The authorities who took control of the website that the LockBit ransomware group used to leak stolen data are now using the site to slowly leak details about the ransomware group’s operations. Disclosed information includes LockBit-related arrests in Ukraine and Poland, decryption keys, and recovery tools.
If you have been affected by LockBit, reach out to your local FBI contact to see if they have decryption keys available for you. At the same time: LockBit, the malware, is still around and modified installers have been sighted.
It appears that authorities are giving the LockBit organizers the digital middle finger as well as disclosing the identities of the two organizers to draw them into the open. Aside from watching that theatre play out, continue to expect variations/new generations of their ransomware. The other takeaway is that law enforcement has keys for LockBit, subsequently, decryption and/or recovery tools are available for free.
The other shoe has dropped. Broadcasting the complete take-over via seized infrastructure must sting. Well-played by international law enforcement authorities. The only remaining question: will the evildoers learn their lesson or simply look to build new infrastructure and continue with the ransomware game?
Again, well done to all involved. The intelligence data gathered by law enforcement during this operation will have many who are either directly involved in LockBit, or who are affiliates, looking over their shoulders for many years to come. This operation will hopefully become the template for many future operations to disrupt and detain other cybercriminal gangs.
Ars Technica
The Register
Europol
Krebs on Security
The Record
Bleeping Computer
The Register
The Register
Two weeks after detecting a cyberattack on its systems, German battery manufacturer Varta says that it has not yet resumed production. The company is working with forensic IT experts and analysts to test and restart its systems. Varta is unable to say when manufacturing will resume at its five production plants.
A good reason not to let your PR folks have the final word on breach releases is this quote from Varta: “Organised group of hackers who managed to break through the high security standards of VARTA's IT systems with a high level of criminal energy.” This is basically saying “Our security standards are only high enough to thwart disorganized individual hackers with low levels of energy, even though a successful attack could halt our production systems for two weeks or more.”
While Varta is not sure when things will be on-line, they hope to have some services restored next week. They also warn customers that email exchanged between February 12 and 18th is lost and will need to be resent. Good move to notice where customer (or internal) communications are impacted by an incident and disclose what will need to be repeated. Have you considered how you'd detect gaps in either your ticketing or email system, let alone the steps to bridge them?
Varta’s annual revenue is around $1B. With downtime (3 weeks), forensic experts, system rebuilds, system purchases, this incident will easily cost them more than $100M. Hopefully, Varta will provide details of the attack, to include what cyber defenses were in place, so that we can all learn from this unfortunate incident.
Change Healthcare is experiencing network disruptions following a cyberattack. Once the organization learned of the incident, they disconnected their systems to prevent any additional damage. The outage has impeded prescription processing, leading to delays in patients receiving their medications.
Change Healthcare is part of the health tech company Optum which is operated by UnitedHealth group since 2022. Change Healthcare processes patient payments for about 1/3 of US patients across the country. As of February 23rd, the American Hospital Association has advised possibly affected healthcare organizations to disconnect their systems from Optum until it's deemed safe to reconnect. While Change is providing status updates, and hopes to resolve the issue today, it's not clear what patients needing prescriptions need to do. Don't forget to include and repeat customer workarounds/actions in your notifications. If you're impacted, the best bet is to talk to your pharmacy about options to provide at least a bridging amount of medication while the issue is resolved.
Health IT Security
Security Week
The Record
Infosecurity Magazine
The Register
Change Healthcare
Apple has announced its PQ3 post-quantum cryptographic protocol; it is currently in beta. PQ3 will be introduced in iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4; it will be enabled by default on devices that support it.
Signal and Apple are taking the lead in implementing quantum safe encryption. But be careful rushing new algorithms into production. Apple developed its own "PQ3" algorithm. NIST is currently going through the deliberate and thorough process of identifying a quantum safe encryption standard. The process already eliminated a few algorithms that were initially considered safe by many experts. This isn't easy. If you develop software: Stay flexible and allow for encryption algorithms to be swapped later if needed. For any encryption implementation, a threat model is critical to define the most appropriate solution.
For anyone whose threat model ACTUALLY includes malicious actors capturing traffic now to decrypt in the future, quantum-resistant crypto may be something to consider. As Dr. J points out, several of the proposals NIST was considering have been found very weak (crypto is hard!), so best practice is probably to layer one of these new, shiny algorithms on top of something you already trust, like TLS 1.3.
End-to-end encryption for all messaging is important but adding post-quantum encryption to an already encrypted service that only works on Apple devices shouldn’t be on anyone’s Top Ten risk list when business emails are still sent unencrypted.
We still are about 5-10 years away from Q-Day and if you're in a sector where regulators are expecting you to implement PQC, this is a good place to see the process used to both certify and deploy a solution as well as see the impact. Otherwise, this may not be something you're focused on. Apple built their solution on both Signal's PQXDH and WhatsApp's auditable key directory leveraging both ECC and post-quantum Kyber and includes key rotation in their plans. Remember that all devices will need to be running an OS that supports PQ3 (and iMessage) or it will fall back to the older iMessage ECC or even SMS (none) encryption.
While this is a great step on Apple’s part, remember most cyber attackers are far more likely to simply text their victim and trick them into doing something they should not do than try to break an encryption algorithm.
Apple
Wired
The Register
SC Magazine
Ars Technica
Security Week
The Hacker News
On Thursday, February 22, AT&T experienced an outage that disrupted connectivity for tens of thousands of mobile customers. On its update page, AT&T writes, “Based on our initial review, we believe that today’s outage was caused by the application and execution of an incorrect process used as we were expanding our network, not a cyber attack.” The issue has been resolved.
One interesting "feature" of the outage was the reliance of media on "downdetector.com". This website does a great job in identifying widespread outages. But many reporting on the outage did not understand downdetector's methodology which led to reporting of outages in Verizon's and T-Mobile's network as well, which if they happened at all, were minor. Always consider the data collection methodology before drawing conclusions from data.
Yesterday morning, as I was changing flights in Denver, it was odd to see my AT&T device, in a strong coverage area, with SOS service, and I had friends speculating that the root cause was a configuration or other process error. While we've all set up change processes, many of which include rollback plans, how many of you have tested the rollback, let alone provided for an adequate time period to roll back? With nested interdependencies, it may not be the "5 minutes" your staff thinks it is. The challenge is to ask them to find an effective way to benchmark that process.
Another data point on the need for system administration hygiene. But the real question is: Did the Gross Domestic Product of the US go down or up when all those mobile devices stopped beeping, ringing and vibrating??
Well certainly a bad day for AT&T and its brand but it will survive. For organizations, this offers the perfect risk management tabletop exercise. Should you introduce an alternative communication pathway for business operation or can the company live with a little downtime? For users, it provides the opportunity to negotiate a discount on their plan when renewal time comes. And for government, perhaps a little red-teaming [tabletop] of the network-to-network peering is in order just to be safe.
Let this outage serve as a good reminder as to how you manage business resilience as a result of an outage in your supply chain. I wonder how many businesses had staff who could not work or their productivity impacted by not having access to calls or to mobile data?
VMware has issued an advisory alerting users to two vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP). The advisory urges users to remove the plugin, which is no longer supported. The flaws are a critical arbitrary authentication relay vulnerability and a high-severity session hijack vulnerability.
CVE-2024-22245, the authentication relay flaw, has a CVSS score of 9.6, and can be used to relay requests for Kerberos tickets from a malicious site through your authorized vCenter clients. CVE-2024-22250, the session hijack flaw, CVSS score of 7.8, allows vCenter sessions to be hijacked. Removal of both the EAP browser plugin and the Windows service, on the client, is required to mitigate the flaw. There is no patch. This service is only used in vSphere 7 for SSO; moving to vSphere 8 allows for additional authentication options including ADFS, Okta, and MS Authenticator.
SC Magazine
Dark Reading
Bleeping Computer
VMware
The White House has released an executive order aimed at strengthening cybersecurity of US ports. The Executive Order on Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States grants the Department of Homeland Security (DHS) the “authority to directly address maritime cyber threats, including through cybersecurity standards to ensure that American ports’ networks and systems are secure.” In a related story, the US Department of Transportation Maritime Administration issued an advisory on Foreign Adversarial Technological, Physical, and Cyber Influence.
I've worked with a number of the USCG's cyber warriors, and they're great at what they do. I applaud any executive or legislative action that expands their ability to help defend the nation. Here's hoping they're also given the resourcing and latitude to continue growing their cyber force structure. Semper paratus, my friends!
The message to the ports is to increase the security of their OT systems from PRC backed services and devices. The action calls for segmentation, monitoring, MFA, updating, backups, and reporting of incidents/suspected incidents, as we've seen in other critical infrastructure sectors. The Coast Guard, CISA and FBI are providing support for reporting and CISA can provide implementation guidance.
A crucial part of our infrastructure to which we hardly give any thought unless it breaks.
White House
White House
DOT
The Register
SC Magazine
Dark Reading
Security Week
Gov Infosecurity
Joomla has released updates to address five vulnerabilities in its content management system. The flaws could be exploited to achieve arbitrary code execution on unpatched websites. Joomla has fixed the vulnerabilities in versions 5.0.3 and 4.4.3. The updates also incorporate several bug fixes and improvements.
While it appears an administrator has to click a link to enable the exploit, it's still time to apply the updates. While Joomla provides updates for both 4.4 and 5.0, Joomla 4.4 sites can be upgraded, rather than migrated, to Joomla 5, so it's recommended to update to Joomla 5.0.3.
The US Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the FBI have released a fact sheet listing top actions for securing water systems. The document includes free tools, resources, and services to support recommended actions, which include conducting regular cybersecurity assessments, conducting an inventory of OT/IT assets, and developing and exercising cybersecurity incident response and recovery plans.
The actions are prioritized to help get your arms around raising the bar, and some actions, such as changing default passwords, are effectively free. While removing direct (Internet) access to OT systems may sound like it'll be expensive requiring staff to use other mechanisms to reach them, the prevalence of targeted OT attacks, particularly successful ones, will quickly outweigh those costs. Leverage the resources in the report to keep things manageable.
Just two pages. A two minute read. Actions to be taken. If taken across the industry, will raise cost of attack by a factor of ten. Great start.
While it’s good to have security guidance specific to water systems, the guidance for every critical sector has been around for decades. Regular cybersecurity assessments, check. Inventory of assets (HW, SW, Data), check. Creating and exercising incident response and recovery plan, check. These and other critical security controls should become the minimum baseline required of every critical infrastructure provider.
Threat actors have been using a recently released network mapping tool for malicious purposes. “SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network.” Researchers from Sysdig have observed threat actors using SSH-Snake to steal SSH credentials. The attackers exploited known vulnerabilities to gain initial access to the systems.
The worm is fileless and uses compromised credentials to access systems. You can raise the bar by disallowing password based authentication to Internet-facing SSH. Better still, don't allow SSH from the Internet, require certificate authentication for privileged users and review access, eliminating unused/unneeded accounts.
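The hardening steps in the note above (no password authentication on Internet-facing SSH, key or certificate based authentication only) are easy to state and easy to let drift. The following is an added example, not code from the newsletter, from Sysdig, or from the SSH-Snake project: a small POSIX shell audit that reads an sshd_config and reports the settings a defender would want to check, using OpenSSH's first-match semantics and its documented defaults for directives that are not set. The two sample configs are constructed here so the script runs offline; the file names and the `WEAK_CFG`/`HARD_CFG` variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the newsletter, Sysdig or SSH-Snake): audit an
# sshd_config for the settings the note recommends tightening.

# Print the effective value of a directive (lowercased), or nothing if unset.
# sshd uses the FIRST matching line, and we stop at the first "Match" block
# because values inside it only apply conditionally.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/                        { next }   # comment
        /^[[:space:]]*[Mm]atch[[:space:]]/      { inmatch = 1 }
        inmatch                                 { next }
        NF >= 2 && tolower($1) == tolower(key)  { print tolower($2); exit }
    ' "$1"
}

# Report each weak setting on stdout; exit status = number of findings.
# Defaults applied when a directive is absent are OpenSSH's own:
#   PasswordAuthentication yes, PermitRootLogin prohibit-password,
#   PubkeyAuthentication yes, PermitEmptyPasswords no.
ssh_audit() {
    cfg="$1"; findings=0

    v=$(sshd_effective "$cfg" PasswordAuthentication); [ -z "$v" ] && v=yes
    [ "$v" = yes ] && { echo "WEAK: PasswordAuthentication yes (allow keys/certs only)"; findings=$((findings+1)); }

    v=$(sshd_effective "$cfg" PermitRootLogin); [ -z "$v" ] && v=prohibit-password
    [ "$v" = yes ] && { echo "WEAK: PermitRootLogin yes"; findings=$((findings+1)); }

    v=$(sshd_effective "$cfg" PubkeyAuthentication); [ -z "$v" ] && v=yes
    [ "$v" = no ] && { echo "WEAK: PubkeyAuthentication no"; findings=$((findings+1)); }

    v=$(sshd_effective "$cfg" PermitEmptyPasswords); [ -z "$v" ] && v=no
    [ "$v" = yes ] && { echo "WEAK: PermitEmptyPasswords yes"; findings=$((findings+1)); }

    return "$findings"
}

# Constructed sample configs (not real hosts). The weak one also shows why the
# audit must stop at "Match": the Match block would otherwise hide the problem.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Port 22
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication no
PermitEmptyPasswords yes
Match User backup
    PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
AuthenticationMethods publickey
TrustedUserCAKeys /etc/ssh/user_ca.pub   # certificate auth for privileged users
EOF

# Stand-alone run: audit both and show the counts.
for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"; n=0; ssh_audit "$f" || n=$?; echo "findings: $n"
done
```

Run it against `/etc/ssh/sshd_config` on a bastion host to get the same report; a non-zero exit status makes it easy to wire into a configuration check. The audit deliberately ignores `Match` blocks, so a host that relaxes settings inside one for a specific user still has to be reviewed by hand.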
Python InfoStealer With Dynamic Sandbox Detection
https://isc.sans.edu/diary/Python+InfoStealer+With+Dynamic+Sandbox+Detection/30668
Phishing Pages Hosted on Archive.org
https://isc.sans.edu/diary/Phishing+pages+hosted+on+archiveorg/30676
Friend, Foe or Something In Between
Large AT&T Wireless Network Outage
https://isc.sans.edu/diary/Large+ATT+Wireless+Network+Outage+att+outage/30680
SSH Snake Abused in the Wild
https://github.com/MegaManSec/SSH-Snake
iMessage with PQ3
https://security.apple.com/blog/imessage-pq3/
Connect Wise ScreenConnect Used by LockBit
ConnectWise ScreenConnect Vulnerabilities
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
ScreenConnect Authentication Bypass Exploit (CVE-2024-1709, CVE-2024-1708)
Remove VMware Enhanced Authentication Plugin (EAP) CVE-2024-22245 CVE-2024-22250
https://kb.vmware.com/s/article/96442
Voltage Noise to Manipulate Wireless Chargers