The Good, the Bad and the Ugly in Cybersecurity – Week 21

The Good

Everybody hates doing their taxes, except, it seems, a group of Russian cybercriminals who were quite happy to “volunteer” to submit taxes on behalf of their victims. The gang exploited vulnerabilities in accounting software, obtained the personally identifiable information (PII) of American citizens, filed fraudulent tax returns and redirected the IRS refunds into their own accounts, earning as much as $1.5 million meant for American taxpayers. The good news is that this crime did not go unnoticed or unpunished. A joint task force led by the FBI and the Internal Revenue Service (IRS) managed to arrest a Russian national, Anton Bogdanov (aka “Kusok”), extradite him and see him sentenced to 5 years’ imprisonment for cyber tax fraud. Bogdanov will also pay $476,713 in forfeiture.

US law enforcement agencies showed the same tenacity even when pursuing minor crimes associated with hot dogs. Salvatore A. La Rosa of San Jose pleaded guilty to hacking into concession stands at PayPal Park, home of Major League Soccer team the San Jose Earthquakes. La Rosa had been fired from Spectra, the concessions contractor for the stadium. Seeking revenge, he broke into Spectra’s mobile menu point-of-sale tablets before the first home game of the season, disabling the menu selections and the ability to accept credit cards, resulting in numerous hungry (and angry) customers and a total loss of $268,000. He is facing up to 10 years in prison.

The Bad

But let’s not let the success of law enforcement and the courts in putting cyber criminals behind bars mislead us. The battle between cyber criminals and the rest of the world rages on, and the criminals are all too often on the winning side. One very recent concern is ransomware payouts, which are ballooning. According to one study, the average payout increased 171% from $115,123 in 2019 to $312,493 in 2020, and other research states that the total amount paid by ransomware victims increased by 336% in 2020, totaling $370 million. The figures for 2021 already look like they’re going to bust that amount and then some.

Last week’s Colonial Pipeline payout of $4.4 million to the DarkSide gang was just the tip of the iceberg. According to some sources, DarkSide has netted over $90 million in Bitcoin during its 8 months of operation. Analyzing the amounts received from its victims suggests that this group’s average payout is around $1.9 million.

But even these sums pale in comparison with the recent revelation that earlier this year CNA Financial paid $40 million to free itself from ransomware. There have been even higher ransomware demands, reaching $50 million (Apple, Acer), but it is unknown at the moment whether these were met.

The Ugly

But the ugliest side of ransomware isn’t the financial damage to victims. It is the devastating effect it has on the ordinary people who are hurt as a consequence of critical infrastructure being crippled by these attacks. And the worst case is when it hits the healthcare sector. This week it was Ireland’s turn to feel that pain.

The Health Service Executive (HSE), Ireland’s national healthcare system, responsible for the provision of health and personal social services, has suffered a devastating ransomware attack. Since last Friday, the Department of Health network has been suffering disruptions to healthcare operations across the country, including delayed surgeries, delays in getting COVID-19 test results, and emergency staff resorting to pen and paper.

The Irish National Cyber Security Centre released an initial report stating that Conti ransomware was the cause of the disruptions. Later, the ransom note surfaced stating that the attacks had encrypted file servers and SQL servers.

Prior to encryption, the attackers exfiltrated more than 700GB of personally identifiable information (PII), including addresses and phone numbers of patients, doctors and nurses, payroll information and employment contracts. Some of this information has already found its way onto the Darknet, according to reports. Although HSE is now said to be in possession of a decryptor that may have been provided free of charge by the gang itself, the cyber criminals are still demanding around $20 million not to leak further data, a sum the Irish Prime Minister refuses to pay.