Connect with us

Published

1 month ago

on

Anne Neuberger, deputy national security advisor for cyber and emerging technologies, speaks during a news conference in the James S. Brady Press Briefing Room at the White House in Washington, D.C., U.S., on Monday, May 10, 2021 amid the Colonial fuel pipeline ransomware attack.

Bloomberg | Bloomberg | Getty Images

With ransomware attacks surging and 2024 on track to be one of the worst years on record, U.S. officials are seeking ways to counter the threat, in some cases, urging a new approach to ransom payments.

Ann Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, wrote in a recent Financial Times opinion piece, that insurance policies — especially those covering ransomware payment reimbursements — are fueling the very same criminal ecosystems they seek to mitigate. “This is a troubling practice that must end,” she wrote, advocating for stricter cybersecurity requirements as a condition for coverage to discourage ransom payments.

Zeroing in on cyber insurance as a key area for reform comes as the U.S. government scrambles to find ways to disrupt ransomware networks. According to the latest report by the Office of the Director of National Intelligence, by mid-2024 more than 2,300 incidents already had been recorded — nearly half targeting U.S. organizations — suggesting that 2024 could exceed the 4,506 attacks recorded globally in 2023.

Yet even as policymakers scrutinize insurance practices and explore broader measures to disrupt ransomware operations, businesses are still left to grapple with the immediate question when they are under attack: Pay the ransom and potentially incentivize future attacks or refuse and risk further damage.

For many organizations, deciding whether to pay a ransom is a difficult and urgent decision. “In 2024, I attended a briefing by the FBI where they continued to advise against paying a ransom,” said Paul Underwood, vice president of security at IT services company Neovera. “However, after making that statement, they said that they understand that it’s a business decision and that when companies make that decision, it is taking into account many more factors than just ethics and good business practices. Even the FBI understood that businesses need to do whatever it takes to get back to operations,” Underwood said.

The FBI declined to comment.

“There’s no black or white here,” said cybersecurity expert Bryan Hornung, CEO of Xact IT Solutions. “There’s so many things that go into play when it comes to making the decision on whether you’re even going to entertain paying the ransom,” he said.

The urgency to restore operations can push businesses into making decisions they may not be prepared for, as does the fear of increasing damage. “The longer something goes on, the bigger the blast radius,” Hornung said. “I’ve been in rooms with CEOs who swore they’d never pay, only to reverse course when faced with prolonged downtime.”  

In addition to operational downtime, the potential exposure of sensitive data — especially if it involves customers, employees, or partners — creates heightened fear and urgency. Organizations not only face the possibility of immediate reputational damage but also class-action lawsuits from affected individuals, with the cost of litigation and settlements in some cases far outweighing the ransom demand, and driving companies to pay just to contain the fallout.

“There are lawyers out there who know how to put together class-action lawsuits based on what’s on the dark web,” Hornung said. “They have teams that find information that’s been leaked — driver’s licenses, Social Security numbers, health information — and they contact these people and tell them it’s out there. Next thing you know, you’re defending a multimillion-dollar class-action lawsuit.”  

Ransom demands, data leaks, and legal settlements

A notable example is Lehigh Valley Health Network. In 2023, the Pennsylvania-based hospital refused to pay the $5 million ransom to the ALPHV/BlackCat gang, leading to a data leak affecting 134,000 patients on the dark web, including nude photos of about 600 breast cancer patients. The fallout was severe, resulting in a class-action lawsuit, which claimed that “while LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and internationally ignoring the real victims.”

LVHN agreed to settle the case for $65 million.

Similarly, background-check giant National Public Data is facing multiple class-action lawsuits, along with more than 20 states levying civil rights violations and possible fines by the Federal Trade Commission, after a hacker posted NPD’s database of 2.7 billion records on the dark web in April. The data included 272 million Social Security numbers, as well as full names, addresses, phone numbers and other personal data of both living and deceased individuals. The hacker group allegedly demanded a ransom to return the stolen data, though it remains unclear whether NPD paid it.

