which management services are reachable from the internet in the first place.
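As an added example (not code from CISA, VMware or this post’s author), here is the kind of triage a portfolio company’s IT team could run over its ESXi inventory to find exactly the hosts this campaign is hitting: unpatched for CVE-2021-21974, with the SLP service running and reachable, and with management exposed to the internet. The inventory below is constructed sample data; in practice each field comes from your own asset inventory or scanner. The fixed build numbers are my reading of VMSA-2021-0002 and should be confirmed against the advisory before use, and the SLP disable commands are the workaround published in VMware KB 76372.

```python
"""Triage an ESXi inventory for exposure to CVE-2021-21974 (OpenSLP heap overflow).

Added example for this post, not code from CISA, VMware or the post's author.
SAMPLE_HOSTS is constructed data; in practice each field comes from your own
inventory or scanner. The fixed build numbers are my reading of VMSA-2021-0002
(assumption: confirm them against the advisory before relying on them).
"""
from dataclasses import dataclass
from datetime import date

# First fixed build per ESXi line, per VMSA-2021-0002 (assumption: verify).
FIXED_BUILDS = {
    "7.0": 17325551,  # ESXi 7.0 Update 1c
    "6.7": 17499825,  # ESXi670-202102401-SG
    "6.5": 17477841,  # ESXi650-202102101-SG
}
ADVISORY_DATE = date(2021, 2, 23)   # VMSA-2021-0002 publication date
TODAY = date(2023, 2, 13)           # date of this post, used for the age check

# Workaround from VMware KB 76372: stop the SLP daemon, close its firewall
# ruleset, and keep it from starting on boot.
DISABLE_SLP = [
    "/etc/init.d/slpd stop",
    "esxcli network firewall ruleset set -r CIMSLP -e 0",
    "chkconfig slpd off",
]


@dataclass
class EsxiHost:
    name: str
    version: str               # "major.minor", e.g. "7.0"
    build: int                 # from `vmware -vl` on the host or from vCenter
    slpd_running: bool         # `/etc/init.d/slpd status` on the host
    slp_ruleset_enabled: bool  # CIMSLP ruleset in `esxcli network firewall ruleset list`
    internet_exposed: bool     # management interface reachable from the internet


def is_patched(host: EsxiHost) -> bool:
    """True only if the host's line is known and its build is at or past the fix."""
    fixed = FIXED_BUILDS.get(host.version)
    if fixed is None:
        return False  # unknown or end-of-life line: treat as unpatched
    return host.build >= fixed


def slp_reachable(host: EsxiHost) -> bool:
    """OpenSLP (port 427) is only attackable if the daemon runs and the firewall lets it through."""
    return host.slpd_running and host.slp_ruleset_enabled


def days_since_fix(today: date = TODAY) -> int:
    """How long a patch has been available: the 'old known vulnerability' measure."""
    return (today - ADVISORY_DATE).days


def assess(hosts, today: date = TODAY):
    """Rank each host; the returned order is the one a patch team should work in."""
    findings = []
    for h in hosts:
        patched, reachable = is_patched(h), slp_reachable(h)
        actions = []
        if not patched:
            actions.append(f"patch to build >= {FIXED_BUILDS.get(h.version, 'n/a')} "
                           f"(fix has been available {days_since_fix(today)} days)")
        if reachable:
            actions.extend(DISABLE_SLP)   # cheap mitigation even on patched hosts
        if h.internet_exposed:
            actions.append("remove the management interface from the internet")
        if not patched and reachable and h.internet_exposed:
            risk = "critical"
        elif not patched and reachable:
            risk = "high"
        elif not patched:
            risk = "medium"   # workaround in place, but still patch
        else:
            risk = "low"
        findings.append({"host": h.name, "risk": risk, "actions": actions})
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f["risk"]])


# Constructed sample inventory (not real hosts; build numbers chosen to sit
# on either side of the fixed builds above).
SAMPLE_HOSTS = [
    EsxiHost("esx-prod-01", "7.0", 17325551, True, True, False),
    EsxiHost("esx-dr-03", "6.5", 16389870, False, False, True),
    EsxiHost("esx-lab-02", "6.7", 17098360, True, True, True),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_HOSTS):
        print(f"{f['risk']:8} {f['host']}")
        for a in f["actions"]:
            print("         -", a)
```

The ranking deliberately treats an unpatched host whose SLP service is disabled as medium rather than low: the workaround blocks this particular campaign, but the vulnerable code is still there, and the point of the post is that two-year-old bugs keep getting used.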

Secondly, I think we should give some kudos to the response from CISA here. Not only was the guidance solid, but it was delivered very rapidly and designed to help make a difference for those who were impacted. I hope this is a trend that continues, particularly following some recent wins like the takedown of the Hive ransomware group and the sanctions against the TrickBot crew.

Finally, it’s worth noting the sophistication and counter-attack dynamics here. We’ve learned that at least some attackers are not just in a “fire and forget” mode with these ransomware attacks. They are updating their payloads to not only make it more difficult for victims to recover, but also for governments to track.

This is an ominous sign in many ways, and I think it should make all of us revisit our ransomware preparedness status across our portfolio companies and potential investments. The speed and sophistication of the threat actors and their attacks make it nearly impossible to keep up with the latest developments. Instead, our energy is better spent building resilience within our companies to prevent, detect, and respond to these attacks with the goal of minimizing impact. If you need help doing this sort of a review, please reach out to us at info@coastalcyber.io.

Fundraising

Relatively small week from a fundraising perspective, totaling just over $12B - but with a couple of large announcements (large, at least in my eyes, being funds over $1B). We had three of those this week, which is - I think - a good sign.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://www.helpnetsecurity.com/2023/02/06/vmware-esxi-ransomware-cve-2021-21974/

https://www.helpnetsecurity.com/2023/02/08/esxiargs-ransomware-recovery/

https://www.cisa.gov/uscert/ncas/alerts/aa23-039a

https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant

https://home.treasury.gov/news/press-releases/jy1256