What is clear, though, is that the NPD did not immediately report the incident. Consequently, its slow and incomplete response — especially its failure to provide identity theft protection to victims — resulted in a number of legal issues, leading its parent company, Jerico Pictures, to file for Chapter 11 on Oct. 2.

NPD did not to respond to requests for comment.

Darren Williams, founder of BlackFog, a cybersecurity firm that specializes in ransomware prevention and cyber warfare, is firmly against paying ransoms. In his view, paying encourages more attacks, and once sensitive data has been exfiltrated, “it is gone forever,” he said.

Even when companies choose to pay, there’s no certainty the data will remain secure. UnitedHealth Group experienced this firsthand after its subsidiary, Change Healthcare, was hit by the ALPHV/BlackCat ransom group in April 2023. Despite paying the $22 million ransom to prevent a data leak and quickly restore operations, a second hacker group, RansomHub, angry that ALPHV/BlackCat failed to distribute the ransom to its affiliates, accessed the stolen data and demanded an additional ransom payment from Change Healthcare. While Change Healthcare hasn’t reported if it paid, the fact that the stolen data was eventually leaked on the dark web indicates their demands most likely were not met.

The fear that a ransom payment may fund hostile organizations or even violate sanctions, given the links between many cybercriminals and geopolitical enemies of the U.S., makes the decision even more precarious. For example, according to a Comparitech Ransomware Roundup, when LoanDepot was attacked by the ALPHV/BlackCat group in January, the company refused to pay the $6 million ransom demand, opting instead to pay the projected $12 million to $17 million in recovery costs. The choice was primarily motivated by concerns about funding criminal groups with potential geopolitical ties. The attack affected around 17 million customers, leaving them unable to access their accounts or make payments, and in the end, customers still filed class-action lawsuits against LoanDepot, alleging negligence and breach of contract.

American companies are behind the curve in defending against cyber hacks, says Binary's David Kennedy

Regulatory scrutiny adds another layer of complexity to the decision-making process, according to Richard Caralli, a cybersecurity expert at Axio.

On the one hand, recently implemented SEC reporting requirements, which mandate disclosures about cyber incidents of material importance, as well as ransom payments and recovery efforts, may make companies less likely to pay because they fear legal action, reputational damage, or shareholder backlash. On the other hand, some companies may still opt to pay to prioritize a quick recovery, even if it means facing those consequences later.

“The SEC reporting requirements have certainly had an effect on the way in which organizations address ransomware,” Caralli said. “Being subjected to the consequences of ransomware alone is tricky to navigate with customers, business partners, and other stakeholders, as organizations must expose their weaknesses and lack of preparedness.” 

With the passage of the Cyber Incident Reporting for Critical Infrastructure Act, set to go into effect around October 2025, many non-SEC regulated organizations will soon face similar pressures. Under this ruling, companies in critical infrastructure sectors — which are often small and mid-sized entities — will be obligated to disclose any ransomware payments, further intensifying the challenges of handling these attacks.

Cybercriminals changing nature of data attack

As fast as cyber defenses improve, cybercriminals are even quicker to adapt.

“Training, awareness, defensive techniques, and not paying all contribute to the reduction of attacks. However, it is very likely that more sophisticated hackers will find other ways to disrupt businesses,” Underwood said.

A recent report from cyber extortion specialist Coveware highlights a significant shift in ransomware patterns.

While not an entirely new tactic, hackers are increasingly relying on data exfiltration-only attacks. That means sensitive information is stolen but not encrypted, meaning victims can still access their systems. It’s a response to the fact that companies have improved their backup capabilities and become better prepared to recover from encryption-based ransomware. The ransom is demanded not for recovering encrypted files but to prevent the stolen data from being released publicly or sold on the dark web.

New attacks by lone wolf actors and nascent criminal groups have emerged following the collapse of ALPHV/BlackCat and Lockbit, according to Coveware. These two ransomware gangs were among the most prolific, with LockBit believed to have been responsible for nearly 2,300 attacks and ALPHV/BlackCat over 1,000, 75% of which were in the U.S.

BlackCat executed a planned exit after pilfering the ransom owed to its affiliates in the Change Healthcare attack. Lockbit was taken down after an international law-enforcement operation seized its platforms, hacking tools, cryptocurrency accounts, and source codes. However, even though these operations have been disrupted, ransomware infrastructures are quickly rebuilt and rebranded under new names.

“Ransomware has one of the lowest barriers to entry for any type of crime,” said BlackFog’s Williams. “Other forms of crime carry significant risks, such as jail time and death. Now, with the ability to shop on the dark web and leverage the tools of some of the most successful gangs for a small fee, the risk-to-reward ratio is quite high.”

Making ransom a last resort

One point on which cybersecurity experts universally agree is that prevention is the ultimate solution.

As a benchmark, Hornung recommends businesses allocate between one percent and three percent of their top-line revenue toward cybersecurity, with sectors like health care and financial services, which handle highly sensitive data, at the higher end of this range. “If not, you’re going to be in trouble,” he said. “Until we can get businesses to do the right things to protect, detect, and respond to these events, companies are going to get hacked and we’re going to have to deal with this challenge.”

Additionally, proactive measures such as endpoint detection — a type of “security guard” on your computer that constantly looks for signs of unusual or suspicious activity and alerts you — or response and ransomware rollback, a backup feature that kicks in and will undo damage and get you your files back if a hacker locks you out of your system, can minimize damage when an attack occurs, Underwood said.

A well-developed plan can help ensure that paying the ransom is a last resort, not the first option.

“Organizations tend to panic and have knee-jerk reactions to ransomware intrusions,” Caralli said. To avoid this, he stresses the importance of developing an incident response plan that outlines specific actions to take during a ransomware attack, including countermeasures such as reliable data backups and regular drills to ensure that recovery processes work in real-world scenarios.

Hornung says ransomware attacks — and the pressure to pay — will remain high. “Prevention is always cheaper than the cure,” he said, “but businesses are asleep at the wheel.”

The risk is not limited to large enterprises. “We work with a lot of small- and medium-sized businesses, and I say to them, ‘You’re not too small to be hacked. You’re just too small to be in the news.'”

If no organization paid the ransom, the financial benefit of ransomware attacks would be diminished, Underwood said. But he added that it wouldn’t stop hackers.

“It is probably safe to say that more organizations that do not pay would also cause attackers to stop trying or perhaps try other methods, such as stealing the data, searching for valuable assets, and selling it to interested parties,” he said. “A frustrated hacker may give up, or they will try alternative methods. They are, for the most part, on the offensive.”

Related Topics:
Continue Reading

Technology

How Elon Musk’s plan to slash government agencies and regulation may benefit his empire

Published

2 days ago

on

November 22, 2024

By

How Elon Musk’s plan to slash government agencies and regulation may benefit his empire

Elon Musk’s business empire is sprawling. It includes electric vehicle maker Tesla, social media company X, artificial intelligence startup xAI, computer interface company Neuralink, tunneling venture Boring Company and aerospace firm SpaceX. 

Some of his ventures already benefit tremendously from federal contracts. SpaceX has received more than $19 billion from contracts with the federal government, according to research from FedScout. Under a second Trump presidency, more lucrative contracts could come its way. SpaceX is on track to take in billions of dollars annually from prime contracts with the federal government for years to come, according to FedScout CEO Geoff Orazem.

Musk, who has frequently blamed the government for stifling innovation, could also push for less regulation of his businesses. Earlier this month, Musk and former Republican presidential candidate Vivek Ramaswamy were tapped by Trump to lead a government efficiency group called the Department of Government Efficiency, or DOGE.

In a recent commentary piece in the Wall Street Journal, Musk and Ramaswamy wrote that DOGE will “pursue three major kinds of reform: regulatory rescissions, administrative reductions and cost savings.” They went on to say that many existing federal regulations were never passed by Congress and should therefore be nullified, which President-elect Trump could accomplish through executive action. Musk and Ramaswamy also championed the large-scale auditing of agencies, calling out the Pentagon for failing its seventh consecutive audit. 

“The number one way Elon Musk and his companies would benefit from a Trump administration is through deregulation and defanging, you know, giving fewer resources to federal agencies tasked with oversight of him and his businesses,” says CNBC technology reporter Lora Kolodny.

To learn how else Elon Musk and his companies may benefit from having the ear of the president-elect watch the video.

Continue Reading

Technology

Why X’s new terms of service are driving some users to leave Elon Musk’s platform

Published

2 days ago

on

November 22, 2024

By

Why X's new terms of service are driving some users to leave Elon Musk's platform

Elon Musk attends the America First Policy Institute gala at Mar-A-Lago in Palm Beach, Florida, Nov. 14, 2024.

Carlos Barria | Reuters

X’s new terms of service, which took effect Nov. 15, are driving some users off Elon Musk’s microblogging platform. 

The new terms include expansive permissions requiring users to allow the company to use their data to train X’s artificial intelligence models while also making users liable for as much as $15,000 in damages if they use the platform too much. 

The terms are prompting some longtime users of the service, both celebrities and everyday people, to post that they are taking their content to other platforms. 

“With the recent and upcoming changes to the terms of service — and the return of volatile figures — I find myself at a crossroads, facing a direction I can no longer fully support,” actress Gabrielle Union posted on X the same day the new terms took effect, while announcing she would be leaving the platform.

“I’m going to start winding down my Twitter account,” a user with the handle @mplsFietser said in a post. “The changes to the terms of service are the final nail in the coffin for me.”

It’s unclear just how many users have left X due specifically to the company’s new terms of service, but since the start of November, many social media users have flocked to Bluesky, a microblogging startup whose origins stem from Twitter, the former name for X. Some users with new Bluesky accounts have posted that they moved to the service due to Musk and his support for President-elect Donald Trump.

Bluesky’s U.S. mobile app downloads have skyrocketed 651% since the start of November, according to estimates from Sensor Tower. In the same period, X and Meta’s Threads are up 20% and 42%, respectively. 

X and Threads have much larger monthly user bases. Although Musk said in May that X has 600 million monthly users, market intelligence firm Sensor Tower estimates X had 318 million monthly users as of October. That same month, Meta said Threads had nearly 275 million monthly users. Bluesky told CNBC on Thursday it had reached 21 million total users this week.

Here are some of the noteworthy changes in X’s new service terms and how they compare with those of rivals Bluesky and Threads.

Artificial intelligence training

X has come under heightened scrutiny because of its new terms, which say that any content on the service can be used royalty-free to train the company’s artificial intelligence large language models, including its Grok chatbot.

“You agree that this license includes the right for us to (i) provide, promote, and improve the Services, including, for example, for use with and training of our machine learning and artificial intelligence models, whether generative or another type,” X’s terms say.

Additionally, any “user interactions, inputs and results” shared with Grok can be used for what it calls “training and fine-tuning purposes,” according to the Grok section of the X app and website. This specific function, though, can be turned off manually. 

X’s terms do not specify whether users’ private messages can be used to train its AI models, and the company did not respond to a request for comment.

“You should only provide Content that you are comfortable sharing with others,” read a portion of X’s terms of service agreement.

Though X’s new terms may be expansive, Meta’s policies aren’t that different. 

The maker of Threads uses “information shared on Meta’s Products and services” to get its training data, according to the company’s Privacy Center. This includes “posts or photos and their captions.” There is also no direct way for users outside of the European Union to opt out of Meta’s AI training. Meta keeps training data “for as long as we need it on a case-by-case basis to ensure an AI model is operating appropriately, safely and efficiently,” according to its Privacy Center. 

Under Meta’s policy, private messages with friends or family aren’t used to train AI unless one of the users in a chat chooses to share it with the models, which can include Meta AI and AI Studio.

Bluesky, which has seen a user growth surge since Election Day, doesn’t do any generative AI training. 

“We do not use any of your content to train generative AI, and have no intention of doing so,” Bluesky said in a post on its platform Friday, confirming the same to CNBC as well.

Liquidated damages

Another unusual aspect of X’s new terms is its “liquidated damages” clause. The terms state that if users request, view or access more than 1 million posts – including replies, videos, images and others – in any 24-hour period they are liable for damages of $15,000.

While most individual users won’t easily approach that threshold, the clause is concerning for some, including digital researchers. They rely on the analysis of larger numbers of public posts from services like X to do their work. 

X’s new terms of service are a “disturbing move that the company should reverse,” said Alex Abdo, litigation director for the Knight First Amendment Institute at Columbia University, in an October statement. 

“The public relies on journalists and researchers to understand whether and how the platforms are shaping public discourse, affecting our elections, and warping our relationships,” Abdo wrote. “One effect of X Corp.’s new terms of service will be to stifle that research when we need it most.”

Neither Threads nor Bluesky have anything similar to X’s liquidated damages clause. 

Meta and X did not respond to requests for comment.

WATCH: Bluesky CEO: Our platform is ‘radically different’ from anything else in social media

Bluesky CEO: Our platform is 'radically different' from anything else in social media

Continue Reading

Technology

The Pentagon’s battle inside the U.S. for control of a new Cyber Force

Published

2 days ago

on

November 22, 2024

By

The Pentagon's battle inside the U.S. for control of a new Cyber Force

A recent Chinese cyber-espionage attack inside the nation’s major telecom networks that may have reached as high as the communications of President-elect Donald Trump and Vice President-elect J.D. Vance was designated this week by one U.S. senator as “far and away the most serious telecom hack in our history.”

The U.S. has yet to figure out the full scope of what China accomplished, and whether or not its spies are still inside U.S. communication networks.

“The barn door is still wide open, or mostly open,” Senator Mark Warner of Virginia and chairman of the Senate Intelligence Committee told the New York Times on Thursday.

The revelations highlight the rising cyberthreats tied to geopolitics and nation-state actor rivals of the U.S., but inside the federal government, there’s disagreement on how to fight back, with some advocates calling for the creation of an independent federal U.S. Cyber Force. In September, the Department of Defense formally appealed to Congress, urging lawmakers to reject that approach.

Among one of the most prominent voices advocating for the new branch is the Foundation for Defense of Democracies, a national security think tank, but the issue extends far beyond any single group. In June, defense committees in both the House and Senate approved measures calling for independent evaluations of the feasibility to create a separate cyber branch, as part of the annual defense policy deliberations.

Drawing on insights from more than 75 active-duty and retired military officers experienced in cyber operations, the FDD’s 40-page report highlights what it says are chronic structural issues within the U.S. Cyber Command (CYBERCOM), including fragmented recruitment and training practices across the Army, Navy, Air Force, and Marines.

“America’s cyber force generation system is clearly broken,” the FDD wrote, citing comments made in 2023 by then-leader of U.S. Cyber Command, Army General Paul Nakasone, who took over the role in 2018 and described current U.S. military cyber organization as unsustainable: “All options are on the table, except the status quo,” Nakasone had said.

Concern with Congress and a changing White House

The FDD analysis points to “deep concerns” that have existed within Congress for a decade — among members of both parties — about the military being able to staff up to successfully defend cyberspace. Talent shortages, inconsistent training, and misaligned missions, are undermining CYBERCOM’s capacity to respond effectively to complex cyber threats, it says. Creating a dedicated branch, proponents argue, would better position the U.S. in cyberspace. The Pentagon, however, warns that such a move could disrupt coordination, increase fragmentation, and ultimately weaken U.S. cyber readiness.

As the Pentagon doubles down on its resistance to establishment of a separate U.S. Cyber Force, the incoming Trump administration could play a significant role in shaping whether America leans toward a centralized cyber strategy or reinforces the current integrated framework that emphasizes cross-branch coordination.

Known for his assertive national security measures, Trump’s 2018 National Cyber Strategy emphasized embedding cyber capabilities across all elements of national power and focusing on cross-departmental coordination and public-private partnerships rather than creating a standalone cyber entity. At that time, the Trump’s administration emphasized centralizing civilian cybersecurity efforts under the Department of Homeland Security while tasking the Department of Defense with addressing more complex, defense-specific cyber threats. Trump’s pick for Secretary of Homeland Security, South Dakota Governor Kristi Noem, has talked up her, and her state’s, focus on cybersecurity.

Former Trump officials believe that a second Trump administration will take an aggressive stance on national security, fill gaps at the Energy Department, and reduce regulatory burdens on the private sector. They anticipate a stronger focus on offensive cyber operations, tailored threat vulnerability protection, and greater coordination between state and local governments. Changes will be coming at the top of the Cybersecurity and Infrastructure Security Agency, which was created during Trump’s first term and where current director Jen Easterly has announced she will leave once Trump is inaugurated.

Cyber Command 2.0 and the U.S. military

John Cohen, executive director of the Program for Countering Hybrid Threats at the Center for Internet Security, is among those who share the Pentagon’s concerns. “We can no longer afford to operate in stovepipes,” Cohen said, warning that a separate cyber branch could worsen existing silos and further isolate cyber operations from other critical military efforts.

Cohen emphasized that adversaries like China and Russia employ cyber tactics as part of broader, integrated strategies that include economic, physical, and psychological components. To counter such threats, he argued, the U.S. needs a cohesive approach across its military branches. “Confronting that requires our military to adapt to the changing battlespace in a consistent way,” he said.

In 2018, CYBERCOM certified its Cyber Mission Force teams as fully staffed, but concerns have been expressed by the FDD and others that personnel were shifted between teams to meet staffing goals — a move they say masked deeper structural problems. Nakasone has called for a CYBERCOM 2.0, saying in comments early this year “How do we think about training differently? How do we think about personnel differently?” and adding that a major issue has been the approach to military staffing within the command.

Austin Berglas, a former head of the FBI’s cyber program in New York who worked on consolidation efforts inside the Bureau, believes a separate cyber force could enhance U.S. capabilities by centralizing resources and priorities. “When I first took over the [FBI] cyber program … the assets were scattered,” said Berglas, who is now the global head of professional services at supply chain cyber defense company BlueVoyant. Centralization brought focus and efficiency to the FBI’s cyber efforts, he said, and it’s a model he believes would benefit the military’s cyber efforts as well. “Cyber is a different beast,” Berglas said, emphasizing the need for specialized training, advancement, and resource allocation that isn’t diluted by competing military priorities.

Berglas also pointed to the ongoing “cyber arms race” with adversaries like China, Russia, Iran, and North Korea. He warned that without a dedicated force, the U.S. risks falling behind as these nations expand their offensive cyber capabilities and exploit vulnerabilities across critical infrastructure.

Nakasone said in his comments earlier this year that a lot has changed since 2013 when U.S. Cyber Command began building out its Cyber Mission Force to combat issues like counterterrorism and financial cybercrime coming from Iran. “Completely different world in which we live in today,” he said, citing the threats from China and Russia.

Brandon Wales, a former executive director of the CISA, said there is the need to bolster U.S. cyber capabilities, but he cautions against major structural changes during a period of heightened global threats.

“A reorganization of this scale is obviously going to be disruptive and will take time,” said Wales, who is now vice president of cybersecurity strategy at SentinelOne.

He cited China’s preparations for a potential conflict over Taiwan as a reason the U.S. military needs to maintain readiness. Rather than creating a new branch, Wales supports initiatives like Cyber Command 2.0 and its aim to enhance coordination and capabilities within the existing structure. “Large reorganizations should always be the last resort because of how disruptive they are,” he said.

Wales says it’s important to ensure any structural changes do not undermine integration across military branches and recognize that coordination across existing branches is critical to addressing the complex, multidomain threats posed by U.S. adversaries. “You should not always assume that centralization solves all of your problems,” he said. “We need to enhance our capabilities, both defensively and offensively. This isn’t about one solution; it’s about ensuring we can quickly see, stop, disrupt, and prevent threats from hitting our critical infrastructure and systems,” he added.

Continue Reading

Trending